Configuring an Amazon DynamoDB database for persistent grants
About this task
Maintain access grants in Amazon Web Services (AWS) native DynamoDB.
Global secondary indexes:
- AccessGrantsUniqueUserId-index: Hash: UniqueUserID
- AccessGrantsHashedRefreshToken-index: Hash: HashedRefreshToken
- AccessGrantsClientId-index: Hash: ClientID
- AccessGrantsLimitCheck-index: Hash: UniqueUserID, Range: ClientID
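The index layout above is easy to get subtly wrong when the table is created by hand rather than from the shipped script, and DynamoDB rejects a CreateTable request whose index keys are not all declared as attributes (or that declares attributes no key uses). The following is an added example, not the contents of PingFederate's access-grant-dynamodb.txt: it assembles a CreateTable request with the four indexes listed above and checks it for those two mistakes before anything is sent to AWS. The table name (AccessGrants), primary key (Guid), string attribute types, ALL projections, billing mode and TTL attribute name (expires) are assumptions, because the page does not state them; the authoritative values are in the script.

```python
"""Build and sanity-check the DynamoDB CreateTable request for the PingFederate
access-grant table.

Added example, not the contents of PingFederate's access-grant-dynamodb.txt.
The four global secondary indexes and their keys are the ones listed on the
page; table name, primary key, attribute types, projection, billing mode and
TTL attribute name are assumptions.
"""
import json

TABLE_NAME = "AccessGrants"  # assumption: the page does not give the table name
PRIMARY_KEY = "Guid"         # assumption: hash-only item primary key
TTL_ATTRIBUTE = "expires"    # assumption: the "TTL expires attribute"

# (hash key, optional range key) for each index, as listed on the page.
GSI_KEYS = {
    "AccessGrantsUniqueUserId-index": ("UniqueUserID", None),
    "AccessGrantsHashedRefreshToken-index": ("HashedRefreshToken", None),
    "AccessGrantsClientId-index": ("ClientID", None),
    "AccessGrantsLimitCheck-index": ("UniqueUserID", "ClientID"),
}


def key_schema(hash_key, range_key=None):
    """KeySchema list in the shape DynamoDB expects."""
    schema = [{"AttributeName": hash_key, "KeyType": "HASH"}]
    if range_key:
        schema.append({"AttributeName": range_key, "KeyType": "RANGE"})
    return schema


def build_create_table_request(table_name=TABLE_NAME):
    """Assemble the CreateTable input (usable with `aws ... --cli-input-json`)."""
    key_attrs = {PRIMARY_KEY}
    for hash_key, range_key in GSI_KEYS.values():
        key_attrs.add(hash_key)
        if range_key:
            key_attrs.add(range_key)
    return {
        "TableName": table_name,
        # Every key attribute, and only key attributes, is declared here;
        # all are treated as strings (assumption).
        "AttributeDefinitions": [
            {"AttributeName": a, "AttributeType": "S"} for a in sorted(key_attrs)
        ],
        "KeySchema": key_schema(PRIMARY_KEY),
        "GlobalSecondaryIndexes": [
            {
                "IndexName": name,
                "KeySchema": key_schema(hash_key, range_key),
                "Projection": {"ProjectionType": "ALL"},  # assumption
            }
            for name, (hash_key, range_key) in GSI_KEYS.items()
        ],
        "BillingMode": "PAY_PER_REQUEST",  # assumption
    }


def build_ttl_request(table_name=TABLE_NAME):
    """UpdateTimeToLive input that enables expiry on the TTL attribute."""
    return {
        "TableName": table_name,
        "TimeToLiveSpecification": {"Enabled": True, "AttributeName": TTL_ATTRIBUTE},
    }


def validate_request(req):
    """Return the problems DynamoDB would reject this CreateTable request for.

    Checks: a table or index key attribute that is not declared, a declared
    attribute used by no key, an index without exactly one HASH key, and
    duplicate index names. An empty list means the request is consistent.
    """
    problems = []
    declared = {d["AttributeName"] for d in req["AttributeDefinitions"]}
    used = {k["AttributeName"] for k in req["KeySchema"]}
    names = []
    for gsi in req.get("GlobalSecondaryIndexes", []):
        names.append(gsi["IndexName"])
        used.update(k["AttributeName"] for k in gsi["KeySchema"])
        if sum(k["KeyType"] == "HASH" for k in gsi["KeySchema"]) != 1:
            problems.append(f"index {gsi['IndexName']} needs exactly one HASH key")
    for attr in sorted(used - declared):
        problems.append(f"key attribute {attr} is missing from AttributeDefinitions")
    for attr in sorted(declared - used):
        problems.append(f"attribute {attr} is declared but used by no key")
    if len(names) != len(set(names)):
        problems.append("duplicate index names")
    return problems


if __name__ == "__main__":
    request = build_create_table_request()
    assert validate_request(request) == [], validate_request(request)
    print(json.dumps(request, indent=2))        # save as create-table.json
    print(json.dumps(build_ttl_request(), indent=2))  # save as ttl.json
```

The two JSON documents can be passed to the AWS CLI as `aws dynamodb create-table --cli-input-json file://create-table.json` and, once the table is ACTIVE, `aws dynamodb update-time-to-live --cli-input-json file://ttl.json`. Whatever index names you end up with must match the values configured in the config-store XML described in the steps below.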
Steps
- To create a table in DynamoDB to hold access grants, run the commands in the access-grant-dynamodb.txt file in the server/default/conf/access-grant/nosql-scripts directory. This file contains the create table command, the key, the global secondary indexes, the attributes needed for the key and the indexes, and the command that enables the TTL expires attribute.
- Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file.
  - Go to the "# Service for storage of access grants" section.
  - Change the access.grant.manager service endpoint to the following:
        ...
        access.grant.manager=org.sourceid.oauth20.token.AccessGrantManagerDynamoDBImpl
        ...
  In clustered PingFederate environments, you must edit the service-points.conf file manually on each node, because cluster replication does not propagate this change to other nodes.
- Edit the server/default/data/config-store/org.sourceid.oauth20.token.AccessGrantManagerDynamoDBImpl.xml file. It contains the following items:
  AccessGrantsUniqueUserId-index
    The name of the user ID index. Default: AccessGrantsUniqueUserId-index.
  AccessGrantsHashedRefreshToken-index
    The name of the hashed refresh token index. Default: AccessGrantsHashedRefreshToken-index.
  AccessGrantsClientId-index
    The name of the client ID index. Default: AccessGrantsClientId-index.
  AccessGrantsLimitCheck-index
    The name of the limit check index. Default: AccessGrantsLimitCheck-index.
  EndpointOverride
    An optional endpoint URL that allows testing against a local development DynamoDB instance. Do not use it in production. By default, this value is empty. To test against DynamoDB running locally, set EndpointOverride to the local endpoint, for example:
        <c:item name="EndpointOverride">http://localhost:8000</c:item>
    For more information, see DynamoDB local usage notes in the AWS DynamoDB documentation.
- Export the AWS region in the environment that starts PingFederate. For example:
        export AWS_REGION=us-east-2
- Start or restart PingFederate.
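Because service-points.conf has to be edited by hand on every cluster node, and because a leftover EndpointOverride silently points a node at a local test database, it is worth checking each node before restarting it. The following is an added example, not PingFederate code: it parses service-points.conf and the config-store XML, and reports a node whose access.grant.manager is not the DynamoDB implementation, whose index items are missing, whose EndpointOverride is set while the node is marked as production, or whose environment lacks AWS_REGION. The sample file contents in the block are constructed here; only the <c:item> elements appear on the page, so the surrounding <c:config> element and its namespace are assumptions.

```python
"""Pre-flight check for the DynamoDB access-grant configuration on PingFederate nodes.

Added example, not PingFederate code. It checks the changes the steps above
make: the access.grant.manager service point, the config-store XML items
(EndpointOverride must be empty in production), and AWS_REGION. The sample
file contents below are constructed; the <c:config> wrapper element and its
namespace are assumptions, only the <c:item> elements appear on the page.
"""
import os
import xml.etree.ElementTree as ET

DYNAMO_IMPL = "org.sourceid.oauth20.token.AccessGrantManagerDynamoDBImpl"
INDEX_ITEMS = (
    "AccessGrantsUniqueUserId-index",
    "AccessGrantsHashedRefreshToken-index",
    "AccessGrantsClientId-index",
    "AccessGrantsLimitCheck-index",
)


def read_service_points(text):
    """Parse service-points.conf: key=value lines, '#' comments, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def read_config_items(xml_text):
    """Map every <c:item name="..."> to its text, whatever namespace prefix is used."""
    items = {}
    for element in ET.fromstring(xml_text).iter():
        if element.tag.rsplit("}", 1)[-1] == "item" and "name" in element.attrib:
            items[element.attrib["name"]] = (element.text or "").strip()
    return items


def check_node(service_points_text, config_xml_text, env, production=True):
    """Return a list of findings for one node; an empty list means it is ready."""
    findings = []
    impl = read_service_points(service_points_text).get("access.grant.manager")
    if impl != DYNAMO_IMPL:
        findings.append(f"access.grant.manager is {impl!r}, expected {DYNAMO_IMPL}")
    items = read_config_items(config_xml_text)
    for name in INDEX_ITEMS:
        if not items.get(name):
            findings.append(f"config-store item {name} is missing or empty")
    endpoint = items.get("EndpointOverride", "")
    if production and endpoint:
        findings.append(f"EndpointOverride is {endpoint!r}; it must be empty in production")
    if not env.get("AWS_REGION"):
        findings.append("AWS_REGION is not set in the PingFederate process environment")
    return findings


def check_cluster(nodes, env_by_node, production=True):
    """Check every node, since each service-points.conf is edited separately."""
    return {
        node: check_node(sp, xml, env_by_node.get(node, {}), production)
        for node, (sp, xml) in nodes.items()
    }


# Constructed sample inputs (not copied from a real installation).
SERVICE_POINTS_OK = """\
# Service for storage of access grants
access.grant.manager=org.sourceid.oauth20.token.AccessGrantManagerDynamoDBImpl
"""
SERVICE_POINTS_UNCHANGED = """\
# Service for storage of access grants
# access.grant.manager=org.sourceid.oauth20.token.AccessGrantManagerDynamoDBImpl
"""
CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="urn:example:config">
  <c:item name="AccessGrantsUniqueUserId-index">AccessGrantsUniqueUserId-index</c:item>
  <c:item name="AccessGrantsHashedRefreshToken-index">AccessGrantsHashedRefreshToken-index</c:item>
  <c:item name="AccessGrantsClientId-index">AccessGrantsClientId-index</c:item>
  <c:item name="AccessGrantsLimitCheck-index">AccessGrantsLimitCheck-index</c:item>
  <c:item name="EndpointOverride">{endpoint}</c:item>
</c:config>
"""
CONFIG_XML_PROD = CONFIG_XML.format(endpoint="")
CONFIG_XML_LOCAL = CONFIG_XML.format(endpoint="http://localhost:8000")

if __name__ == "__main__":
    report = check_cluster(
        {"node1": (SERVICE_POINTS_OK, CONFIG_XML_PROD),
         "node2": (SERVICE_POINTS_UNCHANGED, CONFIG_XML_LOCAL)},
        {"node1": {"AWS_REGION": "us-east-2"}, "node2": dict(os.environ)},
    )
    for node, findings in report.items():
        print(node, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

On a real deployment, read the two files from <pf_install>/pingfederate/server/default/conf/service-points.conf and server/default/data/config-store/org.sourceid.oauth20.token.AccessGrantManagerDynamoDBImpl.xml on each node and pass their contents to check_node; pass production=False only for the node you are deliberately pointing at a local DynamoDB.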