Broker principal config setting

The Itential Platform supports building principal objects via broker calls to a local AAA adapter. The brokerPrincipal configuration setting can be found within the authenticationProps of an active profile. It allows an AAA adapter to define a buildPrincipal function — that is, to create principal objects — instead of the Session Manager module.

Sample profile schema for brokerPrincipal

    "brokerPrincipal": {
      "$id": "#/properties/authenticationProps/properties/brokerPrincipal",
      "type": "boolean",
      "description": "When brokerPrincipal is set to true, the AAA adapter will be responsible for creating a principal.",
      "title": "Broker Principal",
      "default": false,
      "examples": [false]
    }

Use the broker principal setting

To use this feature when developing a custom auth adapter:

1. Add the buildPrincipal function to your Local AAA adapter

Add the following code at the end of the file before the export statement, and change the console log level to debug.

    const buildAnonymousPrincipal = function () {
      return {
        id: 9999,
        provenance: 'Pronghorn',
        username: 'anonymous',
        firstname: 'anonymous',
        groups: [],
        roles: [],
        allowedMethods: [],
        allowedViews: [],
        routes: [],
      };
    };

    /**
     * Make sure a principal is stashed in redis
     * @param {string} accountId
     * @param {function} callback - called with the principal object
     */
    local_aaa.prototype.buildPrincipal = async function (accountId, callback) {
      // Simulate a slow principal build (3-second delay) so the call shows up in the logs.
      const promised = new Promise((resolve, reject) => {
        console.log('START!');
        setTimeout(() => {
          console.log('I did a thing to build principal');
          resolve();
        }, 3000);
      });

      await promised;
      callback(buildAnonymousPrincipal());
    };

2. Restart Itential Platform

Restart Itential Platform with the code changes.

3. Log in as admin

Log in to Itential Platform as admin.

5. Enable broker principal

Check the Broker Principal box and save the profile.

6. Restart and verify

Restart Itential Platform, then log in as admin. Upon login, you should have no permissions, as you are using the equivalent of an anonymous principal. This confirms the local AAA adapter buildPrincipal function is being called.
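
The stub in the procedure above always returns the anonymous principal. The following is an added example, not Itential's code, of a buildPrincipal that resolves real accounts but fails closed to that same zero-permission principal whenever the lookup fails or the account is unknown. The in-memory directory, the group-to-role map, the role name, and the lookupAccount and toPrincipal helpers are assumptions; the callback receives the principal as its only argument, as in the stub.

```javascript
'use strict';

// Constructed sample data: accounts, groups and role names are hypothetical.
const DIRECTORY = new Map([
  ['acct-1', { id: 1, username: 'alice', firstname: 'Alice', groups: ['netops'] }],
  ['acct-2', { id: 2, username: 'bob', firstname: 'Bob', groups: ['unmapped'] }],
]);
// A Map (not a plain object) so group names like "constructor" cannot hit the prototype.
const GROUP_ROLES = new Map([['netops', ['WorkflowRunner']]]);

// Same zero-permission shape as the page's buildAnonymousPrincipal.
const buildAnonymousPrincipal = () => ({
  id: 9999, provenance: 'Pronghorn', username: 'anonymous', firstname: 'anonymous',
  groups: [], roles: [], allowedMethods: [], allowedViews: [], routes: [],
});

// Map a directory record to a principal; a missing or malformed record is anonymous.
function toPrincipal(account) {
  if (!account || typeof account.username !== 'string' || !Array.isArray(account.groups)) {
    return buildAnonymousPrincipal();
  }
  const roles = account.groups.flatMap((g) => GROUP_ROLES.get(g) || []);
  return {
    ...buildAnonymousPrincipal(),
    id: account.id,
    username: account.username,
    firstname: account.firstname,
    groups: [...account.groups],
    roles: [...new Set(roles)],
  };
}

// Stand-in for the real directory call (assumption); rejects on a malformed id.
async function lookupAccount(accountId) {
  if (typeof accountId !== 'string' || accountId === '') throw new Error('bad account id');
  return DIRECTORY.get(accountId) || null;
}

// Same signature as the page's buildPrincipal: any lookup failure yields anonymous.
async function buildPrincipal(accountId, callback) {
  let principal = buildAnonymousPrincipal();
  try {
    principal = toPrincipal(await lookupAccount(accountId));
  } catch (err) {
    console.error(`buildPrincipal: lookup failed, using anonymous: ${err.message}`);
  }
  callback(principal);
  return principal;
}
```

Because the adapter becomes the only source of roles and groups once Broker Principal is enabled, every error path here ends in the empty principal rather than in a partially populated one.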