Use a proxyuser to run a ViPR REST API script
This article applies to EMC ViPR 2.0.
The proxy token feature allows a user to retrieve a persistent security token from ViPR, then pass that token to a special user called proxyuser, who runs the script. The proxyuser is a built-in user in ViPR. This user has the PROXY_USER role, and is the only ViPR user that can have that role.
The proxyuser cannot perform any security-related operations. For example, the proxyuser cannot register an authentication provider or assign roles to a user. The proxyuser is best used for monitoring and provisioning operations.
Before you begin
You can use a proxy token from a built-in user, such as root, or from a user in your authentication provider repository who is mapped to a tenant in ViPR.
The EMC ViPR REST API Reference provides a description and complete list of parameters for the REST API methods used in this article.
The examples in this section are written in curl, and formatted for readability.
Authenticate with the ViPR REST API provides examples of authentication without cookies and additional information concerning authentication with cookies.
ViPR delivers a standard ViPR authentication token. (This token has an 8-hour timeout.)
- Retrieve your user’s proxy token. Each ViPR user has one – and only one – proxy token.
The user's proxy token is contained in the header X-SDS-AUTH-PROXY-TOKEN.
- Schedule your script to run, say, once every 12 hours. You can use standard scheduling software provided by your platform operating system to do this. For example, cron is available for most Linux workstations.
- Pass the proxy token - X-SDS-AUTH-PROXY-TOKEN - for your user to the proxyuser. How you do this is specific to your application. One method is to save the token to a file that is accessible by the proxyuser.
- Authenticate the proxyuser with the ViPR REST API.
The authentication token for the proxyuser is contained in the header X-SDS-AUTH-TOKEN.
- Run the REST calls in the script using the X-SDS-AUTH-TOKEN for the proxyuser, and your user's proxy token. In this example, a GET /user/whoami request is sent.
As this example shows, even though the authentication token for the proxyuser was passed with the REST call, the script is actually being run as the user whose proxy token was passed in with the request, email@example.com. The proxy token does not age out. The script can run repeatedly for an indefinite amount of time.
If a non built-in user no longer exists in the authentication provider repository when ViPR is re-validating their proxy token, then that proxy token is automatically deleted by ViPR.
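Because the proxy token does not age out, the file used to hand it to the script is a long-lived credential. The following is an added example, not code from the original article or from EMC, showing one way to store and read that file safely and to send both headers with the `GET /user/whoami` call. The function names, the token file path, and the base URL are hypothetical, and it assumes the OS account that runs the scheduled script owns the token file.

```bash
#!/usr/bin/env bash
# Added example: function names and paths are hypothetical, not from the article.

# Write the proxy token to a file only the owning OS account can read.
save_proxy_token() {
    local token=$1 file=$2 tmp
    tmp=$(umask 077; mktemp "${file}.XXXXXX") || return 1
    # Write to a private temp file, then rename so readers never see a partial file.
    printf '%s\n' "$token" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$file"
}

# Print the stored token, but only if the file is still private.
load_proxy_token() {
    local file=$1 perms token
    perms=$(ls -ln -- "$file" 2>/dev/null | cut -c1-10)
    # Reject symlinks, other owners, and any group/world permission bits.
    if [ "$perms" != "-rw-------" ] || [ ! -O "$file" ]; then
        echo "refusing $file: need a regular file, mode 0600, owned by this account" >&2
        return 1
    fi
    IFS= read -r token < "$file" && [ -n "$token" ] && printf '%s\n' "$token"
}

# Build curl config lines carrying both headers named in the article.
vipr_curl_config() {
    printf 'header = "X-SDS-AUTH-TOKEN: %s"\n' "$1"        # proxyuser's auth token
    printf 'header = "X-SDS-AUTH-PROXY-TOKEN: %s"\n' "$2"  # your user's proxy token
}

# Send GET /user/whoami; headers go through stdin so they stay out of `ps` output.
# base_url is an assumption, e.g. https://vipr.example.com
vipr_whoami() {
    local base_url=$1 auth_token=$2 token_file=$3 proxy_token
    proxy_token=$(load_proxy_token "$token_file") || return 1
    vipr_curl_config "$auth_token" "$proxy_token" |
        curl --silent --show-error --fail --config - "$base_url/user/whoami"
}
```

If `load_proxy_token` refuses the file, treat the proxy token as exposed rather than just resetting the file mode.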