2018-08-10 Meeting Notes

Date

Attendees

  • Vacation - (Philippines)
  • Traveling UCCSC

Goals

  • Updates on continuing development
  • Review, organize and add to work items

Discussion items

Time | Item | Who | Notes
Welcome
  • Greetings and salutations

General Info
  • Vince Nievares
    • Will be on vacation  -  (Philippines)
  • UC Path
    • August and September is going to have UC Path as the priority


10:00 - 10:45 AM | Meet With Apigee | Diana Antova

Apigee has agreed to meet with us to review our implementation. Jordan engaged an architectural resource.
They will meet with us this Friday from 10:00 to 10:45.
Here is the meeting info:
meet.google.com/eom-jrqm-dcg

Questions

  • We have a chatbot to help perform common tasks. What's the correct way to set up an account to do that?
  • One common task the chatbot does is search for Apps that have API Products in a particular status (Pending, Revoked, etc.). To search for that information, the bot needs to (1) search for all developer email addresses, then (2) search for all the applications associated with each address, and finally (3) search for API products associated with each application. This creates a large number of requests, which sometimes hits a quota limitation (too many requests per second). Is there a better way to search? Is there a way to simply search for all Applications that use an API Product? Or all API Products by status?
  • Are we using Teams properly?
  • Best way to get to Drupal 8?
  • Does Apigee offer services where they might handle the conversion from Drupal 7 to Drupal 8?
  • Are we handling security well - gateway and portal?
  • Reporting

Demo - Steven

K = Kevin Park, S = Steven Maglio, D = Diana Antova, J = Wyatt Jordan

K - how are we structured? Do we have couple of admins or everyone can manage everything? 

K - Logging policies - do we have them? 

S - We do not, we will need to figure out how to add them. Steven has an idea!

K - it is a brand new feature that should help with monitoring. Post - client flow, K will send us a document on how to use it. It is a hidden feature.

S - dining cam API - image tag that contains the API key. How do we handle security with the API key in the header?

K - keep the initial API key for the initial auth to retrieve the HTML, and then request a one-time token that is exposed to the end user. JWT and OAuth, JSON tokens. We have Apigee's OAuth implemented, we need to use it for the one-time token.

S - for now we continue this way until we implement campus oauth. We still use a separate application for this case. the dining cam api should not be auto-approved so we can control the separate application key for 

S - OPTIONS response is before the API key, is it a bad way to do it?

K - it is fine to do it this way

S - employee API proxy, key-value map operation,

K - KVM is the basic way to do encryption, change the scope from API proxy to environment, so we have different credentials for each environment. The scope of the KVM should be environment scope.

K - Recommended to have a catch-all proxy to display an error message if the other proxies are called incorrectly.

K - not recommended to have min-max parameters, best to use query parameters. URL is for resources and sub-resources - student/id/classes. For limiting data or choosing which min or max parameter, it is best to use query parameters.

Ian - API versioning - what is best practice?

K - lots of philosophies, URL is what he recommends, makes things a lot easier to use. Having it explicitly in the URL makes it easy to know what people are using.

S - multiple versions within the same proxy

K - seen a lot more success when people split the versions into separate proxies, analytics gives you quick insight into what is used. Deprecation is much easier. Customer permissions through API products.

S - Version numbers - every unit can handle their version numbers, major versions inside the URI, if you don't put a number, you go to latest major version. If they want to get the minor version, they have to pass a header. 

K - that is fine, how often will the API methods change? 

S - we have done it twice already.

K - if we are not making breaking changes, we could use a minor version bump, but it is a lot of initial overhead and does not provide value. Recommends not using minor versions if no breaking change. Even if the back end logic changes.

Decision - we can drop minor versions. 

D - Security

S - API key and user name and password now. With OAuth we want to just get one key that has all. We are hoping JWT token will help with this.

K - can share some slides that show why OAuth is important. API key and secret is only for the application to authenticate into Apigee, from security standpoint is very secure.

S - company add-on. Non-Mint Drupal plugin. Without the enterprise version we cannot manage the teams from the gateway. We are thinking to use the bot to manage.

K - company feature he does not have experience with. Non-Mint companies leverage the RBAC functionality. For each developer they force them to select a role. Permissions are applied to a particular role that they can access through the portal. Dev portal team is working on a team feature now.

One role is defined in Apigee Edge, dev portal is another role. He will send us information about how it works.

S - MFA for the chat ops account. Created a separate account for chat-ops without MFA. What is the right way to set up an account to do that?

K - cannot use MFA, and we will use the license. 

Avg active users is a term they use, so some might not count as such. Jordan will send us the description. 

D - reporting

J - will ask Kevin and get back to us. 




Action Items From Previous Meeting | Steven Maglio
  • Steven Maglio Create @apibot report commands requirements. Add a use case where users can get usage; and usage by version number; and usage by version with application breakdown; and high level report where someone can access it (push onto developer.ucsb.edu?)
    • Research - Are there any companies that Apigee logs are already being pushed to, which have better reporting already written. Do those companies allow for dashboards to be displayed in external apps (developer.ucsb.edu)?
  • Diana Antova - API Proposal - An api that could return who has left UCSB (UC Path/PPS) in the past X days (maybe Adam can do this)
    • who has changed departments
  • Diana Antova and Steven Maglio will start this process with Registrar's Office to use the Publish an API Workflow for the APIs that are already in place.



Portal - API Docs only Visible to Registered Users | Ian Lessing (Unlicensed)
  • Permissions to only allow Logged In users to see some API Documentation (APIGEE-117)
    • Steven Maglio will contact Denise and see if she can put it back so it's grouped. And ask if she can work with the CSS to make it easier to read and emphasize the APIs over the groupings.



Workflow - Publish a New API

Ian Lessing (Unlicensed)

  • Dev Portal Documentation - How To Use Workflow (APIGEE-119)



@apibot - Powershell Conversion & Hosting | Kevin Wu
  • Working on Kevin's Computer (node 8.9.X) (APIGEE-105 & APIGEE-101)
  • Apigee Authorization Module (AuthApigee)
  • Replacement Functionality Progress Update
    • apps 
      • apps (no|approved|revoked|pending|all)
      • apps (approve|revoke) email developerApp
      • apps (approve|revoke) email developerApp apiProduct
      • apps search
      • apps users?
    • devs
      • devs created <days=1>
    • targetserver
    • companies
      • Kevin Wu will implement?
      • Need to build requirements
      • Need to build use cases
      • Need reporting that will display in developer.ucsb.edu
      • Need annual clean up times
  • Get operational on GCP
    • Kevin Wu will determine if this is the platform we want to use and will figure out the annual costs if we do. We will use this to put together a flex card request.



Access Request Workflow | Diana Antova



Portal - Apigee Companies Add-On | Ian Lessing (Unlicensed), Steven Maglio



New API Request Workflow in Portal | Diana Antova
  • Brought up by Ann Crawford with the following questions:
    • How do we request a use case for an API
    • What is the workflow? Possible statuses are: received, rejected (with reason, i.e. duplicate), closed (with deploy date), in test, in code
    • How do we search what's in the works?
    • Who will manage requests?
Specific use case from Ann Crawford:
Here is the API use case that I sent to housing for the photos.
Our use case is to get all new or changed photos for Type graduate or undergraduate with the perm (university ID)

New photos are perms we don't have a photo in the student health database.
Changed photos are those where the saved photo hash <> current photo hash for a given perm. Currently the sproc returns a hash of the photo so we can compare and save, along with a perm (university ID), Type, first name, last name. We don't use the first name or last name but it is good for testing.
11:00 AM - 11:30 AM | API Versioning | Steven Maglio



API Keys in Public Code | Former user (Deleted)
  • Need to use an API Key in public code (JavaScript). It can get stolen, so we need extra lockdown. That should be a referrer domain name set up in the API App, or some other complex auth system, but it always needs to include the domain. (This should be Security Workgroup's job.)
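One way to apply the referrer-domain lockdown mentioned above on the server side, as an added example that is not code from the meeting notes or from Apigee. It assumes a Node-style request where header names are lower-cased, and it checks the browser-supplied Origin header (falling back to Referer) against an exact hostname allowlist before the public API key is honoured; the allowlist entries other than developer.ucsb.edu are constructed.

```javascript
// Constructed allowlist. developer.ucsb.edu appears in the notes; the second
// entry is an assumed placeholder for a dining cam page.
const ALLOWED_HOSTNAMES = new Set([
  'developer.ucsb.edu',
  'dining.example.edu',
]);

// Extract the hostname from an Origin or Referer header value.
// Returns null when the header is missing, is the literal "null" origin,
// or is not an http(s) URL, so that malformed input is rejected rather than matched.
function hostnameFromHeader(value) {
  if (typeof value !== 'string' || value === '') return null;
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return url.hostname.toLowerCase();
}

// headers: plain object with lower-cased keys, as Node's http module provides.
// Origin is preferred because browsers send it on cross-origin fetch/XHR;
// Referer is a fallback since Referrer-Policy may strip or trim it.
function checkBrowserOrigin(headers, allowed = ALLOWED_HOSTNAMES) {
  const candidate = headers.origin || headers.referer;
  const host = hostnameFromHeader(candidate);
  if (host === null) {
    return { ok: false, reason: 'missing or malformed Origin/Referer' };
  }
  // Exact hostname match only. A substring or prefix test would also accept
  // unrelated hostnames that merely contain an allowed name.
  if (!allowed.has(host)) {
    return { ok: false, reason: 'hostname ' + host + ' not in allowlist' };
  }
  return { ok: true, reason: 'hostname allowed' };
}

// Constructed sample requests showing the three outcomes.
console.log(checkBrowserOrigin({ origin: 'https://developer.ucsb.edu' }));
console.log(checkBrowserOrigin({ referer: 'https://dining.example.edu/cams/1' }));
console.log(checkBrowserOrigin({}));
```

Origin and Referer are set by the browser, so this check limits reuse of the key from other web pages in a browser; it does not bind the key to a client that can set its own headers, which is why the notes pair it with the short-lived token issued after the initial request.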

Pantheon Training Follow-Up


Steven Maglio
  •  1 - 5 pm - Pantheon Overview, Terminus Overview and Demo, Performance & Going Live
  •  1 - 5 pm - Custom Upstream Development
  • What did people learn?

Documentation | Former user (Deleted)
  • Docs on Portal site need some updates and fine tuning. I can work on those and edit them with a "technical writing" style.
  • Data Access Requests should be done through DocuSign, and we should standardize it for all UCSB depts.

Action items

  •