Cross Reference: /forgerock/openidm-v4/openidm-zip/src/main/resources/samples/sample3/README

	README revision 64ca5d02a4179512c5d68956e5088aa9c6ccc287
/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2014 ForgeRock AS. All rights reserved.
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * http://forgerock.org/license/CDDLv1.0.html
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at http://forgerock.org/license/CDDLv1.0.html
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */

Sample 3 - Scripted SQL
-----------------------

This sample demonstrates an example configuration for a scripted SQL
connector, a connector that communicates with a database through configurable
SQL scripts. This example requires a fresh installation of OpenIDM.

For documentation pertaining to this example see:
http://openidm.forgerock.org/doc/install-guide/index.html#more-sample3

This sample also demonstrates the use of complex data types. Complex types
can be stored, retrieved and synced like any other property of an object. These
types can be mapped to your external data sources in any way you choose but are
generally stored in the managed data as JSON represented as a String. This may
be customized further to do additional work with or transformation on that data.

The sync.json script demonstrates the use of event hooks to perform an action. In
this example there are two hooks, one for the onCreate event and another for onUpdate,
both for the managed user to external repo user case. In both events this sample
will log a statement to OpenIDM's log file (see the logs directory) when a managed
user is created or updated in the external repo. In both cases the script is
explicitly included in the sync.json file but could just as easily have referenced
an external file for the script source instead. For more information see:

http://openidm.forgerock.org/doc/webhelp/integrators-guide/appendix-scripting.html

The scripted connector supports any number of custom scripted endpoints. These are
configured via the provisioner script and currently support only Groovy. See
provisioner.openicf-scriptedsql.json and tools/ResetDatabaseScript.groovy for the
sample implementation. Step 5b below executes this script.

CAVEAT: Because MySQL cannot "un-hash" user passwords there is no way for a recon
to retrieve and store the password in the managed user object in OpenIDM. This may
impact configurations that support multiple external repos insofar as passwords
will likely not be in sync immediately after a mysql -> managed recon. Despite
creating any missing users in the managed repo during recon their passwords are
empty so those same users synced into the other external repos will have blank
passwords. Some additional scripting may be required to handle this situation
depending on the requirements of your deployment.


To try the example, follow these steps.

    1. Copy the MySQL Connector/J .jar to the OpenIDM bundle/ directory.

    $ cp mysql-connector-java-5.1.18-bin.jar /path/to/openidm/bundle/

    3. Set up MySQL to listen on localhost:3306, connecting as root:password.

    4. Create the initial database OpenIDM will sync with.

    mysql> CREATE DATABASE hrdb CHARACTER SET utf8 COLLATE utf8_bin;

    5. Start OpenIDM with the configuration for sample 3.

    $ /path/to/openidm/startup.sh -p samples/sample3

    6. Populate the MySQL database with sample data. Use REST to execute a custom script that, in this case, resets
    and populates the database.  This script may be re-run at any time to reset the database.
       $ curl -k --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --header "Content-Type: application/json" --request POST "https://localhost:8443/openidm/system/scriptedsql?_action=script&scriptId=ResetDatabase"
       {
         "actions": [
           {
             "result": "Successfully reset the database"
           }
         ]
       }

       At this point the MySQL database should be fully populated.
       mysql> USE hrdb;
       Database changed
       mysql> SELECT * FROM users;
       +----+--------+------------------------------------------+-----------+----------+---------------+---------------------------+--------------+---------------------+
       | id | uid    | password                                 | firstname | lastname | fullname      | email                     | organization | timestamp           |
       +----+--------+------------------------------------------+-----------+----------+---------------+---------------------------+--------------+---------------------+
       |  1 | bob    | e38ad214943daad1d64c102faec29de4afe9da3d | Bob       | Fleming  | Bob Fleming   | Bob.Fleming@example.com   | HR           | 2014-10-30 08:55:41 |
       |  2 | rowley | 2aa60a8ff7fcd473d321e0146afd9e26df395147 | Rowley    | Birkin   | Rowley Birkin | Rowley.Birkin@example.com | SALES        | 2014-10-30 08:55:41 |
       |  3 | louis  | 1119cfd37ee247357e034a08d844eea25f6fd20f | Louis     | Balfour  | Louis Balfour | Louis.Balfor@example.com  | SALES        | 2014-10-30 08:55:41 |
       |  4 | john   | a1d7584daaca4738d499ad7082886b01117275d8 | John      | Smith    | John Smith    | John.Smith@example.com    | SUPPORT      | 2014-10-30 08:55:41 |
       |  5 | jdoe   | edba955d0ea15fdef4f61726ef97e5af507430c0 | John      | Doe      | John Doe      | John.Doe@example.com      | ENG          | 2014-10-30 08:55:41 |
       +----+--------+------------------------------------------+-----------+----------+---------------+---------------------------+--------------+---------------------+
       5 rows in set (0.00 sec)

       * Note that these passwords are hashed, and not available to be read into OpenIDM as cleartext.
       * sha1 is used to hash these passwords for compatibility reasons; in production, use more secure algorithms.

    7. Run reconciliation:

    $ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST "https://localhost:8443/openidm/recon?_action=recon&mapping=systemHrdb_managedUser"

    8. Retrieve the list of users from OpenIDM's internal repository:

    $ curl -k -u "openidm-admin:openidm-admin" --request GET "https://localhost:8443/openidm/managed/user/?_queryId=query-all&fields=_openidm_id,userName,sn,givenName&_prettyPrint=true"
    {
      "result" : [ {
        "_id" : "5b8c0ea8-3f11-4588-97af-723a76c8ef40",
        "_rev" : "0",
        "userName" : "rowley",
        "sn" : "Birkin",
        "givenName" : "Rowley"
      }, {
        "_id" : "7de6b0f6-2930-43fc-8e66-c6dd79e37160",
        "_rev" : "0",
        "userName" : "john",
        "sn" : "Smith",
        "givenName" : "John"
      }, {
        "_id" : "6fc473c4-9837-43f0-af6f-6fb4aa13a666",
        "_rev" : "0",
        "userName" : "louis",
        "sn" : "Balfour",
        "givenName" : "Louis"
      }, {
        "_id" : "163237fd-934d-4160-878d-c59f32a3eec9",
        "_rev" : "0",
        "userName" : "jdoe",
        "sn" : "Doe",
        "givenName" : "John"
      }, {
        "_id" : "3bbc3706-b6e2-4013-960a-6d1beed582e1",
        "_rev" : "0",
        "userName" : "bob",
        "sn" : "Fleming",
        "givenName" : "Bob"
      } ],
      "resultCount" : 5,
      "pagedResultsCookie" : null,
      "remainingPagedResults" : -1
    }

    9. Query for an individual user (by userName):

    $ curl -k -u "openidm-admin:openidm-admin" --request GET "https://localhost:8443/openidm/managed/user?_queryId=for-userName&uid=rowley&_prettyPrint=true"
    {
      "result" : [ {
        "mail" : "Rowley.Birkin@example.com",
        "sn" : "Birkin",
        "passwordAttempts" : "0",
        "lastPasswordAttempt" : "Wed Oct 22 2014 09:51:31 GMT-0700 (PDT)",
        "address2" : "",
        "givenName" : "Rowley",
        "effectiveRoles" : [ "openidm-authorized" ],
        "country" : "",
        "city" : "",
        "lastPasswordSet" : "",
        "organization" : "SALES",
        "postalCode" : "",
        "_id" : "ed8bbe46-08a1-4716-9d5f-3cc5d09e2a7c",
        "_rev" : "1",
        "cars" : [ {
          "make" : "BMW",
          "year" : "2013",
          "model" : "328ci"
        }, {
          "make" : "Lexus",
          "year" : "2010",
          "model" : "ES300"
        } ],
        "accountStatus" : "active",
        "telephoneNumber" : "",
        "roles" : [ "openidm-authorized" ],
        "effectiveAssignments" : null,
        "postalAddress" : "",
        "userName" : "rowley",
        "stateProvince" : ""
      } ],
      "resultCount" : 1,
      "pagedResultsCookie" : null,
      "remainingPagedResults" : -1
    }

    Note the "cars" list containing multiple objects.  This structure is displayed in the admin UI as well.  The name
    "cars" was used to help differentiate what matters to the complex type versus what is required by OpenIDM/OpenICF
    in the Groovy scripts.

    In the database the 'car' table joins to the 'users' table via the cars.users_id column.  The Groovy scripts are
    responsible for reading this data from MySQL and repackaging it in a way that OpenIDM can understand. Now with
    support for complex types this data is passed through to OpenIDM in the same form: as a list of 'car' objects.
    Likewise, data is synced from OpenIDM to MySQL in the same form.

    Group membership (not shown here) is maintained with a traditional "join table" in MySQL ('groups_users'). OpenIDM
    does not maintain group membership this way so the Groovy scripts do the work to translate between the two.  This
    demonstrates another form of complex object though the sky is the limit.  Complex objects may also be nested to any
    depth.

    10. Show paging results with page size of 2
    $ curl -k -u "openidm-admin:openidm-admin" --request GET "https://localhost:8443/openidm/system/scriptedsql/account?_queryId=query-all-ids&_pageSize=2&_sortKeys=timestamp,id"
    {
      "result":[
        {
          "uid":"bob",
          "_id":"1"
        },
        {
          "uid":"rowley",
          "_id":"2"
        } ],
      "resultCount":2,
      "pagedResultsCookie":"2014-09-11 10:07:57.0,2",
      "remainingPagedResults":-1
    }

    11. Use the pagedResultsCookie from the result in step 9 for the next query to retrieve the next result set. Make sure you encode the date:time.
    $ curl -k -u "openidm-admin:openidm-admin" --request GET "https://localhost:8443/openidm/system/scriptedsql/account?_queryId=query-all-ids&_pageSize=2&_sortKeys=timestamp,id&_pagedResultsCookie=2014-09-11%2010:07:57.0,2"
    {
      "result":[
        {
          "uid":"louis",
          "_id":"3"
        },
        {
          "uid":"john",
          "_id":"4"
        }],
      "resultCount":2,
      "pagedResultsCookie":"2014-09-11 10:07:57.0,4",
      "remainingPagedResults":-1
    }

You can log in to the OpenIDM UI (https://localhost:8443/openidmui) with any of
the users that were created in the repository by the reconciliation operation.
Consult the values from "sample_HR_DB.mysql" to retrieve their clear text
passwords. Users can update their profiles or passwords. Any changes will be
automatically synchronized back to the MySQL database.