2018-10-26 Meeting Notes

Date

Attendees

Goals

  • Updates on continuing development
  • Review, organize and add to work items


Focus points for this meeting

  • General Info
  • Email groups
  • GoGaucho app review
  • Google Analytics integration
  • API Health check/Monitoring

Discussion items

Time | Item | Who | Notes
Welcome
  • Greetings and salutations

General Info
  • Axiomatics Data Redaction IAM - provides a policy system that integrates with Apigee
  • UCB API Gateway Security Rearchitecture - using AWS with very high-level security

  • Oregon State University is also using Apigee and has done a lot of automation; Steven is contacting them to do a demo for us.

Email Groups (Steven Maglio)
  • Should we add an email group for Business Approvers (that way they won't get hit by emails for api-consumers@developer.ucsb.edu)
    • Is there a programmatic way to distinguish between the two? (An attribute 'role': 'business-approver')
    • will create api-ba@developer.ucsb.edu

GoGaucho
  • Potential Plan
    • Seth Northrop will reach out to Jennifer Lofthus - Seth is waiting until we do our review
    • Hengyu Liu's request for API access (also a developer of the same app)
    • For the Campus Web API Group
      • We will need to do a code review of the application
      • We will need to come up with language, which they will need to sign, stating that they will use the student credentials securely
        • The language will also need to state the terms of notification for potential problems (question: will this make it an official endorsement, which would then create legal liabilities?)
        • Most likely we should use the Standard DS (Data Security) agreement
      • We will need to do periodic reviews of the application to ensure the application keeps the security standards in place
    • Our View Point on this Scenario
      • Student developed apps should be given just as much opportunity as staff developed apps
      • There needs to be a security review of any app that uses an API requiring approval before it is approved through the Campus Web API Gateway
      • Reviews of the application will be done with the team that developed the application and the API Gateway Team
        • A previous review with a development team can be used to approve any future applications that they create
      • Student developed apps will need to sign extra agreements (like Security DS)
        • Staff developed apps will not need this because the agreement is already part of working on the campus

API Call Quota Level (Steven Maglio)
  • Farah found the 100 requests per minute (default quota level) too limiting. She also found that, the way the quota level is implemented, the system literally has to wait for the full minute to expire before allowing requests to flow again.
  • The smallest increment of time we can set in the UI is per minute. The REST API has the same limitation.
  • Question: what would we think about ...
    • 1000 per minute (60 ms per request)
    • 10000 per minute (6 ms per request)
    • 20000 per minute (3 ms per request)
  • I made some calls with the tracing tool turned on just to see how long a "simple call" takes to return.
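The quota behaviour described above, as an added example (not Apigee's own code): a fixed-window counter that only resets once the whole minute has elapsed, so a burst that exhausts the quota early in the window blocks everything until the window ends. The simulation assumes Apigee's per-minute quota behaves as a strict fixed window; the `FixedWindowQuota` class and helper functions are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class FixedWindowQuota:
    """Fixed-window quota (assumption: models the observed Apigee behaviour).
    The counter resets only when a full window has elapsed since window_start."""
    limit: int
    window_ms: int = 60_000
    window_start: int = 0
    count: int = 0

    def allow(self, now_ms: int):
        """Return (allowed, retry_after_ms) for a request arriving at now_ms."""
        if now_ms - self.window_start >= self.window_ms:
            # A whole window has passed: realign the window and reset the counter.
            self.window_start = now_ms - (now_ms - self.window_start) % self.window_ms
            self.count = 0
        if self.count < self.limit:
            self.count += 1
            return True, 0
        # Over quota: caller must wait until the current window closes.
        return False, self.window_start + self.window_ms - now_ms


def simulate_burst(limit: int, n_requests: int, spacing_ms: int, window_ms: int = 60_000):
    """Send n_requests spaced spacing_ms apart through one quota.
    Returns (accepted, first_reject_ms, earliest_recover_ms)."""
    quota = FixedWindowQuota(limit, window_ms)
    accepted, first_reject, recover_at = 0, None, None
    for i in range(n_requests):
        t = i * spacing_ms
        ok, wait = quota.allow(t)
        if ok:
            accepted += 1
        elif first_reject is None:
            first_reject, recover_at = t, t + wait
    return accepted, first_reject, recover_at


def spacing_ms_per_request(limit_per_minute: int) -> float:
    """Average request spacing that exactly fits a per-minute quota."""
    return 60_000 / limit_per_minute


if __name__ == "__main__":
    # 150 requests 100 ms apart against the default 100/min quota (constructed load).
    print(simulate_burst(100, 150, 100))       # (100, 10000, 60000)
    print(spacing_ms_per_request(1000))        # 60.0
```

With the default quota the 101st request, arriving 10 s into the window, is refused and nothing flows again until the 60 s mark; pacing requests at the computed spacing (60 ms at 1000/min) never trips the counter.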

Workflow - Access Request (Diana Antova)

Workflow - Publish a New API (Diana Antova)
  • Dev Portal Documentation - How To Use the Publishing Workflow (APIGEE-119) - Ian Lessing (Unlicensed)
  • Steven Maglio Test the workflow with the Registrar office (APIGEE-161)
  • API publishers fill in the form for each API and have it approved by the business owners.
  • How do we allow logged in users to access the form?


  • Update: Text of Business Functional Email
    • Original: Departmental email that can be included in the communication with the business user. 
    • Updated: In case we get ... Diana Antova will figure it out
  • Add example in description for Security Information
  • Move Protection Level above Security Information
  • Split Security Implementation
    • API Provider Security Implementation
      • Add Firewall/IP Restriction
      • Options:
        • Remove OpenID
    • API Gateway Security Implementation
      • Options:
        • API Key
        • OAuth
  • Availability Level description may need some wordsmithing

@apibot - PowerShell Conversion & Hosting (Kevin Wu)
  • Working on Kevin's Computer (node 8.9.X) (APIGEE-105 & APIGEE-101)
  • Apigee Authorization Module (AuthApigee)
  • Replacement Functionality Progress Update
    • apps
      • apps (no|approved|revoked|pending|all)
      • apps (approve|revoke) email developerApp
      • apps (approve|revoke) email developerApp apiProduct
      • apps search
      • apps users?
    • devs
      • devs created <days=1>
    • targetserver
      • targetserver list <env>
      • targetserver (add|update) <env> <name> <hostname>
      • targetserver delete <env> <name>
    • companies
      • Kevin Wu will implement?
      • Need to build requirements
      • Need to build use cases
      • Need reporting that will display in developer.ucsb.edu
      • Need annual clean up times
  • Get operational on GCP
    • Kevin Wu has determined that GCP is not the right platform for the bot because of the difficulty of setting it up.
    • Kevin Wu tried out Heroku and found it really easy to work with. He wants to know if we can use it.
      • Kevin Wu will write-up a request form and submit it to Matt Hall/Elise Meyer.
  • Heroku for deployment

Google Analytics (Christian Montecino)
  • Talk about the full details of what we want Google Analytics to track
    • Initial list
      • URL
      • Method (GET, POST, etc)
      • Category (Students, Academic, Dining, etc)
      • Response Time
      • HTTP Status Code (200, 401, etc)
  • Research

  • Apigee will not support exporting data to an external system
  • Christian and Steven created a policy that exports the call info to Google Analytics.

Action Items From Previous Meeting



Service Account (Steven Maglio)
  • Attributes we want on it
    • ucsbCampusId
    • Department
    • Contact Name (probably primary person responsible)
    • Contact Email (probably a shared email address)
    • Callback App Url (for use with SSO)
    • ApigeeClientId (UID from Apigee)



API Access Expected Usage (Steven Maglio)
  • Expected Usage text and legalese (Terms of Service) page
  • On app create, send the legal text to the developer
  • On API access request:
    • Email on auto-approve for API expected usage; send them the form to fill in, with a check-box to agree to the API usage terms
    • Email requesting that they fill out the form for any non-auto-approval; add the same check-box
  • Do we have this documented? Has this been turned into an Apigee Ticket?

API Proxy Standards (Steven Maglio)

  • Drop Minor Versions as a requirement
  • Write standard approach for departments that want to use Minor versions; using the approach is also optional.


  • Do we have this documented? Has this been turned into an Apigee Ticket?

Developer Portal Front Page Updates
  • In About Section
    • Diana Antova - Add page about winning the Sautter Award
    • Diana Antova - If Diana thinks it's a good idea to add it to the main page, then she will work with Denise to do so

API Versioning (Steven Maglio)
  • Do we have this documented? Has this been turned into an Apigee Ticket?

CSF notification (Diana Antova)
  • Email CSF to notify developers of existing APIs and the roadmap (APIGEE-155)

API Health check/Monitoring (Diana Antova)
  • Steven Maglio will compare Pingdom and Uptime Robot
  • Reinard will check out Zabbix
  • Can we ask campus if we can use one of the existing monitoring systems?
  • Will use Uptime Robot
  • Ian Lessing (Unlicensed) and Steven Maglio will write requirements - use the health check endpoint
  • The uptime check is separate: it checks that an API proxy is there; Steven is ready to deploy it to Uptime Robot

API Dictionary (Diana Antova)
  • API dictionary and data governance - define field meaning, naming conventions (Bruce Miller)

Improved Documentation (Diana Antova)
  • More documentation; we need testers who will help us define the optimal set. Can we have a link to a documentation page?
    • Dedicate a meeting to documentation once a month

API Selection page (Ian Lessing (Unlicensed))
  • API select page - fix layout (Denise)

Accounts for separated employees/students (Steven Maglio)

  • What do we do with separated employees?
  • Periodic verification (quarterly, yearly)

Action items

  •