[RBAC] [BeAPI] Only API Gateway Admin role can 'import API from topology'
Problem
API Manager > BeAPI > New API > Import API from Topology. Unable to import API from Policy Studio project when using an account that does not have 'API Gateway Administrator' role.
How can API Manager 'Import API from Topology' be done by a non admin role user. (such as 'Policy Developer' or 'API Gateway Operator' roles)
Node Manager trace may contain:
"ERROR RBAC check failed for role(s) <user roles>: on management service : [GET] /api/router/service/instance-1/api/discovery/rest]."
Instance trace may contain:
"ERROR java exception: org.glassfish.jersey.message.internal.MessageBodyProviderNotFoundException: MessageBodyReader not found for media type=text/html, type=interface java.util.List, genericType=java.util.List<com.vordel.apiportal.api.portal.model.swagger.v11ex.Swagger>. at org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$TerminalReaderInterceptor.aroundReadFrom(ReaderInterceptorExecutor.java:231) [...] at com.vordel.apiportal.api.portal.controller.PortalController.getGatewayServices(PortalController.java:998) at com.vordel.apiportal.api.portal.v1_2.APIPortalServices.getGatewayServices(APIPortalServices.java:559)"
Resolution
The following modification has to be done by respecting the JSON syntax of the files.
The file to modify is located under {apiagteway_home}/conf/
In this example, we want to add a capability to an existing role that will be able to import an API Manager BeAPI using option Import API from Topology.
In acl.json, in section "roles" find the non admin role you want to add the capability too.
ex: find "API Server Operator".
Inside the brackets add additional permission "discovery" to the end of the list, (be sure to add an additional comma)
Restart node manager to apply modification, then try the import from topology operation using a user that has the modified role.