►
From YouTube: 20190313 - API Management Working Group Meeting
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
B
B
B
My
definition,
working
definition
of
an
API
is
a
it's
a
client
facing
document
application,
interface,
that's
accessible
to
clients
via
API
specific
credentials
and
incorporates
a
name
set
of
API
operations
within
that
API,
and
this
matches
up
pretty
well
with
open,
API
and
and
your
PC
as
we'll
see
in
a
minute,
so
open,
API
specification,
very
quick
when
most
people
are
probably
familiar
with
it.
By
now,
it's
just
a
the
very
common,
it's
essentially
de
facto
industry
standard
way
of.
A
B
B
That's
a
good
question:
I,
don't
I,
don't
know
if
there's
a
standard
body,
that's
in
charge
of
it
right
now,
I
mean
it
that
and
I
think
completely
independent
standards
body.
It's
it's.
Definitely
it's
not
proprietary
yeah.
There
are
multiple
companies
working
on
it,
but
yeah
I
can't
answer
that.
Okay,.
B
He's
working
on
the
standard,
so
yeah,
just
a
quick
example
of
how
an
open,
API
document
looks
like
on
the
left
there
it
just
it's
a
camel
or
a
JSON
document.
It
just
documents
the
the
open,
API
standard,
some
information
about
it,
where
the
server's
the
paths,
the
operations,
each
operation
is
required
to
have
the
unique
ID
and
we'll
take
advantage
of
that.
So
between
the
pads
and
the
operations.
That's
what
we're
really
looking
for
at
this
point,
potentially
in
the
future,
there
may
be
opportunity
to
take
advantage
of
schema.
C
B
I
mean
it's:
that's
basically
going
to
be
a
question
of
linking
I.
Don't
have
that
SPECT
out
open
API
does
have
a
mechanism
to
allow
linking
to
other
documents
by
by
you
know
some
sort
of
ref,
okay,
so
you'd
end
up.
Creating
any
see
are
these
and
link
them
together.
Yeah
we
would
have
to
have
some
explicit
support
for
that
in
in
galley,
I
guess
and
the
limit
is
ten
megabytes
or
CDs.
I
did
I.
Think
I
think
the
defaults
a
little
bit
less
than
that.
B
B
B
B
Basically,
you
just
compile
it,
throw
it
in
the
descriptor
and
then
we
can
be
compile
it
later
or
introspect
it
or
you
know
whatever
we
need
to
do
so
so
that
defines
essentially
the
client
view
of
an
API
where
you
have
an
API.
You
have
a
client
app
I
mean
this.
This
obviously
expands
beyond
just
the
the
open
API
or
the
G
RPC
spec,
but
provides
the
context
around
it.
B
B
Yeah
we'll
see
how
that
works
as
well.
So
an
API
manifestation
then,
is
based
on
crank
the
client
credentials.
It
declares
the
backend
implementation
that
will
be
used
for
an
API,
so
it
has
to
provide
author,
sorry,
authorization
requirements,
any
necessary
policy
checks
and
a
workload
endpoint
of
how
it's
actually
going
to
be
the
functionality
be
implemented.
B
I
think
this
is
basically
how
we're
coming
down
on
this
is
that
everything
is
going
to
be
handled
within
Gally
instead
of
it
generating
CR
these
outside
of
Gally.
That
way,
Gally
can
take
advantage
of
separation
between
the
CR
DS
and
the
actual
protocol.
Sorry,
what's
the
name
of
the
protocol
that
the
galley
was
mCP.
D
B
B
A
A
So
that
might
push
us
towards
more,
like
don't
put
it
in
Gally,
but
to
address
the
problem?
If
not
putting
it
in
Gally
is
you
could
have
a
separate
controller
that
is
reading
the
original
CD
and
pushing
mCP
down
to
galley,
so
you're
not
pushing
stuff
back
into
the
API
server?
You
could
be
directly
pumping
into
Galilee
right.
B
B
D
Yeah,
I
think
I'm
going
to
kind
of
challenge,
that's
right,
because
okay,
so
if
you
can't
make
a
bit
more
modular
right
and
we
can
make
it
consume
MCP
but
I
think
you
end
up
creating
a
hole
in
the
system.
That
suspiciously
looks
like
galley,
so
any
replacement
implementation,
you
know,
will
be
80%
jelly
right.
So
if
you,
if
you
have
this
kind
of
modularity
to
begin
with
in
the
system,
I.
D
A
No,
that's
not
what
what
I
was
describing.
So
if
you
sue
in
a
system
that
has
galley,
do
we
want
to
augment
galley
by
having
API
management
functionality
in
it
or
try
and
keep
it
out
so
that
that
part
is
more
modular
that
somebody
that
wants
to
use
steel
security
features
is
not
paying
a
cost
for
having
API
management
in
there.
D
A
I
think
it's
largely
an
architectural
discussion
of
I
have
the
separate
box.
That
only
does
this.
It
doesn't
have
these
other
bits,
III
I'm,
more
worried
about
the
runtime
proxied
and
then
I
would
be
in
galley,
but
right,
but
in
an
ala
carte
model
that
I
could
pick
pieces
of
Visio
that
don't
include
that!
Don't
pull
in
other
things
and
I
don't
care
about
right.
So.
D
B
B
A
B
But
we
start
with
the
API
definition.
As
I
said
before,
looks
exactly
like:
you'd
expect
it
dropped
the
hello
world
stuff
into
the
API
definition,
and
so
we
have
a
path.
/Hello
an
operation
get
it
has
an
operation.
Id,
say
hello,
very
straightforward.
So
the
first
thing
that
has
to
happens
we
have
to
have
a
gateway
into
the
system.
B
B
B
B
Never
felt
right
and
so
we're
backing
away
from
that.
Instead,
this
do
operator
determines
exactly
how
the
Gateway
operates
still
so,
once
the
the
communication
would
be,
when
you
publish
an
API,
then
you
would
inform
the
operator,
but
once
it's
published,
you
have
full
control
of
it
within
the
API
definition.
B
Gally
would
generate
the
equivalent
of
a
virtual
service
right
and
this
would
be
taking
the
API
manifest
a
manifestation
information
of
the
gateways
and
hosts
and
basically
throw
it
in
there,
as
well
as
the
matching
information
for
the
URIs
for
the
pads,
and
it
would
basically
route
nowhere
and
we'll
see.
You
know
why
that
is
in
a
little
bit,
but
mostly
because
it
can't
route
anywhere
until
it
actually
knows
who's
making.
The
call.
B
So
speaking
of
who's
making
the
call
we
need
authentication
authorization
and
classification
of
the
API,
so
the
API
producer
is
going
to
declare
a
binding
to
the
gateway
for
the
API
binding
to
the
host
names
and
the
authorization
to
the
API.
Now
the
co
operator
maintains
the
authentication
part
declaring
which
authentication
methods
are
valid
for
sto,
and
then
the
API
producer
merely
takes
advantage
of
that
information.
B
The
the
claims
that
get
generated
from
that,
let's
see
how
that
goes
so
and
API
manifestation
as
part
of
its
author
authorization,
information
and
this
this
may
need
to
be
this
probably
a
good
place
for
additional
discussion
to
is
exactly
how
we
want
to
do
this
matching,
but
for
right
now
a
simple
example
is
to
do
it
allow
and
it
just
has
matches
for
claims.
So
the
claims
that
come
in
from
like
a
jot
token
and
an
API
key
will
be
the
same
kind
of
manner
will
issue
a
set
of
claims.
B
The
classification
filter
will
look
at
these
requirements,
so
if
it
requires
an
issuer
of
hello
world
calm
and
it
requires
a
scope
of
employee
read
if
it
matches
both
of
those
as
well
as
the
say,
hello,
operation,
information
which
is
you
know
that
path
and
host,
then
we
have
a
match
and
we
have
an
API
and
an
API
definition,
an
API
manases
manifestation
and
we
know
the
operation.
So
if
we
know
all
three
of
those
things,
then
we
can
go
up
forward
into
the
system.
B
So
the
co
operator
defines
the
authentication,
as
I
said,
this
is
very
familiar.
The
the
key
is
that
your
targets
have
to
match
the
information
it
has
to
match
both
the
incoming
whatever
the
incoming
host
is:
oh
I'm,
sorry,
this
is
authentication
I'll
get
to
the
gateway
in
a
minute,
so
it
matches
the
target
being
ingress
gateway,
so
it
can
do
the
gateway
and
then,
if
you're
going
to
do,
int
Ramesh,
which
you
can
do
with
this,
this
particular
scenario.
B
You
also
list
the
name
of
the
actual
service
that
you're
hitting.
So
by
doing
that,
it
will
require
that
a
jot
token
or
well.
In
this
case
the
jot
token
will
be
required
to
hit
that
service
in
every
instance
and
that
allows
them
the
the
API
management
system
here
to
do
its
work
and
as
I
said,
API
key
will
also
be
supported
that
there's
a
different
spec
out
for
that
that
allows
an
API
key
to
be
translated
like
a
jot
into
a
set
of
claims,
or
for
that
matter
any
opaque
token.
B
So
classification
itself,
API
definitions
can
have
overlapping,
hosts
and
paths.
They
can
do
that
because
we're
relying
on
the
API
manifestation
and
its
authorization
to
discriminate
between
them.
So,
for
example,
you
can
have
a
gold
and
a
silver
API.
They
could
share
host
and
some
paths,
but
then
they
have
separate
sets
of
policies
for
their
operations
that
are
set
up
by
by
how
you
authorize
those
and
then
the
final
discrimination
yeah
like
I,
said
it's
done
by
out
the
authorization
checks
and
basically
the
way
that
boils
down
is
the
host
the
URI.
B
B
B
Policies
very
simple,
actually
in
this
case
right
now
the
operator
maintains
the
policy
library
this
do
operator,
so
I'll
show
you
how
that
works
in
a
bit,
but
but
the
API
producer
merely
declares
that
it's
going
to
be
used
for
a
certain
operation,
so
the
API
manifestation
has,
in
a
policies
section
and
the
literally
keys
are
just
policy
names
that
the
operator
is
set
up
and
the
values
for
now
remain
undefined.
But
our
are
open
objects
so
that
we
have
opportunity
for
enhancement
there.
So.
A
B
B
B
Basically,
what
galley
will
do
then
or
whomever
it'll
take
this
rule
that
exists
and
it'll
fill
in
the
information?
It'll
say:
okay,
in
this
case
it
has
to
match
this
definition
this
manifestation,
this
operation,
for
it
to
take
effect.
Oh
and
it'll
change
the
name
to
they
don't
have
to
be
some
generated
name.
So
that's
a
little
bug
there,
but
so
it'll
generate
a
name
for
it
and
it
will
clone
and
add
a
match,
and
this
is
potentially
something
also
that
we
could
enhance
by
allowing
additional
match
is
to
be
done.
A
C
B
That's
it
for
policy
for
routing,
so
the
operator
is
still
in
charge
of
deploying
the
workload
C
services,
virtual
services
or
some
operator
is,
it
could
be
the
API
provider,
but
but
that's
all
low-level
SEO
stuff
that
has
to
be
deployed
and
then
or
yeah,
sto
and
or
kubernetes
or
whatever.
And
then
the
API
producer
merely
declares
the
routing
to
those
workloads
or
virtual
services.
B
This
is
part
of
the
manifestation
we
can
specify,
for
they
say
hello,
operation,
a
destination
of
hello
world,
a
path
of
slash
hello
world.
These
would
just
be
either
the
so
I
have
to
two
sections
there,
one
at
the
the
global
level.
It's
saying
that
in
general,
everything
goes
to
hell,
Oh,
service,
port
5000,
but
specifically
for
say,
hello.
I
want
to
override
the
standard
definition.
B
So
an
API
definition
remember
our
path
said:
/hello
was,
for
the
say,
hello
instead
I'm
going
to
reroute
it
to
the
slash
hello
world
in
the
hello
world
service
or
virtual
service.
If
that
makes
sense,
okay,
so
it's
just
it's
a
way.
You
can
override
another's
there's
a
one.
Little
thing,
I
have
to
talk
to
work
out,
and
that
is
path.
Templating.
B
The
idea
there
would
be
that
at
least
in
I
think
I
think
we
can
do
this
in
both
open,
API
and
G
RPC,
and
that
is,
if
you
have
have
named
items
in
your
path,
that
we
could
be
able
to
pull
those
and
then
put
them
back
into
the
path
here.
Now
it
only
matters
on
override,
because
if
it's
not
an
override
that
the
path
will
just
you
know
pass
through
and
you
don't
have
to
change
it,
but
we
may
have
to
figure
that
out
in
the
case
of
overrides,
when.
C
B
A
B
Okay,
yeah,
since
this
allows
routing
from
the
API
to
a
virtual
service.
You
can
you
have
complete
control,
you
can
do
everything
you
want
in
the
virtual
service
as
well,
so
you
can
have
it
go
to
two
different
virtual
services
depending
on
where
you
want
to
go,
and
so
it
could
be
a
hello
service,
old,
okay,.
B
B
The
the
that
the
trick
here
is
that
the
Gateway
does
have
two
lists
right:
the
host
so
for
it
to
come
through
the
Gateway.
You
have
to
have
the
host,
so
you
you
have
to
update
the
Gateway
again
to
include
this
host,
but
once
that's
done
it's
done
and
you
can
move
forward
and
that's
standard
is
to
you
as
well.
So
that's
not
an
add
or
remove
on
that
and
basically
the
way
this
works
is
so
we
already
did
our
classification.
We
have
our
attributes
the
definition
manifestation
operation,
those
come
into
the
destination
filter.
B
B
So
all
that
is
kind
of
here
in
this
logical
flow.
There
shouldn't
be
anything
surprising
in
this.
It's
basically
just
goes
through
off
policy
selection.
All
right,
sorry,
yeah,
that's
mislabeled
so
goes
through
off
through
classification,
broad
selection
and
then
policy
enforcement
of
course
happens
on
the
target
and
then
hits
the
workload.
B
A
B
A
B
No,
you
do,
and
so
they
they
are
they're
out.
There
are
sto
filters
because
they
have
to
access
the
attribute,
so
there's
two
things:
they
do
produce
attributes
and
they
consume
attributes
right.
So
the
attributes
from
authentication
the
claims
come
through
as
attributes
so
I
have
to
access
those
in
classification
and
then
in
classification
produces
those
three
attribute.
So
basically
it
kind
of
operates
as
an
extension
of
authentication.
In
that
that
sense,
and
then
the
the
routing
part
has
to
also
access
the
three
attributes
that
are
created.
Okay,
the
API
attributes
could
be
done.
A
To
ever
sorry,
go
ahead.
I
will
want
to
figure
out
how
to
make
this
modular,
because
I
think.
Ultimately,
all
this
stuff
is
going
to
be
written
down,
compile
down
to
wasm
yeah,
and
we
just
need
to
figure
out
how
to
inject
this.
So
it's
not
present
on
people
and
systems
that
don't
want
it
I
think
is
achievable.
B
Yeah
I
mean
I
expected
that
it
would
basically
do
like
gali
does
or
pilot
does
today
and
that
if
you're
not
using
it,
it
doesn't
inject
it
right.
So
if
you
don't
use,
authentication
authentication
filter,
isn't
there
so
it'd
just
be
the
same
thing
now
eventually
with,
like
you
said,
with
mixer
v2,
things
may
be
changed
around
a
bit,
but
you
know
in
the
current
architecture,
I
would
view
it
as
its
operating
exactly
the
same
either.
Either
the
filter
is
injected
or
it's
not
yeah.
B
B
So
this
is.
This
is
what
I
kind
of
showed
you
before.
This
is
an
API
definition
right
and
now
I
say
I
want
to
set
up
a
gold
and
a
silver,
so
I'm,
gonna,
say:
I'll,
show
you
silver
first,
so
in
the
silver
manifestation
right,
I
have
an
issuer.
That's
coming
from
hello,
calm,
that's
actually
not
correct,
but
and
I
have
a
destination.
B
B
Okay,
good
silver,
so
it's
it's
bound
to
this
gateway.
Has
this
API
that
HelloWorld
comm
is
the
host
that
we're
hitting?
This
is
the
the
target
that
we
want
to
hit.
This
is
a
virtual
service
so
that
we've
set
up
and
the
path.
Now,
if
I
instead
have
a
gold
level
privileges
which
means
I,
have
the
scope.
That's
hello,
world
gold
instead
I
want
to
set
it
I
want
to
send
it
to
HT
t
bin
dot-com
host
with
a
path
of
headers,
so
I'm
rewriting
everything
about
it,
and
it's
really.
Basically
what
I
said
there.
B
B
This
is
the
API
hello.
World
comm
is
the
incoming
host
and
the
other
two
are
outgoing
posts
they
have
to
actually
set
up.
You
know
the
hell
rolled
itself:
it's
just
a
simple
deployment
service.
This
is
straight
out
of
the
examples
for
miss
do
same
with
HDD
bin
HTTP
bin.
It's
the
same
thing:
it's
a
deployment
and
service.
What
I've
set
up
is
a
couple
of
virtual
services,
so
I
set
up
this
virtual
service
to
be
accessible
from
the
gateway.
B
It's
the
end
to
the
mesh,
in
fact.
So
this
is
that
hellworld,
the
hello
world,
hello,
world,
vs
and
I
would
say
this
is
its
name.
You
have
to
use
a
fully
qualified
name
for
routing
like
that
and
where
it
matches
that
matches
hello
and
goes
to
hello,
world
HTT
p--
in
HTTP
bin
is
the
same
thing.
It's
basically
it's
a
standard
virtual
service.
B
Only
I'm
saying
it's
going
to
be
called
at
this
host
and
then
authentication
is
set
up,
and
in
this
case
we
have
the
targets
so
for
it
to
especially
for
right
now
for
it
to
work.
I
I
actually
have
this
working
as
a
prototype,
but
I
use
headers
everywhere,
so
especially
for
it
to
work
for
headers.
I
actually
have
I
must
do
the
the
claims
work
on
the
target
as
well,
but
the
benefit
of
doing
that
is,
if
I'm
doing
it,
both
on
the
gateway
and
at
the
target.
B
Then
it
works
intra
measu,
as
well
as
through
the
Gateway,
which
is
pretty
cool
so
once
I
have
that
set
up.
Basically,
what
would
get
generated
then
is
going
to
be
something
like.
So
this
is
the
policy
and
which
is
exactly
what
we
saw
a
second
ago.
In
fact,
actually
there'd
be
two
policies.
This
is
one
of
the
policies
assumed
that
there
would
be
a
hello
world
silver
as
well.
B
Because
I
included
in
both
of
the
API
manifestations
and
then
the
virtual
service
that
we
talked
about,
would
look
basically
like
this
there's
API
world,
hello,
comm,
it's
it's
on
the
Gateway
it's
available
in
the
mesh
at
this
host
and
it
routes
hello
to
nowhere
and
then
the
way
it
works
is
the
way
I.
Have
it
working
right
now.
I'll
just
show
you
it's
just
Lua
scripts,
but
this
is
just
a
very
simple
mechanism.
B
So
this
is
the
class
classification
bit
and
I'm
just
hard
coding
this
for
now,
but
I
basically
check
the
authority,
the
path,
the
issuer
and
scopes
and
I'm
creating
headers
for
these
things,
instead
of
attributes
for
gold
and
silver,
so
I
have
a
hello
world
gold
here
by
the
hello
world
silver
here
so
that
gets
added
to
the
headers.
Then
in
the
destination
part
I'm,
saying:
okay!
Well,
now,
I
have
these
these
attributes.
B
B
B
B
This
is
a
token
I'm
going
to
show
you
what
the
token
might
look
like
this.
Has
you
know
basic
information
I'm
just
using
a
PG
to
generate
this
token
and
it's
part
of
it.
So
you
also
show
you
the
gold
I'll,
show
you
how
it's
different,
real,
quick.
The
difference
is,
we
have
whoops
should
have
scopes
yet
okay
scopes
and
we
have
the
claim
that
I
said
would
be
the
difference
between
the
silver
and
gold.
B
Okay,
that's
gonna
work,
okay,
so
there's
gold
and
there's
silver
and
that's
basically
it
there's
no
difference
other
than
your,
your
authentication
and
it's
any
new,
completely
different
place.
It's
providing
different
attributes,
so
those
will
be
reported
in
telemetry
and
can
be
checked
in
policy
and
voila
as
they
say
in.
B
Right
now,
if
you
do
it
the
way,
I
did
it,
we
can
do
it
through.
We
don't
have
to
send
editors
because
it
actually
checks
the
the
job
in
both
places
right
and
even
if
it's
coming
through
the
Gateway,
it
just
automatically
gets
forwarded,
and
so
it's
available
as
the
destination
as
well,
and
so
it
can
go
and
check
the
job
again
and
get
the
that
it
needs.
There
is
no
mechanism
right
now
in
sto
to
securely
deliver
anything
from
the
Gateway
to
the
destination,
so
the
only
this
is
the
only
safe
way
to
do.
B
It
is
to
actually
evaluate
the
job
both
places
and,
as
I
said,
it's
also
available
that
way
to
interim
ash.
So
if
you
have
service
to
service,
so
if
you
can
use
the
same
api's
and
it
will
enforce
the
same
information
which
is
like
I,
said
a
pretty
cool
feature,
the
we've
we've
talked
about
kind
of
what
it
might
take
to
securely
pass
attributes
along
from
the
Gateway
to
the
destination.
B
B
You
know
that
have
to
come
through
and
claims
that
that's
a
big
simplification,
because
it
means
that
you
can
use
any
rules
you
want
to
to
determine
which
API
is
used.
The
other
biggest
simple
of
simplification
of
it
was
to
punt
on
the
authorization
and
say
that's
that's
part
of
the
co-operators
job,
but
I
think
that's
fair.
It
really
is
so.