True !!
Great article - thanks for putting it together..!
I've been trying something similar but with a different approach. I start with an application idea, using Figma to mock it up, then something like Replit to build the front end with mock data and mock API backend.
Once built, I asked AI to generate a swagger spec for all APIs, which I then import into IRIS to generate the .disp,.impl and .spec classes.
The backend logic I then did myself, but I can see how if I persisted, I could have used AI for that too.
My project was to build an app that selected patients from the backend database, and existing observations on file, plotting their values over time.
I found my issue, which was unrelated to JWT but related to a security check imposed in my Dispatch class. The privilege check there does not (rightly so) insert an entry in the Security audit log.
All good now.
David,
In your example above - does the user 'APIUser' have any other privileges other than those needing to read/write to the underlying database(s) of the namespace the application is tied to? Can you confirm that user does not carry %All?
I'm finding I am missing some permissions, and only users with %All can get to subsequent API calls - but the Security Audit Log does not report any errors - I just get a 401. There is something failing for me in the CSP plumbing which is decrypting the token on the way in and setting up the user context - my dispatch class code is not invoked.
Have you encountered this or have any low-level debugging tips?
Thanks -
Happy Birthday DC !!
Thank you for all the articles, posts, comments, contests and code...
What a great asset..I don't know where we'd be without you
Thanks for this article.
I struggled to discover the rsa PUBLIC KEY, to add to my IAM Consumer, when the OAuth server was an IRIS OAuth Server. This is what I did:
I invoked the IRIS OAuth Server's jwks_uri, to retrieve the JWKS's in a browser. (the url will typically be by default, the IRIS OAuthServer issuer endpoint followed by /jwks).
You will see a list of keys, in the jwks collection returned. I was after the RSA 256 key, mine was located as the first json object in the collection and looked (in my case) something like this (which I abbreviated for this post):
I imported this JSON object into a %DynamicObject, (represented by jsonJWK variable below) and called the function to convert this to an RSA Public key:
The variable out, populated by the function above, was the RSA Public key I needed to add into IAM.
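The same conversion outside IRIS, as an added example (not the poster's code and not the IRIS function referred to above): it picks the RSA signing key from a JWKS by its `kty`/`alg`/`use` fields rather than by position and encodes it as a PEM public key. The JWKS below is constructed with a made-up modulus, and the function names are this example's own.

```python
import base64

def b64url_to_int(text):
    # JWK members are unpadded base64url; restore the padding before decoding.
    raw = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    return int.from_bytes(raw, "big")

def der_tlv(tag, content):
    """DER tag-length-value; lengths of 128 or more use the long form."""
    size = len(content)
    if size < 0x80:
        length = bytes([size])
    else:
        body = size.to_bytes((size.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def der_int(value):
    # One extra leading byte keeps the INTEGER positive and minimal.
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

# AlgorithmIdentifier: OID 1.2.840.113549.1.1.1 (rsaEncryption) + NULL
RSA_ALG_ID = der_tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))

def select_rsa_key(jwks, alg="RS256"):
    """Pick the RSA signing key by its fields, not by its position."""
    for key in jwks.get("keys", []):
        if (key.get("kty") == "RSA" and key.get("alg", alg) == alg
                and key.get("use", "sig") == "sig"):
            return key
    raise LookupError("no RSA signing key for " + alg)

def jwk_to_pem(jwk):
    if jwk.get("kty") != "RSA" or "d" in jwk:
        raise ValueError("expected a public RSA JWK without private members")
    rsa_key = der_tlv(0x30, der_int(b64url_to_int(jwk["n"]))
                      + der_int(b64url_to_int(jwk["e"])))
    spki = der_tlv(0x30, RSA_ALG_ID + der_tlv(0x03, b"\x00" + rsa_key))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

# Constructed sample: made-up 2048-bit modulus, not a real key.
SAMPLE_N = ((1 << 2047) | 12345).to_bytes(256, "big")
SAMPLE_JWKS = {"keys": [
    {"kty": "EC", "crv": "P-256", "kid": "constructed-ec", "x": "AA", "y": "AA"},
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "constructed-rsa",
     "n": base64.urlsafe_b64encode(SAMPLE_N).rstrip(b"=").decode(), "e": "AQAB"}]}

if __name__ == "__main__":
    print(jwk_to_pem(select_rsa_key(SAMPLE_JWKS)))
```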
As this stands, isn't it possible for developers to accidentally SET the CreatedAt property? I think it is best if this was read only, to avoid bad code accidentally corrupting this field.
Hi Luiz, yes - I ran into this too and implemented a similar approach, however - the last thing I do is then remove the license key from the image.
This is because I do not want (in my case at least) to build images which hold valid keys, especially if posting the image to a public registry.
I would expect consumers of the image would bring their own license key.
Congrats ! Well Deserved !
Hi,
I believe your issues may be because you are using the EnsLib.FTP.InboundAdapter in your Business Operation, not the EnsLib.FTP.OutboundAdapter.
Please investigate the outbound adapter, which should also allow you to retrieve files.
- Steve
Hi,
Note that if you are running a recent release of iris, that is not the community edition, and, does not deploy the personal web server - chances are your docker-compose defines 2 services, one for iris and one for the webgateway.
So for VS Code to reach iris, I have had to change the docker objectscript.conn entries in the original post to:
{
...
"docker-compose": {
"service": "webgateway",
"internalPort": 80
}
...
},
where 'webgateway' is the name of the iris-webgateway service as named in the docker-compose file.
Steve
Hi,
My understanding is that these classes: HS.FHIR.DTL.vR4.Model.Resource.*
Are internal for DTL purposes only, and not to be used for serialisation or creation of some type of repository of resources. For that, one should use the FHIR Repository, (and FHIR SQL Builder for SQL query of resources).
Happy for product management/developers to chip in here and confirm.
Steve
Hi,
You could build your own Business Operation and Business Service that is based on the TCP Outbound and Inbound adapters respectively.
They will allow you to send any stream of data from one machine to another over a known (and open) port.
Steve
Hi,
Can you please publish a temporary license key (eg in the Community build) that allows for the preview of the FHIR SQL Builder ? It seems the keys (available with the Community Build, and available through the WRC), do not have this bit enabled.
Thanks..
Also
The FHIR QUICKSTART online learning content here https://learning.intersystems.com/enrol/index.php?id=1492
Shows you how to do just what you want.
Steve
Great Article - Thanks Vlad !.
Hi Ron,
Do you have an example of doing the reverse ?... that is, have IRIS extract data from Google Big Query ?
Thanks
Interesting ... Jean - do you have equivalent instructions to connect to IRIS instead of Cache' ?
Steve
I tracked this issue to $System.OBJ.Load(), only apparent on IRIS 2021.2. After upgrading to IRIS 2022.1, this issue went away.
Hope this helps others.
I have logged an issue with the ZPM community on github now as this happens when I install any ZPM module, not just git-source-control.
ok... Update: This definitely looks like a Microsoft bug.
Setting up the same classes/data in a new namespace on the same IRIS instance, and created a fresh DSN in ODBC to use works fine.
I even create a new namespace and global/package mapped all data from the original failed namespace, and created a fresh DSN in ODBC to use works fine too.
So - it's not the class/package/data definition in IRIS, or the IRIS version. There is something Power BI is holding onto, which is related to the original DSN Name used, that is causing grief.
I'm sorted for now.
Well Done !! Thanks for your contribution to the Community !
Hi Stefan,
I wonder what led you to determine that the DTL is being drawn by using InterSystems CSP AutoForm (%CSP.Util.AutoFormGenerator), because, I added the XDATA block to the child class to include only the child class's properties as suggested, (and omitting the inverse property):
XData FormDefinition
{
<field property="childPropA"/>
<field property="childPropB"/>
...
}
but the inverse property, in the DTL, still appears. (Also confirmed that defining XMLPROJECTION="NONE" on the inverse relationship property has no effect.)
Looking at %CSP.Util.AutoFormGenerator, I see my XDATA block definition is being checked, and honored, returning as it should the list of properties for a form - but this does not seem to end up affecting the DTL Wizard.
Steve
I didn't actually,.. , because, whenever I've used persistent classes with relationship properties and projected instances in code (using the XML.Adaptor) - I've never seen the inverse property show up in the XML.
I could try it though...
Hi Louis
Firstly, I don't think there is anything wrong with the code above, but can you verify that the x509 certificate you created includes reference to the Certificate Authorities (the entire CA chain) that issued the sender's public key?
Steve
Hi Henrique
Following your instructions in OpenExchange to start a container with this iris-kaggle-socrata-generator has resulted in the following error for me:
iris_1 | terminate called after throwing an instance of 'std::runtime_error'
iris_1 | what(): Unable to find/open file iris-main.log
With the container failing to start.
Also - Installing ZPM, and then running zpm "install iris-kaggle-socrata-generator", in the USER namespace of a freshly installed instance of IRIS, just hangs.
Do you have any clues as to what might be going wrong here in either of the above ?
Thanks -
Hi Prashanth, you do need to import these classes into the IRIS cloud instance's database. (VSCode then accesses the cloud instance and pulls the code locally for editing in a local folder, or, access IRIS remotely for editing there).
To use VSCode, the VSCode connection to IRIS uses the IRIS SuperServer port to access IRIS in order to compile classes. Therefore, this port must be open from the cloud instance.
With this open SuperServer port, a local instance of IRIS Studio could be started, connected to IRIS, and then used to perform the import. Studio menu: Tools -> Import Local...
If you do not have Studio installed locally on your desktop yet, you can use the Management Portal, by going to the menu System Explorer-> Classes -> Import (after selecting your desired namespace). On the dialog window asking for a file, you should be able to specify 'My Local machine' and the browser will look locally for the XML file to import into the instance.
Alternatively, you need to copy the XML file to the cloud instance, (using ftp, or other means), and from an IRIS Session, use the ##CLASS(%SYSTEM.OBJ).Import utility to import the XML file from the command line.
Steve
Hi Tom. The REST API definition itself within IRIS is not where TLS is negotiated and terminated (and hence not where mTLS is defined) between client and server.
Requiring https over http, and insisting on mutual authentication, is defined in a Web Server layer which then, in turn, communicates with IRIS on a separate port and protocol.
You need to first install a supported web server, and then add the IRIS Web Gateway (see docs) to it. Prove that regular http requests of the API work.
Then, on the web server, enforce HTTPS and mutual authentication. See your chosen web server's documentation for how to do this. (InterSystems does not provide this of course). IIS, Apache and NGINX are supported.
Once that's done, clients can only access the IRIS REST API over https, which is negotiated/terminated against the web server, which can also insist on client authentication (mTLS).
Hopefully this post sets you on the right path.
Sincerely,
Steve.
Hi,
As this is git support for shared development, multiple developers log into and share the same remote server - are they still individually able to create Git branches? How will the server's local git repository identify one user's items from another's? I guess I'm struggling to see how this would actually work with branches.
Should the IRIS users log in as their own IRIS user account ? Is this required ?
Thanks - Steve
That did not work for me, if my telnet client is running on the docker host for some reason.