4 Replies Latest reply on Nov 14, 2018 8:05 PM by vkaufmann

    Authentication in Web API Batch Requests Using Service Account

    mrosiak

      I am using a service account to access PI AF using the Web API.  In my HTTP client batch request, I specify a user/password, but I suspect that the credentials aren't being passed along to each of the requests in the batch.  The account has full access to the AF database, and DisableWrites is False in the Web API configuration. I am attempting to do an Attribute Update (PATCH).

       

      When I examine the response, I see the error message: "Cannot complete the operation because the user does not have rights to write to Element 'A-123' with UniqueID ...

       

      Do I need to include the authentication in each request in the batch, and if so, what is the syntax for doing so?  Is there something else that may be amiss?

       

      Thanks!

      Mike

        • Re: Authentication in Web API Batch Requests Using Service Account
          mrosiak

          Adding on ... it appears as if it is using anonymous authentication, despite setting the authentication header to use basic with my service account's user/password.  If I change the user to something unknown, it behaves the same way, instead of sending back a generic http "Unauthorized" message.

            • Re: Authentication in Web API Batch Requests Using Service Account
              vkaufmann

              Hi Mike,

               

              Can you share the response from this endpoint on your PI Web API instance? Also, what version of PI Web API are you using?

               

              /piwebapi/system/configuration

               

              --Vince

                • Re: Authentication in Web API Batch Requests Using Service Account
                  mrosiak

                  I turned off anonymous authentication, as I saw in the documentation that this overrides the other methods.  I'm still running into the same issue though.  I know that the basic authentication service account is being used, because if I change the credentials, I get a 401 Unauthorized message on the parent batch request.

                   

                  Here is the configuration response:

                   

                  {

                  "AuthenticationMethods":
                  [
                  "Kerberos",

                   

                  "Basic"

                  ]
                  ,

                  "CorsExposedHeaders": "Allow,Content-Encoding,Content-Length,Date,Location",

                  "CorsHeaders": "content-type,requestverificationtoken,x-requested-with",

                  "CorsMethods": "GET,OPTIONS,POST",

                  "CorsOrigins": "",           // REDACTED //

                  "CorsSupportsCredentials": true,

                  "DisableWrites": false,

                  "EnableCSRFDefense": false,

                  "SearchBoosts":

                  [
                  1,

                   

                  0.8,

                  0.5,

                  0.5,

                  0.5,

                  0.5,

                  0.5

                  ]
                  ,

                  "SearchPointAttributes":

                  [
                  "pointsource",

                   

                  "instrumenttag",

                  "location1",

                  "exdesc"

                  ]
                  ,

                  "SearchScanInterval": 180,

                  "XFrameOptions": ""

                  }

                    • Re: Authentication in Web API Batch Requests Using Service Account
                      vkaufmann

                      Hi Mike,

                       

                      The authentication should only be needed with the initial POST of the batch request. I would take a look at the permissions of that specific element to confirm that you do in fact have permissions on it as they may deviate from what is recorded at the higher levels. Also what does the /piwebapi/system/userinfo report as the authenticated user? Does this match with what you think you are authenticating as? What is your version of PI Web API?

                       

                      --Vince