WSO2 API Manager : Sharing API Subscriptions between developers

Subscription management is a crucial part of an API Management solution. WSO2 API Manager provides this capability to API developers via the API Portal (API Store) or via exposed portal APIs. API subscriptions are associated with applications. An API needs to be subscribed under an application and the application can have one or many APIs subscribed to it. This application is a logical space that represent a real life application. Each application would have an associated API key through which the API Can be consumed, This concept can be explained with the following example.

 

Lets look at this from the perspective of a local met department which exposes a set of APIs for consumption. They would be using WSO2 API Manager to expose the APIs. Lets consider WeatherNow as a company that would build an app to provide weather information. WeatherNow would consume multiple APIs provided by the local met department to display weather information on the app.

 

 

They need access to multiple APIs exposed by the local met department in order to get this app up and running. The app would provide information on the temperature, rainfall, snowfall and wind speed of a given location. All these data are exposed as individual APIs by the Met department. Developers from WeatherNow would need to subscribe to the required weather APIs from the met department. WeatherNow would create an application in API Manager to do so. This is illustrated in the diagram below

 

sub1

 

This works perfectly if you have just one developer from WeatherNow to access the developer portal and subscriptions, but what if there are multiple developers from WeatherNow working on these APIs. They cannot create their own subscriptions but is required to share the same subscription with each other. WSO2 API Manager facilitate this capability via the API Store. It is possible to enable subscription sharing where developers in the same organization share subscriptions with the other developers belonging to the same organization.

Sub2

 

 

This capability is disabled by default in the API Manager and can be enabled by commenting the following in api-manager.xml (<API-Manager_Home>\repository\conf\api-manager.xml).

<GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGroupIDExtractorImpl</GroupingExtractor>

 

This capability takes into account the claim name ‘Organization’ in the user store to group the users. The DefaultGroupIDExtractorImpl can be modified to consider any other claim to group the users.

Please note that the this default extractor doesn’t work with SAML SSO. You need to write a custom implementation using the WSO2ISGroupIdExtractor.java class as an example.

Advertisements

Bulk Importing of API’s to API Manager

In the last post we discussed on a tool that allows an admin to bulk export API’s from WSO2 API Manager. This is a useful tool if you have large number of API’s that needs to be exported. This blog looks at another tool that I have written to import API’s to an API Manager. Bulk importing of API’s may not be as common occurrence as bulk export, in many cases API’s are selectively imported to the API Manager rather than importing everything at once. However you can still identify which API’s to be imported and include them inside a folder where the tool will pick all the API’s inside the folder and import them to the WSO2 API Manager. The source code and instructions on how to run this tool can be found in the following Git Repo.

https://github.com/nadeesha5814/APIBulkImport

 

 

Bulk exporting of API’s in WSO2 API Manager

WSO2 API Manager is really powerful Opensource API Management tool that would allow you to expose, secure, manage and monitor API’s exposed via the API Manager. The product now comes with a nice feature to export/import API’s from and to the API Manager deployment. This feature comes in handy when you want to migrate API’s from one environment to another or when you want to copy an API from one API Manager to another. The feature is exposed as a RESTful API that can be invoked from a REST client, CuRL or a 3rd party script.

The limitation of the current implementation is that it only allows a single API to be exported at once. This is fine for majority of use-cases but there may be some instances where you may have 100’s of API’s and it might not be practical to export each and every API individually. To avoid this situation I have written the following tool that would allow you to do a Bulk export of API’s from the API Manager. The code and the instructions on how to use this tool can  be found in the following GIT repo.

https://github.com/nadeesha5814/APIBulkExport

 

 

Integrating any WSO2 product to the LDAP user store of WSO2 Identity Server

 

Integrating to an external user-store is a feature that is available in the carbon kernel hence all WSO2 products has this feature available. However most of the product distributions are shipped with the product been integrated to a JDBC user-store which is linked to the inbuilt H2 DB.

WSO2 Identity Server which is the Identity and Access Management product of WSO2 has an in-built LDAP user-store. It is possible to integrate any other WSO2 product to this internal LDAP user store of the Identity Server to carry out testing on any cross product scenarios where the user-store needs to be shared with each other. Let’s see how this can be done.

 

In order to get this working you will need a WSO2 Identity Server product. In this case we are using the latest Identity Server version available (5.1.0). We will also need another WSO2 product that needs to integrate to the LDAP of the Identity Server, in this case we will choose WSO2 API Manager (1.10). First of all open the following user-mgt.xml file in the API Manager configuration which can be found in the following location.

<API_Manager_Home>\repository\conf\user-mgt.xml

 

Inside this configuration file you would see the user-store configuration relating to the product. The default product distribution is integrated to the inbuilt H2 Database through the JDBCUserStoreManager. Let’s comment this configuration. Now add the below configuration that would provide details on the remote LDAP instances hosted inside the WSO2 Identity Server. Note that we are setting ‘ConnectionURL’ assuming that the Identity Server runs on localhost.

 

 

In this case we are integrating the API Manager so that it can both read and write from the user-store, it is possible to configure the instance to only read from the external user-store in such a case change the class name to ‘org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager’.

 

Start the Identity Server first and then the secondary WSO2 product (in this case the WSO2 API Manager). You can now see that users which resides in the WSO2 Identity Server is shared with the WSO2 API Manager instance.

 

 

 

Publish custom data from API Manager to WSO2 Business Activity Monitor

WSO2 API Manager provides out of the box integration with WSO2 Business Activity Monitor (WSO2 BAM), this integration would allow API Manager to publish a pre-defined event stream which would be stored, processed and summarized by WSO2 BAM to provide a meaningful set of information in the API Manager dashboard. A case may arise when an organization wants to publish custom data to the WSO2 BAM. For example a user may want to publish some values which are passed in the response message header to WSO2 BAM. In such a case the existing data Publisher needs to be customized to accommodate this custom value. API Manager’s extension mechanism allows you to write your own class to do this. In order to do this you can extend the ‘APIMgtUsageDataPublisher’ class and write your own data publisher. Given below is a custom data publisher written to pass a custom value to the WSO2 BAM. Please note that this is similar to the existing data publisher class with the difference of it using a custom DTO to publish response data.

This custom data publisher refers to a ‘CustomDataBridgeResponsePublisherDTO’ to publish data to WSO2 BAM. Given below is the custom DataBridgeResponsePublisherDTO.

As you could see here, we have add a ‘customValue’ field to the original datastream , and when creating the payload the custom value is included in the payload. In this example we are passing a string as the custom value, this logic can be replaced to pass any other value to WSO2 BAM.

 

Once you have done this changes build the source and add the jar file to the following folder.

<API_Manager_Home>\repository\components\lib

 

Java project file is attached for you to customize the values as required and build (through Maven).

Once this is done lets add the datapublisher class to APIManager.xml file. Lets modify the file to reflect the details of our custom data publisher. Given below is a sample snippet of the file. Notice that the custom data publisher is included as the ‘PublisherClass’ and the version of the response stream has been changed to’1.1.0′.

Now lets look at the changes needed to be done to WSO2 BAM, we need configure WSO2 BAM to expect this new data stream. You can do this by configuring the API Manage toolbox to include this value. The toolbox can be found in the following location.

<API_Manager_Home>\wso2am-1.9.1\statistics

The toolbox is a compressed file (.tbox format) that can be uncompressed, amended and re-compressed backed to a ‘.tbox’ file. I have attached a modified ‘.tbox’ file with this blog. This toolbox is configured to accept the field ‘customValue’ received in the response data stream.

Once you have a modified toolbox you enable statistics from the ‘admin-dashboard’ of API Manager which will automatically install this new toolbox to WSO2 BAM. Please make sure that you have uninstalled any existing API Manager toolbox before doing this.

 

You have now configured to publish a custom data value from WSO2 API Manager to WSO2 BAM

 

Git Project for the this example is given below. Toolbox is also available within this project.

https://github.com/nadeesha5814/Custom_Analytics

Enabling artifact types in WSO2 Governance Registry Publisher and Store UI’s

 

New generation of WSO2 Governance Registry (5.x) releases has its own publisher and store user interfaces to publish and consume assets. Asset owners can publish the assets from the Publisher UI and manage the lifecycle of these assets from this UI, while consumers of assets can discover them from the Store UI. WSO2 Governance Registry currently ships many asset types however not every asset type is enabled in the Governance Registry Publisher and Store UI’s. Let’s take the asset type endpoints. This asset type is available in the default Governance Registry distribution but the Publisher and Store UI’s doesn’t have this asset type. Hence it is not possible to create endpoints from the PublisherUI or consume/view these assets from the Store UI. As you see below the Publisher doesn’t show an asset type endpoint in the Publisher UI.

AssetType-before

To enable the asset in the Publisher lets open the following config file

<G-Reg Home>\repository\deployment\server\jaggeryapps\publisher\extensions\app\greg_publisher\app.js

You will find the following code snippet; remove the asset from the disabledAssets section.

Restart the server, the asset type is now available in the Publisher UI.

AssetType-after

You can also enable a given asset type in the store UI. In order to do this you will need to do the same change in the following file.

<G-Reg Home>\repository\deployment\server\jaggeryapps\store\extensions\app\greg_store\app.js

Role based API Throttling through WSO2 API Manager

If you are already familiar with the WSO2 API Manager you would know that the API Manager provides the capability to apply throttling tiers to an exposed API. A throttling tier is an access limit which is applied to a given API subscription to make sure that API’s are not used over and above the expected level. WSO2 API Manager’s subscription plan is such that an API Subscriber can choose from a set of throttling tiers available to him when subscribing for an API. By default all the throttling tiers are available for all users. 

In real world an organization would want to have control over how users can subscribe and access their API’s. Opening up all the tiers to all users may not be acceptable. In order to address this concern API Manager provides a capability to assign roles to different throttling tiers hence only users belonging to a given role would have access to that particular throttling tier. Lets take the following example. You would have multiple user groups such as internal developers, registered external partners, and guest external partners. You would want to open up your API’s for these users but want to have different plans to these users. For this example we will only be dealing with the existing throttling tiers, based on this I will create the following mapping of user roles to tiers.

Bronze Tier - No Restriction
Silver Tier - All users expect guest external partners
Gold Tier   - Only Internal developers and Admin users
Unlimited   - Only Admin users

These restrictions can be created from the API Publisher’s user interface. In order to do this, login into the Publisher console as a API Publisher. Once you are logged in you will see the ‘Tier Permissions’ link on the left hand navigation panel. Click on the this link. Once you are in the Tier Permission page set the roles to which you need to ‘Allow’ or ‘Deny’ to a given throttling tier.tierPermission

You can Create your own throttling tiers [1] and then define how these tiers should be made available to different application developers using the Tier Permission option provided available in the API Publisher.

[1] https://docs.wso2.com/display/AM191/Adding+new+Throttling+Tiers