[NOTE: With the release of Valence 2.0 the information in this post is obsolete (though the explanation of "current user" versus "job user" still holds true). With Valence 2.0, user switching is mostly automatic. See the Valence 2.0 user manual for further details].
Hello all,
As of today, with release 1.1, you can now have Valence override the current user on the CGI job processing user requests.
First, a quick explanation of this concept... If you go to WRKACTJOB and look at the Valence instances running under QHTTPSVR, you'll see something like this:
Code:
                         Work with Active Jobs                     S100DB6A
                                                         07/11/08  11:02:23
CPU %:     .3     Elapsed time:   00:05:51     Active jobs:   358
                    Current
Opt  Subsystem/Job  User        Type  CPU %  Function        Status
     QHTTPSVR       QSYS        SBS      .0                  DEQW
       ADMIN        QTMHHTTP    BCH      .0  PGM-QZHBMAIN    SIGW
       ADMIN        QTMHHTTP    BCI      .0  PGM-QZSRLOG     SIGW
       ADMIN        QTMHHTTP    BCH      .0  PGM-QLWISVR     JVAW
       ADMIN        QTMHHTTP    BCI      .0  PGM-QZSRHTTP    SIGW
       ADMIN        QSECOFR     BCI      .0  PGM-QYUNLANG    TIMW
       VALENCE11    QTMHHTTP    BCH      .0  PGM-QZHBMAIN    SIGW
       VALENCE11    QTMHHTTP    BCI      .0  PGM-QZSRLOG     SIGW
       VALENCE11    QTMHHTTP    BCI      .0  PGM-QZSRLOG     SIGW
       VALENCE11    QTMHHTTP    BCI      .0  PGM-QZSRHTTP    SIGW
       VALENCE11    QTMHHTTP    BCI      .0  PGM-QZSRHTTP    DEQW
       VALENCE11    QTMHHTP1    BCI      .0  PGM-QZSRCGI     TIMW
       VALENCE11    QTMHHTP1    BCI      .0  PGM-QZSRCGI     TIMW
The default user for all Apache CGI jobs is QTMHHTP1, and this is what you'll typically see for the "Current User" in WRKACTJOB as users click their way through programs with Valence. You can change this default global user to whatever you want in your Apache server configuration settings, but for most intents and purposes QTMHHTP1 works fine.
That said, for various reasons you may need to use something other than a global default for the user ID. For example, if you're journaling files and would like to be able to see which user added, changed or deleted a particular record, seeing "QTMHHTP1" in the receiver data isn't going to give you much of a clue (other than that it likely wasn't done through a green screen program).
Likewise, if you have any 10-character fields in your legacy database files that are used to store the User ID of the person maintaining a record (or the last person that made a change), RPG programs updating these records with the user ID from the program status data structure (SDS) will also be plugging "QTMHHTP1" (or whatever value is your default global user).
There are also cases where security settings on your system will require "real" user profiles with specific authorities in order to access certain database files, sometimes making QTMHHTP1 problematic.
So how to address this? There are various options available for you to get your Apache jobs to override the user ID on the back-end CGI jobs servicing front-end requests, such as using Enterprise Identity Mapping (EIM), Lightweight Directory Access Protocol (LDAP), etc. But because Valence already handles user login security and session control, you will typically find it more efficient (and more seamless to the user) to allow Valence to handle the user swapping as well. With version 1.1, that is now an option for your programs by simply including three extra lines of code.
If you have a "System i User" defined for your Valence User IDs, then Valence can be set to override the current user to the appropriate value every time someone takes an action on the front-end. To do this, you must first activate the feature in the Apache configuration file for your Valence instance. Find the "OVERRIDE_JOB_USER" text in the file and change it as follows:
Code:
# Override CGI job to System i user active
SetEnv OVERRIDE_JOB_USER Y
PassEnv OVERRIDE_JOB_USER
Doing this will instantly make all Valence programs switch the current user of your CGI jobs to the value specified as the System i User in the Valence User Master. Note that whenever a Valence user has no System i user specified, or the System i user specified is invalid or inactive, the current user on the CGI job will defer back to the global default.
For your own programs to switch the current user as they're executed, you must include a few extra lines in your source. First, you will want the following compiler directive at the top of your program:
Code:
/define OVERRIDE_JOB_USER
Then you will need to include the following copy source two more times (for a total of three) in your code -- once at the start of your executable lines (C specs) and then once again at the end of your program (you should already have this line in your D specs):
Code:
/copy qcpylesrc,vvDevelop
This will automatically include the source code necessary to invoke the current user override procedure at the start of your program, and then "undo" the user override at the end of the program.
Note that this user override procedure retrieves the System i User ID from the session variable data structure. Therefore, it assumes you have the session ID named "sid" in your front-end JavaScript. If that's not the case, you must populate the global variable vvSessID in your RPG program immediately prior to the VVDEVELOP copy source at the start of the executable portion of your program, as follows:
Code:
**----------------------------------------------
** program start
**----------------------------------------------
/free
  vvSessID = vvHttp_in('sid');
/copy qcpylesrc,vvDevelop
...And that's all there is to it!
To achieve this user swapping, Valence uses the QSYGETPH, QWTSETP and QSYRLSPH APIs to retrieve, change and release profile handles. You can read up on these on the IBM System i website for more details.
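The get/set/release profile-handle sequence named above, sketched in free-form ILE RPG as an added example; it is not Valence's source, and the post does not show how Valence itself calls these APIs. The target profile WEBUSER01, the processRequest procedure and the use of the *NOPWD special value are assumptions made for illustration.

```rpgle
**free
// Added illustration of a swap / work / restore cycle; not Valence code.
ctl-opt dftactgrp(*no);

dcl-pr getProfileHandle extpgm('QSYGETPH');      // Get Profile Handle
  userId   char(10) const;
  password char(10) const;   // special value such as *NOPWD
  handle   char(12);         // returned 12-byte profile handle
end-pr;
dcl-pr setProfileHandle extpgm('QWTSETP');       // Set Profile Handle
  handle   char(12) const;
end-pr;
dcl-pr releaseProfileHandle extpgm('QSYRLSPH');  // Release Profile Handle
  handle   char(12) const;
end-pr;

dcl-s origHandle char(12);
dcl-s userHandle char(12);
dcl-s haveUser   ind inz(*off);
dcl-s swapped    ind inz(*off);
dcl-s targetUser char(10) inz('WEBUSER01');      // hypothetical System i user

// Handle for the user the job is running as now, so we can switch back.
// With *NOPWD the caller needs *USE authority to the requested profile.
getProfileHandle('*CURRENT' : '*NOPWD' : origHandle);

monitor;
  getProfileHandle(targetUser : '*NOPWD' : userHandle);
  haveUser = *on;
  setProfileHandle(userHandle);
  swapped = *on;
on-error;
  // Invalid or disabled profile: the job stays on the global default user.
endmon;

monitor;
  processRequest();          // runs under targetUser when swapped is *on
on-error;
  // Application failure must not skip the cleanup below.
endmon;

// Always undo the swap: the CGI job stays active and serves later requests.
if swapped;
  setProfileHandle(origHandle);
endif;
if haveUser;
  releaseProfileHandle(userHandle);
endif;
releaseProfileHandle(origHandle);
*inlr = *on;
return;

dcl-proc processRequest;
  return;                    // application logic (file updates) goes here
end-proc;
```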