
Scripted Authentication can be enabled for a connection by providing a command line to run in the 'Auth Script Command' field. RED triggers this command the first time it needs to authenticate with the connection, and again whenever the 'Auth Expires After' interval (in minutes) is exceeded.

Typical Script Based Authentication Workflow

When RED executes the 'Auth Script Command' this is the typical workflow: 

  1. RED UI
    1. Saves the current RED Profile to disk and exposes the path to this Profile file and the name of the connection requiring authentication via environment variables.
    2. Runs the 'Auth Script Command'.
  2. Authentication Script
    1. Reads the RED Profile and retrieves any required Connection details from it.
    2. Performs the required authentication workflow for the connection.
    3. Updates the RED Profile on disk with refreshed Auth Tokens, Expires After mins and other Auth Configuration values as required.
  3. RED UI
    1. Merges the updated RED Profile file back into memory.
    2. Completes the authentication process for the connection.
    3. Resets the internal expiry for the connection based on 'Auth Expires After' mins.

Auth Script Environment Variables

RED will set the following Environment Variables for the Auth Script Command execution.

These are the minimum set that can be relied on, but the usual WSL_TGT_* and WSL_META_* variables will also be provided if available for the scenario. WSL_TGT_* variables are set to the context of the connection being authenticated to. If your script relies on other variables being set, it is best to fall back to extracting the values from the Profile file when they are not set in the environment.

| Environment Variable | Value | Description |
|---|---|---|
| WSL_TGT_CONNAME | The name of the connection being refreshed. Not set for the Metadata Repository connection. | Determines which connection requires authentication and the node to update in the profile file. When not set, authenticate the Metadata Repository, which is at the root node of the profile. |
| WSL_RED_PROFILE | The path to the RED Profile file. | Used to read and then update the RED Profile file, as required, for the particular authentication flow. |
| WSL_BINDIR | The path to the RED installation directory. | Useful if your scripts utilize any RED command line tooling. |

Auth Script Output Protocol

RED relies on the Exit Code only. The script is expected to report any errors to the user interactively or via its own logging mechanisms.

Exit Codes

  • 0 = Success, this signals to RED that it should continue with the authentication attempt.
  • Non-Zero = Failure, this signals to RED that it should abort the current authentication attempt.

Script Output 

  • All Auth Script output streams are currently ignored by RED
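
As an added example (not part of the original page or of the ws_auth.zip sample), the launcher below enforces this contract around an auth flow: it checks the environment variables, writes its own log with secret-looking values masked, and maps every failure to a non-zero exit code. The -FlowScript parameter, the log file name and the secret-name pattern are assumptions made for illustration.

```powershell
# Added example (not part of ws_auth.zip): contract-checking launcher for an auth flow.
param(
    [Parameter(Mandatory)][string]$FlowScript   # hypothetical: path to your own auth flow script
)
$ErrorActionPreference = 'Stop'
$logFile = Join-Path $env:TEMP 'auth_launcher.log'   # hypothetical log file name

function Write-AuthLog([string]$Level, [string]$Message) {
    Add-Content -LiteralPath $logFile -Value ('{0:s} [{1}] {2}' -f (Get-Date), $Level, $Message)
}

# WSL_* variables formatted for logging. Values are masked when the variable
# name looks secret; the name pattern is an assumption, extend it as needed.
function Get-RedactedWslEnv {
    Get-ChildItem Env: | Where-Object { $_.Name -like 'WSL_*' } | ForEach-Object {
        $masked = $_.Name -match 'PWD|PASS|SECRET|TOKEN|KEY'
        '{0}={1}' -f $_.Name, $(if ($masked) { '********' } else { $_.Value })
    }
}

try {
    Get-RedactedWslEnv | ForEach-Object { Write-AuthLog 'DEBUG' $_ }

    # WSL_RED_PROFILE must point at the profile file RED saved to disk.
    $profilePath = $env:WSL_RED_PROFILE
    if ([string]::IsNullOrWhiteSpace($profilePath) -or
        -not (Test-Path -LiteralPath $profilePath -PathType Leaf)) {
        throw 'WSL_RED_PROFILE is not set or does not point to a file.'
    }

    # WSL_TGT_CONNAME unset means the Metadata Repository (root node of the profile).
    $target = $env:WSL_TGT_CONNAME
    if ([string]::IsNullOrEmpty($target)) { $target = '<Metadata Repository>' }
    Write-AuthLog 'INFO' "Authenticating '$target' using profile '$profilePath'"

    # Run the flow; it reads the same environment and updates the profile file.
    $global:LASTEXITCODE = 0
    & $FlowScript
    if ($LASTEXITCODE -ne 0) { throw "Auth flow exited with code $LASTEXITCODE." }

    Write-AuthLog 'INFO' "Authentication flow succeeded for '$target'"
    exit 0      # RED continues with the authentication attempt
}
catch {
    Write-AuthLog 'ERROR' $_.Exception.Message
    exit 1      # RED aborts the current authentication attempt
}
```

Because RED ignores the script's output streams, the log file is the only record of why an attempt was aborted.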

Auth Script Command Usage - PowerShell Examples

The examples here use the following sample PowerShell project, which can be unzipped to a local directory on a system running RED.

ws_auth.zip

In one of your connections in RED you can test the Scripted Authentication process by setting an Auth Script Command and a non-zero Auth Expires After setting, then browsing the connection to initiate the authentication process.

The sample PowerShell-based authentication project has a main script and a set of modules. The main script can be extended with your own authentication types as required.

Script name and parameters

Name:

  • ws_auth.ps1

Parameters: 

  • AuthType - from: "Snowflake-MFA", "Snowflake-KeyPair", "Test-mode" [Default if not specified]

  • LogLevel - from:  "DEBUG", "INFO", "WARN", "ERROR", "FATAL" - Defaults to INFO

Logging:

This script produces logging based on the LogLevel setting. The log file is created in the current user's temp directory with the name 'ws_auth.log'. This location can be found in Windows by typing %TEMP% in an Explorer window.

Example script commands


Warning: LogLevel "DEBUG" will print the script environment variables to the log file ws_auth.log, which may expose passwords in plain text. DEBUG should not be set in production.

Notes:

  1. The actual path in these commands should be changed to reflect the location where you unpacked the ws_auth.ps1 script and modules.
  2. Ensure you also set an initial non-zero value for the Auth Expires After setting.
  3. You cannot currently change a connection string via a Profile update, therefore the connection string is non-editable in these Auth UIs.

ws_auth Test-mode

Auth Script Command = 

PowerShell -ExecutionPolicy bypass -f "c:\temp\ws_auth\ws_auth.ps1" -AuthType "Test-mode" -LogLevel "DEBUG"

When executed by RED's authentication process this mode produces a dialog which provides the ability to change all possible fields.


