Improve description of Reader role #7583

Closed
idlewis opened this issue Sep 17, 2024 · 10 comments · Fixed by #7618

@idlewis
Member

idlewis commented Sep 17, 2024

https://openliberty.io/docs/latest/reference/feature/restConnector-2.0.html
This page describes Liberty's reader user role, but doesn't make it sufficiently clear the level of access that this role provides.

Where the page currently states:
Users who are in the reader role can monitor the server ...
I'd like to change it to say something like:
Users who are in the reader role have the same permissions to monitor the server as the users in the administrator role ...

@mingcyu
@leochr
Thoughts welcome on the wording

@dmuelle dmuelle added this to the 24.0.0.10 milestone Sep 17, 2024
@ramkumar-k-9286 ramkumar-k-9286 self-assigned this Sep 17, 2024
@ramkumar-k-9286
Contributor

ramkumar-k-9286 commented Sep 17, 2024

@idlewis
Based on the comment, the proposed change in the paragraph:

When the REST connector feature is enabled, you can configure management roles for your Open Liberty server. These roles grant users and groups that are defined in a user registry access to select administrative REST APIs. You can use any supported user registry.

  • Administrator role: Grants users read and write access to administrative REST APIs, including modifying their configuration or settings.

  • Reader role: Grants users the same permissions to monitor the server as in the administrator role, but without the ability to modify any configuration or settings. The role is restricted to read-only access to administrative REST APIs.

The following example maps users and groups that are defined in a basic user registry to the reader and administrator roles.
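
The role mapping described in the proposed paragraph, as an added example that is not part of this issue thread or of the Open Liberty documentation: a `server.xml` fragment that assigns registry users and groups to the two management roles. The user names, group name and password placeholders are constructed for illustration.

```xml
<server description="restConnector management roles (illustrative)">

    <featureManager>
        <feature>restConnector-2.0</feature>
    </featureManager>

    <!-- Constructed sample registry; every name here is an assumption.
         Replace the placeholders with values produced by the
         securityUtility encode command rather than clear-text passwords. -->
    <basicRegistry id="basic" realm="basicRealm">
        <user name="opsAdmin" password="ENCODED_PASSWORD_PLACEHOLDER"/>
        <user name="monitorSvc" password="ENCODED_PASSWORD_PLACEHOLDER"/>
        <user name="auditor1" password="ENCODED_PASSWORD_PLACEHOLDER"/>
        <group name="auditors">
            <member name="auditor1"/>
        </group>
    </basicRegistry>

    <!-- Read and write access to the administrative REST APIs. -->
    <administrator-role>
        <user>opsAdmin</user>
    </administrator-role>

    <!-- Access to the read-only REST APIs. Members can monitor the server
         with the same visibility as an administrator, so this list is
         reviewed as carefully as the administrator list. -->
    <reader-role>
        <user>monitorSvc</user>
        <group>auditors</group>
    </reader-role>

</server>
```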

@ramkumar-k-9286
Contributor

Hi Ian @idlewis

Changes made to the description as suggested.

Draft Link: https://docs-draft-openlibertyio.mqj6zf7jocq.us-south.codeengine.appdomain.cloud/docs/latest/reference/feature/restConnector-2.0.html

Please review the same and add the Developer Reviewed label if you are satisfied with the changes.

Regards,
Ramkumar

CC @dmuelle

@idlewis
Member Author

idlewis commented Sep 18, 2024

One further comment. This sentence from your draft:
The role is restricted to read-only access to administrative REST APIs.
I think it might be better phrased as:
The reader role restricts access to REST APIs that are considered read-only.
This is consistent with the way this idea is stated in the WebSphere Liberty docs

@ramkumar-k-9286
Contributor

@idlewis

Quick question based on your comment above.

Does the role determine the kind of access you have to a given API, or does the API itself determine which roles can access it?

The way you drafted the sentence suggests that the API determines which roles can access it. Is that the case?

CC @dmuelle

@idlewis
Member Author

idlewis commented Sep 18, 2024

The administrator role can access all APIs.
The reader role can access a subset of those APIs.
The APIs which the reader role can access provide read-only actions.
The extra APIs which the administrator role can access provide read/write actions.
Sorry, it is a bit hard to describe, I hope that helps.

@idlewis
Member Author

idlewis commented Sep 18, 2024

> the API determines which roles can access it. Is that the case?

Yes, I think that is accurate.

@ramkumar-k-9286
Contributor

@idlewis

> One further comment. This sentence from your draft:
> The role is restricted to read-only access to administrative REST APIs.
> I think it might be better phrased as:
> The reader role restricts access to REST APIs that are considered read-only.
> This is consistent with the way this idea is stated in the WebSphere Liberty docs

Would this be ok?
The reader role provides access to REST APIs that are considered read-only. Users in this role can monitor the server, but cannot modify it in any way.

CC @dmuelle

@idlewis
Member Author

idlewis commented Sep 19, 2024

I think that should be okay. Could you update the draft so that I can review it in context?

ramkumar-k-9286 added a commit that referenced this issue Sep 19, 2024
7583-Improve description of Reader role-2

#7583
@ramkumar-k-9286
Contributor

Hi Ian @idlewis

I've made the suggested changes.

Draft Link: https://docs-draft-openlibertyio.mqj6zf7jocq.us-south.codeengine.appdomain.cloud/docs/latest/reference/feature/restConnector-2.0.html

Please review the same and add the Developer Reviewed label if you are satisfied with the changes.

Regards,
Ramkumar

CC @dmuelle

@dmuelle
Member

dmuelle commented Oct 2, 2024

@ramkumar-k-9286 - looks good, please open a PR to staging
