ESP WSP, how to configure a user that can only access one project?

Hello Colleagues,

We are implementing a web-tracking project, in which the web events are captured and immediately sent from the web browser to the ESP WSP, via POST request in JSON format.

Part of the JSON payload is the connection credentials:

{
    "connectionDetails": {
        "clusterName": "mycluster",
        "port": "9091",
        "authentication": {
            "type": "user",
            "data": "user:password",
            "sslEnabled": "false"
        }
    },
    "content": {
        "action_name": "Piwik tracking site",
        "idsite": "1",
        "rec": "1",
        "r": "494617"
    }
}

Because this request is sent directly from the browser, this credential part is hard-coded in the user's browser via code snippet injection. To minimize security risk, how do I create a user which can only access this one project and cannot do anything else with ESP?

We have a single node cluster for now.

Thanks and best regards,

Tao

Accepted Solutions (0)

Answers (1)

RobertWaywell
Product and Topic Expert

Hi Tao,

Streaming user permissions are managed with the "streamingclusteradmin" tool which is documented in the Utilities Guide:

streamingclusteradmin - SAP Event Stream Processor: Utilities Guide - SAP Library

I would suggest working with the streamingclusteradmin tool in Interactive mode while you are figuring out exactly which permissions to grant for your project. Within that section, specifically look at this portion:

grant perm <priv> [<privtype>] [on [any] <resourcetype> [<resource>]] to user|role <name>

You will need to grant write permissions on the workspace, project, and stream for the particular stream you are writing to. That will take multiple grant statements.

As a starting example, the grant statement to grant write permissions on the workspace could look like this:

grant perm write workspace on workspace default to user my_streaming_user

The important thing to note in that example is that "workspace" is both a <privtype> and a <resourcetype>. The same will be true for your grant statements for the project and stream as well.

Hello Robert,

Thanks a lot for the explanation. I understand the part with granting permissions. However, I do not know how to create a user. Currently we use by default the operating system user. Since this user name is posted as part of the POST request, we do not want it to be an operating system user, as it could lead to a security breach. I know there are other ways to create users, but I did not find documentation for it.

Could you please advise how to create such a technical user?

Thanks and regards,

Tao

RobertWaywell
Product and Topic Expert

Hi Tao,

ESP relies on integration with a third-party user authentication system to define user IDs and passwords. This can be the native OS user authentication as you are using now or it can be any of a number of different options including LDAP or SAP BI. Here is a link to the section on configuring authentication:

Authentication - SAP Event Stream Processor: Security Guide - SAP Library