| Time | Item | Who | Notes |
|---|---|---|---|
| Welcome | | - Greetings and salutations
|
| General Info |
| |
| Email Groups | Steven Maglio | - Should we add an email group for Business Approvers (that way they won't get hit by emails for api-consumers@developer.ucsb.edu)?
- Is there a programmatic way to distinguish between the two? (An attribute 'role': 'business-approver')
- Will create api-ba@developer.ucsb.edu
|
| GoGaucho |
| - Potential Plan
- Seth Northrop will reach out to Jennifer Lofthus - Seth is waiting until we do our review
- Hengyu Liu request for API access - also a developer of the same app
- For the Campus Web API Group
- We will need to do a code review of the application
- We will need to come up with language, which they will need to sign, that says they will use the student credentials securely
- The language will also need to state terms of notifications for potential problems (will this make it an official endorsement, which will then create legal liabilities?)
- Most likely we should use the Standard DS (Data Security) agreement
- We will need to do periodic reviews of the application to ensure the application keeps the security standards in place
- Our View Point on this Scenario
- Student developed apps should be given just as much opportunity as staff developed apps
- There needs to be a security review of any app that is using an API which requires approval before it's approved through the Campus Web API Gateway
- Reviews of the application will be with the team that developed the application and the API Gateway Team
- A previous review with a development team can be used to approve any future applications that they create
- Student developed apps will need to sign extra agreements (like Security DS)
- Staff developed apps will not need this because the agreement is already part of working on the campus
|
| API Call Quota Level | Steven Maglio | - Farah found the 100 requests per minute (default quota level) to be too limiting. She also found that, the way the quota level is implemented, the system literally has to wait for the full minute to expire before allowing requests to flow again.
- The smallest increment of time we can do in the UI is per minute. The REST API has the same limitation.
- What would we think about ...
- 1000 per minute (60 ms per request)
- 10000 per minute (6 ms per request)
- 20000 per minute (3 ms per request)
- I made some calls with the tracing tool turned on just to see how long a "simple call" takes to return.
|
| Workflow - Access Request | Diana Antova | - Diana Antova - Develop Access Request Workflow Requirements (APIGEE-146)
- Use Scheduled Task to send Email asking for more information on new Access Requests
- Need to include asking for Form to be filled out
- Need to include list of API Products being asked for
- Should include a line asking if a face to face meeting would be better
- Vince Nievares - Document User Access Request Workflow for End Users (APIGEE-120)
- Diana Antova - Create Access Request Workflow for End Users (APIGEE-87)
- Review API publishing and access request approval process with Registrar - Diana Antova
- Meeting scheduled for Oct 5 (today)
- How do we allow logged in users to access the form?
|
| Workflow - Publish a New API | Diana Antova | - Dev Portal Documentation - How To Use the Publishing Workflow (APIGEE-119) - Ian Lessing
- Steven Maglio Test the workflow with the Registrar office (APIGEE-161)
- API publishers - fill in the form for each API, and have them approved by the business owners.
- How do we allow logged in users to access the form?
- Update: Text of Business Functional Email
- Original: Departmental email that can be included in the communication with the business user.
- Updated: In case we get ... Diana Antova will figure it out
- Add example in description for Security Information
- Move Protection Level above Security Information
- Split Security Implementation
- API Provider Security Implementation
- Add Firewall/IP Restriction
- Options:
- API Gateway Security Implementation
- Availability Level description may need some wordsmithing
|
| @apibot - PowerShell Conversion & Hosting | Kevin Wu | - Working on Kevin's Computer (node 8.9.X) (APIGEE-105 & APIGEE-101)
- Apigee Authorization Module (AuthApigee)
- Replacement Functionality Progress Update
- apps
- apps (no|approved|revoked|pending|all)
- apps (approve|revoke) email developerApp
- apps (approve|revoke) email developerApp apiProduct
- apps search
- apps users?
- devs
- targetserver
- targetserver list <env>
- targetserver (add|update) <env> <name> <hostname>
- targetserver delete <env> <name>
- companies
- Kevin Wu will implement?
- Need to build requirements
- Need to build use cases
- Need reporting that will display in developer.ucsb.edu
- Need annual clean up times
- Get operational on GCP
- Kevin Wu has determined that GCP is not the right platform for the bot because of the difficulty in setting it up.
- Kevin Wu tried out Heroku and found it really easy to work with. He wants to know if we can use this?
- Kevin Wu will write-up a request form and submit it to Matt Hall/Elise Meyer.
- Heroku for deployment
|
| Google Analytics | Christian Montecino | - Talk about the full details of what we want to have Google Analytics track
- Initial list
- URL
- Method (GET, POST, etc)
- Category (Students, Academic, Dining, etc)
- Response Time
- HTTP Status Code (200, 401, etc)
- Research - Apigee will not support exporting data to an external system
- Christian and Steven created a policy that exports the call info to Google Analytics.
|
| Action Items From Previous Meeting |
| |
| Service Account | Steven Maglio | - Attributes we want on it
- ucsbCampusId
- Department
- Contact Name (probably primary person responsible)
- Contact Email (probably a shared email address)
- Callback App Url (for use with SSO)
- ApigeeClientId (UID from Apigee)
|
| API Access Expected Usage | Steven Maglio | - Expected Usage Text and Legal-ize (Terms of Service) - page
- on App create send the legal text to the developer
- on API access request -
- email on auto-approve for API expected usage, send them the form to fill with a check-box to agree on API usage terms
- email on requesting that they fill out the form for any non-auto approval- add same check-box
- Do we have this documented? Has this been turned into an Apigee Ticket?
|
| API Proxy Standards | Steven Maglio | - Drop Minor Versions as a requirement
- Write standard approach for departments that want to use Minor versions; using the approach is also optional.
- Do we have this documented? Has this been turned into an Apigee Ticket?
|
| Developer Portal Front Page Updates |
| - In About Section
- Diana Antova - Add page about winning the Sautter Award
- Diana Antova - If Diana thinks it's a good idea to add it to the main page, then she will work with Denise to do so
|
| API Versioning | Steven Maglio | - Do we have this documented? Has this been turned into an Apigee Ticket?
|
| CSF notification | Diana Antova | - Email csf to notify developers of existing APIs and the roadmap APIGEE-155
|
| API Health check/Monitoring | Diana Antova | - Steven Maglio will compare Pingdom and Uptime Robot
- Reinard will check out Zabbix
- Can we ask campus if we can use one of the existing monitoring systems?
- Will use Uptime Robot
- Ian Lessing, Steven Maglio write requirements - use health check endpoint
- Uptime is separate - checks for an API proxy being there; Steven is ready to deploy it to Uptime Robot
|
| API Dictionary | Diana Antova | - API dictionary and data governance - define field meaning, naming conventions (Bruce Miller)
|
| Improved Documentation | Diana Antova | - More documentation, need testers that will help us define the optimal set. Can we have a link to a documentation page?
- dedicate a meeting to documentation once a month
|
| API Selection page | Ian Lessing | - API select page - fix layout (Denise)
|
| Accounts for separated employees/students | Steven Maglio
| - What do we do with separated employees?
- Periodic verification (quarterly, yearly)
|