PAT settings

Dear all,
I’m trying to change the max. time a PAT is valid.
Following the documentation: Personal Access Tokens - openBIS Documentation Rel. 20.10 - Confluence
do I understand correctly, that the file referred to by:
“To configure it please use AS service.properties:”
is openbis/servers/openBIS-server/jetty/etc/service.properties

Since the configuration files also contain many options that are commented out (but this allows us to find them easily) - but this is not one of them, I just wanted to double-check if the lines should be added here:

# personal access tokens feature
personal-access-tokens-enabled = true
 
# change the default location of the JSON file that stores personal access tokens (default: personal-access-tokens.json file in the main openBIS folder)
personal-access-tokens-file-path = MY_FOLDER/personal-access-tokens.json
 
# set maximum allowed validity period (in seconds) - personal access token with a longer validity period cannot be created (default: 30 days)
personal-access-tokens-max-validity-period = 2592000
 
# set validity warning period (in seconds) - owners of personal access tokens that are going to expire within this warning period are going to receive email notifications (default: 5 days)
personal-access-tokens-validity-warning-period = 259200

many thanks
Ulrich
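
An added example (not part of the original post and not openBIS code): a small check that reads the PAT keys quoted above from service.properties, converts the periods to days and flags values that break a site policy. The 30-day policy limit, the function names and the inline sample are assumptions; the reader handles only simple `key = value` lines.

```python
DAY = 86400
# Defaults as stated in the comments quoted in the post (30 days / 5 days).
DEFAULTS = {
    "personal-access-tokens-max-validity-period": 30 * DAY,
    "personal-access-tokens-validity-warning-period": 5 * DAY,
}

# Constructed sample: the PAT lines from the post as they would sit in the file.
SAMPLE = """\
# personal access tokens feature
personal-access-tokens-enabled = true
personal-access-tokens-max-validity-period = 2592000
personal-access-tokens-validity-warning-period = 259200
"""


def parse_properties(text):
    """Minimal reader for 'key = value' lines; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_pat_settings(props, policy_max_days=30):
    """Return (summary, findings); policy_max_days is an assumed site limit."""
    findings, secs = [], {}
    for key, default in DEFAULTS.items():
        try:
            secs[key] = int(props.get(key, default))
        except ValueError:
            findings.append(f"{key}: not an integer number of seconds")
            secs[key] = default
    max_s, warn_s = secs.values()
    if props.get("personal-access-tokens-enabled", "").lower() != "true":
        findings.append("personal-access-tokens-enabled is not set to true")
    if max_s > policy_max_days * DAY:
        findings.append(f"max validity {max_s / DAY:g} d exceeds policy {policy_max_days} d")
    if warn_s >= max_s:
        findings.append("warning period is not shorter than max validity")
    summary = {"max_validity_days": max_s / DAY, "warning_days": warn_s / DAY}
    return summary, findings
```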

Dear Ulrich,

this is the correct file.

Dear Caterina,

many thanks - using the PAT seems to work, however, I do get an error message if I follow the steps on the pyBIS documentation?

pat_name = os.environ['OPENBISPAT']
pat = oBis.get_or_create_personal_access_token(sessionName=pat_name)
oBis.set_token(pat, save_token=True)

results in

/home/kerzel/.cache/pypoetry/virtualenvs/openbis-qARisZC2-py3.10/lib/python3.10/site-packages/pybis/things.py:240: FutureWarning: iteritems is deprecated and will be removed in a future version. Use .items instead.
  ].iteritems():
Output exceeds the size limit. Open the full output data in a text editor
---------------------------------------------------------------------------
TypeError                                 Traceback (most recent call last)
Cell In[8], line 6
      4 pat_name = os.environ['OPENBISPAT']
      5 pat = oBis.get_or_create_personal_access_token(sessionName=pat_name)
----> 6 oBis.set_token(pat, save_token=True)

File ~/.cache/pypoetry/virtualenvs/openbis-qARisZC2-py3.10/lib/python3.10/site-packages/pybis/pybis.py:4389, in Openbis.set_token(self, token, save_token)
   4387 if not token:
   4388     return
-> 4389 if not self.is_token_valid(token):
   4390     raise ValueError("Session is no longer valid. Please log in again.")
   4391 else:

File ~/.cache/pypoetry/virtualenvs/openbis-qARisZC2-py3.10/lib/python3.10/site-packages/pybis/pybis.py:4365, in Openbis.is_token_valid(self, token)
   4359     return False
   4361 request = {
   4362     "method": "isSessionActive",
   4363     "params": [token],
   4364 }
-> 4365 resp = self._post_request(self.as_v3, request)
   4366 return resp

File ~/.cache/pypoetry/virtualenvs/openbis-qARisZC2-py3.10/lib/python3.10/site-packages/pybis/pybis.py:1234, in Openbis._post_request(self, resource, request)
   1230 def _post_request(self, resource, request):
...
    178     """
--> 179     raise TypeError(f'Object of type {o.__class__.__name__} '
    180                     f'is not JSON serializable')

TypeError: Object of type PersonalAccessToken is not JSON serializable

Many thanks
Ulrich

Dear Ulrich,

The documentation is not correct. The correct way to do this currently is:

pat = o.get_or_create_personal_access_token(sessionName="Project A")
o.set_token(pat.permId, save_token=True)

In the next pyBIS version both ways to set the tokens will be accepted.

Dear @cbarillari,

many thanks and apologies for the slow reply.

Hm, I guess maybe I misunderstand something about the PAT… I had, perhaps naively, assumed that I can refer to the PAT via the associated session name (as a short name)

however, when I do:

oBis = Openbis(server_url, verify_certificates=True)
pat = oBis.get_or_create_personal_access_token(sessionName=session_name)

I get the error message:

---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
Cell In[7], line 5
      1 ##
      2 ## create connection to openBIS server
      3 ##
      4 oBis = Openbis(server_url, verify_certificates=True)
----> 5 pat = oBis.get_or_create_personal_access_token(sessionName=session_name)

File ~/.cache/pypoetry/virtualenvs/openbis-qARisZC2-py3.10/lib/python3.10/site-packages/pybis/pybis.py:1983, in Openbis.get_or_create_personal_access_token(self, sessionName, validFrom, validTo, force)
   1981 session_token = self.token
   1982 if not is_session_token(session_token):
-> 1983     session_token = self.session_token
   1984 if not session_token:
   1985     session_token = get_token_for_hostname(
   1986         self.hostname, session_token_needed=True
   1987     )

AttributeError: 'Openbis' object has no attribute 'session_token'

which, perhaps, isn’t too surprising as I haven’t logged in with a session token or the long PAT value with $pat-…
However, I thought (maybe naively) that I could use the short session_name instead?

All the best
Ulrich

Dear Ulrich,

After creating the Openbis object you need to set the session_token.

For this you have several options:

  1. Login using API.
  2. Get the PAT after login and then set it.
  3. Set session_token property with a valid session token or PAT.

There is no magic around it.

Best,
Juan

Dear Juan,

many thanks - I think that was due to my (mis-)understanding of the relationship between session_token and PAT, in particular that one cannot create a PAT from a PAT.

Best wishes
Ulrich

Dear Caterina,

many thanks - we’ve recently upgraded to pyBIS 1.36.3, openBIS 20.10.7.1.

I tried to come back to PAT, but I’m stuck (again or still…)
Could you kindly take another look?

When I log in with a session_token, I can create the PAT:

pat_name = 'PAT_20231024_T01'
pat = oBis.get_or_create_personal_access_token(sessionName=pat_name)
oBis.set_token(pat, save_token=True)

It also gets created:

attribute         value
----------------  ------------------------------------------------------------------
permId            $pat-ulrichkerzel-2...
sessionName       PAT_20231024_T01
validFromDate     2023-10-24 09:26:17
validToDate       2023-11-23 08:26:17
accessDate        2023-10-25 07:44:16
owner             ulrichkerzel
registrator       ulrichkerzel
registrationDate  2023-10-24 09:26:46
modifier          ulrichkerzel
modificationDate  2023-10-24 09:26:46

which is the same information as in personal-access-tokens.json.

But then when I try to use it:

oBis = Openbis(server_url, verify_certificates=False)
pat = oBis.get_or_create_personal_access_token(sessionName='PAT_20231024_T01')

I get the following exception:

{"method": "createPersonalAccessTokens", "params": ["$pat-ulrichkerzel-2<removed for security>", {"@type": "as.dto.pat.create.PersonalAccessTokenCreation", "sessionName": "PAT_20231024_T01", "validFromDate": 1698213754425, "validToDate": 1703402107466}], "id": "2", "jsonrpc": "2.0"}

---------------------------------------------------------------------------
ValueError                                Traceback (most recent call last)
File ~/.cache/pypoetry/virtualenvs/openbis-qARisZC2-py3.10/lib/python3.10/site-packages/pybis/pybis.py:2043, in Openbis.get_or_create_personal_access_token(self, sessionName, validFrom, validTo, force)
   2042 try:
-> 2043     resp = self._post_request(self.as_v3, request)
   2044 except ValueError as exc:

File ~/.cache/pypoetry/virtualenvs/openbis-qARisZC2-py3.10/lib/python3.10/site-packages/pybis/pybis.py:1249, in Openbis._post_request(self, resource, request)
   1246 """internal method, used to handle all post requests and serializing / deserializing
   1247 data
   1248 """
-> 1249 return self._post_request_full_url(urljoin(self.url, resource), request)

File ~/.cache/pypoetry/virtualenvs/openbis-qARisZC2-py3.10/lib/python3.10/site-packages/pybis/pybis.py:1296, in Openbis._post_request_full_url(self, full_url, request)
   1295     print(json.dumps(request))
-> 1296     raise ValueError(resp["error"]["message"])
   1297 elif "result" in resp:

ValueError: Personal access tokens cannot be used to manage personal access tokens.

During handling of the above exception, another exception occurred:

NotImplementedError                       Traceback (most recent call last)
/home/kerzel/Repositories/openbis/openbis/test_pat.ipynb Cell 3 line 5
      1 ##
...
   2047     )
   2048 try:
   2049     return self.get_personal_access_token(resp[0]["permId"])

NotImplementedError: Your openBIS instance does not support personal access tokens. Please upgrade your server and activate them.

Admittedly, I’m a bit confused.
When I log in via the session ID, there is a PAT (also in the json),
the first part of the output (with the method) also seems to return the PAT as it’s in the params - but there is still an exception?

Any help would be greatly appreciated,
many thanks
Ulrich

As an addendum,
it seems to work if I use oBis.set_token(pat-permID) directly, i.e. without using the session name to get the permID of the PAT.
I had, perhaps naively, assumed that I can use the session name for the PAT to retrieve the permID of the PAT, i.e. I don’t have to store or remember the permID of the PAT but only the session name?

Many thanks
Ulrich

Dear Ulrich,

For security reasons, using a personal access token to create a new personal access token is not allowed (only regular sessions can create new personal access tokens).

The exception you are getting is thrown exactly because of this limitation (see “Personal access tokens cannot be used to manage personal access tokens.” error message).

In order to call “get_or_create_personal_access_token” method you need to use a regular session token (not a PAT).

All the best,
Piotr
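
The workflow described in the replies above, as an added example that is not part of the thread and not pyBIS code: create the PAT once under a regular session, store its permId, and let unattended runs call `set_token` with the stored permId instead of `get_or_create_personal_access_token`. The helper names, the file-based store and the `FakeOpenbis` stand-in are assumptions; only `token`, `get_or_create_personal_access_token`, `set_token` and the `$pat-` prefix come from the posts.

```python
import os
import stat
from types import SimpleNamespace

PAT_PREFIX = "$pat-"  # PAT permIds shown in this thread start with "$pat-"


def is_pat(token):
    return isinstance(token, str) and token.startswith(PAT_PREFIX)


def provision_pat(o, session_name, store_path):
    """Run once under a regular session: create the PAT and persist its permId."""
    if is_pat(o.token):
        # The server rejects PAT management under a PAT; fail early and clearly.
        raise PermissionError("log in with a regular session to create a PAT")
    pat = o.get_or_create_personal_access_token(sessionName=session_name)
    # The permId is a bearer credential: keep the file owner-only (0600).
    fd = os.open(store_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)
        fh.write(pat.permId)
    return pat.permId


def connect_with_stored_pat(o, store_path):
    """Unattended run: authenticate with the stored permId, no PAT lookup."""
    mode = stat.S_IMODE(os.stat(store_path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{store_path} has mode {oct(mode)}, expected 0o600")
    with open(store_path) as fh:
        o.set_token(fh.read().strip(), save_token=False)
    return o


class FakeOpenbis:
    """Constructed stand-in for pybis.Openbis so the example runs offline."""

    def __init__(self, token=None):
        self.token = token

    def get_or_create_personal_access_token(self, sessionName):
        if is_pat(self.token):
            raise ValueError("Personal access tokens cannot be used to manage personal access tokens.")
        return SimpleNamespace(permId=PAT_PREFIX + "constructed-demo", sessionName=sessionName)

    def set_token(self, token, save_token=False):
        self.token = token
```

Against a real server, `o` would be a `pybis.Openbis` object that has logged in with a regular session before `provision_pat` is called.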

We recently got a request/suggestion from one of our users that it would be great to create “read-only” PATs with limited rights (e.g., only Observer rights) in order to create automated analysis workflows that should not be able to edit anything in openBIS (as a safeguard).

@piotr.kupczyk and @juanf: Is that something that you could envision for a future version of openBIS/pyBIS?

An admin could already create an Observer user and create a PAT for him, then use that in your pipeline.

But yeah, standard users cannot do that, which adds to the administrative burden.

@juanf
Would it help to offer the users the option to create fine-grained PATs? This is e.g. how GitHub and GitLab solve the creation of PATs: users can select what rights to assign to different PATs, as well as the scope of a PAT, e.g. a specific space or project.

It would help, but it would mean an extension to the rights management system since users would need to be able to create a virtual account under them with as many rights or less than them.

The amount of effort needed to make it happen is considerable, so probably not for the next major version.

I would suggest that, for now, you request your admin to create such accounts for you.

Thanks a lot for the quick feedback and explanation! We use our LDAP service for user management (including group affiliation), so creating extra users isn’t really an option which is why we would prefer another solution.

I understand this requires more effort, but long-term it seems the best way to reduce the administrative burden. I’d consider this solution as it would solve many related problems