/
ODS API SIG - Meeting #3 - 2022-12-08

ODS API SIG - Meeting #3 - 2022-12-08

Dec 13, 2022

Attendees

First Name

Last Name

Organization

Marcos

Alcozer

Ed-Fi Alliance

Brito

Augustine

EdWise Group

Rosh

Dhanawade

Education Analytics

Katie

Favara

Texas Education Agency

Stephen

Fuqua

Ed-Fi Alliance

Jean-Francois

Guertin

EdWire

Jesse

Kaser

Education Analytics

Vinaya

Mayya

Ed-Fi Alliance

Jeremy

Perkins

Instructure

Tom

Reitz

Education Analytics

Audrey

Shay

Wisconsin DPI

Mark

TenHoor

Education Analytics

Support

Ann Su - Ed-Fi Governance Support

Materials

Agenda and Notes

  • SIG Recap - Features and prioritization discussed at last meetings

    • Dynamic Profiles and Apply profile without requiring special content type in the request

    • Composites

    • Deployment modes and routing

    • API Logging

  • API connection for Read Replica

    • Education Analytics - Open ticket requesting implementing ODS-5648

      • Most of our projects are in writing stage

      • Once in steady state, more people will want to read data out

      • Will be helpful to have separate database for read access

    • Stephen

    • EdWire

      • We implement read and write replicas by using Azure stackers

      • Azure has SQL pool that allows read and write out-of-box

      • We implement this currently with separate API containers

        • One connects to read and write

        • Other connects to read replica

      • Just need to change connection string to access the read only replica

        • Routing needs to specify districts read-only

      • Education Analytics - This exists in AWS also

      • EdWire - We have used read replicas (not with the API) with SQL managed instances for reporting purposes

      • Vinaya

        • Switch to read replica connection needs to happen at the request level, while SQL reads to hydrate nHibernate model during a write operation should connect to the primary read-write database.

        • We need to investigate the memory footprint with two nHibernate object models.

    • Education Analytics

      • Even with two separate containers Memory cost would increase.

      • Vinaya - How is the connection string different?

        • Pretty much same with ‘ro’ inserted somewhere in the connectionstring

  • Key Rotation

    • Vinaya -  It was brought up in an earlier meeting that key rotation is difficult in large implementations, is there any tooling that could help with that?

    • Education Analytics

      • No technical limitation on deploying ODS instructure for 1 year

      • Complexity is with roll-over process and coordination for a new school year and the change of key and secrets. As the number of applications the districts want to connect grows, coordination effort grows.

    • EdWire

      • Why do you need to create a new Admin and Security every year? These databases don’t change much between different API versions. Security database mostly contains even same data.

      • Investigate Admin & security schema for multi instance and multi tenant

    • Marcos

      • API key/secret work across years, I think that is ok but the Admin App UI gives an impression that it is meant for one year. For me it is UI change AA-1617 and not change Ed-Fi ODS platform.

    • Wisconsin

      • We built a portal for districts to self-serve credentials. We have 1400 districts that connect to it. We have about 2700 different API keys and secrets.

      • We discussed forcing yearly key rotation. However it would be a huge effort to ensure all 1400 districts have the correct key and secret for the correct year.

      • Stephen - Maybe need a self-service portal to retrieve your new key

    • Education Analytics

      • Consider adding a ExpirelyDate on the key/secret so that Hosts can set it according to contract end or on yearly basis ODS-5678

    • EdWise

      • Consider wrapping admin and security into one Ed-Fi database to reduce cost

    • Wisconsin -  ODS-1368

    • EdWire - make admin database single one to be more efficient

      • Combine security and admin and use single one for multiple yearly ODSs

      • We currently recreate all three databases every year to keep security data segregated. If that kind of segregation is built into the schema it would simplify management and reduce hosting cost.

    • Education Analytics

      • Agree with combining Admin and Security databases. Not sure if a multi-instance/multi-year solution would be helpful due to removal of upgrade support. Now we redeploy full infrastructure with new version, if Admin or Security schema changes between versions - muti-year/multi instances support wouldn't work

    • EdWise

      • Admin database and security database schema have minor changes as compared to the old ODS. If re-architected, it will stay for a while.

  • OAuth Implementation

    • EdWire - Should we consider including claims inside the token, so that the token has information on what access it has?

    • Vinaya -

      • Including claims in the token would probably help in avoiding cache issues with security metadata.

      • Increases token size

    • Stephen

      • Meadowlark is using Json web token

        • Everything for authorization data is in the token

      • I would like to see this happen, but we need to careful about token size

    • EdWire

      • Don’t have to have everything in the token, we can investigate existing open source implementations.

      • https://solliance.net/products/policyserver

      • I am looking for the ability to plugin in a alternative OpenID implementation

Action Items

  • Vinaya will post a report out

  • SF - host future Meadowlark SIG cross-feature presentation