7 Replies Latest reply on Mar 4, 2016 4:49 PM by kduffy

    PI Web Api-Error while calling batch api

    Arpit

      Hi All,
      I have configured PI Web Api 2015 R3 on a remote server but when i am trying to call batch api (GET Streamset/value call for multiple Webid's - to be more precise) from my machine, it is showing an error - Data writes are disabled in this service.
      Could it be because of the Read-Only configuration item set to true? if it is the case, what will be the impact on my pi points and their data and the remote server on which PI Web Api is configured if i change the Read-Only item to Read-Write in PI Web Api configuration?


      Kindly help!
      Thanks.

        • Re: PI Web Api-Error while calling batch api
          jyi

          Hi Arpit,

           

          This is by design. You need to look into the Configuration database> OSIsoft>PI Web API > System Configuration | DisableWrites.

           

          This needs to be set to False and as a checked configuration item. If else, please change this parameter and check-in.

           

          Best,

          Jin

          1 of 1 people found this helpful
            • Re: PI Web Api-Error while calling batch api
              Arpit

              Thanks Jinmo Yi for your reply!
              Now my concern is, if i set "DisableWrites" property to false, what will be the impact on my pi points data and the server on which PI Web Api is configured?

               

              Thanks.

                • Re: PI Web Api-Error while calling batch api
                  jyi

                  When set to false, PI Web API will get the service's write methods (POST, PUT, PATCH) enabled. However it does not mean anything to your PI Data Archives/ to your Points and to your PI Asset Framework servers.

                  Your WebAPI service still needs write access to each of your PI Points Data security, and write access to your attributes within AF structure.

                  2 of 2 people found this helpful
                  • Re: PI Web Api-Error while calling batch api
                    kduffy

                    Hi Arpit,

                     

                    To expand a bit on what Jinmo Yi and Balamurugan Veldurai are saying, if you disableWrites then the search crawler will not function, but you would be adding a layer of security to your data such that no one can use the PI Web API to change anything.

                     

                    With disableWrites set to false, you then use whatever security you have configured. If it's Kerberos or Basic, then the user credentials being sent still have to resolve to someone with permission to make the data write call that is being attempted. It's no different than if you had PI System Management Tools or PI System Explorer running as that user; if they don't have permission to write values there then they won't have permission to write them from the PI Web API.

                     

                    If your PI Web API is configured to use anonymous authentication, then we STRONGLY recommend you disable writes. At that point, anyone can change any data they want.

                     

                    Kelsey

                     

                    EDIT: It looks like your coworker Suganya posted the same thread here: Getting "Data writes are disabled in this service." error when calling batch API

                    It has a good response from Barry Shang, one of our development support engineers. You may want to read that one over too.

                    1 of 1 people found this helpful
                      • Re: PI Web Api-Error while calling batch api
                        Arpit

                        Well, coworkers helping out coworkers. couldn't get any better than this. Many thanks Kelsey Duffy and Barry Shang for your help.
                        What i have concluded from the thread is (please correct me if i am wrong) that if the authentication is set to Anonymous then DisableWrites has to be set to true, otherwise if it's basic or kerberos, there's no such threat to my PI System.. Right?
                        And one more thing i would like you to clarify, please excuse my lack of understanding here i am very new to PI Web API, now my authentication is basic (somehow i was not able to get kerberos working), so if i set DisableWrites as false, other users will still only be able to read the data from my PI Points but will not be able modify/have any other impact on the same.

                         

                        Thanks.

                          • Re: PI Web Api-Error while calling batch api
                            kduffy

                            Hi Arpit,

                             

                            No problem at all with "lack of understanding", that's what we're all here for

                             

                            First off, if your authenticationMethod is set to anonymous, DisableWrites isn't required to be true, but it's strongly recommended since you are no longer in control of who has write permissions to your PI system.

                             

                            If you're using Basic or Kerberos, it's not that there's no threat to the PI system, per se, it's that the permissions that a user has to change things using the PI Web API is the same permissions that this user has in PI System Management Tools, PI System Explorer, Excel macros, etc. It's just using their Windows credentials to see if they have access to make that specific change.

                             

                            When it's set to anonymous, someone not allowed to make changes using PI System Explorer now has permission to make changes using PI Web API. That's why we say Basic and Kerberos are recommended with DisableWrites set to false; they don't introduce a security hole like anonymous does.

                             

                            As for the last question: the settings for the PI Web API are global. Meaning, if you make disableWrites = false, then every connection allows writes. Every connection will be independently authenticated using the Windows credentials passed in the Basic or Kerberos call, so that user still has to have permissions to change things for the write call to work.

                             

                            The best method, in my opinion, is to set disableWrites=false in the WebAPI, use Basic (or Kerberos; if you need help getting that working, feel free to start another thread) authentication, and lock down the security at the PI AF Server/Database/Element/Attribute level and the PI Data Archive level. Then, all applications being used will have consistent permissions for each user.

                             

                            Lastly, it was noted in the other thread so I'll mention it here. The Batch execute action is treated as a POST command, regardless of what is contained within the batch. So even if all of the calls are GET commands, since it's coming in as a batch POST, it's treated as a write command, and it's blocked when in read-only mode. To get around this, you'll need to either allow writes, or break each of these commands into standalone GET commands.

                             

                            Kelsey

                            1 of 1 people found this helpful
                    • Re: PI Web Api-Error while calling batch api
                      bala

                      From the PI WEB API user guide :

                      PI Web API supports a read-only mode, whereby the ability to modify your PI System is completely disabled. This is especially desirable if PI Web API will be configured for Anonymous authentication.

                       

                      When the configuration item DisableWrites is set to true, only read access is enabled in PI Web API. The default setting is false. Read-only mode prevents the Indexed Search crawler from updating search indexes, which prevents Indexed Search from working properly.

                       

                      I am not sure why it throws Data writes are disabled in this service error for Get requests.

                      1 of 1 people found this helpful