Layer7 API Management

  • 1.  SERVICE_DOCUMENT entity

    Posted Jan 06, 2017 01:33 PM

    We use the restman api to clear debug trace options from all our published services. I got a permission denied because of lacking delete permission on entity SERVICE_DOCUMENT when clearing this option for a soap service. I can not find the object SERVICE_DOCUMENT to give a user this permission. Does somebody know how to give a user this permission?

     

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>

    <l7:Error xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">

        <l7:Type>PermissionDenied</l7:Type>

        <l7:TimeStamp>2017-01-06T18:59:04.120+01:00</l7:TimeStamp>

        <l7:Link rel="self" uri="https://localhost:8443/restman/1.0/services/4000FAD0E2E1817429BE81802F3D80D4"/>

        <l7:Detail>Permission denied for user AhmMonitorService on entity SERVICE_DOCUMENT with id 4000fad0e2e1817429be81802f3d8114. Requested operation Delete</l7:Detail>

    </l7:Error>



  • 2.  Re: SERVICE_DOCUMENT entity

    Broadcom Employee
    Posted Jan 06, 2017 07:16 PM

    Edward,

     

    Good afternoon. The role that should open this permission is the Manage WebServices role. This may give the user more rights than you would like so you should look to create a custom role that has Publish services and some additional pieces if required.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 3.  Re: SERVICE_DOCUMENT entity

    Posted Jan 07, 2017 10:17 AM

    Even the Manage Webservices role does not give enough permissions to clear the debug tracing option. I tried to add a lot of other permissions that could make sense, but without success. The only way I could give the needed permission is to give the user also the Delete and Create permission on all object types, which is way too much for disabling only the debug tracing option. Could the service_document be a missing object type in the policy manager interface?



  • 4.  Re: SERVICE_DOCUMENT entity

    Broadcom Employee
    Posted Feb 06, 2017 07:17 PM

    Good evening,

     

    I've been able to test this out on a 9.1 using RESTMAN and was able to clear the trace debugging for a SOAP Service. My WSDL does not include any import statements for additional WSDL or Schema files. Does the example you are trying have these included?

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 5.  Re: SERVICE_DOCUMENT entity

    Posted Feb 07, 2017 01:33 AM

    Hi Stephen,

    The WSDL has indeed references to external schemas.

     

    In the service definition

    "..... <wsdl:types>
            <xs:schema elementFormDefault="qualified" targetNamespace="http://schemas.kvk.nl/schemas/hrip/dataservice/2015/01" version="2">
                <xs:import namespace="http://schemas.kvk.nl/schemas/hrip/catalogus/2015/01" schemaLocation="catalogus/Catalogus.xsd"/>
                <xs:complexType name="ProductRequestType">
                    <xs:sequence>
                        <xs:element maxOccurs="1" minOccurs="1" name="klantreferentie" type="cat:Tekst50"/>
                    </xs:sequence>
                </xs:complexType>..."

     

    When requesting wsdl from api gateway

    "....

    <wsdl:types>
    <xs:schema elementFormDefault="qualified" targetNamespace="http://schemas.kvk.nl/schemas/hrip/dataservice/2015/01" version="2">
    <xs:complexType name="ProductRequestType">
    <xs:sequence>
    <xs:element maxOccurs="1" minOccurs="1" name="klantreferentie" type="cat:Tekst50"/>
    </xs:sequence>
    </xs:complexType>.."




  • 6.  Re: SERVICE_DOCUMENT entity

    Broadcom Employee
    Posted Feb 07, 2017 06:42 PM

    I've been able to reproduce the issue that you are seeing and it appears that the publish webservice does not have the deeper permissions to delete then re-add the imported schema into the Service_Document table. I've tried to add additional permissions to other roles but found that I was unable to find a combination that would allow for this functionality without giving too many permissions. I'll confer with a development colleague to determine if anything else can be done.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 7.  Re: SERVICE_DOCUMENT entity
    Best Answer

    Broadcom Employee
    Posted Feb 10, 2017 01:11 PM

    Good morning. After speaking with our development team, we have a way to make this work. You will need to create a new role using the restman interface as it is not possible through the Policy Manager. To create the role you will need to POST the below message to the URI /restman/1.0/roles and add your user to the role ServicesAndResourcesOnlyRestMan.

     

    <l7:Role version="0" xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
        <l7:name>ServicesAndResourcesOnlyRestMan</l7:name>
        <l7:description></l7:description>
        <l7:userCreated>true</l7:userCreated>
        <l7:permissions>
            <l7:permission>
                <l7:operationType>READ</l7:operationType>
                <l7:entityType>SERVICE_DOCUMENT</l7:entityType>
                <l7:predicates/>
            </l7:permission>
            <l7:permission>
                <l7:operationType>UPDATE</l7:operationType>
                <l7:entityType>SERVICE</l7:entityType>
                <l7:predicates/>
            </l7:permission>
            <l7:permission>
                <l7:operationType>UPDATE</l7:operationType>
                <l7:entityType>SERVICE_DOCUMENT</l7:entityType>
                <l7:predicates/>
            </l7:permission>
            <l7:permission>
                <l7:operationType>CREATE</l7:operationType>
                <l7:entityType>SERVICE_DOCUMENT</l7:entityType>
                <l7:predicates/>
            </l7:permission>
            <l7:permission>
                <l7:operationType>DELETE</l7:operationType>
                <l7:entityType>SERVICE_DOCUMENT</l7:entityType>
                <l7:predicates/>
            </l7:permission>
            <l7:permission>
                <l7:operationType>READ</l7:operationType>
                <l7:entityType>SERVICE</l7:entityType>
                <l7:predicates/>
            </l7:permission>
        </l7:permissions>
        <l7:assignments/>
    </l7:Role>

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support
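
The thread's concern is granting the SERVICE_DOCUMENT rights without over-granting, so a role document can be checked against the six grants from the post before it is sent to /restman/1.0/roles. The following is an added example, not code from the post or from the product; `build_role`, `audit_role` and `EXPECTED` are hypothetical names, and it assumes an empty `l7:predicates` element means the grant is not narrowed to particular entities.

```python
import xml.etree.ElementTree as ET

NS = "http://ns.l7tech.com/2010/04/gateway-management"

# Grants carried by the role in the post: (operationType, entityType).
EXPECTED = {
    ("READ", "SERVICE"), ("UPDATE", "SERVICE"),
    ("READ", "SERVICE_DOCUMENT"), ("UPDATE", "SERVICE_DOCUMENT"),
    ("CREATE", "SERVICE_DOCUMENT"), ("DELETE", "SERVICE_DOCUMENT"),
}

def q(tag):
    return f"{{{NS}}}{tag}"  # namespace-qualified tag name

def build_role(name, grants):
    """Render a role document in the layout shown in the post."""
    ET.register_namespace("l7", NS)
    role = ET.Element(q("Role"), {"version": "0"})
    ET.SubElement(role, q("name")).text = name
    ET.SubElement(role, q("description"))
    ET.SubElement(role, q("userCreated")).text = "true"
    perms = ET.SubElement(role, q("permissions"))
    for op, etype in sorted(grants):
        perm = ET.SubElement(perms, q("permission"))
        ET.SubElement(perm, q("operationType")).text = op
        ET.SubElement(perm, q("entityType")).text = etype
        ET.SubElement(perm, q("predicates"))  # empty, as in the post
    ET.SubElement(role, q("assignments"))
    return ET.tostring(role, encoding="unicode")

def audit_role(xml_text, expected=EXPECTED):
    """Compare the grants in a role document with the expected set."""
    root = ET.fromstring(xml_text)  # operator-authored file, not untrusted input
    if root.tag != q("Role"):
        raise ValueError(f"not an l7:Role document: {root.tag}")
    granted, unscoped = set(), set()
    for perm in root.findall(f"{q('permissions')}/{q('permission')}"):
        op = (perm.findtext(q("operationType"), "") or "").strip().upper()
        etype = (perm.findtext(q("entityType"), "") or "").strip().upper()
        granted.add((op, etype))
        if not perm.findall(q("predicates") + "/*"):  # assumed: empty = unscoped
            unscoped.add((op, etype))
    return {"role": root.findtext(q("name"), ""),
            "unexpected": sorted(granted - expected),
            "missing": sorted(expected - granted),
            "unscoped": sorted(unscoped)}

# Constructed sample: the post's six grants plus one extra to show a finding.
SAMPLE = build_role("ServicesAndResourcesOnlyRestMan", EXPECTED | {("DELETE", "SERVICE")})
```

A non-empty `unexpected` list means the document grants more than the role in the post; `missing` lists grants the operation described in the thread would still be denied.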



  • 8.  Re: SERVICE_DOCUMENT entity

    Posted Feb 10, 2017 02:00 PM

    Thank you Stephen! It solved my issue.