improve route and right specification#70
improve route and right specification#70Martin187187 merged 3 commits intoadmin-shell-io:IDTA-01004-3-1_Workingfrom
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| This work is licensed under a [Creative Commons Attribution 4.0 International License]( | ||
| https://creativecommons.org/licenses/by/4.0/). | ||
|
|
||
| SPDX-License-Identifier: CC-BY-4.0 |
|
|
||
| //// | ||
|
|
||
| = Examples of ROUTEs and HTTP requests |
| The following requests use real path templates from the published AAS Part 2 OpenAPI descriptions. | ||
| They are representative examples for access control decisions on ROUTE objects. | ||
| For client-addressable routes with create-or-replace or upsert semantics, the required right depends on whether the addressed resource already exists. | ||
| In the examples below, `PUT /api/v3/submodels/{id}` and `POST /api/v3/lookup/shells/{someencodedid}` therefore appear under both CREATE and UPDATE with different preconditions. |
| The following requests use real path templates from the published AAS Part 2 OpenAPI descriptions. | ||
| They are representative examples for access control decisions on ROUTE objects. | ||
| For client-addressable routes with create-or-replace or upsert semantics, the required right depends on whether the addressed resource already exists. | ||
| In the examples below, `PUT /api/v3/submodels/{id}` and `POST /api/v3/lookup/shells/{someencodedid}` therefore appear under both CREATE and UPDATE with different preconditions. |
| @@ -0,0 +1,63 @@ | |||
| @startuml | |||
| rectangle "Patch" as V_PATCH | ||
| rectangle "Put" as V_PUT | ||
| rectangle "Post" as V_POST | ||
| rectangle "GetAll" as V_GETALL |
| representations. | ||
| end note | ||
|
|
||
| @enduml No newline at end of file |
| V_DELETE --> H_DELETE | ||
|
|
||
| note bottom of V_GETALL | ||
| Examples in AAS Part 2 also use GET |
There was a problem hiding this comment.
GET? it points to "GetAll". I would remove the comment and explain it in the text only
There was a problem hiding this comment.
i removed this comment.
|
|
||
| [source,http] | ||
| ---- | ||
| POST /api/v3/shells HTTP/1.1 |
There was a problem hiding this comment.
why is it important to add HTTP/1.1?
There was a problem hiding this comment.
you are right. this information is unnecessary. i removed it.
| For client-addressable routes with create-or-replace or upsert semantics, the required right depends on whether the addressed resource already exists. | ||
| In the examples below, `PUT /api/v3/submodels/{id}` and `POST /api/v3/lookup/shells/{someencodedid}` therefore appear under both CREATE and UPDATE with different preconditions. | ||
|
|
||
| === CREATE |
There was a problem hiding this comment.
It was not clear for me from the structure that you assume that the examples in this section all require CREATE Rights. Please add as sentence at the beginning, similar to other sections.
There was a problem hiding this comment.
I added a leading sentence before each RIGHT example section
| POST /api/v3/shells HTTP/1.1 | ||
| ---- | ||
|
|
||
| Example 2: create a new submodel at a client-addressable route by PUT if the addressed submodel does not yet exist. |
There was a problem hiding this comment.
why is it important to sometimes add "client-addressable route" and sometimes just "use collection route" and not "client-addressable collection route"?
There was a problem hiding this comment.
Focus is on the RIGHTs and not on the route paths, so i removed this unnecessary information
|
|
||
| === CREATE | ||
|
|
||
| Example 1: create a new AAS in the repository by POST to a collection route. |
There was a problem hiding this comment.
is "collection route" a technical term? We did not use it so far, do we?
| They are representative examples for access control decisions on ROUTE objects. | ||
| For client-addressable routes with create-or-replace or upsert semantics, the required right depends on whether the addressed resource already exists. | ||
| In the examples below, `PUT /api/v3/submodels/{id}` and `POST /api/v3/lookup/shells/{someencodedid}` therefore appear under both CREATE and UPDATE with different preconditions. | ||
|
|
There was a problem hiding this comment.
I expected examples like
ACCESSRULE:
ATTRIBUTES:
GLOBAL(ANONYMOUS)
RIGHTS: CREATE UPDATE
ACCESS: ALLOW
OBJECTS:
ROUTE "/shells"
ROUTE "/submodels/*"
because it is easier from an example to see what exactly to write as value for ROUTE - is my example correct? It could also be added to the other example file.
So rule above would allow me to execute POST /api/v3/shells and PUT /api/v3/shells as well as POST /api/v3/submodels PUT /api/v3/submodelsand POST /api/v3/submodels/{submodelIdentifier} and so on
There was a problem hiding this comment.
Your example is correct. But be aware that for post {submodelIdentifier} is not needed and for PUT it is needed.
So correct endpoints would be:
- POST /api/v3/shells
- PUT /api/v3/shells/{aasIdentifier}
- POST /api/v3/submodels
- PUT /api/v3/submodels/{submodelIdentifier}
BirgitBoss
left a comment
BirgitBoss
left a comment
There was a problem hiding this comment.
approved although I wish for another ACCESSRULE example and had some questions
Martin187187
left a comment
Martin187187
left a comment
There was a problem hiding this comment.
Thank you @BirgitBoss for your feedback. I answered your questions and applied all your remarks as they were all reasonable!
| V_DELETE --> H_DELETE | ||
|
|
||
| note bottom of V_GETALL | ||
| Examples in AAS Part 2 also use GET |
There was a problem hiding this comment.
i removed this comment.
| They are representative examples for access control decisions on ROUTE objects. | ||
| For client-addressable routes with create-or-replace or upsert semantics, the required right depends on whether the addressed resource already exists. | ||
| In the examples below, `PUT /api/v3/submodels/{id}` and `POST /api/v3/lookup/shells/{someencodedid}` therefore appear under both CREATE and UPDATE with different preconditions. | ||
|
|
There was a problem hiding this comment.
Your example is correct. But be aware that for post {submodelIdentifier} is not needed and for PUT it is needed.
So correct endpoints would be:
- POST /api/v3/shells
- PUT /api/v3/shells/{aasIdentifier}
- POST /api/v3/submodels
- PUT /api/v3/submodels/{submodelIdentifier}
| For client-addressable routes with create-or-replace or upsert semantics, the required right depends on whether the addressed resource already exists. | ||
| In the examples below, `PUT /api/v3/submodels/{id}` and `POST /api/v3/lookup/shells/{someencodedid}` therefore appear under both CREATE and UPDATE with different preconditions. | ||
|
|
||
| === CREATE |
There was a problem hiding this comment.
I added a leading sentence before each RIGHT example section
|
|
||
| === CREATE | ||
|
|
||
| Example 1: create a new AAS in the repository by POST to a collection route. |
|
|
||
| [source,http] | ||
| ---- | ||
| POST /api/v3/shells HTTP/1.1 |
There was a problem hiding this comment.
you are right. this information is unnecessary. i removed it.
| POST /api/v3/shells HTTP/1.1 | ||
| ---- | ||
|
|
||
| Example 2: create a new submodel at a client-addressable route by PUT if the addressed submodel does not yet exist. |
There was a problem hiding this comment.
Focus is on the RIGHTs and not on the route paths, so i removed this unnecessary information
| For example, GET may correspond to READ for full content access or VIEW for reference-only or existence-only access. | ||
| Search-style read operations may also use POST in specific interfaces. | ||
| For endpoints with create-or-replace or upsert semantics, the required right depends on whether the addressed resource already exists. | ||
| For example, `PUT /api/v3/submodels/{submodelIdentifier}` requires CREATE if the addressed submodel does not yet exist and UPDATE if it already exists. |
| Search-style read operations may also use POST in specific interfaces. | ||
| For endpoints with create-or-replace or upsert semantics, the required right depends on whether the addressed resource already exists. | ||
| For example, `PUT /api/v3/submodels/{submodelIdentifier}` requires CREATE if the addressed submodel does not yet exist and UPDATE if it already exists. | ||
| The same principle applies to endpoint-specific POST operations such as `POST /api/v3/lookup/shells/{aasIdentifier}` if the endpoint creates the addressed resource when absent and updates it when present. |
|
|
||
| === READ | ||
|
|
||
| Here are endpoints that can need READ rights to access existing resources or entries in the repository or registry. VIEW right can be used as an alternative for GetAll endpointsif only existence information, references, identifiers, or descriptor entries shall be accessible. |
Martin187187
merged commit 6593f96
into
admin-shell-io:IDTA-01004-3-1_Working
3 participants
closes #58, #56