
The Atoti Runtime Starter

Introduction

The Atoti Runtime Starter automatically sets up an Atoti Server application to work with the Atoti Python API. It is added on top of an existing Atoti application and completes it with the services the Python API needs to operate.

Installation

See this how-to guide to learn how to add the Atoti Runtime Starter to your project.

Considerations

danger

The Atoti Python API is a complete API for configuring an Atoti application. It must therefore be treated as an open door into the application, exactly like any other mechanism that lets a client run Java code on the server. While there are ways to control access to the API (see below), exposing it in a production environment is not recommended.

The Python API communicates with the server through a combination of REST calls, a GraphQL API and a dedicated Py4J socket between the client and the server. The socket is the main security concern and is detailed in the next section. The HTTP endpoints are protected by standard Spring Security, so they are more secure by default.

Moreover, the Atoti Runtime Starter does not persist the changes made through the Python API. All changes are applied on the fly to the running application and are lost when the application restarts.

Py4J communication

The Atoti Runtime Starter opens a Py4J socket through which the Python API controls the JVM running the Atoti application.

By design, Py4J gives access to every method reachable in the JVM. Through the Py4J gateway it is possible to call the carefully crafted methods of Atoti Server, but also any method of the JVM itself, such as System#gc or System#exit. The Python API does not publicly expose the gateway handle, but a resourceful developer can still obtain it.

A Py4J socket can be protected with an authentication token: the Py4J server only accepts connections that present the correct token. This protection applies to the connection only; once a client is authenticated, there is no restriction on the methods it can call.
By default, the Atoti Runtime Starter enables this protection, generating a random token at each startup and printing it to the logs (anyone able to read those logs therefore obtains the token). Moreover, the socket is bound to the local interface only, so no connection from other hosts is accepted. See the configuration section below to change these defaults.

Technical user

The Atoti Runtime Starter exposes a technical user to the Python API. This user's credentials are used for every operation that involves an HTTP call.
The user must be specified in the starter configuration, so developers control the privileges granted to it. However, the Atoti Python API needs elevated permissions to perform its administrative operations, generally the role ROLE_ADMIN, so obtaining this user's credentials (the token the Python API carries on its HTTP calls) amounts to gaining full access to all services. A resourceful developer will find a way to extract this token from the Python API.

See this section below for more details.

Configuration

The Atoti Runtime Starter requires very few elements to bind with an Atoti application.

It expects a single bean for each of the IActivePivotManager and the IDatabase defined by the project. It also retrieves the IJwtService and Atoti's own security service IUserDetailsService, although both are provided out of the box by the Atoti Starter.

Some additional mandatory configuration sets up the technical user that performs all operations executed by the Python API, as well as the security of the connection between the Python API and the Atoti application.
Refer to the how-to guide for a step-by-step integration into a project.

Configure the Py4J socket

The Atoti Runtime Starter enables Py4J token protection automatically. If the application configuration provides no token, one is generated at startup and printed to the logs under the logger atoti.server.runtime-starter.
Users can supply their own token with the property atoti.server.runtime.py4j.auth-token.

Token authentication can be disabled entirely for development environments with the property atoti.server.runtime.py4j.enable-auth=false. Any process able to reach the socket then has full control of the JVM, so never combine this setting with a non-local bind address.

By default, the socket listens on the local interface only. To expose it to a wider network, set the property atoti.server.runtime.py4j.bind-address to the address of the interface to bind.

Finally, the socket listens on a specific port, 25333 by default. To change it, use the property atoti.server.runtime.py4j.java-port.

Defining the technical user

The Atoti Runtime Starter requires a user name to impersonate for all administrative operations. This user must be granted the roles ROLE_ADMIN and ROLE_USER.
The user name is passed to the starter through the property atoti.server.runtime.technical-user.name. The starter automatically retrieves the remaining details about this user from the IUserDetailsService bean.
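As an added example (not code from the Atoti Runtime Starter project or its documentation), the following Python script audits the Py4J socket and technical-user settings described in the two sections above before a properties file reaches production. The property keys are the ones documented here; the two sample application.properties contents are constructed for illustration, an absent bind-address is treated as local-only following the documented default, and the `${...}` placeholder convention for injecting the token from the environment is an assumption about how the application resolves its properties.

```python
"""Audit Atoti Runtime Starter Py4J / technical-user settings in a Spring
application.properties file.

Added example, not part of the Atoti Runtime Starter. Property keys are
those documented for the starter; the sample configurations are constructed.
"""
from __future__ import annotations

from ipaddress import ip_address

# Property keys documented for the starter.
ENABLE_AUTH = "atoti.server.runtime.py4j.enable-auth"
AUTH_TOKEN = "atoti.server.runtime.py4j.auth-token"
BIND_ADDRESS = "atoti.server.runtime.py4j.bind-address"
JAVA_PORT = "atoti.server.runtime.py4j.java-port"
TECH_USER = "atoti.server.runtime.technical-user.name"

DEFAULT_PORT = 25333  # documented default Py4J port

# Constructed sample: a developer laptop where protection was switched off
# and the socket was opened on every interface.
DEV_PROPS = """
# dev only
atoti.server.runtime.py4j.enable-auth=false
atoti.server.runtime.py4j.bind-address=0.0.0.0
atoti.server.runtime.technical-user.name=admin
"""

# Constructed sample: the same settings hardened. The ${...} placeholder is an
# assumption about how the application injects the token from its environment.
HARDENED_PROPS = """
atoti.server.runtime.py4j.enable-auth=true
atoti.server.runtime.py4j.auth-token=${ATOTI_PY4J_TOKEN}
atoti.server.runtime.py4j.bind-address=127.0.0.1
atoti.server.runtime.py4j.java-port=25333
atoti.server.runtime.technical-user.name=atoti-python-api
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties reader: 'key=value' or 'key: value', with '#' and
    '!' comment lines. Line continuations, whitespace-separated keys and
    unicode escapes are not handled (assumption: these configs use none)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":  # the first separator splits key from value
                props[line[:i].strip()] = line[i + 1:].strip()
                break
        else:
            props[line] = ""  # key without a value
    return props


def is_loopback(addr: str) -> bool:
    """True when the address keeps the socket on this machine. An empty value
    means the starter default, which the docs state is local-only."""
    if addr in ("", "localhost"):
        return True
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(props: dict[str, str]) -> list[tuple[str, str]]:
    """Return one (severity, message) finding per problematic setting."""
    findings: list[tuple[str, str]] = []

    # Disabled token auth: the socket then accepts any client.
    if props.get(ENABLE_AUTH, "true").lower() == "false":
        findings.append(("HIGH", f"{ENABLE_AUTH}=false: any process that can reach "
                         "the socket controls the JVM"))

    # A literal token in the file is a credential in version control.
    token = props.get(AUTH_TOKEN, "")
    if token and not (token.startswith("${") and token.endswith("}")):
        findings.append(("MEDIUM", f"{AUTH_TOKEN} is stored in clear text; inject it "
                         "via a ${...} placeholder from the environment or a secret store"))

    # Non-loopback bind: the token is then the only barrier, and it gates
    # the connection, not the methods a client may call.
    bind = props.get(BIND_ADDRESS, "")
    if not is_loopback(bind):
        findings.append(("HIGH", f"{BIND_ADDRESS}={bind}: socket reachable from other "
                         "hosts; the token gates the connection only, not the methods"))

    port = props.get(JAVA_PORT, str(DEFAULT_PORT))
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(("LOW", f"{JAVA_PORT}={port!r} is not a valid TCP port"))

    if not props.get(TECH_USER):
        findings.append(("LOW", f"{TECH_USER} is not set; the starter needs a user "
                         "holding ROLE_ADMIN and ROLE_USER"))

    return findings


if __name__ == "__main__":
    for name, text in (("dev", DEV_PROPS), ("hardened", HARDENED_PROPS)):
        results = audit(parse_properties(text))
        print(f"{name}: {len(results)} finding(s)")
        for severity, message in results:
            print(f"  [{severity}] {message}")
```

Feed the real application.properties of the production profile to parse_properties and fail the deployment pipeline on any finding. A token that the starter generated and printed to the logs is invisible to this check, so access to those logs still needs its own controls.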

Known caveats

GraphQL manual configuration

The Atoti Runtime Starter exposes an internal GraphQL API that supports part of the operations of the Python API. At the moment, for it to work correctly with Spring, a project must manually re-expose the GraphQL schema in the final application.

See this step for setup instructions.