[Apiman-user] apiman suitable for managing end users?

Tim Dudgeon tdudgeon.ml at gmail.com
Mon Jul 20 15:33:24 EDT 2015


Eric,

Thoughts? Well, what you wrote raises many!

1. So it would seem that the best approach for now at least is to handle 
end user authentication completely separately and just pass through the 
user id?
Or is it possible somehow to use the same keycloak server for this 
(apiman does use keycloak?) so that all users first have to register as 
an end user before they can get "promoted" to service provider or 
developer status within apiman?

2. Automatically assigning roles on registration sounds like a good 
idea, though I suspect that working out how to do this will be tricky as 
there will be lots of different scenarios. I'll raise a JIRA issue on 
this, but will wait a day or so unless anyone else wants to chip in here 
first.

3. By a "generic user registration extension" did you have in mind 
something like a "post registration" (javascript) hook?

Tim

On 20/07/2015 10:09, Eric Wittmann wrote:
> Hi Tim.
>
> Interesting scenario.  The typical scenario is that the apiman UI is 
> only used by service providers and application developers.  End users 
> will typically not use the apiman UI.  However, that doesn't mean 
> apiman can't track end users.  If authentication is enabled (either 
> BASIC or OAuth2), then rate limiting can be configured on a per-user 
> basis.  When you configure the rate limit policy, you can choose 
> "user" as an option and then provide the HTTP header containing the 
> user.  When configuring the authentication policy (which must come 
> first in the policy chain) you would need to enable forwarding of the 
> username.
>
> In addition, the next version of apiman will also include the 
> authenticated user in the metrics data.  This would allow you to query 
> the elasticsearch metrics information by username.  We won't have any 
> specific support in the UI for breaking down metrics by user, at least 
> not right away, but it will be in the data at least.
>
> Of course, you *can* use apiman the way you are suggesting.  But as 
> you observed there are some challenges.  We don't currently have a way 
> to assign roles to users automatically when they register.  It would 
> need to be a feature request I think:
>
> https://issues.jboss.org/browse/APIMAN
>
> I think if we added a very generic "user registration" extension point 
> to apiman, then you could write your own custom handler to do whatever 
> you want.  Such a handler would be invoked the first time a new user 
> logged into apiman.  You could drive off their email address, roles, 
> whatever.  You could also provide a handler via a plugin.
>
> Thoughts?  :)
>
> -Eric
>
>
> On 7/19/2015 7:45 AM, Tim Dudgeon wrote:
>> Hi
>>
>> I've been looking into apiman and like what I see, but have a conceptual
>> question about its usage.
>> I need something to manage the end users of my applications, not just
>> the people who are developing and managing those applications. Is apiman
>> suitable for this? e.g. each actual user of the applications would
>> register to apiman and use their own access keys. I need this as I will
>> want to handle metrics and usage on the level of the individual user.
>>
>> Also, if this was to be a sensible approach, how does one configure the
>> registration process? I understand apiman is using keycloak for this,
>> but I see no link in the UI to configure keycloak. And I would need a
>> way that new users could automatically be assigned to an organisation
>> (e.g. a default organisation, or a specific one based on their email
>> address).
>>
>> Tim
>>
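
The policy-chain ordering described in the thread above (authentication first, forwarding the username in an HTTP header that the per-user rate limit then reads), as an added Python model that is not part of the original messages and is not apiman code. The header name `X-Identity`, the class names, the credentials and the limit of 2 are assumptions made for the illustration.

```python
import base64

USERS = {"alice": "a-pass", "bob": "b-pass"}   # constructed credentials
IDENTITY_HEADER = "X-Identity"                 # assumed header name
LIMIT = 2                                      # requests per user per window


class AuthPolicy:
    """BASIC auth that forwards the authenticated username in a header."""
    def apply(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Basic":
            return 401
        try:
            user, _, password = base64.b64decode(token).decode().partition(":")
        except ValueError:  # bad base64 or bad UTF-8
            return 401
        if USERS.get(user) != password:
            return 401
        # Overwrite, never trust, any identity header sent by the client.
        headers[IDENTITY_HEADER] = user
        return None


class UserRateLimitPolicy:
    """Counts requests per value of the identity header (one fixed window)."""
    def __init__(self):
        self.counts = {}

    def apply(self, headers):
        user = headers.get(IDENTITY_HEADER)
        if user is None:
            return 500  # misconfigured chain: no identity to key on
        self.counts[user] = self.counts.get(user, 0) + 1
        return 429 if self.counts[user] > LIMIT else None


def handle(chain, headers):
    """Run policies in order; the first non-None status stops the chain."""
    headers = dict(headers)  # work on a copy of the client's headers
    for policy in chain:
        status = policy.apply(headers)
        if status is not None:
            return status
    return 200


def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```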


