[katello-devel] Changes in the API

Lukas Zapletal lzap at redhat.com
Tue Jan 17 14:54:44 UTC 2012


> Why the change to /repositories/repo_id/* ?
>

Yeah, dunno why I forgot to explain it a bit :-)

All controllers have their "index" actions nested in their parents, for
example:

/repositories/XYZ/distributions
/repositories/XYZ/packages

The logic is to find repository first (we store it in the katello db),
check permissions and then list all the records from Pulp using a simple
REST call (index action). This is pretty straightforward.

Now, when I want to display details about particular record
(distribution, errata, package) with our API, I am using the "show"
action. Those were available directly:

/distributions/XYZ/
/errata/XYZ/
/packages/XYZ/

But when I wanted to check for permissions, I need to get its parent
repository. The logical solution is to change routes and to nest them.

/repositories/R123/distributions/XYZ/
/repositories/R123/errata/XYZ/
/repositories/R123/packages/XYZ/

This helps to find the repository itself, but I still need to "pair"
both objects, because a possible attacker could provide a random
repository that he does not have any access to.

Fortunately the "show" action in Pulp provides information about the
repository the package (I hope for errata and distribution too) belongs to.
So there is an additional check in the find filter. Pulp provides a list of
all repositories the package belongs to.

So this is the reason why I need to change those routes. I need to find
the particular repository to check permission against. Pulp is only able
to provide me a list; I need the particular one.

I also need to change the CLI commands - there will be an option
--repo_id or --repository/--environment/--product triple required of
course.

I hope that explains it a bit. I think those three controllers haven't got
rules implemented in the UI either - I guess you will need something
similar. Maybe. The UI has the session advantage - the API is not able to
store anything, so all information must come in the URL.

LZ

-- 
Later,

 Lukas Zapletal | E32E400A
 RHN Satellite Engineering
 Red Hat Czech s.r.o. Brno
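The "find filter" logic described in the message above, written out as an added Ruby example (this is not Katello's or Pulp's own code). It assumes constructed in-memory stand-ins for the Katello repository table (REPOSITORIES) and for Pulp's package "show" response (PULP_PACKAGES, whose repoids field plays the role of the repository list Pulp returns); the function names show_package, find_repository, authorize_read! and find_package_in_repo are hypothetical. The unpaired variant is included only to show what the pairing check adds.

```ruby
require 'set'

# Constructed stand-in for the Katello DB: repository id -> record listing
# which users may read it. Real Katello would consult its permission model.
REPOSITORIES = {
  'R123' => { id: 'R123', readers: Set['alice'] },
  'R456' => { id: 'R456', readers: Set['bob'] },
}.freeze

# Constructed stand-in for Pulp's package "show" response. As in the message,
# each package carries the list of every repository it belongs to.
PULP_PACKAGES = {
  'P1' => { id: 'P1', name: 'bash',    repoids: ['R123'] },
  'P2' => { id: 'P2', name: 'openssl', repoids: ['R456'] },
  'P3' => { id: 'P3', name: 'zlib',    repoids: ['R123', 'R456'] },
}.freeze

class NotFound < StandardError; end
class Forbidden < StandardError; end

# Step 1: the nested route /repositories/:repo_id/packages/:id supplies
# repo_id, so the repository is looked up in our own DB first.
def find_repository(repo_id)
  REPOSITORIES.fetch(repo_id) { raise NotFound, "repository #{repo_id}" }
end

# Step 2: the permission check is made against that repository.
def authorize_read!(user, repo)
  return if repo[:readers].include?(user)
  raise Forbidden, "#{user} may not read repository #{repo[:id]}"
end

# Step 3: fetch the record from Pulp and "pair" it with the repository:
# the package must list the repository we just authorized against.
# A mismatch is reported as NotFound so the response does not confirm that
# the package exists somewhere else.
def find_package_in_repo(repo, package_id)
  pkg = PULP_PACKAGES.fetch(package_id) { raise NotFound, "package #{package_id}" }
  unless pkg[:repoids].include?(repo[:id])
    raise NotFound, "package #{package_id} in repository #{repo[:id]}"
  end
  pkg
end

# The "show" action with all three steps in order.
def show_package(user, repo_id, package_id)
  repo = find_repository(repo_id)
  authorize_read!(user, repo)
  find_package_in_repo(repo, package_id)
end

# Steps 1 and 2 only: the repository is authorized, but the package is
# returned without confirming it belongs to that repository. Any caller with
# read access to some repository can then reach packages of any other one.
def show_package_without_pairing(user, repo_id, package_id)
  repo = find_repository(repo_id)
  authorize_read!(user, repo)
  PULP_PACKAGES.fetch(package_id) { raise NotFound, "package #{package_id}" }
end

if __FILE__ == $PROGRAM_NAME
  puts show_package('alice', 'R123', 'P1')[:name]                 # bash
  begin
    show_package('bob', 'R456', 'P1')
  rescue NotFound => e
    puts "paired lookup refused: #{e.message}"
  end
  puts show_package_without_pairing('bob', 'R456', 'P1')[:name]   # bash
end
```

The order matters: the repository lookup and permission check run before anything is fetched from Pulp, and the pairing check is what ties the authorized repository to the record actually returned. Returning NotFound for a mismatched pair keeps the API from revealing whether a package id exists in a repository the caller cannot read.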
