Accessing the Web Service API through a proxy
One of our customers have an environment with the following configuration:
- Yellowfin is installed in Docker containers.
- The yellowfin environment is accessible through a Traefik Proxy.
- To access Yellowfin, you first have to login to the proxy. Then you can login into Yellowfin.
- For the end-users, Yellowfin sso is enabled.
This works fine for the end-users, they can login into the proxy and then use Yellowfin.
We now want to use the Web Service API to automise some processes. In order to access the API, we first have to login to the proxy, and then the proxy will forward the request to Yellowfin. The authentication of the proxy is possible by using the authentication header "Authorization", which works fine. But then we have to authenticate to Yellowfin, which also requires the "Authorization" header. It isn't possible to send 2 authorization headers in the request (one for the proxy and one vor Yellowfin), so we cannot use the API at this moment.
Are there other possibilities to authenticate to the API? Maybe by sending the authorization header with an other name, or using a cookie, or something else?
HI Haro,
Thanks for reaching out to support with your question.
So this type of integration assistance would be out of scope for support technically; we can provide personalized help here with our consulting partners, I can reach out to an account manager on your behalf to set something up if you'd like.
That said, this does sound like a potential dev request, i.e "Yellowfin Web Service API calls don't work with traefik authentication, due to identical header parameters" - does this sound right? I may be able to get this logged and tested, maybe you have screenshots or documentation that better illustrates this conflict?
What I could also do is request an update to our Docker documentation that includes API / proxy configuration details -
https://wiki.yellowfinbi.com/display/yfcurrent/Install+And+Deploy+Yellowfin
Would this be something you'd be interested in?
If the issue is these 2 identical headers not working, maybe there's a way to "combine" the SSO so only 1 "authentication" header gets passed? I'm not an integration specialist, but that would be a potential path forward here I believe. Maybe you can find a traefik feature to "delegate" this.
https://doc.traefik.io/traefik/middlewares/http/forwardauth/
You also may have success with a API change, JSAPI versus SOAP for example. Let me know how you'd like to proceed with this.
Thanks,
Eric
HI Haro,
Thanks for reaching out to support with your question.
So this type of integration assistance would be out of scope for support technically; we can provide personalized help here with our consulting partners, I can reach out to an account manager on your behalf to set something up if you'd like.
That said, this does sound like a potential dev request, i.e "Yellowfin Web Service API calls don't work with traefik authentication, due to identical header parameters" - does this sound right? I may be able to get this logged and tested, maybe you have screenshots or documentation that better illustrates this conflict?
What I could also do is request an update to our Docker documentation that includes API / proxy configuration details -
https://wiki.yellowfinbi.com/display/yfcurrent/Install+And+Deploy+Yellowfin
Would this be something you'd be interested in?
If the issue is these 2 identical headers not working, maybe there's a way to "combine" the SSO so only 1 "authentication" header gets passed? I'm not an integration specialist, but that would be a potential path forward here I believe. Maybe you can find a traefik feature to "delegate" this.
https://doc.traefik.io/traefik/middlewares/http/forwardauth/
You also may have success with a API change, JSAPI versus SOAP for example. Let me know how you'd like to proceed with this.
Thanks,
Eric
Hi Haro,
Thanks for the reply here, what I can do is have a quick discussion about this with my consultant friend Edgar at our meeting next week, he should have an idea or a definitive answer at least. My hunch is that this will require a little legwork in the end though.... do you know whether there is any extended service time available in your contract? You can reach out to an account manager and possibly schedule a meeting on this if so.
Thanks,
Eric
Hi Haro,
Thanks for the reply here, what I can do is have a quick discussion about this with my consultant friend Edgar at our meeting next week, he should have an idea or a definitive answer at least. My hunch is that this will require a little legwork in the end though.... do you know whether there is any extended service time available in your contract? You can reach out to an account manager and possibly schedule a meeting on this if so.
Thanks,
Eric
Hi Haro,
Apologies for the delay here, I forgot my consultant meeting occurred on a US holiday last week. I can follow up on this later this week, let me know if you're able to schedule ES time on this as well.
Thanks,
Eric
Hi Haro,
Apologies for the delay here, I forgot my consultant meeting occurred on a US holiday last week. I can follow up on this later this week, let me know if you're able to schedule ES time on this as well.
Thanks,
Eric
Hi Haro,
Just wanted to check in to see how things went with this.
Thanks,
Eric
Hi Haro,
Just wanted to check in to see how things went with this.
Thanks,
Eric
Hi Haro,
I'm going to go ahead and mark this question as Answered due to inactivity at this time. Feel welcome to reach out in the future.
Thanks,
Eric
Hi Haro,
I'm going to go ahead and mark this question as Answered due to inactivity at this time. Feel welcome to reach out in the future.
Thanks,
Eric
Replies have been locked on this page!