Can I define a new throttling tier like: "unlimited use for 30 days"?
<wsp:Policy>
    <throttle:ID throttle:type="ROLE">30-days</throttle:ID>
    <wsp:Policy>
        <throttle:Control>
            <wsp:Policy>
                <throttle:MaximumCount> ? </throttle:MaximumCount>
                <throttle:UnitTime> ? </throttle:UnitTime>
            </wsp:Policy>
        </throttle:Control>
    </wsp:Policy>
</wsp:Policy>
EDIT: the goal is to make the subscription of a certain API for a certain user "expire" after 30 days... is it possible?
You can't specify your requirement with the two parameters MaximumCount and UnitTime in a policy file. The solution as of now for your requirement would be to publish your API using the predefined Unlimited tier in the API Publisher, and manually remove it from the API gateway by changing the life cycle state of the API from Published to Created after a month's time.
Per this documentation, Addendum: Service account authorization without OAuth, it says:
If the API you want to call has a service definition published in the Google APIs GitHub repository, you can make authorized API calls using a JWT instead of an access token
I see Google Cloud Storage published on that GitHub repository, but I cannot seem to get a file on Google Cloud Storage with the approach in the documentation. According to the JWT header and payload example shown in step 3 of the documentation, I made the following adjustments:
Change kid from abcdef1234567890 to my service account private_key_id
Change iss and sub to my service account client_email
Change aud to https://storage.googleapis.com/
Change iat and exp to now and now + 1 hour
I use the signed JWT as a bearer token trying to get a file from http://storage.googleapis.com/<bucket>/path/file, but I keep getting this response:
<?xml version='1.0' encoding='UTF-8'?><Error><Code>AuthenticationRequired</Code><Message>Authentication required.</Message></Error>
Can we really use this approach with Google Cloud Storage? Am I doing anything wrong?
Note that I can access the file with an OAuth access_token when following another approach described on the same documentation page, but I prefer not to make a request to get an access_token first before making a request to get the file.
I drew the same conclusion as you from reading this documentation, but it doesn't work for me either on Google Cloud Storage.
It does work on some services like Google Cloud Pub/Sub.
I also confirmed that the Google Cloud SDK doesn't use the "Service account authorization without OAuth" method for GCS, but it does for Pub/Sub.
For example in the Node.js SDK, the variable determining whether or not to use this method is useSelfSignedJWT in google-auth-library:
const useSelfSignedJWT =
(!this.hasUserScopes() && url) ||
(this.useJWTAccessWithScope && this.hasAnyScopes());
A service like Pub/Sub that supports self-signed JWT sets useJWTAccessWithScope = true, but GCS doesn't set this variable.
That being said I forced the GCS SDK to use self-signed JWT and got it to work that way!
const { Storage } = require('@google-cloud/storage')
const storage = new Storage({
  keyFilename: 'service-account-key.json'
})
storage.authClient.useJWTAccessWithScope = true
// Use client and watch how it doesn't call the OAuth2 endpoint,
// and requests are still successful.
The interesting thing to note is that the self-signed JWT that the Google SDK generated is a bit different from what they document for Service account authorization without OAuth:
{
"iss": "service-account@project.iam.gserviceaccount.com",
"sub": "service-account@project.iam.gserviceaccount.com",
"scope": "https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/devstorage.full_control",
"exp": 1234567890,
"iat": 1234567890
}
Whereas their documentation says to use an aud field and doesn't mention scopes:
{
"iss": "123456-compute@developer.gserviceaccount.com",
"sub": "123456-compute@developer.gserviceaccount.com",
"aud": "https://firestore.googleapis.com/",
"iat": 1511900000,
"exp": 1511903600
}
So you can set a scope field with a valid OAuth scope, e.g. for GCS. This did work for me on GCS, and it might work for other APIs that don't accept self-signed tokens with aud.
I want to change the expiration time of JWT token created in WSO2 Api Manager.
It seems that the default time is 15 minutes.
{"typ":"JWT","alg":"none"}.
{
"iss": "wso2.org/products/am",
"exp": 1464255150998,
...
}
From this link - Wso2 Jira - APIMANAGER-3493 , it seems that we can use "SecurityContextTTL" property in /repository/conf/api-manager.xml under APIKeyManager to change the expiration time of the JWT.
But I could not find this setting available in api-manager.xml (not even as a commented out configuration). I am using wso2am-1.9.1.
Is this property removed from the configurations? If yes, then how can we change the expiration time of the JWT?
Is there any documentation available mentioning this property and its usage?
Any pointers are appreciated. Thanks.
It should be applied as follows, under APIKeyValidator section,
<APIKeyValidator>
<SecurityContextTTL>5</SecurityContextTTL>
</APIKeyValidator>
But as per the Jira you mentioned, it seems there is a bug in this version.
WSO2 has fixed this in the next version (2.0.0), using a new property, see [1].
[1] https://wso2.org/jira/browse/APIMANAGER-4575
I'm creating an API using the 1.10.0 new Rest API. Below are some of the parameters I'm sending:
body.setTransport(createList("http", "https"));
body.setApiDefinition("{\"paths\":{\"/*\":{\"post\":{\"x-auth-type\":\"None\",\"responses\":{\"201\":{\"description\":\"Created\"}},\"x-throttling-tier\":\"Unlimited\"},\"get\":{\"x-auth-type\":\"None\",\"responses\":{\"200\":{\"description\":\"OK\"}},\"x-throttling-tier\":\"Unlimited\"},\"delete\":{\"x-auth-type\":\"None\",\"responses\":{\"200\":{\"description\":\"OK\"}},\"x-throttling-tier\":\"Unlimited\"},\"put\":{\"x-auth-type\":\"None\",\"responses\":{\"200\":{\"description\":\"OK\"}},\"x-throttling-tier\":\"Unlimited\"}}},\"swagger\":\"2.0\",\"info\":{\"title\":\"" + providerApi.getName() + "\",\"version\":\"1.0.0\"}}");
body.setTiers(createList("Unlimited"));
body.setVisibility(VisibilityEnum.PUBLIC);
body.setVisibleRoles(createList());
So the API is created as Unlimited/PUBLIC.
I changed all three default tiers configuration files:
./opt/wso2am-1.10.0/repository/resources/default-tiers/default-res-tiers.xml
./opt/wso2am-1.10.0/repository/resources/default-tiers/default-app-tiers.xml
./opt/wso2am-1.10.0/repository/resources/default-tiers/default-tiers.xml
To allow 10000 requests per minute for Unauthenticated role.
<throttle:ID throttle:type="ROLE">Unauthenticated</throttle:ID>
<wsp:Policy>
<throttle:Control>
<wsp:Policy>
<throttle:MaximumCount>10000</throttle:MaximumCount>
<throttle:UnitTime>60000</throttle:UnitTime>
</wsp:Policy>
</throttle:Control>
</wsp:Policy>
</wsp:Policy>
Yet after sending 60 requests per minute, the API responds with status code 429 and the error log indicates that the quota was exceeded...
After each change I re-started the APIM gateway and re-created the API's, just in case.
Any idea why the 10000 limit is not honored by the gateway?
API Manager reads those files only on the very first startup of the server and copies their content to the registry; thereafter, API Manager won't check these files for any updates.
You have to update your policies in the registry.
Use the Registry browser through Management Console and navigate to following location /_system/governance/apimgt/applicationdata. You can see the tier xml file.
Log in to the APIM management console (https://:9443/carbon) and select Browse under Resources.
Navigate to /_system/governance/apimgt/applicationdata
You will see app-tiers.xml, res-tiers.xml, tiers.xml.
I am getting the following response while trying to access my API endpoint:
<am:fault xmlns:am="http://wso2.org/apimanager">
<am:code>101504</am:code><am:type>Status report</am:type>
<am:message>Runtime Error</am:message>
<am:description>Send timeout</am:description>
</am:fault>
Kindly suggest what went wrong.
Lucas, it is exactly what it says: it looks like the backend service is only available intermittently, so when it is not available you get the timeout reported by the gateway.
Just add a header to accept text/xml:
'content-type': 'text/xml'
I had the same issue and the solution was to increase the Endpoint Timeout from the API Manager as described here:
https://apim.docs.wso2.com/en/latest/design/endpoints/resiliency/endpoint-timeouts/
Sign in to the API Publisher Portal.
https://:9443/publisher
Example: https://localhost:9443/publisher
Use your username and password to sign in.
Click on an API in the API Publisher Portal listing page.
Click Endpoints under API Configurations.
Click on the cogwheel, which is inline with the endpoint that you need to configure, and update the endpoint related configurations as required.
Go to Advanced Endpoint Configurations.
Increase the Connection Timeout value.
We're looking to replace an existing API manager with wso2 and one of the features of the other platform is that we can identify a 'user' of the API at run time and have the throttling work.
The 'user' is not OAuth identified; rather they authenticate via the API and a session id is returned (so they've never registered at a 'store'). This session id is then used to set up the throttling at the API Manager. Additionally, the other tool has code to look for the user logging in and uses that id in the throttling, so if a user tries to log in too many times per hour the API manager blocks the request, in addition to too many requests for a logged-in user per hour. The combinations of login attempts, API calls etc. are summed into the throttle. (All this was implemented by their services team years ago.)
The main reason we need this is we don't want to force our old clients to go to OAuth immediately but want much more visibility, reporting and throttling.
Thoughts on how to do this with wso2? I see where we can add our own Handlers to the API to figure out session ids, login ids etc. but I don't see where to create the logic to do the throttling.
Thanks,
Chris
Log in to Carbon and edit the tiers.xml (/_system/governance/apimgt/applicationdata/tiers.xml). You can find the section <throttle:ID throttle:type="ROLE">Unauthenticated</throttle:ID>