Whats the best way to go about building the following (I'm new to azure so not sure about what approach to take).
I want a user to be able to start a long running (1-60 minute) 'service' on the server which they
can then interact with via a web interface.
The instance of the service will be specific to the user, and live as long as the user
maintains a connection to it.
The service has complex state which changes in response to commands given by the user.
The user will also be able to request state data from the service.
Most of the time the service will just be waiting for a user
request.
Once the user closes the connection to the server it should cease to be.
Related
I have made a Java ExtLib XPage custom REST service (CustomServiceBean) database basing on this solution: https://setza-projects.atlassian.net/wiki/spaces/RS/pages/363593730/IBM+Domino
I modified it though to use NotesCalendar class to create, update and delete events & resource reservations (so everything in fact is processed by the calendar, I'm only using raw documents for reading $Rooms in names.nsf and $Reservations in the reservations database). Everything works fine so far, it uses current session to open the calendar. I have some concerns regarding the permissions though.
What I want (and need):
Ability to create calendar events & reservations as SPECIFIC users, I don't want just one "main" user that will create everything. I want each IBM Lotus user to be able to login with their credentials and create or update their calendar events.
This database with XPage will be deployed on our client's servers, so I don't want to require some special configuring for each user in order to be able to access my REST service.
I set up a new local installation of Lotus Server and created a new application using my XPage database as template, and I couldn't access the API neither with admin account or other accounts:
HTTP JVM: CLFAD0229E: Security exception occurred servicing request for: /db.nsf/services.xsp/api - HTTP Code: 403. For more detailed information, please consult error-log-0.xml
As soon as I added my admin account to Server configuration -> Security -> Sign or run unrestricted methods and operations, it started working again. Not only for the admin account, but also for other accounts that were just created with an internet password and weren't assigned any specific roles or permissions. I didn't even sign the database.
So my question is, is this enough in order to get it working on client's production server? It kind of makes no sense to me, but it worked on my local server so I'm not sure, I'm new to IBM Lotus and I'm just doing an integration REST service.
If not, how could I do it, so I wouldn't really need to put the end client (Lotus server owner) into the hassle of configuring each user, while still being able to access the API as any Lotus user (providing the username and password)? I can either log-in as each indepentend user, or perform some impersonation with a "main" privileged account (create entries in someone else's calendar as him), although I think there is no way to do it in Java, because .getCalendar is a method of the Session class, I tried using createSession(), but I wasn't able to.
Every notes application needs to be signed by an administrator with an ID known to the customers environment. The Id which is used to sign the db must have the appropriate rights, through the security tab in the server document. If the app is not signed properly, the app won't run. Once the app is signed, it runs in the authorized users session with the users rights.
I have setup a private cloud which has 2 computes and the back end is working successfully. OpenStack and Horizon is used to create and manage instances.
Basically, Horizon would be used on an administrator level and not by the user. So for the user to enter inputs like RAM, Disk Storage, Image etc, i want to create a frontend (ReactJS, NodeJS) website though which they can provide the details for VM creation.
The flow would be:
User provides all details through an HTML form.
Those details go to the Administrator sitting who will check the details and then approve the request.
Once the request is approved, VM is created and user can manage the VM.
I want to achieve somewhat like the above.
The goal is to not allow access for the user to create, manage VM instances through horizon.
Any help ?
EDITS
The flow should be the following :
Login to the front end user dashboard.
Allow user to create a flavor by accepting the values.
Store the values into MySQL DB.
Admin would get the request inn his login. An 'Accept' and 'Decline' button would be there on each flavor entry. If admin accepts, using shelljs the openstack flavor creation command is run and the output is saved in db.
The user could get the accepted flavor on his side.
The user would create a VM instance by selecting the flavor which he recieved above.
Using openstack create server command, the VM would be created and a token url would be generated which will be displayed to the user.
8.When user clicks on the url, VM is launched.
So the above is the goal to be achieved using React, NodeJS and MySQL.
The difficult parts would be:-
Running the openstack cli commands using shelljs
Generating a token url.
I hope there might be a way to do this.
Thanks
Not sure how to help you on this. Some ideas:
You will need a python backend unless you want your backend to talk to the OpenStack REST API directly. Similarly to Horizon, using the Django Python web framework will save you some time with using the python client APIs
Then you can build a frontend app with ReactJS and BackboneJS. Since ReactJS itself will not let you communicate with the HTTP Response generated by your backend. Also, you should look into Redux to deal with the data flow.
Here is an open source project which does what you want mostly: https://github.com/cyverse/atmosphere/
HTH
I'm trying out the new model for unified app authentication using passport-azurea-ad from this reference https://learn.microsoft.com/en-us/azure/active-directory/active-directory-v2-devquickstarts-node-web
The integration is successful,but every time I do login,I get redirected to a page where I get to choose from my existing microsoft accounts or add a new one.
Why is the session or account not getting picked up automatically, if the user is already logged into his azure or microsoft account?
My requirement is user session should be picked up automatically(not for the first time where he gives consent) if he is logged into his azure account or micrososft account
this page needs to be avoided , if he is already signed in
The reason is a technical limitation. Let me see if I can explain briefly:
When a request comes to the v2 endpoint (login.microsoftonline.com), the v2 endpoint can not detect the presence of an existing consumer account session (login.live.com).
Therefore, the v2 endpoint must make a query (via an iframe hosted on the login.microsoftonline.com page) to login.live.com to detect if a consumer session exists or not.
If a consumer session exists, the v2 endpoint should show the user an 'account selection' screen, like the one you depict in the question.
If a consumer session does not exist, and the user only has one business session, it could auto-login the user with that business account. However, by this time the user has likely already been waiting for a second or so for the query to login.live.com to complete. It might be a strange user experience if the page auto-completed after a second.
The v2 endpoint could definitely show a loading spinner or something to hold the user until the decision can be made, but it was decided that having the user click a tile was an acceptable alternative.
App A is communicating to database X through web service Y. Service Y enables insert, update and delete operations to data in database X. Many authorized people can use app A and connect to database X through service Y.
Developer Q wants to create a database trigger to log some information about the entries and updates on a table in database X including device id or IP. Can developer Q access some device identity through the established connection to database X through service Y?
If he/she can't, is there a workaround?
Short answer yes. The how is a bit more involved. You did not include what language the web service is written in so keeping it high level and focusing on the implementation agnostic way first.
Most languages used to code web services capture request information - device info, web client info, ip address (not reliable though), authentication identification (if not anonymous access), etc. So one typical way to track this data is create a session table in the database that you write all the pertinent request data to for web service session. Then derive a key for each session. Finally add a column for the session key to each table you execute DML on. Alternate approach is to have an operational table (what you already have) and a matching log table. the operational table doesn't have a session key column, but the logging table does. There are other ways to log activity, these are just some to demonstrate the point.
Another way, OO example, is to create a derived connection class that you add in web service session info to. This can then be accessed at the database command execution, usually done via a command object, and instead of writing triggers you programmatically do the logging.
In your particular case, the latter approach seems more appropriate than triggers since triggers could fire when someone does DML on the database directly, or another interface instead of the web service. In which case there would be no request info to begin with.
While going through the openAm document I found that when a session is invalidated by admin, openAm notifies the agent about this, but suppose I have multiple copy of my application which are situated in geographically distributed location sitting behind a load balancer, how will the particular agent will be notified in case of a session invalidation happening, I guess sticky session wont help in this scenario as no request is going from my application side.
Every instance of your application has to be protected by an agent and ever agent has a separate agent profile where the unique notification URL has to be specified. Create an agent group and add all agents to that group, only keep the notification URL unique. If OpenAM can not reach the notification URLs , agents have to be configured in polling mode (minimal polling time ... one minute).