Legacy Product

Fusion 5.10

    Fusion Impersonation via a Service Account

    To securely access Fusion via Appkit, a user has several options. They can either adopt Appkit’s Fusion security provider making use of session cookies to send repeated requests back to Fusion, or they can access Fusion via a service account if they are planning to use query pipelines. In this section, we describe how to set up the latter.

    1 Set up a service account on the Fusion server

    If a user wants to query Fusion through a pipeline by impersonating another user via a service account, they must first ensure such an account has been set up on the Fusion server. This account should have access rights to the required resources.

    2 Add Security Trimming query stages to required pipelines

    Query pipelines can have additional security filtering applied to ensure specific users do or do not have access to specific resources. This filtering can be set up by adding a Security Trimming stage to the query pipeline via the Fusion UI. The User ID key that is used in the security trimming stage to filter on results is supported in Appkit via the user-id attribute, which is described in the next section.

    3 Update fusion.conf

    To query Fusion using this approach, these attributes must be added to the platform fusion.conf file in src/main/resources/conf/platforms/fusion/:

    impersonate: true
    userName: joebloggs
    password: password
    user-id: username

    Here, the impersonate attribute informs Appkit that users will be querying Fusion pipelines via a service account. Below that, both the userName and the password are the credentials for the service account that Fusion will authenticate against. The last attribute user-id is optional and by default takes the value of username. This is the parameter that will be appended to the query string and filtered on in the security trimming stage. For example, the complete query URL might appear as:

    http://localhost:8764/api/apollo/query-pipelines/test-default/collections/test/select?&wt=json&q=*:*&debug=false&fl=x,y,z&start=0&username=joe@bloggs.com
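
The following Python example is added here and is not Appkit's or Fusion's own code. It builds the query URL shown above so that the user-id parameter always carries the identity from the authenticated session, replacing any copy of that parameter supplied with the request. The function names, the sample values and the use of HTTP Basic authentication for the service account are assumptions.

```python
import base64
from urllib.parse import urlencode, urlsplit, parse_qsl

# Constructed sample values mirroring the fusion.conf attributes above.
FUSION_CONF = {
    "impersonate": True,
    "userName": "joebloggs",   # service account name
    "password": "password",    # service account password
    "user-id": "username",     # name of the security trimming parameter
}
BASE = ("http://localhost:8764/api/apollo/query-pipelines/"
        "test-default/collections/test/select")


def build_impersonated_request(conf, session_user, client_params):
    """Return (url, headers) for a pipeline query made on behalf of session_user.

    session_user must come from the authenticated session, never from the
    incoming request. client_params is a list of (name, value) pairs.
    """
    if not conf.get("impersonate"):
        raise ValueError("impersonation is not enabled in fusion.conf")
    if not session_user:
        raise ValueError("no authenticated user to impersonate")
    key = conf.get("user-id", "username")  # optional, defaults to username
    # Drop any caller-supplied copy of the trimming key (compared without
    # regard to case, to be conservative) so the Security Trimming stage
    # only ever sees the authenticated identity.
    params = [(k, v) for k, v in client_params if k.lower() != key.lower()]
    params.append((key, session_user))
    url = BASE + "?" + urlencode(params)
    # Assumption: the service account is presented with HTTP Basic auth.
    creds = f'{conf["userName"]}:{conf["password"]}'.encode()
    headers = {"Authorization": "Basic " + base64.b64encode(creds).decode()}
    return url, headers


def trimming_values(url, key="username"):
    """Values of the trimming parameter as a server would parse them."""
    return [v for k, v in parse_qsl(urlsplit(url).query) if k == key]
```

Because the service account credentials sit in fusion.conf and the trimming value decides which documents are returned, both should be handled only on the server side.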