That's not part of the schema, it's just a name given to the top level query, you can pick any names you want in that syntax as long as children queries are part of the graphql.
Original Message:
Sent: Oct 10, 2024 04:39 AM
From: Michael Mueller
Subject: Evaluate JSON Path Expression Assertion (V1) migration
Hi Francois.
Thank you very much for providing the collection and your comprehensive description.
I was hoping to get something which does a reverse dependency search for policyFragments to find services that are using these policies.
However, this example provides some great insides.
While writing this response and looking into the details how this collection is working, I am recognizing, that it easily can be enhanced to fulfill my request as well, due to the generic nature of the GraphQL based graphman API.
I already start thinking about an additional graphman-client command, which would provide the same kind of functionality.
I am wondering a little about that the API query named "depencySummary". It is not referenced in any of the public available schemas. And even when asking graphman for its schema it is not included. So obviously somehow a hidden feature ?
This collection will definitively help and support me , in building what I am looking for.
Thanks again.
Very much appreciated, as always :)
Kind regards
...Michael
Original Message:
Sent: Oct 09, 2024 02:52 PM
From: Francois Lascelles
Subject: Evaluate JSON Path Expression Assertion (V1) migration
Hi Michael,
Here's a tool to generate a report of reverse dependencies. The report is generated using a graphman query and a basic/extendable js. Those two things are packaged together in a postman collection but could be used outside postman in a different tool if you need. Created and tested against 10.1 cr4.
The output gives you a reverse-dependency report for encass and cwp. It lists all of them including ones that are used and unused, but could easily be tweaked to only show unused if you want to just focus on that. Please let me know if you have questions.
(this doc is copied from the attached collection collection)
Reverse Dependency Analyzer Sample
This Postman collection shows how to get a graphman summary from a L7 gateway and produce a reverse dependency analysis report for the following configuration entity types:
This has been designed for, and tested against gateway version 10.1 CR4
Out-of-scope:
Getting started
After importing the collection into your postman client, adjust the graphman target and credentials. Open the Analyze reverse dependencies "request" and substitute the default https://localhost:8443/graphman with the target of the gateway you want to analyze and select the Authorization tab and substitute the admin/7layer credentials to the admin credentials of the target gateway.
Understanding the output
This collection includes a graphman query with the relevant information to analyze. The resulting reverse-dependency report will render in the console output. The graphman response displayed in Postman itself does not contain the reverse dependency report but rather the graphman response including the forward dependency response. You can open the console using the shortcut Option-Command-C (on Mac).
In the output below, the report shows that the encapsulated assertion configuration "encasa" is used in the webApiServices rest1 and rest2, as well as the cluster wide property cwpa is also a dependency of the same two services.
Entities that don't have reverse-dependencies (that can safely be deleted) will show up in the report with an empty reverseDependencies property.
"reverseDependencies": {}
You can save this report from the console to a file in your workstation and search for an entity of interest to determine how it is included in services. You can also search {} to find all entities that are not included by any service (presumably to determine safe deletion).
Original Message:
Sent: Oct 08, 2024 11:46 PM
From: Michael Mueller
Subject: Evaluate JSON Path Expression Assertion (V1) migration
Hi @Ben Urbanski.
That's exactly what I was looking for. Thanks a million for this confirmation !
Yes please, I would be very interested in the script/procedure you mentioned to do a kind of reverse-dependency search.
Thanks in advance.
...Michael
Original Message:
Sent: Oct 08, 2024 01:02 PM
From: Ben Urbanski
Subject: Evaluate JSON Path Expression Assertion (V1) migration
Hello @Michael Mueller,
Yes, the XML representation of the v1 and v2 assertions is the same with the exception of the tag, and the fact that v2 can select a specific evaluator which would add an additional element not supported by v1. However, you should be able to convert from v1 to v2 by just changing the tag. And then, of course, do proper testing :)
Regarding reverse dependency searches, we have demonstrated something similar for specific entity types using Graphman and a script. We can share this example if you like.
------------------------------
Ben Urbanski
Product Manager, API Gateway
Layer7 API Management
Original Message:
Sent: Oct 07, 2024 02:38 AM
From: Michael Mueller
Subject: Evaluate JSON Path Expression Assertion (V1) migration
Hi @Ben Urbanski
RBAC based roles will help. Perfect advice !
I was already using the XML-code representation to identify policies and services to be migrated.
The current count of entities is 655. This number of affected code entities motivates us to look for different migration approaches, rather then doing it manually by Policy Manager.
I'd like o get a confirmation, if the XML-code representation of this assertion only differs in their surrounding XML - tag
Version 1 : EvaluateJsonPathExpression
Version 2 : EvaluateJsonPathExpressionV2
If so, we could do a simple string-replace exercise, and hence automate the migration.
In regards to the necessary regression tests. I would be interested in a kind of reverse dependency search.
Something like, find all services where a policy (e.g. policyFragment) is in use. A Referenced-by search ...
Any idea?
Thank you
Kind regards
...Michael
Original Message:
Sent: Oct 03, 2024 10:17 AM
From: Ben Urbanski
Subject: Evaluate JSON Path Expression Assertion (V1) migration
Hello @Michael Mueller,
The only way to prevent a user from using the V1 assertion would be via RBAC. A role could be created that allowed all but that assertion. A user with that role would not see that assertion in the palette.
For migration of existing policies, I might suggest using Graphman with Policy as Code to identify all policies that use the V1 assertion. However, Policy as Code may not be ready for automatically switching the assertion to V2 (its initial scope was focused on a handful of assertions, and does not support the import of all assertions).
Knowing which policies have the V1 assertion, you could replace them with the V2 assertions using Policy Manager. In most cases, the configuration and behavior of both will be the same. However, you should regression test these policies after making the change to be sure.
Regards,
------------------------------
Ben Urbanski
Product Manager, API Gateway
Layer7 API Management
Original Message:
Sent: Sep 24, 2024 03:05 AM
From: Michael Mueller
Subject: Evaluate JSON Path Expression Assertion (V1) migration
Dear Team.
I hope this is not a duplicate post.
We recognized the announcement, that the Evaluate JSON Path Expression Assertion (V1) is flagged as deprecated in the release notes of Gateway version 11.1 here: Deprecated Features and Support (broadcom.com)
Additionally it is suggested to start using the "Evaluate JSON Path Expression Assertion (V2)" instead.
I am wondering about the best approach for:
- creating policies : Is there a possibility to prevent users from using the V1 assertion when editing new policies through the policy manager ?
- existing policies : What approach could be taken to migrate existing policies to use the new version V2?
Thank you and kind regards
...Michael