Cloud Endpoints Portal public access

[pierluigi...@revevol.eu]

I've a question regarding the new feature of cloud endpoints portal. 

Right now it doesn't seem possible to let the endpoints portal open to everyone, since it requires the service to be shared with the role "Service Consumer" with single users or google groups.

Using the values "allUsers" or "allAuthenticatedUsers" rise the error:  "Member 'allUsers' is not allowed in role 'roles/servicemanagement.serviceConsumer'."

In my scenario, we use a custom jwt token to let the users access the api, so there's no need to secure the entire portal behind a google account, and it seems to be too much trouble to actually track and add people to the service by hand every time someone needs to use the api.

Is this behavior just temporary for the sake of the beta/alpha or is it permanent ? 

Am I actually missing something about the portal publishing process ? 

thank you everybody for your time :)

[Andrew Gunsch]

Thanks for the feedback!

On Friday, June 15, 2018 at 1:10:16 AM UTC-7, pierluigi...@revevol.eu wrote:

I've a question regarding the new feature of cloud endpoints portal. 

Right now it doesn't seem possible to let the endpoints portal open to everyone, since it requires the service to be shared with the role "Service Consumer" with single users or google groups.

Using the values "allUsers" or "allAuthenticatedUsers" rise the error:  "Member 'allUsers' is not allowed in role 'roles/servicemanagement.serviceConsumer'."

For the portal, permission to view is tied to the same permissions in Cloud Endpoints --- if a user can enable your API (serviceConsumer), then they can also see the portal.

Unfortunately, Cloud Endpoints as a product doesn't allow you to make your API public to all users today.

Right now, that implies that your portal also cannot be made publicly viewable to all users (since that would subvert the restrictions you applied to your API), though we're considering other options here. It's not connected to alpha/beta/GA status for us.

 

In my scenario, we use a custom jwt token to let the users access the api, so there's no need to secure the entire portal behind a google account, and it seems to be too much trouble to actually track and add people to the service by hand every time someone needs to use the api.

One other option in the meantime is that you could use Google groups for authentication --- that is, you can add a Google group as "Service Consumer", and then every member of that group can view the API + portal.

 

Is this behavior just temporary for the sake of the beta/alpha or is it permanent ? 

Am I actually missing something about the portal publishing process ? 

You're not missing anything---that's how the permissions model works today. We're considering options for ways to make certain APIs public in the portal, since as you mention in cases like yours it doesn't necessarily broaden access to your API.

We'll keep this list updated if we make any changes to the permissions model. In the meantime, we're really appreciative of this kind of input.

Best,

- Andrew

[pierluigi...@revevol.eu]

Thank you for the reply :) 

I'll keep myself updated for any updates regarding this topic

[jona...@beliantech.com]

Just to add a +1 to this. Right now Cloud Endpoints isn't ideal for the purpose of marketing an API, letting developers play with the API, etc. 

[caleb....@gmail.com]

+1

For now I'll probably host a public swagger-ui over my API.

On Friday, June 15, 2018 at 1:10:16 AM UTC-7, pierluigi...@revevol.eu wrote:

[mite...@finqware.com]

Hi Andrew,

any idea how this dev portal actually has public access?

https://endpointsportal.endpoints-portal-demo.cloud.goog/

Thank you

regrads

[ma...@bkper.com]

Hi Guys,

Sometimes users just want to take a look to the API resources and documentation quality, in order to even consider adopting the product. 

Why not let the Developer Portal aways public, and only request authentication when user actually try the API, like the API Explorer?

Thanks,

Mael

[Dumitru Taraianu]

Totally agree.
We’re now using the dev portal for our internal use & communication. It would be great to have public access with some restrictions.

Thanks
Regards

--
You received this message because you are subscribed to a topic in the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-cloud-endpoints/-GrnDqyauiI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/b2f7551a-776a-4b0f-850e-4ebe117559f8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Dumitru Taraianu

finqware - devops & infrastructure

mite...@finqware.com

[Mike McDonald]

Hey folks,

Andrew has unfortunately left Google, so I doubt he'll be responding here.

I'm a little surprised that allUsers doesn't work here, as that would be the preferred way to make things public. I can bother some folks and see why this is the case.

We can't make all API portals public, because there are a large category of customers who are using these portals for internal use (e.g. private corp APIs), and set the ACLs to a domain or a group.

Thanks,

--Mike

You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CAJUG1x7UG%2BtJdNpFUB%2BhfjKhfP_HoCO2y1oZa5Gy-YONmLkQMA%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

--

Michael McDonald | Product Manager, Serverless | mpmcd...@google.com | 1-844-THE-FIRE 

[Mael Caldas]

Hi Mike,

Thanks for the update.

Yes, that's makes sense not to be aways public, but allowing a way to make it public explicitly, like setting allUsers, and provide the same experience you provide at your demo here:

https://endpointsportal.endpoints-portal-demo.cloud.goog/

Would be really valuable for our business, since we could have users checking the API and its documentation, without even the need to login.

Best,

Mael

[Mike McDonald]

Yeah, I'm not sure how that's been hacked around, but I'll dig in and see if we can make allUsers work. Given that it looks like we can set IAM policies on individual Endpoints services, I'm surprised allUsers doesn't work (I know it doesn't work at the project level).

Thanks,

--Mike

[Rob Wyrick]

+Franco Ponticelli 

-Rob

To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CANC_gMoZH0DccSJVdmY9LH1zTf_Cq-7d36dYukgy9scxCZEd-A%40mail.gmail.com.

[spaq...@systemsbiology.org]

Just want to add that we have this problem as well - a number of our APIs are *meant* to be public, and not require users to be members of Google Groups / enable the API in a GCP project. We're using Swagger UI for the moment, but it'd be nice to not have to produce an entirely separate documentation set just to provide our users with a way to view the APIs in this manner, when the functionality is clearly already there.

[se...@staked.us]

+1 any movement on this?

[james....@machinemax.com]

@mike do you have an update on this?

[Joan Grau]

There is actually a filed Feature Request for this [1] (filed on March this year), however it has no updates from the Cloud Endpoints team as of yet.

I think it would be also good to add any input or comments there, in order to give more traction to the request. 

[1] https://issuetracker.google.com/127623472

[Rob Wyrick]

+Franco Ponticelli to comment on Portal

-Rob

--

You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/ecc26b58-d9ab-478f-b877-3a92774b4970%40googlegroups.com.

[Alan Peters]

We have looked at making this change but because the authentication is so closely coupled with Cloud Endpoints, this would require large changes for portals. This is not a priority on our roadmap for the next two quarters. 

[ric...@mindloops.nl]

Another +1 for this change. Also I would suggest making more clear in de public Cloud Endpoints docs that currently you can't expose the Developer Portal without Google Authentication.

[nos...@gmail.com]

Yep, because for example we created portal just to find out that it's useless in a few weeks.

[David Van Geest]

I'm using the gRPC to REST transcoding feature of Cloud Endpoints. I assume that at some point, Cloud Endpoints generates OpenAPI documentation from the gRPC. If that's true, is there at least a way to export that OpenAPI documentation from Cloud Endpoints?

[Teju Nareddy]

Unfortunately, no. We generate Google service config from OpenAPI, not the other way around. So for gRPC, OpenAPI documentation is never generated, only Google service config.

[Prateek Malhotra]

I am able to generate swagger definitions using the grpc-gateway project. This project somewhat overlaps ESP (minus the Google service integration) in that it will allow you to serve both gRPC + OpenAPI clients from the same server. I use this to run my gRPC servers on AppEngine (I know this is hacky...)

To generate a swagger definition file from the proto file, run: 

protoc -I. --swagger_out=logtostderr=true:./gen/swagger your/service/v1/your_service.proto

You should be able to generate OpenAPI documentation based on that output. I hope that helps!

Prateek Malhotra

--

You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/2217ea96-a75f-4768-9307-e30c4367bf18%40googlegroups.com.

[David Van Geest]

Prateek, thanks very much. I have just discovered the same thing. It's working for me!

To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/CAB880W%3DBA7-mJRu9%3DxqRgfFg-4pj8%3DcZouLay6bAiKousMemQw%40mail.gmail.com.