If a module needs a system user to communicate with other modules, the system user must be created when the module is enabled for a tenant. To do so:
- Extend `TenantService` from folio-spring-base
- Inject the `PrepareSystemUserService` bean into the class
- Override `afterTenantUpdate` and use `setupSystemUser()` from the injected service
- Inject the `SystemUserService` bean into the class
- Call `authSystemUser(SystemUser user)` to log in with the RTR-based approach
Requirements:
- Prepare a file with the permissions that should be assigned to the user (one permission per line)
- Set up application properties:
  - folio.okapi-url (suggested to pass it from environment variables)
  - folio.system-user.username (suggested to have the same name as the module name)
  - folio.system-user.password (suggested to pass it from environment variables)
  - folio.system-user.lastname (suggested to set it to `System`)
  - folio.system-user.permissionsFilePath (path to the prepared permissions file in the resources folder)
- Add the `spring-boot-starter-cache` dependency to the module if you want to cache system user authentication data
- Update ModuleDescriptor with modulePermissions for the `POST /_/tenant` endpoint:
  - users.collection.get
  - users.item.post
  - login.item.post
  - login.item.delete
  - perms.users.get
  - perms.users.item.post
  - perms.users.assign.immutable
  - perms.users.assign.mutable
- Update ModuleDescriptor with requires interfaces:
  - login
  - permissions
  - users
If the system user was created while enabling the module for a tenant, it can be used to make requests to other modules. To do so, use `SystemUserScopedExecutionService`.
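
An added example, not code from this README or from the library itself, wiring the steps above together: the tenant hook creates the system user, and a background caller then runs a request under it. The `Example*` names, the import packages, the `TenantService` constructor arguments and the `executeSystemUserScoped(tenantId, action)` method name are assumptions to check against the library version in use.

```java
// Added example; Example* names are hypothetical. Import packages and the
// TenantService constructor are assumptions to verify against your version.
import org.folio.spring.FolioExecutionContext;
import org.folio.spring.liquibase.FolioSpringLiquibase;
import org.folio.spring.service.PrepareSystemUserService;
import org.folio.spring.service.SystemUserScopedExecutionService;
import org.folio.spring.service.TenantService;
import org.folio.tenant.domain.dto.TenantAttributes;
import org.springframework.context.annotation.Primary;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.stereotype.Service;

@Service
@Primary // preferred over the base TenantService bean
public class ExampleTenantService extends TenantService {
  private final PrepareSystemUserService prepareSystemUserService;

  public ExampleTenantService(JdbcTemplate jdbcTemplate, FolioExecutionContext context,
      FolioSpringLiquibase liquibase, PrepareSystemUserService prepareSystemUserService) {
    super(jdbcTemplate, context, liquibase);
    this.prepareSystemUserService = prepareSystemUserService;
  }

  // Runs during POST /_/tenant, so the modulePermissions declared for that
  // endpoint are what authorize creating the user and assigning permissions.
  @Override
  protected void afterTenantUpdate(TenantAttributes tenantAttributes) {
    prepareSystemUserService.setupSystemUser();
  }
}

interface ExampleItemClient { String fetchTitle(String itemId); } // hypothetical client for another module

@Service
class ExampleBackgroundJob {
  private final SystemUserScopedExecutionService executionService;
  private final ExampleItemClient itemClient;

  ExampleBackgroundJob(SystemUserScopedExecutionService executionService, ExampleItemClient itemClient) {
    this.executionService = executionService;
    this.itemClient = itemClient;
  }

  // No user request is in flight here, so the call runs under the tenant's system user.
  // The method name executeSystemUserScoped is an assumption, not stated in the README.
  String titleOf(String tenantId, String itemId) {
    return executionService.executeSystemUserScoped(tenantId, () -> itemClient.fetchTitle(itemId));
  }
}
```
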
Setting the property `folio.system-user.enabled=false` will disable system user functionality:
- All actions called using `SystemUserScopedExecutionService` will be performed in `DefaultFolioExecutionContext`
- The `X-Okapi-Token` header won't be populated with the system user JWT token value
- All unused Spring components will be excluded from the Spring context, including:
  - `AuthnClient`
  - `PermissionsClient`
  - `UsersClient`
  - `SystemUserService`