Difference between revisions of "I2Rest Advanced Setup"

From i2Rest
Jump to: navigation, search
Line 11: Line 11:
  
  
=Request authorization=
 
Most of requests to i2Rest Sever require authorization. Such requests as [[I2Rest_API#run_command_API|IBM i command call]], [[I2Rest_API#run_program_API|API call]] (except anonymous API call) and [[I2Rest_API#Management_APIs|management api call]] will not be served without OAuth2 token with appropriate [[I2Rest_scopes|scope]]. There is a [[OAuth2_object|OAuth2 object]], representing built-in authorization model. [[OAuth2_object#Settings_for_built-in_implementation|i2Rest built-in authorization model]] configuration options on example.<br>
 
<div id="Oauth2_obj_template">
 
    "OAuth2":
 
  {
 
      "scopes": {"management_functions" : {"description":"i2Rest management APIs call"},
 
                "run_program"          : {"description":"Run *PGM and *SRVPGM"},
 
                "run_command"          : {"description":"Run CL command"}
 
  },
 
      "users":
 
      {
 
        "<span style="color:red;">USRX</span>":{"description":"<span style="color:red;">John Johnes</span>","valid_clients":{"<span style="color:red;">TSTCLNT</span>":{"scopes":["management_functions"]}}}
 
      },
 
      "clients":
 
      {
 
        "<span style="color:red;">TSTCLNT</span>":{"redirect_uri":"<span style="color:red;"><main gate URL></span>/oauth2/redirect",
 
                    "description":"Test client",
 
                    "valid_scopes":["management_functions"],
 
                    "valid_grant_types":["authorization_code"]}
 
      },
 
      "tokens": {"type":"token"},"codes":{"type":"code"}
 
  }
 
<div> 
 
The snippet above shows us  In general worlds i2Rest authorization model is something like '''WHAT''' is allowed and to '''WHOM''', and '''HOW''' it realized. '''WHAT''' parameters - are the "scopes", '''HOW''' parameters - "tokens", '''WHOM''' parameters - "users" and "clients" (built-in authorization model implies that both "users" and "clients" has to be registered as an IBM i users). So we can see that user '''USRX''' using client '''TSTCLNT''' is allowed to do some actions within '''"managment_functions"''' scope. And these are exactly the settings of Oauth2 object that we need to perform a Мanagement api call.<br>
 
  
==Мanagement API call==
 
So, what you have to do before we can test Мanagement API call to i2Rest Server:
 
:a) Register two users on IBM i - one for a "сlient" parameter and one for a "user" parameter.
 
:b) Fill the [[I2Rest_Advanced_Setup#Oauth2_obj_template|OAuth2 object template]] above with IBM i users values. Then add the snippet to your [[I2Rest_quick_config|basic server configuration]](with or without ssl protection) and put your new *.json anywhere on IBM i IFS.
 
:c) Restart server to apply your new configuration *.json.   
 
Now let's test the configuration obtaining [[Auth_profile_SoapUI|Oauth2 token with SoapUI]], and than proceed to [[Manage_API_SoapUI|Management api authorized call]].
 
  
 
== run_program API call==
 
== run_program API call==

Revision as of 14:04, 29 June 2020

This section describes configuration options of i2Rest Server. Basic configuration allows only demo server functionality, and must be extended to supply full functional server instancence. Combining examples bellow you can achieve server functionality that suits your requirements.



run_program API call

Unlike anonimous API call we performed in our basic guide, authorized API call requires Oauth2 token with "run_program" scope and *local Session System defined. So that's how we will change your basic server configuration (with or without ssl protection) to perform authorized run_program API call:

a) Add the snippet bellow to the session systems object:
{
      "name": "*LOCAL",
      "submit": SBMJOB JOB(I2RESTS) USER(${user})
                   CMD(CALL I2REST PARM(
                      '-session'
                      '-url' '${surl}'
                      '-uid' '${uid}'
                      '-user' '${user}'
                      '-init' 'ADDLIBLE I2REST'))
                      '-dcm_client_id' 'MYCLIENT'))"
},
b) Register two users on IBM i - one for a "сlient" parameter and one for a "user" parameter.
c) Fill the OAuth2 object template above with IBM i users values and add to your *.json.
d) Add the "run_program" scope to scopes object.
e) Change the pscms object as follows:
   "pcmls":
   [
      {
         "pcml_mount"         : "echo",
         "pcml_file"          : "<complete name of i2restecho.pcml on IFS (for example /tmp/PCML/i2restecho.pcml)>", 
         "valid_in_anonymous" : false
      }
   ]
f) Restart server to apply your new configuration *.json.

Now you can update your SoapUI ECHO test project with Authorization profile and perform your authorized API call.

Retrieved from "https://www.i2rest.com/index.php?title=I2Rest_Advanced_Setup&oldid=1433"