
Working With a Technical User


The SEAL Operator server component supports working with a single technical user who can manipulate resources on behalf of a real user.

Caution - not supported by all repositories

While the technical user is supported for all SEAL Operator-internal resource types (tasks and panels), support for repository resources depends solely on the respective repository.


Configuration

The following configuration steps are required for enabling a technical user with SEAL Operator:

Configure the Roles and Permissions

At least two roles are required: one for the regular users and one for technical users with additional permissions. Note that every user has to have at least one of these two roles in their JWT token.

Example - role to permission mapping

This configuration contains two roles: seal-print-client-user without additional permissions and techuser with the impersonate permission. Both roles are configured for the OAuth 2.0 client seal-print-client. For more information, refer to ALLOWED_OIDC_CLIENTS.

{
  "seal-print-client": {
    "roles": {
      "seal-print-client-user": {},
      "techuser": {
        "set-all": {
          "views": ["ALL"],
          "permissions": ["impersonate"]
        }
      }
    }
  }
}

Configure the Roles Property

Configure the name of the JWT token property containing the role(s) with JWT_ROLES. The property name depends on the used identity provider.

Example - JWT token for a technical user with the techuser role. The name of the property containing the roles is roles.

{
  "name": "seal-admin",
  "preferred_username": "seal-admin",
  "given_name": "john",
  "family_name": "doe",
  "email": "info@sealsystems.de",
  "azp": "seal-print-client",
  "roles": [
    "techuser"
  ],
  "iat": 1613990837,
  "exp": 1645548437,
  "iss": "https://localhost:32769/auth/realms/SEAL",
  "sub": "c68f1f41-3566-4d9e-a4cf-09189a176c95"
}

Configure the User Identifier

Configure the name of the JWT token property containing the unique identifier for the user. For more information, refer to IMPERSONATE_TOKEN_OWNER. The property name depends on the used identity provider.

Example - JWT token of a regular user containing only the seal-print-client-user role. The name of the unique identifier property used in the examples below is email.

{
  "name": "johndoe",
  "preferred_username": "johndoe",
  "given_name": "john",
  "family_name": "doe",
  "email": "johnd@nowhere.com",
  "azp": "seal-print-client",
  "roles": [
    "seal-print-client-user"
  ],
  "iat": 1613990837,
  "exp": 1645548437,
  "iss": "https://localhost:32769/auth/realms/SEAL",
  "sub": "3cd619b3-59e7-43b8-9d1a-3030a36ab6e7"
}

Create Resources

After the configuration, an action can be impersonated by adding the user's unique identifier as the HTTP header x-owner to each POST request. Without the header, the resource belongs to the user identified by the token itself.
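The server-side decision the configuration above implies, as an added illustration (not SEAL Operator's own code): the role-to-permission mapping, the JWT_ROLES property and the IMPERSONATE_TOKEN_OWNER property decide whether a request may carry x-owner. The claim objects are constructed from the two example tokens; signature verification is assumed to have happened already.

```javascript
'use strict';
// Added illustration, not SEAL Operator's own code: how a server can decide whose
// resource a POST creates from the role-to-permission mapping, JWT_ROLES and
// IMPERSONATE_TOKEN_OWNER. Claims are assumed to come from an already
// signature-verified JWT; header names are assumed lower-cased as Node delivers them.
// Role-to-permission mapping in the shape of the ALLOWED_OIDC_CLIENTS example.
const ALLOWED_OIDC_CLIENTS = {
  'seal-print-client': {
    roles: {
      'seal-print-client-user': {},
      techuser: { 'set-all': { views: ['ALL'], permissions: ['impersonate'] } }
    }
  }
};
const JWT_ROLES = 'roles';               // JWT property holding the role(s)
const IMPERSONATE_TOKEN_OWNER = 'email'; // JWT property holding the unique user id

// Permissions granted by the token's roles for its azp client; null when the
// token carries none of the configured roles (every user needs at least one).
function permissionsOf(claims) {
  const client = ALLOWED_OIDC_CLIENTS[claims.azp];
  if (!client) return null;
  const perms = new Set();
  let matched = 0;
  for (const role of [].concat(claims[JWT_ROLES] || [])) {
    const cfg = client.roles[role];
    if (!cfg) continue;
    matched += 1;
    for (const scope of Object.values(cfg)) {
      for (const p of scope.permissions || []) perms.add(p);
    }
  }
  return matched > 0 ? perms : null;
}

// Owner of the resource being created: the token's own user, unless x-owner
// names someone else, which only a role with the impersonate permission allows.
function resolveOwner(claims, headers) {
  const tokenOwner = claims[IMPERSONATE_TOKEN_OWNER];
  if (!tokenOwner) return { error: `token has no ${IMPERSONATE_TOKEN_OWNER} property` };
  const perms = permissionsOf(claims);
  if (perms === null) return { error: 'token carries none of the configured roles' };
  const requested = headers['x-owner'];
  if (requested === undefined || requested === tokenOwner) return { owner: tokenOwner };
  if (!perms.has('impersonate')) return { error: 'x-owner requires the impersonate permission' };
  return { owner: requested };
}

// Constructed claims, reduced from the two example tokens above.
const techClaims = { azp: 'seal-print-client', roles: ['techuser'], email: 'info@sealsystems.de' };
const userClaims = { azp: 'seal-print-client', roles: ['seal-print-client-user'], email: 'johnd@nowhere.com' };
```

A request is answered with 403 whenever resolveOwner returns an error; the regular user's token may still create its own resources, with or without an x-owner naming itself.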

Bash

Creating a task for the johnd@nowhere.com user. The only difference from the Create a Task script example is the OWNER setting. The token has to contain the techuser role.

#!/bin/bash

if [ -z "$1" ]; then
  echo "Please call with href as parameter"
  exit 1
fi

# !Assuming $TOKEN contains a valid JWT access token!
AUTH="Authorization: Bearer $TOKEN"
JSON="Content-Type:application/json"
# x-owner carries the unique identifier (here the email property) of the user
# on whose behalf the task is created; the token needs the impersonate permission
OWNER="x-owner:johnd@nowhere.com"

# create print task for operator-p4 service; --arg passes $1 as a JSON string
# instead of splicing it into the jq program text
TASK=$(jq -c -n --arg href "/v1/services/operator-fileupload/repo/$1" '{
  "name":"My Task",
  "metadata": {
    "description": "Print task",
    "Printer": "LocalPrinter"
  },
  "lists": {
    "input": {
      "embedded": {
        "listItems": [
          {
            "href": $href
          }
        ]
      }
    }
  }
}')
RES=$(curl -k -s -X POST -H "$AUTH" -H "$OWNER" -H "$JSON" -d "$TASK" "https://localhost:3008/v1/services/operator-p4/tasks")
TASKID=$(echo "$RES" | jq -r '.tid')
echo "Created task with taskId $TASKID"

JavaScript

Creating a task for the johnd@nowhere.com user. The only difference from the Create a Task function example is the owner parameter. The token has to contain the techuser role.

'use strict';

const request = require('request-promise-native');

// token: JWT access token carrying the techuser role
// href:  reference to the uploaded file to print
// owner: unique identifier (here the email property) of the user on whose behalf the task is created
const createTask = async function(token, href, owner) {
  // create print task for operator-p4 service
  const req = {
    url: 'https://localhost:3008/v1/services/operator-p4/tasks',
    headers: {
      Authorization: `Bearer ${token}`,
      'x-owner': owner
    },
    body: {
      name: 'My Task',
      metadata: {
        description: 'Print task',
        Printer: 'LocalPrinter'
      },
      lists: {
        input: {
          embedded: {
            listItems: [
              {
                href
              }
            ]
          }
        }
      }
    },
    resolveWithFullResponse: true,
    json: true,
    strictSSL: false
  };
  const res = await request.post(req);
  const taskId = res.body.tid;
  console.log(`Created task with taskId ${taskId}`);
  return taskId;
};
