- Palo Alto Networks Cloud Python SDK version: v1.5.0
- Python version: 2.7, 3.5+
- Operating System: any
Description
There are two scenarios where the concept of region is relevant:
- The
region extracted from the base64 params provided by the Cortex Hub redirect which is used by the get_authorization_url() method, e.g. americas or europe.
- The region specified in the API gateway URL, e.g.
api.us.paloaltonetworks.com or api.eu.paloaltonetworks.com (currently defaults to us).
The first is relevant to the identity provider while performing authorization whereas the second determines what regional datacenter to direct API requests to (which should correspond to where the Cortex data lake tenant, et al. reside).
Currently, pancloud is missing a way to set or define a default region that could be used to determine which regional datacenter to direct API requests to. With the current API, you're forced to supply the full API gateway url to direct API requests to a region other than api.us.paloaltonetworks.com, which is the default.
Proposals
- Add a
default_region kwarg to the HTTPClient class. The value provided, e.g. us or eu, could be used to construct the default url used in all API requests made with that HTTPClient() object. Note that default_region would not be applicable to the Credentials class.
- Add support for a
PAN_DEFAULT_REGION environment variable. The behavior would be similar to proposal 1 except that the default_region constructor argument would take precedence over the envar.
- Add support for a
default_region or region to the credentials.json file or credentials store. This one feels a bit out of place, since the region would not necessarily be applicable to Credentials. Again, the region used by get_authorization_url() should normally be extracted from the base64 params passed by the Cortex Hub. It's worth noting that AWS boto3 credentials allow for specifying region. Note that the PAN_DEFAULT_REGION envar would take precedence over this value.
Other considerations
Another interesting approach would be to leverage a custom JWT claim to determine the regional URL, since the IdP would ostensibly have prior knowledge of the region used during authorization. The challenge with such an approach would be sharing the region across multiple instances of HTTPClient() since the value would, ostensibly, be extracted from the access_token in the fetch_tokens() or refresh() response (an operation performed within the scope of a single Credentials() object).
Another thing to note is that it is quite easy for an app to implement its own "region selector," since an application would also have knowledge of what region was used during authorization. This is the current recommended way to handle regional selection of url in the absence of default region support.
Description
There are two scenarios where the concept of
regionis relevant:regionextracted from the base64paramsprovided by the Cortex Hub redirect which is used by theget_authorization_url()method, e.g.americasoreurope.api.us.paloaltonetworks.comorapi.eu.paloaltonetworks.com(currently defaults tous).The first is relevant to the identity provider while performing authorization whereas the second determines what regional datacenter to direct API requests to (which should correspond to where the
Cortexdata lake tenant, et al. reside).Currently,
pancloudis missing a way to set or define a defaultregionthat could be used to determine which regional datacenter to direct API requests to. With the current API, you're forced to supply the full API gatewayurlto direct API requests to a region other thanapi.us.paloaltonetworks.com, which is the default.Proposals
default_regionkwarg to theHTTPClientclass. The value provided, e.g.usoreu, could be used to construct the defaulturlused in all API requests made with thatHTTPClient()object. Note thatdefault_regionwould not be applicable to theCredentialsclass.PAN_DEFAULT_REGIONenvironment variable. The behavior would be similar to proposal1except that thedefault_regionconstructor argument would take precedence over the envar.default_regionorregionto thecredentials.jsonfile or credentials store. This one feels a bit out of place, since the region would not necessarily be applicable toCredentials. Again, theregionused byget_authorization_url()should normally be extracted from the base64paramspassed by the Cortex Hub. It's worth noting that AWSboto3credentials allow for specifyingregion. Note that thePAN_DEFAULT_REGIONenvar would take precedence over this value.Other considerations
Another interesting approach would be to leverage a custom JWT claim to determine the regional URL, since the IdP would ostensibly have prior knowledge of the
regionused during authorization. The challenge with such an approach would be sharing theregionacross multiple instances ofHTTPClient()since the value would, ostensibly, be extracted from theaccess_tokenin thefetch_tokens()orrefresh()response (an operation performed within the scope of a singleCredentials()object).Another thing to note is that it is quite easy for an app to implement its own "region selector," since an application would also have knowledge of what
regionwas used during authorization. This is the current recommended way to handle regional selection ofurlin the absence of default region support.