[katello-devel] Changes in the API

Jason Rist jrist at redhat.com
Tue Jan 17 15:00:50 UTC 2012


On Tue 17 Jan 2012 07:54:44 AM MST, Lukas Zapletal wrote:
>> Why the change to /repositories/repo_id/* ?
>>
>
> Yeah, dunno why I forgot to explain it a bit :-)
>
> All controllers have their "index" actions nested in their parents, for
> example:
>
> /repositories/XYZ/distributions
> /repositories/XYZ/packages
>
> The logic is to find repository first (we store it in the katello db),
> check permissions and then list all the records from Pulp using a simple
> REST call (index action). This is pretty straightforward.
>
> Now, when I want to display details about particular record
> (distribution, errata, package) with our API, I am using the "show"
> action. Those were available directly:
>
> /distributions/XYZ/
> /errata/XYZ/
> /packages/XYZ/
>
> But when I wanted to check for permissions, I need to get its parent
> repository. The logical solution is to change routes and to nest them.
>
> /repositories/R123/distributions/XYZ/
> /repositories/R123/errata/XYZ/
> /repositories/R123/packages/XYZ/
>
> This helps to find the repository itself, but I still need to "pair"
> both objects, because possible attacker could provide a random
> repository that he does not have any access to.
>
> Fortunately the "show" action in the Pulp provides information about
> repository the package (I hope for errata, distribution too) belongs to.
> So there is additional check in the find filter. Pulp provides a list of
> all repositories the package belongs to.
>
> So this is the reason why I need to change those routes. I need to find
> the particular repository to check permission against. Pulp is only able
> to provide me a list, I need the particular one.
>
> I also need to change the CLI commands - there will be an option
> --repo_id or --repository/--environment/--product triple required of
> course.
>
> I hope that explains it a bit. I think those three controllers haven't
> rules implemented in the UI too - I guess you will need something
> similar. Maybe. UI has the session advantage - API is not able to store
> anything, so all information must come in the URL.
>
> LZ
>

Thanks for the explanation.  Very helpful!

-- 
Jason E. Rist
Senior Software Engineer
Systems Management and Cloud Enablement
Red Hat, Inc.
+1.919.754.4048
Freenode: jrist
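The "pair" check Lukas describes above (find the repository, check permission, then verify that the record Pulp returns really belongs to that repository) as an added, self-contained Ruby example; this is not Katello's code, and the names PulpStub-style constants, find_repository and find_package, and the "repoids" field, are assumptions.

```ruby
# Added example (not Katello's own code): the "pair" check from the thread,
# written as a self-contained sketch of a controller find filter.

class NotAuthorized < StandardError; end
class NotFound < StandardError; end

# Constructed stand-in for the katello db: repositories and who may read them.
REPOSITORIES = {
  "R123" => { readers: %w[alice] },
  "R999" => { readers: %w[mallory] },
}

# Constructed stand-in for Pulp's "show" response: each package carries the
# list of repositories it belongs to (the "repoids" field name is assumed).
PULP_PACKAGES = {
  "XYZ" => { "id" => "XYZ", "name" => "bash", "repoids" => ["R123"] },
  "ABC" => { "id" => "ABC", "name" => "vim",  "repoids" => ["R999"] },
}

# Step 1: find the repository on the katello side and check the caller may read it.
def find_repository(repo_id, user)
  repo = REPOSITORIES[repo_id] or raise NotFound, "repository #{repo_id}"
  raise NotAuthorized, "#{user} cannot read #{repo_id}" unless repo[:readers].include?(user)
  repo_id
end

# Step 2: fetch the record from Pulp and pair it with the repository from the URL.
# Without this pairing, a caller who may read R123 could name any package id
# under /repositories/R123/packages/... and read a record from another repository.
def find_package(repo_id, package_id, user)
  find_repository(repo_id, user)
  pkg = PULP_PACKAGES[package_id] or raise NotFound, "package #{package_id}"
  unless pkg["repoids"].include?(repo_id)
    raise NotAuthorized, "package #{package_id} is not in repository #{repo_id}"
  end
  pkg
end

if __FILE__ == $0
  p find_package("R123", "XYZ", "alice")   # allowed: alice reads R123, XYZ is in R123
  begin
    find_package("R123", "ABC", "alice")   # rejected: ABC belongs to R999, not R123
  rescue NotAuthorized => e
    puts e.message
  end
end
```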
