Perun remote interfaces
Perun Interfaces
Interface for Humans
You can log in to Perun's classic graphical web interface using three different authentication methods:
- using MetaCentrum Kerberos - https://perun.metacentrum.cz/krb/gui/
- using Federation identity - https://perun.metacentrum.cz/fed/gui/
- using IGTF Certificate - https://perun.metacentrum.cz/cert/gui/
You can use Perun's new web interfaces that use OIDC and OAuth 2 at:
- Administration - https://perun.e-infra.cz/
- User profile - https://profile.e-infra.cz/
RPC Interface for Machine Access
RPC is an interface for remote access to Perun using standard HTTP/HTTPS calls. It is intended for calling by programs. The RPC interface is described using machine-processable document in OpenAPI format, so you can generate client libraries in many programming languages using OpenAPI Generator.
Or you can write a client library by hand. However the RPC interface contains more than 700 operations, so it can be time consuming.
RPC OpenAPI Description
The OpenAPI document describing Perun RPC is available here:
https://github.com/CESNET/perun/tree/master/perun-openapi
There are prepared clients in several languages:
- Python - https://github.com/CESNET/perun/tree/master/perun-cli-python
- Java - https://github.com/CESNET/perun/tree/master/perun-cli-java
- PHP - https://github.com/CESNET/perun/tree/master/perun-cli-php
The server API is located at https://perun-api.e-infra.cz/ and supports the following authentication methods:
- HTTP basic auth or Kerberos ticket - https://perun-api.e-infra.cz/krb/rpc/
- OAuth 2 access token - https://perun-api.e-infra.cz/oauth/rpc/
The HTTP basic auth method needs to use e-INFRA.cz login and password.
The Kerberos ticket needs to be from the EINFRA realm, you can use your personal one.
For obtaining an OAuth 2 access token you need a registered OAuth client, and to use an appropriate grant flow.
- For command-line clients, we recommend using Device Code grant flow, an example in Python is available in perun-cli-python/perun/oidc/__init__.py
- For javascript Single Page Applications (SPA) we recommend Authorization Code grant flow with PKCE
- For server-side web applications we recommend Authorization Code grant flow
RPC Description for Human Programmers
RPC expect you to use GET type of requests for read only methods and POST type of requests for any state changing method (create, update, delete,...).
URL structure of each RPC call is following:
https://base_url/authz_type/perun_component/data_exchange_format/managerName/methodName?param1=value¶m2=value&listParam[]=value1&listParam[]=value2
RPC server location + authz
Following base URLs are provided, each uses different authentication method to log you in. Please note, that if you run your own Perun instance, base URL is different.
https://perun.metacentrum.cz/krb/rpc/ (using Kerberos from realm @META/@EINFRA) https://perun.metacentrum.cz/krbes/rpc/ (using Kerberos from realm @EINFRA-SERVICES) https://perun.metacentrum.cz/fed/rpc/ (using credentials from your federation IdP) https://perun.metacentrum.cz/cert/rpc/ (using IGTF certificate)
Data exchange formats
Following formats are supported for data exchange: JSON, JSONP and VOOT (soon). You can specify format in URL following example:
https://perun.metacentrum.cz/krb/rpc/json/ https://perun.metacentrum.cz/krb/rpc/jsonp/ https://perun.metacentrum.cz/krb/rpc/voot/ (not yet deployed)
JSONP uses padding before and after data to help you match call and it's response. Then, all requests must contain parameter callback=matcher and returned value is in a format: matcher(standard_json_data);. If callback matcher is not provided, then null(standard_json_data); is returned instead. If parameter is empty, then (standard_json_data); is returned. If returned value is not an object, but single value like: string, number or boolean, then matcher(value); is returned (e.g. matcher(false); or matcher("text");).
Calling a method
In order to call any method you must provide manager's and method's name in request URL. Both of them use CamelCase in their names.
List of available methods can be found in RPC's javadoc.
https://perun.metacentrum.cz/krb/rpc/json/vosManager/getVos # will give you list of your VOs in JSON format
You must use POST for calling state changing methods (create, add, assign, update, delete, remove,...). You can use GET (or POST) for all other methods, which just reads data from Perun (get, find, list,...). Exception is thrown if HTTP request is of different type than method accepts.
Passing parameters to methods
GET
Location: All parameters must be present in HTTP request URL. Request body is ignored.
Accept: string, integer and list (of strings and integers)
Format: First parameter in URL starts with ?, others with &. List parameters uses [] after parameter's name and parameters are repeated for every value of list: ?listParam[]=value1&listParam[]=value2.
https://perun.metacentrum.cz/krb/rpc/jsonp/vosManager/getVoById?callback=call1&id=123
# will give you VO by it's ID = 123 in JSONP format
# response like: call1({"name":"vo_name_value","shortName":"vo_short_name_value", "id":123, "beanName":"Vo", ...other vo params... });
POST
Location: All parameters must be passed in HTTP request body.
Accept: any type of correctly defined data / objects
Format: defined by data_exchange_format Please note, that JSONP also expect JSON data, since padding definition is part of the request URL.
For JSON/JSONP to pass set of parameters simply create empty JSON object and fill it with properties with names mathing method's parameters and values matching method parameter's types. When passing whole object to method, some of it's properties might be ignored (and not required to be present). E.g. beanName which is property defining object type. It is contained in objects returned to you, but not required when posting object back to Perun.
URL: https://perun.metacentrum.cz/krb/rpc/jsonp/vosManager/addAdmin?callback=call2
DATA: {"vo":123, "user":1234}
# if method requires simple integer parameters with names 'vo' and 'user' like method vosManager/addAdmin
# response like: call2(null); (since method doesn't return anything)
Error handling
When using JSON or JSONP data exchange format, all calls ending with an error are returned as OK (HTTP return code 200). This allow you to process returned exception serialized in expected format (otherwise browsers throw away error responses and your application wouldn't know what's wrong).
e.g. callbackPost({"name":"exception_name", "message":"exception_message", "errorId":"1428f68a462" ...other optional parameters... });
JavaScript Library
For using you will need configuration.js, where will be specificated rpc_url.
More about rpc_url here.
Configuration = {
RPC_URL : "https://perun.metacentrum.cz/fed/rpc/jsonp/",
}
In order to call any method you must provide manager's and method's name to url. Both of them use CamelCase.
List of available methods can be found in RPC's javadoc.
$.ajax({
url : Configuration.RPC_URL + "groupsManager/getGroupRichMembersWithAttributes",
data : {
group : 817
},
success : function(data, textStatus, jqXHR)
{
if(typeof data.errorId !== "undefined")
{
alert(data.errorText);
}else{
//definition of table
var table = PerunTable.create();
table.addColumn("user.id", "ID");
table.addColumn("user.firstName", "First name");
table.addColumn("user.lastName", "Last name");
// adds the values to the table
table.add(data);
//create html from table
var tableHtml = table.draw();
//add table to specific div element
$("specificDiv").html(tableHtml);
}
},
dataType: "jsonp",
type : "get"
})
Class PerunTable is easy way to visualize accepted data.
Synchronization a group with external resource
SQL query returning column firstName, lastName, login. Optionally middleName, titleBefore, titleAfter. SQL query could return columns with names of concrete attributes. Due to size restriction, attribute names must be shorten, where x:y:z means:
| x | meaning |
| m | member |
| u | user |
| f | facility |
| r | resource |
| g | group |
| v | vo |
| h | host |
| mr | member_resource |
| uf | user_facility |
| gr | group_resource |
| y | meaning |
| d | def |
| o | opt |
Examples:
m:d:address -> urn:perun:member:attribute-def:def:address u:d:login-namespace:mu -> urn:perun:user:attribute-def:def:login-namespace:mu
- Example groupMembersQuery for external resource SQL database cz.metacentrum.perun.core.impl.ExtSourceSql
select name as first_name, surname as last_name, login, mail as "m:d:mail", telephone as "m:d:phone" from someTable
- Example groupMembersQuery for external resource LDAP cz.metacentrum.perun.core.impl.ExtSourceLdap
TBA
- Example groupMembersQuery for external resource ISMU cz.metacentrum.perun.core.impl.ExtSourceISMU
https://is.muni.cz/auth/export/skupina_osob.pl?format=csv&kodovani=utf-8&skup_zkratka=1433:15
How to create a synchronized with external resource PERUNPEOPLE type SQL with five minute interval:
./setGroupAttribute --groupId 123 --attributeName 'urn:perun:group:attribute-def:def:groupExtSource' --attributeValue PERUNPEOPLE ./setGroupAttribute --groupId 123 --attributeName 'urn:perun:group:attribute-def:def:groupMembersQuery' --attributeValue 'select name as first_name, surname as last_name, login, mail as urn:perun:member:attribute-def:def:mail, telephone as urn:perun:member:attribute-def:def:phone from someTable' ./setGroupAttribute --groupId 123 --attributeName 'urn:perun:group:attribute-def:def:synchronizationEnabled' --attributeValue true ./setGroupAttribute --groupId 123 --attributeName 'urn:perun:group:attribute-def:def:synchronizationInterval' --attributeValue 1
Manual synchronization
./synchronizeGroup --groupId 123