Solved: REST API query is not aligned with SAS Viya credentials

idziemianczyk · Posted 02-17-2021 06:34 AM

The problem:

I can't create jobDefinition using REST Api in the location without direct credentials.

What we have:

Folder: dataprep

User: Ivan Dziemianczyk

User group: D_ACT_DataBuilders

Scenario 1.

User "Ivan Dziemianczyk" is a member of group D_ACT_DataBuilders. Each "dot" has direct Grant permission. There are no prohibit permission, so there are no other groups to overwrite the credentials

Using SASJobExecution I can create and modify the Job. Everything looks good.

Scenario 2. The same permission as Scenario 1.

When I try to add Job to a folder using REST Api I have ERROR:

POST https://<server_name>/jobDefinitions/definitions?parentFolderUri=<folder_uri>

Header:

Content-Type: application/vnd.sas.job.definition+json

Accept: application/vnd.sas.job.definition+json

Authorization: Bearer eyJhbGciOiJSUzI1Ni…

Body:

{

"version":2,

"name":"Simple proc print4",

"description":"Show the contents of sashelp.class using PROC PRINT",

"type":"Compute",

"parameters":[

{

"version": 1,

"name": "_contextName",

"defaultValue": "SAS Job Execution compute context",

"type": "CHARACTER",

"label": "Context Name",

"required": false

}

],

"code":"ods html style=HTMLBlue;\nproc print data=sashelp.class; run; quit;\nods html close;"

}

Response:

{
    "errorCode": 0,
    "message": "Unable to add job definition to parent folder. Http status: 403.",
    "details": [
        "correlator: 6d35216d-8113-464f-9091-fa8e1b1df6d5",
        "traceId: 7c188723adc0f193",
        "path: /jobDefinitions/definitions"
    ],
    "errors": [
        {
            "errorCode": 403,
            "details": [
                "path: /folders/folders/cc993804-82e2-477c-ad4e-d5039a441554/members"
            ],
            "links": [],
            "version": 2,
            "httpStatusCode": 403
        }
    ],
    "links": [],
    "version": 2,
    "httpStatusCode": 400
}

Scenario 3. The same permission as Scenario 1 + extra direct access to user "Ivan Dziemianczyk" to "Add(convey)" to the folder dataprep.

When we expand this dot we can see the same "Grant" access from 2 groups + 1 direct access.

After assigning direct credentials to user and run the same POST query from Scenario 2 the Job created properly.

Response

{
    "creationTimeStamp": "2021-02-17T11:09:44.677Z",
    "modifiedTimeStamp": "2021-02-17T11:09:44.677Z",
    "createdBy": "dki",
    "modifiedBy": "dki",
    "version": 2,
    "id": "96be9f78-0c7c-4d3d-a138-b04fcd55fa2d",
    "name": "Simple proc print7",
    "description": "Show the contents of sashelp.class using PROC PRINT",
    "type": "Compute",
    "parameters": [
        {
            "version": 1,
            "name": "_contextName",
            "defaultValue": "SAS Job Execution compute context",
            "type": "CHARACTER",
            "label": "Context Name",
            "required": false
        }
    ],
    "code": "ods html style=HTMLBlue;\nproc print data=sashelp.class; run; quit;\nods html close;",
    "links": [
        {
            "method": "GET",
            "rel": "self",
            "href": "/jobDefinitions/definitions/96be9f78-0c7c-4d3d-a138-b04fcd55fa2d",
            "uri": "/jobDefinitions/definitions/96be9f78-0c7c-4d3d-a138-b04fcd55fa2d",
            "type": "application/vnd.sas.job.definition"
        },
        {
            "method": "GET",
            "rel": "alternate",
            "href": "/jobDefinitions/definitions/96be9f78-0c7c-4d3d-a138-b04fcd55fa2d",
            "uri": "/jobDefinitions/definitions/96be9f78-0c7c-4d3d-a138-b04fcd55fa2d",
            "type": "application/vnd.sas.summary"
        },
        {
            "method": "PUT",
            "rel": "update",
            "href": "/jobDefinitions/definitions/96be9f78-0c7c-4d3d-a138-b04fcd55fa2d",
            "uri": "/jobDefinitions/definitions/96be9f78-0c7c-4d3d-a138-b04fcd55fa2d",
            "type": "application/vnd.sas.job.definition",
            "responseType": "application/vnd.sas.job.definition"
        },
        {
            "method": "DELETE",
            "rel": "delete",
            "href": "/jobDefinitions/definitions/96be9f78-0c7c-4d3d-a138-b04fcd55fa2d",
            "uri": "/jobDefinitions/definitions/96be9f78-0c7c-4d3d-a138-b04fcd55fa2d"
        }
    ],
    "properties": []
}

I repeated the same steps a few times and the result is the same. I can't create Job using REST Api without direct "Add(convey)" access.

Do you have any ideas what could be wrong and why it happens?

The goal to use REST API without direct access to a folder.

Regards,

Ivan

gwootton · Posted 02-17-2021 09:37 AM

I mentioned this in response to your other topic, but this is likely because of the scope defined for the client used to get your authentication token.

https://communities.sas.com/t5/Administration-and-Deployment/Copy-Job-Definition-using-REST-API-or-C...

If the scope isn't * or specifies the group granting permission to the folder, it won't be included in the token, so permissions honored will only be those directly assigned to the user (like those of My Folder).

You can do a GET on {{baseurl}}/SASLogon/oauth/clients/{client-id} to see the scope. For example, here's the output from my client named "app":

{
    "scope": [
        "openid",
        "*"
    ],
    "client_id": "app",
    "resource_ids": [
        "none"
    ],
    "authorized_grant_types": [
        "password",
        "refresh_token"
    ],
    "autoapprove": [],
    "access_token_validity": 36000,
    "authorities": [
        "uaa.none"
    ],
    "lastModified": 1605891337791,
    "required_user_groups": []
}

--
Greg Wootton | Principal Systems Technical Support Engineer

View solution in original post

gwootton · Posted 02-17-2021 09:37 AM

I mentioned this in response to your other topic, but this is likely because of the scope defined for the client used to get your authentication token.

https://communities.sas.com/t5/Administration-and-Deployment/Copy-Job-Definition-using-REST-API-or-C...

If the scope isn't * or specifies the group granting permission to the folder, it won't be included in the token, so permissions honored will only be those directly assigned to the user (like those of My Folder).

You can do a GET on {{baseurl}}/SASLogon/oauth/clients/{client-id} to see the scope. For example, here's the output from my client named "app":

{
    "scope": [
        "openid",
        "*"
    ],
    "client_id": "app",
    "resource_ids": [
        "none"
    ],
    "authorized_grant_types": [
        "password",
        "refresh_token"
    ],
    "autoapprove": [],
    "access_token_validity": 36000,
    "authorities": [
        "uaa.none"
    ],
    "lastModified": 1605891337791,
    "required_user_groups": []
}

--
Greg Wootton | Principal Systems Technical Support Engineer

REST API query is not aligned with SAS Viya credentials

Re: REST API query is not aligned with SAS Viya credentials

Re: REST API query is not aligned with SAS Viya credentials