To get system privileges into your HDI container, someone has to grant them to it. These are the steps you have to follow to get them into the container. In this sample, the IMPORT/EXPORT privileges are granted.
1. [optional] A user with the DBA-ADMIN role creates a usergroup [HELP] such as "HDI_CONTAINER_RIGHTS"
Either use HANA Cloud Central to create a USERGROUP
2. or use a SQL command:
-- DROP USERGROUP "HDI_CONTAINER_RIGHTS";
CREATE USERGROUP "HDI_CONTAINER_RIGHTS";
3. Create a USER "HDI_IMPORT_EXPORT_GRANTER":
or use a SQL command:
-- DROP USER HDI_IMPORT_EXPORT_GRANTER;
-- Abcd1234 is a sample password; set your own value for a real landscape.
CREATE USER HDI_IMPORT_EXPORT_GRANTER PASSWORD Abcd1234 NO FORCE_FIRST_PASSWORD_CHANGE SET USERGROUP "HDI_CONTAINER_RIGHTS";
4. Define a ROLE "HANAIMPORTEXPORT4HDI" that has the privileges needed for the container:
or use a SQL command:
CREATE ROLE HANAIMPORTEXPORT4HDI;
GRANT IMPORT TO HANAIMPORTEXPORT4HDI;
GRANT EXPORT TO HANAIMPORTEXPORT4HDI;
5. Now this role has to be granted to HDI_IMPORT_EXPORT_GRANTER with the option to grant it to others.
This user will give the HDI container the role so that the container can import and export
or with the SQL command:
GRANT HANAIMPORTEXPORT4HDI TO HDI_IMPORT_EXPORT_GRANTER WITH ADMIN OPTION;
Now we have done the HANA Cloud side of things.
There is a user "HDI_IMPORT_EXPORT_GRANTER" that can grant a role "HANAIMPORTEXPORT4HDI" with IMPORT and EXPORT privileges.
6. Now we have to get this role into our HDI container. We have to switch to the BTP Cockpit:
Inside your development space (here "dev") a CUPS (Custom User Provided Service) needs to be defined.
{
  "user": "HDI_IMPORT_EXPORT_GRANTER",
  "password": "Abcd1234",
  "tags": [ "hana" ]
}
Now there is a CUPS service in your space that can grant your HDI containers the role to import and export. Of course you need all this in a similar style in the other landscapes you are using. Explain this to your SAP HANA Cloud ADMIN. Certainly only very few people in production are allowed to see the passwords. The privileges of the role were intentionally kept very limited.
7. Now we go into Business Application Studio to get the wanted role into the HDI container.
1. Bring the CUPS service into your project:
It will appear as a "cross-container-service-n". (In my case I had another one as well.)
This container gets a name, here "cross-container-service-3", which you will also find in the mta.yaml file:
2. Now that we have a service that can GRANT us the role we are looking for, we need an hdbgrants file:
or here the text version:
{
  "ServiceName_3": {
    "object_owner": {
      "global_roles": [
        { "roles": [ "HANAIMPORTEXPORT4HDI" ] }
      ]
    },
    "application_user": {
      "global_roles": [
        { "roles": [ "HANAIMPORTEXPORT4HDI" ] }
      ]
    }
  }
}
(Formatting is maybe wrong but content should be ok.)
3. Next step is deployment
The result shows that we successfully granted the hdbgrants files:
8. Now the import/export can be tested: Open the DBX application as RT user:
and the prices are now imported and exported through my S3 bucket (as BTP object store service)
9. There is a PSE/Certificate setting that needs to be defined as well. Please check the blog below to establish this HANA Cloud setting.
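
A pre-deployment check for the hdbgrants file from step 7, added here as an example (not code from the original post): it flags any request that goes beyond the intentionally limited HANAIMPORTEXPORT4HDI role. The function name, the allowlist and the OVERBROAD_GRANTS sample are assumptions made for the illustration; the section names are standard hdbgrants keys.

```python
import json

# Assumption: the only role a container may request is the one created in step 4.
ALLOWED_ROLES = {"HANAIMPORTEXPORT4HDI"}
GRANTEES = ("object_owner", "application_user")
# hdbgrants sections that grant privileges directly instead of through a reviewed role.
DIRECT_KEYS = ("system_privileges", "schema_privileges",
               "object_privileges", "global_object_privileges")


def audit_hdbgrants(text, allowed_roles=ALLOWED_ROLES):
    """Return sorted findings for one .hdbgrants document; an empty list means clean."""
    findings = []
    for service, grantees in json.loads(text).items():
        for grantee, grants in grantees.items():
            where = f"{service}/{grantee}"
            if grantee not in GRANTEES:
                findings.append(f"{where}: unexpected grantee section")
                continue
            for key in DIRECT_KEYS:
                if grants.get(key):
                    findings.append(f"{where}: direct grant via {key}")
            for section in ("global_roles", "schema_roles"):
                for entry in grants.get(section, []):
                    for role in entry.get("roles", []):
                        if role not in allowed_roles:
                            findings.append(f"{where}: role {role} not on allowlist")
                    for role in entry.get("roles_with_admin_option", []):
                        findings.append(f"{where}: role {role} requested with admin option")
    return sorted(findings)


# The hdbgrants content from step 7, unchanged.
PAGE_GRANTS = """{"ServiceName_3": {
  "object_owner": {"global_roles": [{"roles": ["HANAIMPORTEXPORT4HDI"]}]},
  "application_user": {"global_roles": [{"roles": ["HANAIMPORTEXPORT4HDI"]}]}}}"""

# Constructed sample: the same file after someone widened it (SOME_WIDE_ROLE is made up).
OVERBROAD_GRANTS = """{"ServiceName_3": {"object_owner": {
  "system_privileges": ["IMPORT", "USER ADMIN"],
  "global_roles": [{"roles": ["HANAIMPORTEXPORT4HDI", "SOME_WIDE_ROLE"],
                    "roles_with_admin_option": ["HANAIMPORTEXPORT4HDI"]}]}}}"""

if __name__ == "__main__":
    for name, doc in (("page", PAGE_GRANTS), ("overbroad", OVERBROAD_GRANTS)):
        print(name, audit_hdbgrants(doc) or "clean")
```

Run against every .hdbgrants file in the project before deployment, the check keeps the grantor's WITH ADMIN OPTION from being used for more than the two privileges the role was built for.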