Configuring an Amazon Dynamo database for persistent grants
About this task
Maintain access grants in Amazon Web Services (AWS) native DynamoDB.
Global secondary indexes:
- “AccessGrantsUniqueUserId-index” Hash: UniqueUserID
- “AccessGrantsHashedRefreshToken-index” Hash: HashedRefreshToken
- “AccessGrantsClientId-index” Hash: ClientID
- “AccessGrantsLimitCheck-index” Hash: UniqueUserID, Range: ClientID
Steps
- To create a table in DynamoDB to contain access grants, run the commands located in the access-grant-dynamodb.txt file in the server/default/conf/access-grant/nosql-scripts directory. This file contains the create table command, the key, the global secondary indexes, the attributes needed for the key and indexes, and the command to enable the TTL expires attribute.
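The table created by that script must expose exactly the index layout listed above, and TTL must be enabled or expired grants are never purged. The following is an added example, not part of the PingFederate documentation or product: it checks a table description in boto3 response shape against that layout. The sample input is constructed; with boto3 installed you would pass describe_table()["Table"] and describe_time_to_live()["TimeToLiveDescription"] for the real table instead.

```python
"""Check that a DynamoDB table has the global secondary indexes and TTL that
PingFederate's AccessGrantManagerDynamoDBImpl expects (names and keys from above).
The sample input below is constructed in boto3 response shape so this runs offline."""

# Index name -> (hash key, range key or None), as listed in the page above.
EXPECTED_INDEXES = {
    "AccessGrantsUniqueUserId-index": ("UniqueUserID", None),
    "AccessGrantsHashedRefreshToken-index": ("HashedRefreshToken", None),
    "AccessGrantsClientId-index": ("ClientID", None),
    "AccessGrantsLimitCheck-index": ("UniqueUserID", "ClientID"),
}


def _key_schema(key_schema):
    """Reduce a DynamoDB KeySchema list to a (hash_attr, range_attr) tuple."""
    keys = {entry["KeyType"]: entry["AttributeName"] for entry in key_schema}
    return keys.get("HASH"), keys.get("RANGE")


def check_access_grant_table(table_description, ttl_description):
    """Return a list of problems; an empty list means the table matches."""
    problems = []
    found = {
        gsi["IndexName"]: _key_schema(gsi["KeySchema"])
        for gsi in table_description.get("GlobalSecondaryIndexes", [])
    }
    for name, expected in EXPECTED_INDEXES.items():
        if name not in found:
            problems.append(f"missing index {name}")
        elif found[name] != expected:
            problems.append(f"{name} has keys {found[name]}, expected {expected}")
    if ttl_description.get("TimeToLiveStatus") != "ENABLED":
        problems.append("TTL is not enabled, so expired grants are never purged")
    return problems


# Constructed sample describe_table() output: the LimitCheck index lacks its range key.
SAMPLE_TABLE = {"GlobalSecondaryIndexes": [
    {"IndexName": n, "KeySchema": [{"AttributeName": h, "KeyType": "HASH"}]}
    for n, h in [("AccessGrantsUniqueUserId-index", "UniqueUserID"),
                 ("AccessGrantsHashedRefreshToken-index", "HashedRefreshToken"),
                 ("AccessGrantsClientId-index", "ClientID"),
                 ("AccessGrantsLimitCheck-index", "UniqueUserID")]]}
SAMPLE_TTL = {"TimeToLiveStatus": "DISABLED"}  # constructed describe_time_to_live() output

if __name__ == "__main__":
    for problem in check_access_grant_table(SAMPLE_TABLE, SAMPLE_TTL):
        print("PROBLEM:", problem)
```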
- Edit the <pf_install>/pingfederate/server/default/conf/hivemodule.xml file:
  - Add org.sourceid.oauth20.token.AccessGrantManagerDynamoDBImpl to the available Access Grant managers in server/default/conf/hivemodule.xml.
  - Locate the AccessGrantManager service point.
    <!-- Service for storage of access grants -->
    <service-point id="AccessGrantManager" interface="com.pingidentity.sdk.accessgrant.AccessGrantManager">
      <create-instance class="org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl"/>
    </service-point>
  - Update the class attribute value to one of the following values.
    Directory server    Class value
    AWS DynamoDB        org.sourceid.oauth20.token.AccessGrantManagerDynamoDBImpl
  - Save the file.
  For a clustered PingFederate environment, you must edit the hivemodule.xml file on each node manually, as cluster replication can’t replicate this change to other nodes.
- Edit the server/default/data/config-store/org.sourceid.oauth20.token.AccessGrantManagerDynamoDBImpl.xml file.
  PingFederate Access Grants
  Access Grants    Description
  AccessGrantsUniqueUserId-index    The name of the user ID index. This is the default value.
  AccessGrantsHashedRefreshToken-index    The name of the hashed refresh token index. This is the default value.
  AccessGrantsClientId-index    The name of the client ID index. This is the default value.
  AccessGrantsLimitCheck-index    The name of the limits check index. This is the default value.
  EndpointOverride    An optional endpoint URL which should not be used in production but allows for testing with a local development DynamoDB instance. By default, this value is empty. To test DynamoDB running locally, set EndpointOverride to point to a local endpoint, for example <c:item name="EndpointOverride">http://localhost:8000</c:item>. For more information, see DynamoDB local usage notes in the AWS DynamoDB documentation.
- Export the AWS region. See the following for a sample command:
  export AWS_REGION=us-east-2
- Start or restart PingFederate.