[Pki-devel] Proposed RESTful interface to dogtag

Adam Young ayoung at redhat.com
Tue Oct 18 02:33:03 UTC 2011 

On 10/17/2011 10:00 PM, Jack Magne wrote:
> On 10/17/2011 05:35 PM, Adam Young wrote:
>> On 10/17/2011 08:10 PM, Jack Magne wrote:
>>> On 10/17/2011 01:18 PM, Ade Lee wrote:
>>>> Hi all,
>>>>
>>>> I tried to put this on the dogtag wiki, but it did not seem to work.
>>>> Will chat with Matt.
>>>>
>>>> In the meantime, here is a copy for you guys to look at and comment on.
>>>> It has most everything except the installation servlets and token
>>>> operations (for which I need to think about the object model).  If you
>>>> look at the mapped servlets, you'll get a sense of what operations are
>>>> covered in each URL mapping.
>>>>
>>>> This is a first cut -- hopefully a good starting point for discussion.
>>>> So please comment away!
>>>>
>>>> Ade
>>>>
>>>>
>>>>    
>>>>
>>>>
>>>> _______________________________________________
>>>> Pki-devel mailing list
>>>> Pki-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-devel
>>>>    
>>> Thanks Ade. Just a few questions after having a look.
>>>
>>> 1. I noticed we have the following key related resources:
>>>
>>>
>>> PUT         /pki/key     "Add a key"
>>>
>>> POST      /pki/key      "Modify a key"
>>>
>>> In my quick readings, it appeared that the POST method was favored 
>>> for creating brand new resources where PUT was used to modify 
>>> existing ones?
>> I think you have it backwards.  PUT is the normal way for creating 
>> things. The POST operation is very generic and no specific meaning 
>> can be attached to it.  In general, use POST when only a subset of a 
>> resource needs to be modified and it cannot be accessed as its own 
>> resource; or when the equivalent of a method call must be exposed.
>>
>> http://developer.mindtouch.com/REST/REST_for_the_Rest_of_Us  says 
>> this about POST:
>>
>> " usually either create a new one, or replace the existing one with 
>> this copy, where as POST is kinds of a catch all.  "
>>
>> We could possibly use PUT for both add and modify if we wanted.
>>
> My bad. I guess I chose to read a conflicting article on this subject:
>
>
> http://www.ibm.com/developerworks/webservices/library/ws-restful/
>
> where it says the following:
>
>   * To create a resource on the server, use POST.
>   * To retrieve a resource, use GET.
>   * To change the state of a resource or to update it, use PUT.
>   * To remove or delete a resource, use DELETE.
>
> Perhaps I was further thrown off about the discussions I've seen about 
> the idempotence property of PUT, whereby if you replay the same 
> request more than once, you get the same result as the first time. 
> Where in POST, if you repeat the exercise multiple times, you will get 
> a list of new resources. Perhaps you could speak a little to that subject.
>
> I think I see now why he would chose PUT to create a key, because PUT 
> replaces the entire resource, and POST can be used to replace part of 
> a resource. If we were to modify a key or a request for a key, I'm 
> guessing we would not replace the entity entirely.

We are all learning this stuff, and I had a little too narrow a view 
before this discussion.  One other resource I read states that you 
should use POST for anything that would not be idempotent:  thus,  PUT 
to create makes sense if you know the name to PUT it into, but you would 
use POST for creating a new identifier.  So, I think that agrees with 
what you are saying.

So, yeah, I think you would PUT a key, assuming that the the PUT 
provides also the name of the key.  You would POST a CSR to get a 
Certificate (in a simplified view)  as the Certificate would get a 
Serial number, and that would be the unique ID.

I guess for creating a user, it would depend on if you were assigning 
the numeric UID whether it would be POST of a PUT.


I've a lot to learn about the Domain model here, so I'll let myself be 
guided by you guys as far as what the appropriate behavior of the 
business objects should be.



>
>
>
>
>>
>> I tend to favor making objects immutable, and to replacing whole 
>> objects when possible.  However, I know that is not always possible, 
>> especially when working with a pre-existing API.  So I'd say lets try 
>> to stick to PUT semantics where possible, but deliberately use POST 
>> when we are making finer grain API calls.
>>
>>>
>>> I also noticed that you have two GET versions of "pki/key". Is that 
>>> kind of duplication encouraged? Or is that really just the same api 
>>> entity with different input payloads?
>>>
>>> 2. You suggested I take a look at some of the TKS TokenServlet 
>>> stuff. I noticed that we have a simple short list of servlets that 
>>> appear to return very short lived resources. Examples being, session 
>>> keys , encrypted data , and a block of randomly generated data.
>>>
>>> I would imagine it would be a POST op like something as follows:
>>>
>>> POST /pki/tks/sessionKey   , which would return a link to the key 
>>> itself? But does it make sense to have a "resource" for something so 
>>> short lived, or does this concept even belong in such a design?
>>
>> In general, REST works best if the service is stateless.  Session 
>> based information should be minimized if possible.
> Perhaps REST is not the way to go in the token space due to the nature 
> of the beast.
>
>>
>>
>>>
>>> 3. I was just curious about the Java back-end for this design. Will 
>>> we be using the JAX-RS stuff that provides annotations in the java 
>>> code in order to hook all of this up?
>>
>> I am not a fan of annotations.  Under other circumstances, I might be 
>> prone to say "well, that is the way of the world" and go with JAX-RS, 
>> but since we don not yet have a set of Entity objects that would 
>> drive the JAX-RS, I am more prone to  look at other alternatives.  
>> THere are good libraries for serializing to JSON or XML  that should 
>> be sufficient for our needs, and that will keep us from having to 
>> make our API  conform to JAX-RS.  So my inclination is to say no to 
>> JAX-RS to start.
>>
>>>
>>> thanks,
>>> jack
>>
>
> Thanks for the clarifications!
>>
>> Ade's document has founds its way into the wiki world:
>>
>> http://pki.fedoraproject.org/wiki/Dogtag_Future_Directions
>>
>>
>> I might have made some Wiki errors in translation.   If this 
>> contradicts Ade's spreadsheet, assume the spreadsheet is Canonical.
>>
>>
>>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>>    
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20111017/d21f6fc1/attachment.htm>

More information about the Pki-devel mailing list