10

We are currently using basic authentication in our python connectors to SAP HANA. In our current connection string, we use SQLAlchemy and it looks something like this:

def get_engine(host_name):
    return create_engine('hana://{user}:{password}@{host_name}:{port}/HUP'.format(
        user=request.json['username'],
        password=base64.b64decode(bytes(request.json['password'], encoding='utf-8')).decode('utf-8'),
        host_name=host_name,
        port=current_app.config['HANA_PORT']
    )
    )

We now need to transition into using HANA Oauth so it's no longer necessary to input the username and password into the connection string. Ideally, there should be a way to input the JWT into the connection details. I can't find much in the way of resources online that really illustrate how to create a Python based connector with HANA that uses Oauth. Any help here would be greatly appreciated.

Sandra Rossi
  • 11,934
  • 5
  • 22
  • 48
Riley Hun
  • 2,541
  • 5
  • 31
  • 77

1 Answers1

4

I set it up like so..

Using the lib. below -- you will need to pass those attributes from the Identity Provider (IdP) to the Database. Your json config via xs-security will allow for scope of permissions.

  1. First download the Python: sap_xssec lib. It should allow you to get at attributes for JWT token.

  2. Second, setup your Service & security

//import these lib. after downloading
from sap import xssec
from cfenv import AppEnv

// get your env.
myEnv = AppEnv()
// get your UAA service
myService = myEnv.get_service(name='<uaa_service_name>').credentials 
// now your JWT access token for
contextWithAccessToken = xssec.create_security_context(access_token, myService)

Next configure your xs-security file

Example xs-security.json File
{
  "xsappname" : "node-hello-world", 
  "scopes"     : [ { 
                    "name" : "$XSAPPNAME.Display", 
                    "description" : "display" }, 
                   { 
                    "name" : "$XSAPPNAME.Edit", 
                    "description" : "edit" }, 
                   { 
                    "name" : "$XSAPPNAME.Delete", 
                    "description" : "delete"  } 
                 ], 
  "attributes" : [ { 
                    "name" : "Country", 
                    "description" : "Country", 
                    "valueType" : "string" }, 
                   {
                    "name" : "CostCenter", 
                    "description" : "CostCenter", 
                    "valueType" : "int" } 
                 ], 
  "role-templates": [ { 
                       "name"                : "Viewer", 
                       "description"         : "View all books", 
                       "scope-references"    : [ 
                                               "$XSAPPNAME.Display" ], 
                       "attribute-references": [ "Country" ]  
                      }, 
                      {
                       "name"                : "Editor", 
                       "description"         : "Edit, delete books", 
                       "scope-references"    : [ 
                                               "$XSAPPNAME.Edit", 
                                               "$XSAPPNAME.Delete" ], 
                       "attribute-references" : [ 
                                                "Country", 
                                                "CostCenter"] 
                      } 
                     ] 
}

// Get the user values ready for your env. XS_APPLICATIONUSER or $env.user.value

  1. Setup you @sap/hana-client call With the connection.session.XS_APPLICATIONUSER = <JWT TOKEN>;

  2. Dont forget to setup sap-jwt/py-jwt library for validation of the jwt token

Just set

USE_SAP_PY_JWT = true

You are done!

Transformer
  • 6,963
  • 2
  • 26
  • 52