Open jbcintra opened 3 years ago
After putting more debugging into the auditing... I'm seeing a 404 response for the Rover service, which is not installed. Does that first 404 mean Rover does not exist anywhere in the tenancy? The code has then continued to scan RoverClusters/Entitlements/Nodes for 10 compartments in one customer.
For Waas, Vulnerability Scanning etc I get a zero data returned, rather than a 404.
So for all compartments I'm having to scan all elements of all services, which is quite a waste of resource if I could instead know that a single 404 for a service component means it does not exist in the tenancy...
Or preferably, after creating the service client, or at the tenancy level, be able to see if a service exists - configured or not... to then skip entire sections of auditing without risk of missing data, where a service might be in compartment-b, but not compartment-a ... so I have to scan them all, and all components of a service just to be sure.
@jbcintra Thanks for your feedback; those are very interesting points. Now in reality, how does the SDK determine if a tenancy has subscribed to a particular service? Who makes such a judgement? The SDK obviously doesn't know anything from the client side. From the service side, I don't believe OCI has a service registry that does book-keeping of service-tenancy mapping on subscriptions. I'm not aware of other companies doing this either (AWS, Azure, etc.). Essentially it's the tenancy admin's job to keep track of what services are subscribed. If you don't have a particular service in a tenancy, you may get back 404 not found, which makes sense to me, most probably because the service endpoint rejects your request because you don't have access to it. Unfortunately there's no good/simple solution to your particular scenario. You will need to work with your tenancy admin to get a list of services for each tenancy.
Hi @buzhidao77, I'm not expecting the SDK to know, rather an API accessible to the SDK, which can be queried to know if optional services are enabled in the tenancy. To save on scanning & error handling hundreds of calls for components that don't exist. Barring a 404 which isn't definitive for the Tenancy itself, then a new API call to check on those optional services, e.g. outside of Core, DB etc.
I'll run it past product management to see if anything is on their radar, as it's not in the current API/SDK set.
Regards,
Justin.
There's no such service/API, unfortunately.
Hi, I'm auditing multiple tenancies, so I have a mix with CloudGuard, DataSafe, MySQL deployed or not. Is there a preferred first query to see if the service is enabled in the tenancy, rather than having code looping through all LIST methods?
There are cases where some components are deployed & configured, and some not.
And there are cases where the permissions haven't been correctly applied, so I'd expect a 401/403 response.
But an initial method to query (a) is the service deployed, and (b) do I have access (read or above) would be very handy. Also less wasted load on the API servers.
Any pointers on a best method to start with, to try & exit, or if such an API call can/will be implemented to check first?
Thanks,
Justin.
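
As an added example (not part of the thread and not SDK code): since the thread concludes that no "is this service enabled" call exists and that a single 404 is not definitive for the tenancy, one way to keep the audit trustworthy is to record what each LIST call meant per service and compartment, so a 401/403 is reported as a coverage gap instead of being read as "no resources". The `ServiceError` class, the `list_*` functions and the compartment names are constructed stand-ins; the only assumption about the real SDK is that its error object exposes the HTTP status.

```python
from collections import defaultdict

class ServiceError(Exception):
    """Stand-in (assumption) for an SDK error that exposes the HTTP status."""
    def __init__(self, status):
        super().__init__(f"HTTP {status}")
        self.status = status

def classify(list_call, compartment):
    """Run one LIST call and say what its result means for audit coverage."""
    try:
        items = list_call(compartment)
    except ServiceError as err:
        if err.status in (401, 403):
            return "no_access", 0      # policy gap: nothing was audited here
        if err.status == 404:
            return "not_found", 0      # not definitive for the whole tenancy
        raise                          # anything else is a real failure
    return ("data" if items else "empty"), len(items)

def audit(services, compartments):
    """Scan every service in every compartment; never skip on one 404."""
    report = defaultdict(dict)
    for name, list_call in services.items():
        for comp in compartments:
            report[name][comp] = classify(list_call, comp)
    return report

def coverage_gaps(report):
    """(service, compartment) pairs where the audit could not read anything."""
    return sorted((s, c) for s, comps in report.items()
                  for c, (state, _) in comps.items() if state == "no_access")

# Constructed sample behaviour, mirroring the cases described in the thread.
def list_rover(comp):
    raise ServiceError(404)            # service not installed

def list_waas(comp):
    return []                          # zero data rather than a 404

def list_mysql(comp):
    if comp == "compartment-a":
        raise ServiceError(403)        # permissions not correctly applied
    return ["mysql-db-1"]

SERVICES = {"rover": list_rover, "waas": list_waas, "mysql": list_mysql}
COMPARTMENTS = ["compartment-a", "compartment-b"]

if __name__ == "__main__":
    rep = audit(SERVICES, COMPARTMENTS)
    print({s: dict(c) for s, c in rep.items()}, coverage_gaps(rep))
```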