2018-08-10 Meeting Notes
Date
Attendees
- Vacation (Philippines)
- Traveling (UCCSC)
Goals
- Updates on continuing development
- Review, organize and add to work items
Discussion items
| Time | Item | Who | Notes |
|---|---|---|---|
| | Welcome | | |
| | General Info | | |
| 10:00 - 10:45 AM | Meet With Apigee | Diana Antova | Apigee has agreed to meet with us to review our implementation. Jordan engaged an architectural resource. Questions and demo notes are below the table. |
| | Action Items From Previous Meeting | Steven Maglio | |
| | Portal - API Docs only Visible to Registered Users | Ian Lessing (Unlicensed) | |
| | Workflow - Publish a New API | | |
| | @apibot - Powershell Conversion & Hosting | Kevin Wu | |
| | Access Request Workflow | Diana Antova | |
| | Portal - Apigee Companies Add-On | Ian Lessing (Unlicensed) / Steven Maglio | |
| | New API Request Workflow in Portal | Diana Antova | Specific use case from Ann Crawford: "Here is the API use case that I sent to housing for the photos. Our use case is to get all new or changed photos for Type graduate or undergraduate with the perm (university ID). New photos are perms for which we don't have a photo in the student health database. Changed photos are those where the saved photo hash <> current photo hash for a given perm. Currently the sproc returns a hash of the photo so we can compare and save, along with a perm (university ID), Type, first name, last name. We don't use the first name or last name, but it is good for testing." |
| 11:00 AM - 11:30 AM | API Versioning | Steven Maglio | |
| | API Keys in Public Code | Former user (Deleted) | |
| | Pantheon Training Follow-Up | Steven Maglio | |
| | Documentation | Former user (Deleted) | |

Meet With Apigee - notes

Legend: K = Kevin Park, S = Steven Maglio, D = Diana Antova, J = Wyatt Jordan

Questions. Demo - Steven.

- K - How are we structured? Do we have a couple of admins, or can everyone manage everything?
- K - Logging policies - do we have them?
- S - We do not; we will need to figure out how to add them. Steven has an idea!
- K - It is a brand new feature that should help with monitoring: post-client flow. K will send us a document on how to use it. It is a hidden feature.
- S - Dining cam API - image tag that contains the API key. How do we handle security with the API key in the header?
- K - Keep the initial API key for the initial auth to retrieve the HTML, and then request a one-time token that is exposed to the end user. JWT and OAuth, JSON tokens. We have Apigee's OAuth implemented; we need to use it for the one-time token.
- S - For now we continue this way until we implement campus OAuth. We still use a separate application for this case. The dining cam API should not be auto-approved so we can control the separate application key for
- S - The OPTIONS response is before the API key; is it a bad way to do it?
- K - It is fine to do it this way.
- S - Employee API proxy, key-value map operation.
- K - KVM is the basic way to do encryption. Change the scope from API proxy to environment, so we have different credentials for each environment. The scope of the KVM should be environment scope.
- K - Recommended to have a catch-all proxy, to display an error message if the other proxies are called incorrectly.
- K - Not recommended to have min-max parameters; best to use query parameters. The URL is for resources and sub-resources - student/id/classes. For limiting data or choosing which min or max parameter, it is best to use query parameters.
- Ian - API versioning - what is best practice?
- K - Lots of philosophies; the URL is what he recommends, makes things a lot easier to use. Having it explicitly in the URL makes it easy to know what people are using.
- S - Multiple versions within the same proxy?
- K - Seen a lot more success when people split the versions into separate proxies; analytics gives you quick insight into what is used. Deprecation is much easier. Customer permissions through API products.
- S - Version numbers - every unit can handle their version numbers; major versions inside the URI, and if you don't put a number, you go to the latest major version. If they want to get the minor version, they have to pass a header.
- K - That is fine; how often will the API methods change?
- S - We have done it twice already.
- K - If we are not making breaking changes, we could use a minor version bump, but it is a lot of initial overhead and does not provide value. Recommends not using minor versions if there is no breaking change, even if the back-end logic changes.
- Decision - We can drop minor versions.
- D - Security.
- S - API key and user name and password now. With OAuth we want to just get one key that has all. We are hoping the JWT token will help with this.
- K - Can share some slides that show why OAuth is important. API key and secret are only for the application to authenticate into Apigee; from a security standpoint it is very secure.
- S - Company add-on. Non-Mint Drupal plugin. Without the enterprise version we cannot manage the teams from the gateway. We are thinking to use the bot to manage.
- K - Company feature he does not have experience with. Non-Mint companies leverage the RBAC functionality. For each developer they force them to select a role. Permissions are applied to a particular role that they can access through the portal. The dev portal team is working on a team feature now. One role is defined in Apigee Edge; dev portal is another role. He will send us information about how it works.
- S - MFA for the chat-ops account. Created a separate account for chat-ops without MFA. What is the right way to set up an account to do that?
- K - Cannot use MFA, and we will use the license. Avg active users is a term they use, so some might not count as such. Jordan will send us the description.
- D - Reporting.
- J - Will ask Kevin and get back to us.
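The dining cam discussion above (keep the long-lived API key on the server that renders the page, and give the browser only a one-time token) as an added example; this is illustration code, not the team's Apigee configuration. The token format (resource, timestamp, nonce, HMAC), the in-memory replay store, the 60-second lifetime and the endpoint path are assumptions made for the example.

```python
"""One-time, short-lived token for a browser-facing image URL.

Added example, not the team's Apigee configuration. The token format,
the in-memory replay store and the endpoint names are assumptions; the
pattern is the one discussed in the meeting: the long-lived API key stays
with the server that renders the page, and the browser only ever sees a
token that is bound to one resource, expires quickly and works once.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set, Tuple
from urllib.parse import quote

# Held only by the token issuer and the image endpoint; never placed in HTML.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 60
# Replay store (assumed in-memory here; a shared cache in a real deployment).
_used_tokens: Set[str] = set()


def issue_token(resource: str, now: Optional[float] = None) -> str:
    """Mint a token bound to one resource. Runs server-side in the page
    renderer, which authenticated to the gateway with the real API key."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    payload = f"{resource}:{ts}:{nonce}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def image_tag(resource: str, now: Optional[float] = None) -> str:
    """The <img> tag sent to the browser: it carries a token, not the API key."""
    token = quote(issue_token(resource, now), safe="")
    return f'<img src="/{resource}/latest.jpg?token={token}">'


def validate_token(token: str, resource: str,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Check at the image endpoint: signature first, then resource binding,
    expiry, and single use. Returns (accepted, reason)."""
    parts = token.rsplit(":", 3)  # resource names may themselves contain ':'
    if len(parts) != 4:
        return False, "malformed"
    res, ts, nonce, sig = parts
    expected = hmac.new(SERVER_SECRET, f"{res}:{ts}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if res != resource:
        return False, "wrong resource"
    now_ts = int(time.time() if now is None else now)
    if now_ts - int(ts) > TOKEN_TTL_SECONDS:
        return False, "expired"
    if token in _used_tokens:
        return False, "replayed"
    _used_tokens.add(token)
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: render the tag, then validate the token twice.
    tag = image_tag("dining-cam/ortega")
    print(tag)
    tok = issue_token("dining-cam/ortega")
    print(validate_token(tok, "dining-cam/ortega"))  # accepted once
    print(validate_token(tok, "dining-cam/ortega"))  # rejected as a replay
```

The order of checks matters: the signature is verified before anything else is parsed, so a forged token can never reach the expiry or replay logic, and a token leaked from the page source is useless after one fetch or after the TTL.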
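The versioning and catch-all recommendations above (major version in the URL path, no version means latest major, one proxy per major version, query parameters for limiting data, and a catch-all that answers with a clear error when no proxy matches) as an added example; this is illustration code written for these notes, not the team's gateway configuration. The proxy table, the resource names and the error body format are constructed assumptions.

```python
"""Major-version-in-path routing with a catch-all proxy.

Added example for these meeting notes, not the team's Apigee configuration.
The proxy table, resource names and error format are assumptions; the
behaviour follows the meeting: /v<major>/<resource>/... routes to the proxy
for that major version, a missing version means the latest major, limiting
parameters travel in the query string, and anything unmatched falls through
to a catch-all that returns a readable error.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

Handler = Callable[[str, Dict[str, List[str]]], dict]


def _proxy(major: int) -> Handler:
    """Stand-in for a deployed proxy: echoes what it was routed."""
    def handle(rest: str, query: Dict[str, List[str]]) -> dict:
        return {"major": major, "path": rest, "query": query}
    return handle


# Constructed proxy table: one proxy per (major version, resource),
# matching the advice to split versions into separate proxies.
PROXIES: Dict[Tuple[int, str], Handler] = {
    (1, "students"): _proxy(1),
    (2, "students"): _proxy(2),
    (1, "dining-cam"): _proxy(1),
}
LATEST_MAJOR: Dict[str, int] = {
    res: max(v for v, r in PROXIES if r == res) for _, res in PROXIES
}

# /v2/students/123/classes -> major=2, resource=students, rest=/123/classes
_PATH_RE = re.compile(r"^/(?:v(?P<major>\d+)/)?(?P<resource>[^/]+)(?P<rest>/.*)?$")


def catch_all(path: str) -> Tuple[int, dict]:
    """Catch-all proxy: any URL that matches no deployed proxy gets an
    explicit error rather than a bare gateway default."""
    return 404, {"error": f"no API proxy matches {path!r}",
                 "known_resources": sorted(LATEST_MAJOR)}


def route(url: str) -> Tuple[int, dict]:
    """Resolve a request URL to (status, body)."""
    parts = urlsplit(url)
    m = _PATH_RE.match(parts.path)
    if not m:
        return catch_all(parts.path)
    resource = m["resource"]
    # Explicit major version wins; otherwise the latest major for the resource.
    major: Optional[int] = int(m["major"]) if m["major"] else LATEST_MAJOR.get(resource)
    handler = PROXIES.get((major, resource)) if major is not None else None
    if handler is None:
        return catch_all(parts.path)
    # Limiting/selection parameters come from the query string, not the path.
    return 200, handler(m["rest"] or "/", parse_qs(parts.query))


if __name__ == "__main__":
    for u in ("/v1/students/123/classes", "/students?limit=10", "/v3/students", "/nothing"):
        print(u, "->", route(u))
```

Dropping the minor version, as decided in the meeting, is what makes this table small: a proxy is keyed only by (major, resource), and a non-breaking change ships under the same key.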