allow machine clients to access /manage/* OAuth2 protected web services
The creation of the lucene indexes can not be triggered from Jenkins jobs or from the dataportal settings pages, since the /manage/ web services requires authentication.
The best solution to this problem is to allow the definition of global management user accounts which apply to any cdm-remote instance started by a system user.
These users credentials must therefore not be stored in the cdm databases. To store them independently from the cdm instances a configuration file located in
$HOME/.cdmLibrary is the preferred storage solution.
Old issue description:
The authorization problem in the dataportal will be solved as soon as the oauth2 client capabilities are implemented into the data portal module: #6332. In case of jenkins it is not possible to provide proper cdm user credentials for each of the instances to be indexed. In this case another grand type is needed.
For this service endpoint it must me possible to authorite via the OAuth2 grant type 'client' (https://tools.ietf.org/html/rfc6749#section-4.4).
- enable grant type 'client' for /manage/
- check for valid clients based on a key. The allowed keys are stored in $USER_HOME/cdm-remote-client-keys` each in a separate line. A key must conform to a md5 hash (or UUID?).
- provide script for jenkins to authenticate --> subticket
- implement client authentication into the dataportal. This should be doable by making use of the OAuth2 plugin available for Drupal7, see #6118 --> subticket
ref #6248 disabling authorization restriction on /manage/ as temp workaround
#4 Updated by Andreas Kohlbecker over 4 years ago
- Subject changed from allow OAuth2 grant type 'client' for /manage/ web services to allow machine clients to access /manage/* OAuth2 protected web services
- Description updated (diff)
oauth2 with grant type 'client' is not really needed. It would require that the client can authenticate with username and login in order to get a token from the oauth2 token service. But ability to login alone would be sufficient to solve the initial issue of this ticket.
I am changing the ticket subject and description accordingly.