API Connect

  • 1.  Context variable or policy to get authenticated ldap user

    Posted Wed April 06, 2022 08:45 AM

    In version 10.0.1.6 IBM added an APAR (https://www.ibm.com/support/pages/apar/IT38254) that sanitizes the authorization header before sending it to the analytics endpoint. It is good that sensitive information like credentials is not visible in analytics, but we would like to see the username information.

    I do not find any context variable storing this information. Does anyone have any idea on how to get the authenticated user for the requests into analytics?



    ------------------------------
    Arjun Pilli
    API Specialist
    DSV
    Johannesburg
    +27 0840611655
    ------------------------------


  • 2.  RE: Context variable or policy to get authenticated ldap user

    Posted Mon May 02, 2022 11:25 AM
    Hi @Arjun Pilli - did you mean to post this in the DataPower group?


    ------------------------------
    Jina K
    ------------------------------



  • 3.  RE: Context variable or policy to get authenticated ldap user

    Posted Tue May 03, 2022 04:29 PM
    Edited by Steve Linn Tue May 03, 2022 04:30 PM

    Hi Arjun,

    The authorization request header may be sanitized in the APIC analytics data, but within the API, it is still in the request headers.  To test, I did a simple GatewayScript in my API and enabled the GatewayScript debugger:

    1:let auth = context.get('request.headers.authorization');
    =>2:debugger;
    (debug) p auth
    Basic bXl1aWQ6bXlwd2Q=

    (debug) p Buffer.from(auth.slice(6), 'base64').toString()
    myuid:mypwd

    Regards,

    Steve



    ------------------------------
    Steve Linn
    Senior Consulting I/T Specialist
    IBM
    ------------------------------



  • 4.  RE: Context variable or policy to get authenticated ldap user

    Posted Wed May 04, 2022 02:38 AM

    Thank you Steve,

     

    If I understand correctly, I will need to extract the username in the APIs and send it to analytics, right? If we want the username in logs?

     

    Best regards,
     
    Arjun Pilli, External, API Specialist

    EXT.Arjun.Pilli@dsv.com  |  Office +27 102480076  |  Mobile +27 0840611655  |  www.dsv.com

     






  • 5.  RE: Context variable or policy to get authenticated ldap user

    Posted Thu May 05, 2022 12:57 PM
    Logging that part would not be possible in Analytics; what you can do is create a specific log target for this, and also a transaction-id log. You can log it to DataPower logs.

    ------------------------------
    Jayprakash Yadav
    ------------------------------



  • 6.  RE: Context variable or policy to get authenticated ldap user

    Posted Thu May 05, 2022 02:10 PM

    Hi Arjun,

    In API Connect v10 you have a lot more control over the analytics record than you did in v5. You can provide a log action on your assembly which will populate within the API Gateway context the log data (i.e., context.log) with the current analytics record based upon your activity-log settings (activity, headers, payload). You can then add your custom data using a GatewayScript policy by updating the context.log object to contain your custom data, in this case, the username. From my discussion with the analytics developer, if you only want to see this in your analytics data, that's all there is to it. If you wanted to search your analytics data based on this custom property, that would require what was described as a "hacky and not recommended" process today, although an enhancement is on the books to allow a "custom" element which would be indexed and query-able. No commitment on when that will be implemented or exactly what it will look like, but perhaps you might add a property named "custom", i.e., context.log.custom, and within that object, add your userid.

    Regards,

    Steve



    ------------------------------
    Steve Linn
    Senior Consulting I/T Specialist
    IBM
    ------------------------------
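
The approach from posts 3 and 6 combined, as an added example that is not code from the thread or from IBM: a GatewayScript policy, placed after the log action, that decodes the Basic Authorization header and records only the user id, so the password never reaches the analytics record. The helper names `basicAuthUser` and `addUserToLog` and the `userid` field are hypothetical, and writing to `log.custom` with `context.set` is an assumption based on the `context.log.custom` suggestion in post 6.

```javascript
'use strict';

// Return only the user id from an HTTP Basic Authorization header value,
// or null if the header is missing, not Basic, or malformed.
// The password part is discarded here so it cannot reach a log record.
function basicAuthUser(header) {
  if (typeof header !== 'string') return null;
  const m = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(header.trim());
  if (!m) return null;                      // other scheme or invalid base64 text
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');         // split on the FIRST colon only:
  if (sep <= 0) return null;                // passwords may contain ':', user ids may not
  return decoded.slice(0, sep);
}

// ctx is any object with get/set, such as the gateway's context object.
// 'log.custom' and 'userid' are assumed names, following post 6.
function addUserToLog(ctx) {
  const user = basicAuthUser(ctx.get('request.headers.authorization'));
  if (user !== null) {
    ctx.set('log.custom', { userid: user });
  }
  return user;
}

// Inside a GatewayScript policy the global `context` exists; under plain
// Node.js it does not, and this call is skipped.
if (typeof context !== 'undefined') {
  addUserToLog(context);
}
```
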