Introduction
The Atoti Server Application Starter automatically sets up an Atoti Server application to work with Atoti Python SDK. It is added on top of any Atoti application, completing it with the necessary services to ensure the operability of Atoti Python SDK.
Installation
See this how-to guide to learn how to add the Atoti Server Application Starter to your project.
Considerations
The Atoti Python SDK is a complete API to configure an Atoti application. It must therefore be treated as an open door to the application, just like any system that allows running Java code on the server. While there are ways to control access to the API, exposing such a feature in a production environment is not recommended.
Py4J communication
Atoti Server Application Starter opens a Py4J socket to control the JVM running the Atoti application. By design, Py4J allows access to all methods of the JVM. With Py4J, it is possible to call the carefully crafted methods of Atoti Server, or any method of the JVM itself, like System#gc or System#exit. While Atoti Python SDK does not publicly expose the Py4J handle, resourceful developers can gain access to it.
A Py4J socket can be secured with a token. The Py4J socket server only accepts connections opened with the correct token. However, beyond this socket protection, there is no restriction on the methods that can be called.
By default, Atoti Server Application Starter enables security, generating a random token at each startup and printing it to the logs. Moreover, the socket is bound to the local network, preventing any connection from the outside. See the configuration section below to modify the default settings.
Technical user
Atoti Server Application Starter exposes a technical user to Atoti Python SDK. These user credentials are passed for all operations involving HTTP calls.
This user must be specified in the starter configuration, so developers control the privileges granted to this technical user. Yet, Atoti Python SDK requires some advanced permissions to perform the necessary administrative operations, generally the role ROLE_ADMIN. Gaining access to this token is therefore a way to gain full access to all services, and resourceful developers will find a way to get this token out of Atoti Python SDK.
See this section below for more details.
Configuration
The Atoti Server Application Starter requires very few elements to bind with an Atoti application. It expects single beans for the IActivePivotManager and the IDatabase defined by the project. It also retrieves the IJwtService and Atoti's own security service IUserDetailsService, though these are delivered out of the box by the Atoti Starter.
Some additional mandatory configuration is required to set up the technical user performing all operations executed by Atoti Python SDK, as well as the security for the connection between Atoti Python SDK and the Atoti application.
Refer to the how-to guide for a guided integration in a project.
Configure the Py4J socket
Atoti Server Application Starter automatically enables Py4J token protection. If no token is provided by the application configuration, a token is generated and printed to the logs, under the logger with key atoti.server.application-starter.
Users can pass their own token with the property atoti.server.application.py4j.auth-token.
Security can be disabled entirely for development environments with the property atoti.server.application.py4j.enable-auth=false.
By default, the socket listens to the local network only. To open the socket to a larger network, configure the property atoti.server.application.py4j.bind-address with the desired network gateway interface.
Finally, the socket listens to a specific port. This port is set to 25333 by default. To change this port, use the property atoti.server.application.py4j.java-port.
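The following audit sketch is an added example, not code from the Atoti project: it reads a Spring-style .properties text and flags the Py4J settings described above that weaken the default protection. It assumes kebab-case keys exactly as written on this page, treats only loopback addresses as "local", and uses a 32-character minimum token length; the finding labels, that threshold and the sample values are hypothetical.

```python
import ipaddress

PREFIX = "atoti.server.application.py4j."  # property prefix as documented on this page

def parse_properties(text):
    """Parse simple key=value lines (no multi-line values or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def is_loopback(address):
    """Assumption: 'local' means a loopback address or the name localhost."""
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # unresolved host name: treat as non-local

def audit(text, min_token_len=32):
    """Return finding labels (hypothetical names) for risky Py4J settings."""
    props = parse_properties(text)
    auth_on = props.get(PREFIX + "enable-auth", "true").lower() != "false"
    bind = props.get(PREFIX + "bind-address")  # absent: starter default (local only)
    exposed = bind is not None and not is_loopback(bind)
    token = props.get(PREFIX + "auth-token")   # absent: random token per startup
    findings = []
    if not auth_on:
        findings.append("AUTH_DISABLED")
    if exposed:
        findings.append("NON_LOCAL_BIND")
    if not auth_on and exposed:
        # Any reachable client could call arbitrary JVM methods.
        findings.append("UNAUTHENTICATED_REMOTE_JVM_ACCESS")
    if auth_on and token is not None and len(token) < min_token_len:
        findings.append("SHORT_TOKEN")
    return findings

# Constructed sample configurations (values are illustrative only).
DEV_CONFIG = (PREFIX + "enable-auth=false\n"
              + PREFIX + "bind-address=0.0.0.0\n"
              + PREFIX + "java-port=25333\n")
DEFAULT_CONFIG = "atoti.server.application.technical-user.name=atoti-sdk\n"

if __name__ == "__main__":
    print(audit(DEV_CONFIG))
    print(audit(DEFAULT_CONFIG))
```

Running such a check in CI against the deployed configuration catches a development setting (disabled authentication or a wide bind address) before it reaches a shared environment.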
Defining the technical user
Atoti Server Application Starter requires a user name to impersonate for all administrative operations. This user must be granted the roles ROLE_ADMIN and ROLE_USER.
The user name is passed to the starter through the property atoti.server.application.technical-user.name. Atoti Server Application Starter automatically retrieves the required information about this user from the IUserDetailsService bean.