
Authorization of scheduled reports

A scheduled report contains information regarding its author. When it's time for the report to be printed and sent, the ASAB Pyppeteer microservice impersonates the author, ensuring the report is created from the specific user's perspective and access level.

To configure BS-Query (Exports), SeaCat Auth, and ASAB Pyppeteer correctly to allow complete communication between services, follow these steps:

1. ASAB Pyppeteer configuration

Make sure the ASAB Pyppeteer instance can access SeaCat Auth.

[seacat_auth]
url=http://localhost:3081

2. SeaCat Auth configuration

Make sure SeaCat Auth configuration allows creating machine-to-machine credentials.

[seacatauth:credentials:m2m:machine]
mongodb_uri=mongodb://localhost:27017
mongodb_database=auth

3. Create ASAB Pyppeteer Credentials

Refer to the user manual for instructions on creating and assigning credentials, resources, roles, and tenants.

First, create a resource authz:impersonate and a global role with this resource (named e.g. "impersonator").

Then, create new machine credentials with <pyppeteer_username> and <pyppeteer_password>, and assign them the "impersonator" role and the relevant tenants.

4. Enter the ASAB Pyppeteer credentials in the BS-Query configuration

[pyppeteer]
url=http://localhost:8895
username=<pyppeteer_username>
password=<pyppeteer_password>
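
The following pre-flight check is an added example, not part of the product documentation or the projects' own code. It reads the configuration fragments from steps 1, 2 and 4 and reports missing sections, empty keys and placeholders left unfilled. The service labels (`pyppeteer`, `seacat-auth`, `bs-query`), the sample hostname and username, and the warning on plain `http` to a non-loopback host are assumptions added here, not requirements stated on this page.

```python
import configparser
import re
from urllib.parse import urlsplit

# Sections and keys as shown in the steps above, keyed by a (hypothetical)
# label for the service whose configuration file should carry them.
REQUIRED = {
    "pyppeteer": {"seacat_auth": ["url"]},
    "seacat-auth": {"seacatauth:credentials:m2m:machine": ["mongodb_uri", "mongodb_database"]},
    "bs-query": {"pyppeteer": ["url", "username", "password"]},
}
PLACEHOLDER = re.compile(r"^<[^<>]+>$")  # e.g. <pyppeteer_username> left unfilled
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def check(service, text):
    """Return a list of findings for one service's configuration text."""
    # interpolation=None: a '%' in a password must not be treated as a reference.
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    findings = []
    for section, keys in REQUIRED[service].items():
        if not cfg.has_section(section):
            findings.append(f"{service}: missing [{section}]")
            continue
        for key in keys:
            value = cfg.get(section, key, fallback="").strip()
            if not value:
                findings.append(f"{service}: [{section}] {key} is empty or missing")
            elif PLACEHOLDER.match(value):
                findings.append(f"{service}: [{section}] {key} is still a placeholder")
            elif key == "url":
                u = urlsplit(value)
                # Added hardening check (assumption), not a product requirement.
                if u.scheme == "http" and u.hostname not in LOOPBACK:
                    findings.append(f"{service}: [{section}] url uses plain http to {u.hostname}")
    return findings


# Constructed sample: BS-Query fragment with a remote http URL and an unfilled password.
SAMPLE_BSQUERY = """
[pyppeteer]
url=http://pyppeteer.example.internal:8895
username=report-bot
password=<pyppeteer_password>
"""

if __name__ == "__main__":
    for finding in check("bs-query", SAMPLE_BSQUERY):
        print(finding)
```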

Warning

Be aware that ASAB Pyppeteer cannot impersonate a superuser. Therefore, a user with a superuser role cannot create scheduled reports unless they are explicitly assigned a role with the bitswan:report:access resource.