Fusion Impersonation via a Service Account
To securely access Fusion via Appkit, a user has several options. They can either adopt Appkit’s Fusion security provider making use of session cookies to send repeated requests back to Fusion, or they can access Fusion via a service account if they are planning to use query pipelines. In this section, we describe how to set up the latter.
1 Set up a service account on the Fusion server
If a user wants to query Fusion through a pipeline by impersonating another user via a service account, they must first ensure such an account has been set up on the Fusion server. This account should have access rights to the required resources.
2 Add Security Trimming query stages to required pipelines
Query pipelines can have additional security filtering applied to ensure specific users do or do not have access to specific resources. This filtering can be set up by adding a Security Trimming stage to the query pipeline via the Fusion UI. The User ID key that is used in the security trimming stage to filter on results is supported in Appkit via the user-id
attribute, which is described in the next section.
3 Update fusion.conf
To query Fusion using this approach, this attributes must be added to the platform fusion.conf
file in src/main/resources/conf/platforms/fusion/
:
impersonate: true
userName: joebloggs
password: password
user-id: username
Here, the impersonate
attribute informs Appkit that users will be querying Fusion pipelines via a service account. Below that, both the userName
and the password
are the credentials for the service account that Fusion will authenticate against. The last attribute user-id
is optional and by default takes the value of username
. This is the parameter that will be appended to the query string and filtered on in the security trimming stage. For example, the complete query URL might appear as:
http://localhost:8764/api/apollo/query-pipelines/test-default/collections/test/select?&wt=json&q=*:*&debug=false&fl=x,y,z&start=0&username=joe@bloggs.com'