Fusion Impersonation via a Service Account
To securely access Fusion via Appkit, a user has several options. They can either adopt Appkit’s Fusion security provider making use of session cookies to send repeated requests back to Fusion, or they can access Fusion via a service account if they are planning to use query pipelines. In this section, we describe how to set up the latter.
If a user wants to query Fusion through a pipeline by impersonating another user via a service account, they must first ensure such an account has been set up on the Fusion server. This account should have access rights to the required resources.
Query pipelines can have additional security filtering applied to ensure specific users do or do not have access to specific resources. This filtering can be set up by adding a Security Trimming stage to the query pipeline via the Fusion UI. The User ID key that is used in the security trimming stage to filter on results is supported in Appkit via the
user-id attribute, which is described in the next section.
To query Fusion using this approach, this attributes must be added to the platform
fusion.conf file in
impersonate: true userName: joebloggs password: password user-id: username
impersonate attribute informs Appkit that users will be querying Fusion pipelines via a service account. Below that, both the
userName and the
password are the credentials for the service account that Fusion will authenticate against. The last attribute
user-id is optional and by default takes the value of
username. This is the parameter that will be appended to the query string and filtered on in the security trimming stage. For example, the complete query URL might appear as: