jwmurphy

Pinned topic Performing a search via REST or SOAP API

‏2013-10-15T21:10:39Z |

Trying to federate DE search results into another interface to merge with search results from another engine. Is there any way we can perform a search on behalf of a user, either using REST or SOAP? (i.e. a search for results allowed for User A, when we are authenticated as User B, assuming that User B has sufficient authority).

  • bruce,adams

    Re: Performing a search via REST or SOAP API

    ‏2013-10-17T13:56:25Z  

    Data Explorer Engine provides several mechanisms for issuing queries. See Integrating Data Explorer Engine with Other Software for a good starting point in the documentation.

    One mechanism is the Data Explorer Engine API. The same API is available via either REST or SOAP. The main search API function is query-search; see Data Explorer Engine API Reference for the query-search function. query-search has an optional parameter authorization-rights:

    • string authorization-rights - Newline-separated list of security groups (the target collections are expected to have ACLs using the same groups).

    To use the authorization-rights parameter, the caller must gather all of the relevant group memberships for the end user.
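
The authorization-rights value described in the reply above, built from a user's group list (an added example, not part of the original post and not IBM's code). The function names, the `query` parameter name and the sample groups are assumptions; only `query-search` and `authorization-rights` come from the thread.

```python
from urllib.parse import urlencode


class GroupNameError(ValueError):
    """Raised when a group list cannot be turned into a safe rights value."""


def build_authorization_rights(groups):
    """Join group names into the newline-separated authorization-rights value.

    Each line of the value is one group, so a name that itself contains a
    line break would add extra groups to the list. Such names are rejected
    rather than cleaned up.
    """
    seen, rights = set(), []
    for group in groups:
        if not isinstance(group, str):
            raise GroupNameError(f"non-string group: {group!r}")
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in group):
            raise GroupNameError(f"control character in group: {group!r}")
        name = group.strip()
        if not name:
            raise GroupNameError("empty group name")
        if name not in seen:  # drop duplicates, keep first-seen order
            seen.add(name)
            rights.append(name)
    if not rights:
        # Fail closed: the thread does not say what the engine does when the
        # optional parameter is absent, so no request is built without rights.
        raise GroupNameError("no groups resolved for this user")
    return "\n".join(rights)


def build_query_search_params(query, groups):
    """Return the URL-encoded parameters for a query-search call.

    "query" is an assumed parameter name; "authorization-rights" is the
    parameter named in the thread. The endpoint and the caller's own
    credentials are deployment-specific and left out.
    """
    return urlencode({
        "query": query,
        "authorization-rights": build_authorization_rights(groups),
    })
```

The group list should come from a lookup the calling service performs itself against the systems that hold the ACLs, never from values supplied by the end user's browser.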

  • jwmurphy

    Re: Performing a search via REST or SOAP API

    ‏2013-10-21T15:40:26Z  

    Posted on behalf of Richard Knott / Huron Consulting

    Is there a way I can query DataExplorer for the user's group memberships? It's a complex source, so getting the groups list isn't as easy as pulling it out of AD.
    Thanks

    Richard Knott

    Manager

  • bruce,adams

    Re: Performing a search via REST or SOAP API

    ‏2013-10-21T18:59:07Z  

    No. Data Explorer Engine depends on external systems for user authorizations. When the external systems are complex, then the DE Engine setup for authorization is also complex. DE Engine is not designed to provide authorization information via its APIs.

    User queries to DE Engine typically come through a single sign-on system (such as Tivoli Access Manager or CA SiteMinder) which provides authentication and (at least some) authorizations. Might your use of DE Engine be able to impersonate a user into whatever single sign-on system you have in place? By impersonating the user, the normal DE Engine security mechanisms will be used.

    (Queries to DE Engine can specify that they want a simple XML response instead of a formatted web page. Your client application can probably consume XML fairly easily.)

  • RKnott

    Re: Performing a search via REST or SOAP API

    ‏2013-10-22T11:05:30Z  

    Unfortunately the system I'm using is multi-tier, and uses its own security tokens rather than passing the user's sign-on to the backend services. This token will contain the user's Windows logon ID and their group memberships from the systems it deals with, not the systems DE is dealing with.

    So how does DE do it with its front end? When the user clicks search, it will have the user's logon userID and the search criteria; how does it then get the authorization-rights to pass this to the index?

    Thanks

  • bruce,adams

    Re: Performing a search via REST or SOAP API

    ‏2013-10-22T13:59:30Z  

    DE Engine has its own configuration language, really a programming language, based on XML and XSL.

    The main way that DE Engine gathers a user's group memberships is through an authentication macro, which is documented in this large page Data Explorer Engine Management. The authentication macro can do whatever it needs to. Typically it looks at HTTP headers set by the single sign-on system for the user id and group memberships. In more complex environments, the authentication macro also queries one or more systems for the user's group memberships.

    For some source content systems, usable group information is not available and Data Explorer has to check user access rights for some documents at search time. Internally, Data Explorer first gathers an unrestricted set of search results, then for each document, asks the source content system if the current user is permitted to see the document.

  • RKnott

    Re: Performing a search via REST or SOAP API

    ‏2013-10-24T13:20:13Z  

    Hmmm.

    Ok, so maybe we can add a macro like the example in the document to achieve this. I used to work with the HP Autonomy Worksite integration to DataExplorer a few years ago and could use that as a template.

    <macro name="authentication">
      <call-function name="authenticate-user-without-password">
        <with name="username">
          <value-of select="viv:str-to-lower(viv:value-of('REMOTE_USER','env'))"/>
        </with>
      </call-function>
    </macro>
    
    Thanks
    
  • bruce,adams

    Re: Performing a search via REST or SOAP API

    ‏2013-10-24T13:47:47Z  

    Yes. Something along these lines should work. You'll want to be sure that some other security mechanisms are in place around the instance of Data Explorer with this kind of authentication setup. You don't want an arbitrary user to be able to impersonate any other user for searching. One possible mechanism would be a network firewall limiting where search requests can come from.
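
The restriction suggested in the last reply, written as the check a front tier could apply before a request carrying an asserted user name is passed to the Data Explorer instance (an added example, not part of the thread and not Data Explorer code). The network range, function names and sample requests are constructed.

```python
import ipaddress

# Constructed: the only networks allowed to assert a user name for searching.
TRUSTED_FRONT_ENDS = [ipaddress.ip_network("10.20.30.0/28")]


def resolve_search_user(peer_addr, asserted_user, trusted=TRUSTED_FRONT_ENDS):
    """Return the user name to search as, or None if the assertion is refused.

    peer_addr must be the TCP peer address seen by the server, not a value
    the client can set itself (for example an X-Forwarded-For header).
    """
    try:
        peer = ipaddress.ip_address(peer_addr)
    except ValueError:
        return None
    if not any(peer in net for net in trusted):
        return None  # request did not come from the trusted tier
    if not isinstance(asserted_user, str):
        return None
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in asserted_user):
        return None  # control characters never belong in a user name
    user = asserted_user.strip()
    # Lower-case the name, as the macro in the thread does with viv:str-to-lower.
    return user.lower() if user else None


def audit(requests, trusted=TRUSTED_FRONT_ENDS):
    """Split (peer_addr, asserted_user) pairs into accepted users and refusals."""
    accepted, refused = [], []
    for peer_addr, user in requests:
        resolved = resolve_search_user(peer_addr, user, trusted)
        if resolved is None:
            refused.append((peer_addr, user))  # worth logging and alerting on
        else:
            accepted.append(resolved)
    return accepted, refused


SAMPLE_REQUESTS = [  # constructed
    ("10.20.30.5", "ALICE"),     # trusted tier, name normalised to "alice"
    ("10.20.30.77", "alice"),    # same /24 but outside the /28
    ("192.0.2.10", "bob"),       # unrelated network
    ("10.20.30.2", "  "),        # trusted tier but no user name
    ("not-an-address", "carol"),
]
```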