Active IQ Unified Manager Discussions

WFA - Workflow Approval

markrob
6,576 Views

I have a storage decomission workflow.  It has several approval points i.e. an approval point before deleting the SnapMirror destination and another approval point before removing the snapVault destination etc...

 

I need to make sure that the user that executes the workflow is not able to resume the approval points.  This is so that a single user cannot accidentally or maliciously remove the primary, SnapMirror and SnapVault volumes as part of running a decomission workflow.

 

I know that it is possible to pervent operators from approving workflows and to only allow admins/architects but that isn't what i am looking for unfortunaltey.  I need operators to be able to execute and approve workflows but the operator who executed the workflow should not be able to resume an approval point for the workflow that they executed.

 

if anyone has any suggestions on how I might go about doing this I'd appreciate it:-)

 

Many Thanks,

 

Mark

7 REPLIES 7

geringer
6,397 Views

Mark,

 

  You may be able to create a workflow that approves WFA jobs.  If so, you could create a custom command that checks the WFA "userId" for the approval workflow and compares that to the WFA "userId" for the job that needs approval.  If they are the same, throw and error and stop the workflow before it gets to the WFA job approval custom command.  I have not looked at the new powershell commandlets that access WFA db in 3.0, so I would start there.

 

Mike

markrob
6,385 Views

Hi Mike,

 

Thansk for the response.

 

A command that checks the userID was my intial though.  There is a user input $_WFAUser that we could use as part of the inital execution to log which user started the workflow.

 

The problem would then we working out which user approves the workflow.  I tried using ReST API calls to /rest/users but failed as the command runs as the user that WFA is running as and not the user that approves the workflow.

 

But as you say, if the user that approves the workflow is logged in the DB and there are commands to acces it that may work. Do you have any more information about the PowerShell commands that you mention please?

 

Cheers,

 

Mark

sinhaa
6,379 Views

       The Powershell cmdlet being discussed above is Invoke-MySqlQuery which can be used to connect to WFA DB , run query and fetch you the required data. By defalt it uses the WFA login user/password i.e. wfa/Wfa123 and that doesn't have access permissions to WFA's internal tables which have the information about the jobs etc. So it can't get you what is being looked for. This cmdlets is mainly to get data at command execution time from the content schema like cm_storage, storage etc. and not from WFA internal DB schema. 

 

There is no programatic interface available to know who has Approved the workflow. It shows in the Job history in GUI, but this info is not available via any API or cmdlet. I'm just looking to see if somthing can be obtained from WFA logs in this regard.

 

sinhaa

 

 

 

 

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

mteeuwen
5,933 Views

Hi,

 

I need a similar functionality. Is there any way to do this besides granting the wfa user select privileges on the tables containing the job execution data?

 

Kind regards,

Marco Teeuwen

abhit
5,874 Views

Filed an RFE for the same. BURT number 974803.

 

 

-Abhi

mbeattie
4,835 Views

Hi,

 

Whilst this is an old thread the issue has not yet been resolved. For the benefit of customers who require a WFA operator to be denied access to resuming a workflow that has been rejected\canceled by an approver, here an example of a WFA command that will ensure the workflow fails if the execution ID was previously canceled by an approver.

 

Param(
   [Parameter(Mandatory=$True, HelpMessage="The WFA Server hostname")]
   [String]$Hostname
)
#'------------------------------------------------------------------------------
#'Enumerate the MySQL root user credentials from the registry.
#'------------------------------------------------------------------------------
Try{
   [Array]$options   = $(Get-ItemProperty -Path "HKLM:\Software\Wow6432Node\Apache Software Foundation\Procrun 2.0\NA_WFA_SRV\Parameters\Java" -Name Options -ErrorAction Stop | Select-Object -ExpandProperty Options)
   [String]$password = $options[$options.GetUpperBound(0) -1].Split("=")[1]
   [Int]$jobId       = $(Get-WfaRestParameter "jobId")
   [String]$query    = "SELECT `user`.name, `user`.user_role_type, job_history.`status`, job_execution.`status`, job_history.message FROM wfa.job_history, wfa.job_execution, wfa.`user` WHERE job_history.user_id = `user`.id AND job_history.job_execution_id = job_execution.id AND job_execution.id = $jobId"
}Catch{
   Throw "Failed enumerating MySQL credentials from the registry on ""$Hostname"""
}
#'------------------------------------------------------------------------------
#'Raise an error if the WFA job ID or MySQL password are Null or empty.
#'------------------------------------------------------------------------------
If([String]::IsNullOrEmpty($jobId)){
   Throw "Failed enumerating WFA Job ID"
}
If([String]::IsNullOrEmpty($password)){
   Throw "Invalid MySQL credentials"
} 
#'------------------------------------------------------------------------------
#'Invoke the SQL query for the WFA Job ID history.
#'------------------------------------------------------------------------------
Try{
   $records = Invoke-MySqlQuery -Query $query -User root -Password $password -ErrorAction Stop
   Get-WFALogger -Info -Message "Invoked SQL query ""$query"" for job ID $jobId"
}Catch{
   Get-WFALogger -Error -Message $("Failed invoking SQL query ""$query"" for job ID $jobId. Error " + $_.Exception.Message)
   Throw "Failed invoking SQL query for Job ID $jobId"
}
#'------------------------------------------------------------------------------
#'Raise an error if the workflow was previously canceled by an approver.
#'------------------------------------------------------------------------------
ForEach($record In $records){
   [String]$status   = $record.status
   [String]$userRole = $record.user_role_type
   [String]$message  = $record.Message
   If($status -eq "CANCELED" -And $userRole -eq "Approver"){
      If([String]::IsNullOrEmpty($message)){
         Throw $("Job ID $jobId was canceled by approver """ + $record.Name + """")
      }Else{
         Throw $("Job ID $jobId was canceled by approver """ + $record.Name + """ with comment """ + $message + """")
      }
   }
}
Get-WFALogger -Info -Message "Job ID $jobId was not previously canceled by an approver. Resuming workflow"
#'------------------------------------------------------------------------------

Note: Use can use this MVEL function to enumerate the WFA servers hostname EG call the function using single quotes: get_wfa_hostname('')

 

def get_wfa_hostname(hostname){
   import java.net.InetAddress;
   InetAddress addr = java.net.InetAddress.getLocalHost();   
   return addr.getHostName();
}

Hope that’s useful.

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

mbeattie
4,531 Views

I noticed some slight registry changes in WFA5.0 that caused a workflow failure when checking the approval point using the code previously posted. Updated to account for the order of registry keys changing, references the registry option value '-dmysl.password ' by name instead of array index, ensures the option values are valid (key=value) and adds them to a hashtable.

 

Param(
   [Parameter(Mandatory=$True, HelpMessage="The WFA Server hostname")]
   [String]$Hostname
)
#'------------------------------------------------------------------------------
#'Enumerate the MySQL root user credentials from the registry.
#'------------------------------------------------------------------------------
[HashTable]$keyPairs = @{};
[Int]$jobId          = $(Get-WfaRestParameter "jobId")
Try{
   [Array]$options = $(Get-ItemProperty -Path "HKLM:\Software\Wow6432Node\Apache Software Foundation\Procrun 2.0\NA_WFA_SRV\Parameters\Java" -Name Options -ErrorAction Stop | Select-Object -ExpandProperty Options)
   ForEach($option In $options){
      If($option.Contains("=")){
         [String]$key   = $option.Split("=")[0]
         [String]$value = $option.Split("=")[1]
         If(-Not($keyPairs.ContainsKey($key))){
            [HashTable]$keyPairs.Add($key, $value)
         }
      }
   }
   [String]$password = $keyPairs["-Dmysql.password"]
   [String]$query    = "SELECT `user`.name, `user`.user_role_type, job_history.`status`, job_execution.`status`, job_history.message FROM wfa.job_history, wfa.job_execution, wfa.`user` WHERE job_history.user_id = `user`.id AND job_history.job_execution_id = job_execution.id AND job_execution.id = $jobId"
}Catch{
   Throw "Failed enumerating MySQL credentials from the registry on ""$Hostname"""
}
#'------------------------------------------------------------------------------
#'Raise an error if the WFA job ID or MySQL password are Null or emtpy.
#'------------------------------------------------------------------------------
If([String]::IsNullOrEmpty($jobId)){
   Throw "Failed enumerating WFA Job ID"
}
If([String]::IsNullOrEmpty($password)){
   Throw "Invalid MySQL credentials"
} 
#'------------------------------------------------------------------------------
#'Invoke the SQL query for the WFA Job ID history.
#'------------------------------------------------------------------------------
Try{
   $records = Invoke-MySqlQuery -Query $query -User root -Password $password -ErrorAction Stop
   Get-WFALogger -Info -Message "Invoked SQL query ""$query"" for job ID ""$jobId"""
}Catch{
   Get-WFALogger -Error -Message $("Failed invoking SQL query ""$query"" for job ID ""$jobId"". Error " + $_.Exception.Message)
   Throw "Failed invoking SQL query for Job ID ""$jobId"""
}
#'------------------------------------------------------------------------------
#'Raise an error if the workflow was previously canceled by an approver.
#'------------------------------------------------------------------------------
ForEach($record In $records){
   [String]$status   = $record.status
   [String]$userRole = $record.user_role_type
   [String]$message  = $record.Message
   If($status -eq "CANCELED" -And $userRole -eq "Approver"){
      If([String]::IsNullOrEmpty($message)){
         Throw $("Job ID $jobId was canceled by approver """ + $record.Name + """")
      }Else{
         Throw $("Job ID $jobId was canceled by approver """ + $record.Name + """ with comment """ + $message + """")
      }
   }
}
Get-WFALogger -Info -Message "Job ID ""$jobId"" was not previously canceled by an approver. Resuming workflow"
#'------------------------------------------------------------------------------
If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
Public