Technology Blog Posts by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Automizing authentication with SAP Datasphere CLI via OAuth 2.0

Anton_HH
Associate
Associate
3 weeks ago
638

Introduction

This blog is intended to provide you with a guide on how you can automate the process of authenticating commands executed through the SAP Datasphere CLI (command line interface) by using an OAuth 2.0 client.

Adopting this approach will facilitate your workflow significantly, when performing tasks in SAP Datasphere via the CLI.

Prerequisites

Before getting started, please make sure that you have the latest version of the SAP Datasphere CLI installed on your local machine.
If you have not installed the CLI yet, you can follow this description: Command-Line Interface (CLI) for SAP Datasphere.

Furthermore, you need the DW Administrator role to be able to create a new OAuth 2.0 client for your SAP Datasphere tenant.

Setting up your OAuth 2.0 client

Please take the following steps in order to set up your OAuth 2.0 client.
For deeper explanations, also have a look at the official SAP Datasphere CLI documentation.

1. Creating an OAuth 2.0 client in your SAP Datasphere tenant

To create a new OAuth 2.0 client, please click the “System” button in the bottom left corner on your side navigation bar and select “Administration”.

OAUTHLOCATION.png

Navigate to the “App Integration” tab and click "Add an OAuth client".

OAUTHCREATE.png

Choose a meaningful name for your client and specify the Redirect URI.
By default, the Redirect URI should be set to http://localhost:8080.

Note down the authorization URL, token URL, client ID and client secret (carefully save the secret, as it is only accessible once in the process of creating your OAuth 2.0 client!).

Please consider that steps 2. - 5. need to be repeated, depending on the lifetime (max. 720h) you define for the refresh token.

2. Login to the CLI

On your local machine, now open the terminal and log in to the CLI via the following command, providing the tenant URL, client ID and client secret.

datasphere login --host <your tenant url> --client-id <your client id> --client-secret <your client secret>

3. Revealing the tokens

After you have successfully logged in to your tenant, use the command

datasphere config secrets show --host <your tenant url>

to reveal the access token and refresh token the CLI retrieved from the tenant during step 2.

SECRETS SHOW.png

4. Creating the secrets-file

Now you have all the necessary information to create a so-called secrets-file in form of a JSON as mentioned on this section of the SAP Datasphere CLI documentation.

In your secrets-file, include the information highlighted in the screenshot above.
Please pay attention that all the properties are separated by commas and the spelling of the property names is exactly the same as in this template:

{
  "client_id": "...",
  "client_secret": "...",
  "authorization_url": "<your tenant URL>/oauth/authorize",
  "token_url": "<your tenant URL>/oauth/token",
  "access_token": "...",
  "refresh_token": "..."
}

5. Making your secrets-file accessible

Copy the secrets-file to the directory where you have the CLI installed or respectively to the server where you want to execute commands in a headless environment, so that the CLI, or the process running the CLI commands, can read it.

Now you've successfully set up your OAuth 2.0 client and created a secrets-file for that client, which allows you to get rid of manual authentication by passing the secrets-file to the CLI. 

Executing commands from an automation script

Usage of an OAuth 2.0 client also allows you to bundle workflows in SAP Datasphere, so you can automatically execute multi-step tasks where each single step normally would demand manual authentication.

For authenticating your SAP Datasphere CLI commands by using an OAuth 2.0 client, call the commands via the CLI in your automation script and always attach the option “--secrets-file /path/to/your/secrets-file.json”.

You can also pass the access token and refresh token directly to the CLI, which might make sense depending on your scenario and allows you to omit the login step by using the following command:

datasphere cache init --host <your tenant URL> --access-token <your access token> --refresh-token <your refresh token>

When running a script in a Node.js environment, follow the instructions mentioned on the official npm documentation for the SAP Datasphere CLI.

The following code is a simple example of a Node.js script, that automatically logs in to the defined tenant and then runs a Task Chain:

import { getCommands } from "@sap/datasphere-cli";
const source_tenant = "<your tenant URL>";
const secrets_file = "/path/to/your/secrets-file.json";

const loginOpt = {
  "--secrets-file": secrets_file,
  "--host": source_tenant,
  "--verbose": true
};

const taskChainOpt = {
    "--space": "<your space>",
    "--object": "<your task chain>",
    "--host": source_tenant,
    "--verbose": true
};

(async () => {
  try{
  const commands = await getCommands(source_tenant);
  await commands["login"](loginOpt); 
  await commands["tasks chains run"](taskChainOpt);
}

catch (err){
  console.error(err);
}
})();

For running the script, use the terminal to  execute it with the command:

Node /path/to/your-script.js

TERMINALCALL.png

After running the example script, you can switch to the Data Integration Monitor in SAP Datasphere to check, that the task chain got triggered automatically by the Node.js script, that we ran from the terminal.
If you compare the correlation IDs highlighted in both screenshots, you can see it belongs to the same task:

MONITORNEW.png

Note

Sometimes when you execute commands via the CLI from a script, the output or server response will not show up in the console, as it does when you execute the same command manually.
For a workaround, you can save the server response in a variable that you then can use for further steps in your automation script.
Some commands also allow to directly create an output file by adding „--output-file /path/to/your/output-file.json“ after your command.
By adding “-h” to any command, the CLI manual will show up and display, which options you can add to that specific command. This way you can check, if the opportunity of creating an output-file exists for your command.

Conclusion

Using an OAuth 2.0 client for authenticating your commands processed via the CLI will make your interaction with SAP Datasphere much more convenient, especially when you want to automize processes.
The approach described in this article can be used to automate user authentication via CLI, although it requires repeating the process after the refresh token expires.
We're actively developing support for technical user access, which will eliminate this limitation and enable complete automation.
Stay tuned for updates as we continue to enhance your user experience!

Further reading

For more information on the possibilities that come with the SAP Datasphere CLI please also have a look at this blog overview.

Since this is my first blog post, I’d be happy to hear your feedback and thoughts.
Very special thanks to my colleagues @hozumi  and @FlorianN who have given me excellent support in creating this blog!

 

 

 

 

2 Comments
Labels in this area
Popular Blog Posts