Authentication mechanism for Intelligent Data Store

Access to the Intelligent Data Store uses the security mechanisms as defined in IMPACT IoT.

Note:

Query APIs filter out any devices that the user does not have access to. This sometimes results in an empty result set even if the device data exist in Intelligent Data Store and is accessible to other tenants.

If authentication is successful, the user gets access to the user name, tenant ID, license validity, tenant hierarchy, and role details.

Authentication steps

Perform the following steps to authenticate the API users as a trusted and valid user.
Note: Valid users of IMPACT IoT with ids.user permissions are authorized in Intelligent Data Store.
  1. As a pre-requisite, ensure the IMPACT IoT administration servers are up and running.
  2. Create roles in IMPACT IoT.
    For example:
    • IDS_DATA role with ids.user permission to access data APIs.
    • IDS_RULE_MANAGER role with ids.ruleManage permission to access Rules engine APIs.
  3. Select the authentication scheme as Basic Authentication.
  4. Provide the user credentials to enable Basic authentication in the clients.
  5. Set the Basic authentication token in the Authorization header to validate the user when calling IMPACT IoT APIs.
  6. Assign the user with
    • Global-Admin role to use all (ADMIN, DATA, Rule Engine) APIs
    • IDS_DATA role to access DATA APIs
    • IDS_RULE_MANAGER role to use Rule Engine APIs
    • Tenant-admin role to use DATA and Rule Engine APIs
    Intelligent Data Store users are authenticated and authorized to use the APIs only when the details obtained from IMPACT IoT have the tenant information and the IDS headers are set in.

IMPACT IoT Rest APIs

  • http://<cdphost:port>/rest/me

    To fetch the user details so that the user trying to log in is present in CDP and has the tenant information.

  • http://<cdphost:port>/tenant/childrentenants

    To fetch the children tenants of the current user. This is used to validate whether the tenant information provided in the Intelligent Data Store tenant header is allowed to impersonate. The tenant must be in one of the allowed hierarchical tenant trees which is obtained from CDP.

Configurations

Configure helm in the values.yaml for IMPACT IoT URL.
authentication:
    idmUrl: "localhost:port"     # sample configuration à idmUrl: “cdp:8080”
Note:

Usage in cluster is to use the cdp:8080 service URL of CDP. http is not required.

Sample Intelligent Data Store Request

curl --location --request POST 'http://impact-connect-edge-01/ids-admin-api/v1/enterprises/' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic c3VwZXJhZG1pbjpzdXBlcmFkbWlu' \
--data-raw '{
    "group_name": "tempco",
    "keyspace_password": "Temp#$234",
    "keyspace_user": "tempco",
    "partitioning_policy": "DAY",
    "retention_period_in_days": 10
}'

Success Code

Response Code: 200

Error Code

400: Bad Request

401: Unauthorized

404: Not Found