Story of the King of CI/CD in WSO2 API Manager
Pop Quiz! Are you looking for answers to the below questions?
- Is the admin the only user role that can perform CI/CD tasks using the WSO2 API Controller?
- How hard is to create a custom user (or a user role) who can perform CI/CD tasks via WSO2 API Controller?
- Who is the new Internal/devops role introduced by WSO2 API Manager 3.2.0 and where it fits in?
If so, this is the perfect place to find answers to the above questions and to clarify all your doubts.
Oops, but let me tell you one thing. This article will not discuss the basic concepts of WSO2 API Controller. You can refer to the official documentation below to learn about the basics of the latest release WSO2 API Controller 3.2.0.
How user roles of WSO2 API Manager relate to WSO2 API Controller?
WSO2 API Controller which is also known as apictl, is a platform-agnostic tool that helps the organizations to perform CI/CD tasks using their custom-built pipelines across API Manager environments. If we simplify this more, we can say like this.
apictl helps to migrate APIs, API Products, Applications with their relevant artifacts (such as Documents, Mediation Sequences, Certificates etc) from one environment (a lower environment) to another environment (an upper environment), by providing a friendly set of commands to execute in a CLI.
To perform a particular set of tasks in any system a user should have a set of permissions with authentication. WSO2 API Manager has scopes and permissions which are bound to user roles so that a user who has a particular user role can perform a limited set of functions that requires the scopes and permissions that match with his/her user role.
For example, in WSO2 API Manager, there are user roles such as admin, Internal/creator, Internal/publisher, Internal/subscriber, and Internal/devops. A user who has the admin role can do any task in the system while a user who has the Internal/subscriber role can perform tasks in the Developer Portal.
Oh yes, you will be thinking now, “How the API Controller comes to this story?”. If someone wants to use the API Controller, first that user needs to be logged into the relevant environment using the below command.
apictl login <environment-name>The user will be prompted to enter the username and the password to get authenticated. So which kind of a user should log in? Let me keep the enthusiasm for a few minutes and let’s understand the history of apictl and the user roles associated with it.
The past journey of the WSO2 API Controller and the user roles
WSO2 API Controller was introduced first as WSO2 API Manager Tooling, which was also known as apimcli. The most popular apimcli version is 2.x which was compatible with WSO2 API Manager 2.6.0. Only two (2) types of users were able to perform tasks using this apimcli as listed below.
- A user with the admin role
- A user with a role that has the API-M Admin, Login, and API Create permissions
To eliminate the drawbacks and the confusions which led to the 1st Question — Is the admin the only user role that can perform CI/CD tasks using WSO2 API Controller?, a new approach was introduced from the next release which is WSO2 API Controller 3.0.0 that was compatible with WSO2 API Manager 3.0.0. Here too, a user with the admin role could perform any task using apictl. Further, a set of scopes and permissions were listed so that, if a person wants to create his own role, he/she can refer to it and create a custom role to perform apictl operations. Refer to the below link for that scopes and permissions list.
With the WSO2 API Controller 3.1.0 which was compatible with WSO2 API Manager 3.1.0, a bunch of new commands and new features were introduced. Those commands made the above list of scopes and permissions more complex which lead to Question 2 — How hard is to create a custom user (or a user role) who can perform CI/CD tasks via WSO2 API Controller?. Refer below for more information.
As the solution, a new role named Internal/devops has been introduced with WSO2 API Manager 3.2.0 + WSO2 API Controller 3.2.0.
Internal/devops, the Guest of Honour!
Let me introduce you to the Guest of Honour, Internal/devops. It is a user role that was introduced by WSO2 API Manager 3.2.0 onwards to assist the WSO2 API Controller customers when deciding whether whom they should use as the apictl user. A user with this role can perform any task associated with CI/CD using the WSO2 API Controller 3.2.0.
Yeah, it is time to follow the steps to use the Internal/devops role.
- Go to the Carbon Management Console (https://<hostname>:9443/carbon ) and login as the admin user.
- Click on Add under the Users and Roles in the left menu as shown below.
3. Now, click on Add New User.
4. Enter the Username and the Password as you wish, and click on Next.
5. Make sure to select Internal/devops and click on Finish.
Congratulations! Now you have successfully created a user named devops with the Internal/devops role.
6. You can log in to the API Manager environment using the API Controller by executing the login command as shown below.
It is time to do the “Tech Talk”!
Hey, are you more techy? Perfect then, now it is time for you. Let me share the secret of Internal/devops with you. Basically, it is the scopes and roles of it. For each and every apictl operation, there is some scope level and some permissions that are required. The Internal/devops role already has those scopes and permissions which makes him the most powerful person when performing CI/CD using the API Manager.
You can find the detailed list of scopes and permissions that are needed to perform CI/CD tasks using WSO2 API Controller 3.2.0. Some of those help Internal/devops to be more invincible.
The scopes, apim:api_import_export, apim:api_product_import_export and apim:app_import_export, are the main required scopes to perform apictl operations. Internal/devops incorporates these three (3) scopes. Further, it has permissions such as API Create, API Publish, API Subscribe, and Login. Three scopes (3) and four (4) permissions make Internal/devops the king.
Answers to the questions
Last but not least, I would like to wrap things up by summarizing the answers to the questions which I mentioned at the beginning.
- Is the admin the only user role that can perform CI/CD tasks using the WSO2 API Controller? Answer — Absolutely not. We have Internal/devops from WSO2 API Manager 3.2.0 onwards.
- How hard is to create a custom user (or a user role) who can perform CI/CD tasks via WSO2 API Controller? Answer — Not hard at all. Just create a user with the king, Internal/devops role.
- Who is the new Internal/devops role introduced by WSO2 API Manager 3.2.0 and where it fits in? Answer — It is the king of CI/CD that was introduced with WSO2 API Manager 3.2.0 onwards, who has three (3) scopes and four (4) permissions.
With these answers, I will be concluding the story of the king of CI/CD, Internal/devops. I hope this article will be more helpful to those who look forward to organizing their CI/CD tasks with WSO2 API Manager using the WSO2 API Controller.
Stay safe everyone! Goodbye until the next time…
