
On Wednesday, April 12th, SAP began shipping SAP HANA 2.0 SPS 01. If you would like to learn more about all the new features in SAP HANA 2.0 broadly, you can refer to the following blog post:

https://blogs.saphana.com/2017/04/12/whats-new-sap-hana-2-0-sps-01/

In this blog, we would like to point out some of the highlights of the new features for developers who use the SAP HANA native application development capabilities. It should be noted that most of the major architectural changes in the development topic area were recently introduced in SAP HANA 1.0 SPS 11.  This is when we first shipped the SAP HANA extended application services, advanced model (XSA), SAP HANA deployment infrastructure (HDI), and the SAP Web IDE for SAP HANA.  If you are new to these topics in general, you might first want to review the what’s new details from SPS 11, SPS 12, HANA 2.0 SPS 0 and the openSAP course on this topic.

SAP HANA SPS 11: New Developer Features

SAP HANA SPS 12: New Developer Features

SAP HANA 2.0 SPS 0: New Developer Features

https://open.sap.com/courses/hana5/

We will also be hosting a webinar for the What’s New Developer topic:

April 18 | What’s New – SAP HANA Native Application Development | Tom Slee, Volker Saggau, Tae Suk Son, Lucas Kiesow, Rich Heilman, Thomas Jung | 7 a.m. PST / 10 a.m. EST / 4 p.m. CET | 60 | Download

We have also updated the exercises from the latest openSAP course to include a version that showcases how to build the same using HANA 2.0 SPS 01:

https://github.com/SAP/com.sap.openSAP.hana5.example/tree/hana2_sps01

Also the HANA Express version has now been updated to HANA 2.0 SPS 01 as well: https://blogs.sap.com/2017/04/20/sap-hana-express-edition-2.0-sps-01-now-available-to-download./

Database Development

In order to keep this blog from being too large, Rich Heilman posted about the database development features in a separate blog here: https://blogs.sap.com/2017/04/18/sap-hana-2.0-sps-01-new-developer-features-database-development/

SAP HANA Extended Application Services, Advanced Model

One of the biggest changes to the SAP HANA architecture was the introduction of XS advanced in SPS 11. SAP HANA extended application services in SPS 11 represents an evolution of the application server architecture building upon the previous strengths while expanding the technical scope. While I don’t want to repeat all the architectural features which came with XS advanced in SPS 11, you can review them in this blog: SAP HANA SPS 11: New Developer Features; XS Advanced

With HANA 2.0 SPS 01 we continue to round out the general feature set of XS Advanced, filling in one of the major remaining features from the XS Classic environment while also improving support for audit logging and multi-tenancy.

A few of the various new and enhanced features are:

Java Spring Boot Support

Spring is a popular open source application framework for Java. In particular it is focused on web applications in the Java EE space. This addition ensures that Spring Boot is usable from the Java runtime in XSA and also adds it as an option in the Java module wizard in the SAP Web IDE for SAP HANA.

This addition broadens the offering of Java EE applications and makes it easier to port existing Spring based Java applications to XSA.

Parallel Deployment of Apps

As a performance feature we will now support parallel deployment of applications within the deploy service.

This will improve performance in situations which rely upon a large number of deployments: for example new system installation or system upgrade times.

Fiori Launchpad

One of the few remaining feature gaps compared to XS classic was the absence of the ability to easily create Fiori Launchpad applications in XSA. With HANA 2.0 SPS 01, SAP fills this gap with a full-featured implementation of the Fiori Launchpad based on XSA’s micro-service approach and integrated with the SAP Web IDE for SAP HANA. For more details on this XSA specific implementation of the Fiori Launchpad please refer to this separate blog post here: https://blogs.sap.com/2017/04/24/fiori-launchpad-in-sap-hana-2.0-sp01/

Instance Manager

Service instances, for example HDI containers, are statically bound to an application at deployment time. But multi-tenancy capable applications that leverage service instances for tenant separation (e.g. each tenant stores its data in a separate HDI container) need to create additional instances at runtime whenever a new tenant is added, and they also need to connect to any one of these instances when processing a request for a specific tenant. To support this requirement, Application Managed Service Instances are made available by the new Instance Manager (Instance Broker) in HANA 2.0 SPS 01.

This is a key technology for building and delivering multi-tenant applications.  This functionality supports the automated on-boarding and upgrade capabilities required in a true multi-tenant environment.  This capability is delivered on premise in the XSA Runtime, but will also soon be available in the SAP Cloud Platform as well.

So normally you would create an HDI service instance and bind it to your application with the following commands (or this happens automatically upon MTAR deployment/installation).

xs create-service hdi hdi-shared tenant-hdi-container
xs bind-service <app-name> tenant-hdi-container

This works perfectly fine when you have a static, single container instance, but if you start to use HDI container instances as tenants then the application needs to be restaged and restarted for each new service instance binding. This is prohibitively disruptive in a productive environment when you could be on-boarding new tenants at any time. It also requires that the application user have SpaceDeveloper authorization if your application does the dynamic on-boarding at runtime.

But with HANA 2.0 SPS 01 we now have a special Instance Manager that can perform the provisioning and dynamic binding to your application for you.

Your application, at installation time, now creates a special type of HDI service called managed-hana and binds this centrally to your application. This really gives you a connection to the Instance Manager instead.

xs create-service managed-hana hdi-shared tenant-hdi-container
xs bind-service <app-name> tenant-hdi-container

Your application now makes HTTP requests to the Instance Manager to create, delete, or get access to specific HDI container instances for a particular tenant.  The following is an example written in Node.js for creating a tenant instance named my-tenant, getting access to the instance, and then deleting it.

/*eslint no-console: 0, no-shadow: 0*/
"use strict";

var http = require("http");
var port = process.env.PORT || 3000;

http.createServer(function(req, res) {
	var xsenv = require("@sap/xsenv");
	var createInstanceManager = require("@sap/instance-manager").create;

	var options = xsenv.getServices({
		hana: {
			tag: "managed-hana"
		}
	});
	// Demo output only: options.hana contains the Instance Manager credentials
	console.log(JSON.stringify(options.hana));
	createInstanceManager(options.hana, function(err, instanceManager) {
		if (err) {
			return console.log("Create instance manager error: ", err.message);
		}

		instanceManager.create("my-tenant", function(err, instance) {
			if (err) {
				return console.log("Create error: ", err.message);
			}

			// consume instance.credentials
			console.log(instance);

			instanceManager.get("my-tenant", function(err, instance) {
				if (err) {
					return console.log("Get error: ", err.message);
				}

				// same instance
				console.log(instance);

				instanceManager.delete("my-tenant", function(err) {
					if (err) {
						return console.log("Delete error: ", err.message);
					}

					console.log("Instance deleted");
				});
			});
		});
	});

	res.writeHead(200, {
		"Content-Type": "text/plain"
	});
	res.end("Instance Test\n");
}).listen(port);

console.log("Server listening on port %d", port);

Limitations:

Using Instance Manager also has some drawbacks:

-Apps have to trigger service instance creation on their own (there are APIs to assist)

-Managed service instances are not visible for the cloud/xsa controller yet for direct administration (but only the shared underlying service instance)
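A per-request tenant lookup built on the create/get calls shown above, as an added example that is not part of the original post or SAP's own code. It assumes that get yields no instance for a tenant that was never on-boarded; createTenantResolver, redactForLog, the tenant-id pattern and the in-memory stand-in for the Instance Manager (with constructed credentials) are hypothetical, so the block runs without an XSA system.

```javascript
"use strict";

// Tenant ids become service-instance names. The allowed pattern is an
// assumption of this example; tighten it to your own tenant naming scheme.
var TENANT_ID = /^[a-z0-9][a-z0-9-]{0,39}$/;

// Credential keys that may appear in logs; every other key is masked.
var LOGGABLE_KEYS = ["host", "port", "schema"];

// Hypothetical helper. instanceManager must offer get/create with the
// callback shape used in the post. tenantId should come from the
// authenticated session, not from a URL parameter or request body.
function createTenantResolver(instanceManager, options) {
	var allowCreate = Boolean(options && options.allowCreate);

	return function resolveTenant(tenantId, callback) {
		if (typeof tenantId !== "string" || !TENANT_ID.test(tenantId)) {
			return callback(new Error("Invalid tenant id"));
		}
		instanceManager.get(tenantId, function(err, instance) {
			if (err) {
				return callback(err);
			}
			if (instance) {
				return callback(null, instance);
			}
			// Assumption: no instance object means the tenant was never on-boarded.
			// Request handlers must not create containers as a side effect.
			if (!allowCreate) {
				return callback(new Error("Unknown tenant"));
			}
			instanceManager.create(tenantId, callback);
		});
	};
}

// Returns a copy of an instance that can be written to a log.
function redactForLog(instance) {
	var safe = {};
	Object.keys(instance.credentials || {}).forEach(function(key) {
		safe[key] = LOGGABLE_KEYS.indexOf(key) >= 0 ? instance.credentials[key] : "***";
	});
	return { tenant_id: instance.tenant_id, credentials: safe };
}

// Constructed in-memory stand-in for the Instance Manager (not SAP code).
// A Map is used so that ids such as "constructor" never match inherited properties.
function createInMemoryManager() {
	var store = new Map();
	return {
		create: function(tenant, callback) {
			if (store.has(tenant)) {
				return callback(new Error("Instance already exists"));
			}
			var instance = {
				tenant_id: tenant,
				credentials: { // constructed sample values
					host: "hana.example.internal",
					port: "30015",
					schema: "SCHEMA_" + tenant.toUpperCase(),
					user: "RT_USER",
					password: "constructed-secret",
					hdi_user: "DT_USER",
					hdi_password: "constructed-secret-2"
				}
			};
			store.set(tenant, instance);
			callback(null, instance);
		},
		get: function(tenant, callback) {
			callback(null, store.get(tenant) || null);
		}
	};
}

// Walks through on-boarding, a normal request, and three rejected lookups.
function demo() {
	var manager = createInMemoryManager();
	var onboarding = createTenantResolver(manager, { allowCreate: true });
	var requestPath = createTenantResolver(manager, { allowCreate: false });
	var out = {};

	onboarding("tenant-a", function(err, instance) {
		out.created = redactForLog(instance);
	});
	requestPath("tenant-a", function(err, instance) {
		out.schema = instance.credentials.schema;
	});
	requestPath("tenant-b", function(err) {
		out.unknown = err.message;
	});
	requestPath("../tenant-a", function(err) {
		out.invalid = err.message;
	});
	requestPath("constructor", function(err) {
		out.protoName = err.message;
	});
	return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real module the stand-in is replaced by the instanceManager object handed to the createInstanceManager callback.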

Audit Log

Central Audit logging for XSA was added in HANA 2.0 SPS 0 but the APIs for writing to the log were only available in Java modules. This addition extends the audit logging APIs to Node.js based modules as well.

Customers expect centralized audit logging capabilities for their applications and we can now provide this feature for both Java and Node.js based applications in XSA.

XSA provides not only centralized Audit logging APIs but also central storage of the audit entries in the HANA database, an OData service for reading the Audit Log, and an interactive user interface for querying and displaying Audit Log entries.

The Audit Log is provided by an XSA service broker much like the UAA or HDI services.

xs create-service auditlog free <my-service-instance>

Then this audit log service instance needs to be added as a resource in your project’s mta.yaml file:

Finally the resource must be bound to your application (Java or Node.js) that wishes to write Audit Log entries:

For Java modules, you would use the following steps to use the Audit Log:

  1. Include the Audit Log API in your Maven Project
    <dependency>
      <groupId>com.sap.xs.auditlog</groupId> 
      <artifactId>audit-java-client-api</artifactId> 
      <version>0.2.0</version> 
      <scope>provided</scope> 
    </dependency>
    
  2. Declare the resource
    1. If you are using Tomcat as your runtime, add a new resource in META-INF/context.xml
      <?xml version='1.0' encoding='utf-8'?> 
      <Context> 
        <Resource name="audit" auth="Container" type="com.sap.xs.audit.api.AuditLogMessageFactory" factory="com.sap.xs.XSObjectFactory" singleton="true" /> 
      </Context>
      
    2. If you are using TomEE, then add a new resource in WEB-INF/resources.xml
      <?xml version='1.0' encoding='utf-8'?> 
      <resources> 
        <Resource id="audit" type="com.sap.xs.audit.api.AuditLogMessageFactory" provider="xs.openejb:XS Audit Log Message Factory Provider"/> 
      </resources>
      
  3. Access the AuditLogMessageFactory. This could be done in one of two ways:
    1. Via JNDI lookup
      Context ctx = new InitialContext(); 
      AuditLogMessageFactory messageFactory = (AuditLogMessageFactory) ctx.lookup("java:comp/env/audit");
    2. Via Resource Injection
      @Resource(name="audit") private AuditLogMessageFactory messageFactory;
  4. Finally, the Java coding itself
    // messageFactory is the factory obtained in step 3
    ConfigurationChangeAuditMessage message = messageFactory.createConfigurationChangeAuditMessage();
    message.setUser("<user>"); 
    message.setObjectId("logger.com.sap.xs.test"); 
    message.addValue("severity", "error", "warn"); 
    message.logSuccess(); 

Or for Node.js this example shows loading the Audit Log instance resource via the @sap/xsenv module and then using the APIs to write a log entry from within an Express handler.

/*eslint no-console: 0, no-unused-vars: 0, no-shadow: 0, quotes: 0, no-use-before-define: 0, new-cap:0 */
"use strict";
var express = require("express");

module.exports = function() {
	var app = express.Router();

	var xsenv = require("@sap/xsenv");
	xsenv.loadEnv();
	var credentials = xsenv.getServices({
		auditlog: 'openSAP5-ex-log'
	}).auditlog;
	var auditLog = require('@sap/audit-logging')(credentials);

	//Simple AuditLog Example
	app.get("/example1", function(req, res) {
		// X-Forwarded-For is a request header: its first entry is only as
		// trustworthy as the proxy in front of the application that sets it
		var ip;
		if (req.headers['x-forwarded-for']) {
			ip = req.headers['x-forwarded-for'].split(",")[0];
		} else if (req.connection && req.connection.remoteAddress) {
			ip = req.connection.remoteAddress;
		} else {
			ip = req.ip;
		}
		auditLog.securityMessage('%d unsuccessful login attempts', 3).by(req.user.id).externalIP(ip).log(function(err, id) {
			// Place all of the remaining logic here
			if (err) {
				res.type("text/plain").status(500).send("ERROR: " + err.toString());
				return;
			}
			res.type("application/json").status(200).send(JSON.stringify('Log Entry Saved as: ' + id));
		});
	});

	return app;
};

Finally there is the central Audit Log UI provided by the XSA runtime itself that can be used to search and display the entries:

Scoped NPM Packages

Before HANA 2.0 SPS 01, the SAP provided Node.js modules were simply separated out by the fact that their names generally began with the text “SAP”.  This could potentially cause conflicts with customer or other public NPM modules.  This will especially become a problem once SAP launches the planned public NPM repository for SAP modules. Scoping provides a safe, enforceable namespace for NPM modules/packages.

The use of scoped packages better identifies SAP provided Node.js modules but most importantly allows for the integration of SAP modules with customer or open source specific modules. It is a key feature necessary for the launch of the SAP owned public NPM repository.

With HANA 2.0 SPS 01, customers should switch all the references in their package.json files in their projects to the new scoped module names. Only the scoped modules will continue to be updated.

Development Tools

SAP Web IDE for SAP HANA provides a comprehensive web-based end-to-end development experience for creating SAP HANA native applications:

  • Development of SAP HANA content and models
  • UI development with SAPUI5
  • Node.js or XSJS business code
  • Git integration

Therefore it provides a complete workflow for all of your new HANA Deployment Infrastructure (HDI) and XS advanced model (XSA) based development.

SAP Web IDE for SAP HANA comprises capabilities of SAP HANA Studio and SAP HANA Web-based Development Workbench. It represents the long term replacement tool for both of these previous offerings. It consolidates technologies, follows industry trends, and leverages industry standards where possible, while retaining a competitive innovation focus of SAP’s current offering.

With SAP HANA 2.0 SPS 1, we continue to enhance and expand the capabilities of the SAP Web IDE for SAP HANA and close the few remaining feature gaps compared to the old HANA studio.

Backwards Compatibility

Previously the version of the SAP Web IDE for SAP HANA had to match exactly the version of the underlying HANA database. With the HANA 2.0 SPS 01 version of SAP Web IDE for SAP HANA, we introduce the ability to target older releases of HANA for HDB modules. Upon module creation, the developer chooses the lowest HANA release they want to target. Then all source code editors adjust their syntax checks and other features to enforce development at the older target release.

This means that customers running HANA databases at 1.0 SPS 12, can now upgrade both their XSA Runtime and the SAP Web IDE for SAP HANA to HANA 2.0 SPS 01 (and later) versions and gain new features that previously were only available with a full HANA DB upgrade.

Fiori Template Enhancements

 

We’ve enhanced the Data Connection step of the Master/Detail modules. In SPS 01, it now allows you to connect to OData services in the current project and allows you to see all endpoints in multiple modules of your project.

mta.yaml Editor

The mta.yaml file is the core project configuration file in the SAP Web IDE for SAP HANA. Although it is based upon the open standard of YAML, we’ve received feedback from customers that both the YAML specification and the technical complexity of the mta file are difficult to understand and edit. This leads to a higher learning curve and more development errors. With SPS 01 we introduce a new form based editor in addition to the existing source code based editor for the mta.yaml file.

This new editor reduces the overwhelming initial complexity of the project creation and maintenance experience in SAP Web IDE for SAP HANA. It structures the flow that developers need to follow and enforces checks upon the values they provide. It also provides better overall navigation than a traditional source code based editor can provide. Overall this new editor should work to greatly reduce the barrier to entry that many developers face when first working with the SAP Web IDE for SAP HANA.

Application Lifecycle Management

Product installation for XSA in SAP HANA 2.0 SPS 0 and lower is only possible via the XS command line tool. With HANA 2.0 SPS 01 we introduce a web-based user interface alternative for installing XSA products and customer owned application MTA archives.

This new UI offers more options for installation tooling as well as better administrative user experience. This also better unifies the administrative and devops user experience around web-based tooling.

Closing

With SAP HANA 1.0 SPS 11, SAP introduced a considerable change in the architecture of application development. Much of the development for the past few years has been focused on just delivering the first version of that new architecture and then only closing gaps between the old and new architecture.  With SAP HANA 2.0 SPS 1, you are beginning to see that we can finally innovate based upon this new architecture.  The general improvements combined with tools and programming model changes you see here are laying the foundation to allow you to build new kinds of applications easier and faster than you ever have before.

 


63 Comments


  1. Alexander K

    Hello, Thomas.

    Thanks for the great blog.

    Now I can download SAP HANA 2.0 express edition from sap.com for learning SAP HANA.

    And when can I download  SAP HANA 2.0 express edition SPS 01 ? It will be soon?

    (0) 
    1. Thomas Jung Post author

      >And when can I download  SAP HANA 2.0 express edition SPS 01 ?

      Soon.  The HXE team needs a few days after the final release is available to do testing and prepare the new download.  I believe back in December with HANA 2.0 SPS 0, it took a little less than two weeks.

      (0) 
            1. Alexander K

              Hello.

              I have a problem when I am installing Hana express edition sp 01 at VMWARE. Two applications did not start. How can I resolve that problem?

               

              (0) 
  2. Claudio Mauri

    Hello Thomas, thanks for your great post! I have a question about SAP Web IDE.
    Since SAP introduced support for java spring boot framework, I wonder if now one can use SAP Web IDE for the full development cycle with java other than with XSJS and Node.js artifacts. With ‘full development’ I mean that Sap Web IDE supports features like code completion, code check, build / run / debug even when developing Java Modules. This question, more generally, would apply to all ‘buildpack’ SAP will introduce (soon or later), since Web IDE is the “long-term replacement for SAP Hana Studio” and similar developer tools.
    Documentation isn’t so clear on this point, could you clarify please ?

    (0) 
    1. Thomas Jung Post author

      > I wonder if now one can use SAP Web IDE for the full development cycle with java other than with XSJS and Node.js artifacts

      You could already do the full Java development cycle in HANA 2.0 SPS 0.  We added build/run support in SPS 0.

      >With ‘full development’ I mean that Sap Web IDE supports features like code completion, code check, build / run / debug even when developing Java Modules

      Everything you listed there is supported for Java Modules in the SAP Web IDE for SAP HANA.

      >This question, more generally, would apply to all ‘buildpack’ SAP will introduce (soon or later)

      The SAP Web IDE for SAP HANA won’t necessarily support the Bring Your Own Language build packs, but will support the primary SAP supported build packs (which right now is Java and Node.js).

       

      (0) 
    1. Thomas Jung Post author

      The new Cloud Foundry based version of SAP Cloud Platform will come with HANA 2.0.  For more details on the availability of this, I suggest you keep a close eye on the announcements that will come out of SAPPHIRE next month.

      (0) 
    1. Thomas Jung Post author

      Yes this is possible as of HANA 2.0 SPS 0: https://www.sap.com/documents/2016/12/98ccd65a-9c7c-0010-82c7-eda71af511fa.html

       

      (0) 
  3. Dirk Raschke

    Application Lifecycle Management
    “we introduce a web-based user interface alternative for installing XSA products and customer owned application MTA archives”

    Are we really able to use it for our own MTA archives? Is there more documentation how we have to do it?

     

    (0) 
    1. Thomas Jung Post author

      It can be used for your own, but you need to put your mtar file inside a zip and create a folder called META-INF and add a SL_MANIFEST.XML to that folder. I would suggest looking at one of the SAP product zip files as an example.

      (0) 
  4. Clemens Kopfer

    Scoped NPM Packages

    I could not find that much information on that.

    Is the idea in using that functionality that traditional ABAP-namespaces will be administered for NPM/node.js in the future as well? I mean, having that one folder level approach is nice – but even scoped names like “@booking/analyze” obviously might not be unique.

    I mean administered by SAP.

     

    (0) 
      1. Clemens Kopfer

        Thanks for swift reply, however, I know that.

        I was trying to get info from you if SAP plans to get SAP ABAP Namespaces onto that npm structure / scope, maybe under a private, ie SAP owned, registry server or so.

        But most likely – as that obviously is not implemented right now – you would not be allowed to elaborate on such possibly planned features…

        (0) 
  5. Thomas Jung Post author

    We can’t change how a scope works. That’s defined by NPM itself.  We will publish all of our modules in the @SAP scope to avoid potential conflicts and to allow layered NPM repositories.  And yes we are launching our own SAP owned private registry for our modules.  That private registry is actually live on the internet already, but we’ve not advertised it yet as not all of our modules are published yet.  In another few days, hopefully all teams will have their publishing done and we can begin to promote it.

    (0) 
  6. Dirk Raschke

    Hi,

    I can’t find the documentation for changing the URL/Domain for different applications/ports. I think I read about this feature but can’t find it.

    Is there something possible? Thanks a lot!

    (0) 
    1. Thomas Jung Post author

      There are a few different ways. If you are using hostname based routing, by default the URL will be Organization-Space-Service Name-base hostname

      However in your mta.yaml for the module definition in the parameters section you can override the default behavior and supply your own host part that gets added to the base hostname

       

       

      Another approach is to use path based routing instead of hostname based. This was a new feature in HANA 2.0 SPS 0.

      https://blogs.sap.com/2016/12/01/sap-hana-2.0-sps-0-new-developer-features/

      CREATE-ROUTE is the keyword you need for this.

      With HANA 2.0 SPS 0, XSA introduces the option of context path based routing.  This allows the developer or admin to assign nice URLs with recognizable path names.  It also avoids the same origin policy issue (CORS/Cross-Site-Scripting). Instead of the port access you can assign a path that will route to your application.  This can be assigned during push or more likely direct assigned to a running application via the new create-route command.

      https://help.sap.com/viewer/4505d0bdaf4948449b7f7379d24d0f0d/2.0.01/en-US/7b24c9d9284643e49554e2eeeaad7be7.html

      (0) 
      1. Dirk Raschke

        Hi Thomas,

        I tried to change the host, but it didn’t work for me. Did I miss a step?

        properties:
          host: test
          register-service-url: true
          service-name: web
          service-url: '${default-url}'

        Thanks!

        (0) 
        1. Thomas Jung Post author

          What exactly is happening?  Do you already have the service deployed? If changing these values in the MTA and the service already exists, you might have to delete it manually and then re-run. Also are you using hostname based routing? This approach only works with hostname based routing.

          (0) 
          1. Dirk Raschke

            “Do you already have the service deployed?” –>Yes, I tried it more times.

            “If changing these values in the MTA and the service already exists, you might have to delete it manually and then re-run.” –> How?

            xs unregister-service-url https://host.domain.de:port!? The docu is too small at this point.

            “Also are you using hostname based routing?” –> yes.

            (0) 
            1. Thomas Jung Post author

              I was suggesting deleting the service with XS DELETE. There is also the XS DELETE-ROUTE command for completely removing the existing route.

              (0) 
    1. Thomas Jung Post author

      No I don’t think that will help.  It’s probably just new logic in the Web IDE for naming of the container instance.  Is there a reason why the new container is a big problem in development?  Nothing from the build/run of the Web IDE should really ever be considered permanent.

      (0) 
      1. Dirk Raschke

        Is there a reason why the new container is a big problem in development?

        –> Yes, because we are working on our “test”-data, which we have loaded before for each of us in our development environment.

        But the bigger problem for me is, what will happen, if we bring the app in the production world. And after a WebIDE update, the customer will have a new container and isn’t able to see and work on his “old” data?

        (0) 
        1. Thomas Jung Post author

          >But the bigger problem for me is, what will happen, if we bring the app in the production world. And after an WebIDE update, the customer will have a new container and isn’t able to see and work on his “old” data?

          You don’t install a productive app via the Web IDE.  You build the MTAR and then deploy that.  You won’t have the same issue at all.  The Web IDE post-fixes the container names to keep them unique in a development environment when multiple developers might build the same container in the same space.  The deployer does no such thing.

          (0) 
          1. Dirk Raschke

            But once more.

            From developer view I don’t understand why the objects (hdi-container, and so on)  are created again. The old objects wouldn’t be used anymore.

            And the problem is further while I try to start the new deployed app, I get the error msg “that already a route exists” and stops the running. To fix it, I’ve to delete the old objects…

            We never had this behavior in the past and I wouldn’t miss it.

            (0) 
  7. sap public inc

    Hi Thomas,

     

    After XSA runtime upgrade, is HANA system restart required?

    We are thinking about if we should host XSA separately from HANA database in order to get frequent XSA upgrades without needs of system downtime.

     

    Thank you!

    Bill

    (0) 
    1. Thomas Jung Post author

      No.  A HANA DB restart is not required for just an XSA Runtime update even if they are both installed on the same host machine.

      Thomas Jung

      (0) 
  8. Sunaryo SUMIATI

    Hi Thomas, having visited your OpenSAP course HANA5,  I am too eager to try the Github exercise you pointed out above.

    Unfortunately I still cannot pass through the installation issue “Timed out while waiting for apps: cockpit-adminui-svc, cockpit-admin-web-app”, for which I have posted a question:

    https://answers.sap.com/questions/208586/index.html

    User “Alexander K” also posted the same issue in this blog above on  April 26, 2017 at 5:19 am, but without getting any answer.

    It would be great if you could share some of your thoughts about this issue.

    Thanks.

    Sunny

    (0) 
    1. Thomas Jung Post author

      Blog comments are not the location to get installation support issues. I can answer questions about the functionality described here, but it shouldn’t become a support destination.

      (0) 
  9. Claudio Mauri

    Hi Thomas,

    I’d like to know if announced Sap Web Ide Multicloud version will be available even on premise Hana installation or not.

    Moreover, is Web Ide Multicloud a replacement for Web Ide ?

    (0) 
    1. Thomas Jung Post author

      SAP Web IDE Multicloud is the Cloud deployed version and SAP Web IDE for SAP HANA is the on premise version.  They come from the same core code base and will share many of the same features.

      (0) 
  10. Fabian Krüger

     

    Hi Thomas,

    I’m currently looking at the v4 OData via Java App and found some issues:

    • Access Control: It looks like the java app doesn’t initialize the XS_APPLICATIONUSER variable. At least the variable contains the SBSS_… User and not the User which is logged in (owner of the JWT). As far as I can see CDS AccessPolicies and Aspects also use this variable as $user. This makes it impossible to restrict the rows based on the user?
    • Parameters: CDS added support for parameters (and generates table functions instead of views), but when exposing their context via @OData.publish: true the service cannot be accessed:
    {
      "error": {
        "code": null,
        "message": "No enum constant com.sap.jds.cds.model.CdsArtifactKind.PARAMETER"
      }
    }

    Do you have any suggestions? I’m on HXE SP2 but I also have access to the Software Download Center… are these issues known limitations or is there a newer version of the SAP Gateway Runtime (looks like I’m currently on 1.0.6) or the OData jars (4.3.0-sap-02)?

    Thanks for your help,

    Fabian

    (0) 
    1. Thomas Jung Post author

      Admittedly my knowledge on the Java module is limited. I spend most of my time covering the Node.js side.  On the first item, are you not getting the auth token or is that the wizard generated code just isn’t setting the DB session variables.  If you aren’t getting the auth token at all, make sure you have a web module in front of your Java module and are using the forwardAuthToken option in the xs-app.json.  If it’s the latter, you might have to set the DB session variables manually in the OData exit framework.

       

      As far as the latest version of SAP Gateway Runtime, I just updated one of my projects yesterday based upon SPS 02 and it’s version 1.2.3. This is SPS 02 Patch 1 of the Web IDE for SAP HANA (4.2.18)

      https://github.com/SAP/com.sap.openSAP.hana5.example/blob/hana2_sps02/user_java/pom.xml

       

      So yes 1.0.6 seems quite old.

      (0) 
      1. Fabian Krüger

        I’ve updated the Gateway Runtime to 1.2.4 from the Software Download Center (XS_JAVA Package). Still the same problem:

        The JWT seems to be forwarded to the java app. I enabled the security constraint in web.xml to test this, now when I don’t activate forwardAuthToken in the .yaml, I get 401 forbidden, when I set it to true I can see the results again. I guess you meant the .yaml and not the xs-app.json, right? The xs-app.json only has the entry “authenticationType”: “xsuaa”…

        But this means the JWT is processed by the java app… Otherwise the result would be the same in both scenarios (with and without auth token). Only the session variables are not set automatically 🙁

        Is there any information about the “you might have to set the DB session variables manually in the OData exit framework”? Basically I went through the tutorial https://help.sap.com/viewer/4505d0bdaf4948449b7f7379d24d0f0d/2.0.02/en-US/e09f5225d61b40bb8761c756f138f2b0.html

        The tutorial has some inconsistencies as well:

        Step 8c sets up the route, but it should be ^/java/odata/(.*)$ instead. With /java/odata/v4 you cannot reach the clearCache endpoint for example, which is not prefixed by v4. Also the URLs in Step 12 for clearCache seem to be wrong, since I was able to call /java/odata/clearCache directly but calling /java/odata/clearCache/<context> as explained here is returning a 404…

         

        Besides these problems… do you already know when the nodejs based OData v4 implementation will be ready? I was about to use the nodejs odata v2 anyway, but seems like it can’t handle cds views with parameters as well. So I would need to use calculation views to expose those views. But I have the feeling that cds will be the go-forward solution vs calc views. Similar to how S/4HANA embedded analytics based on cds now makes HANA Live based on calc views obsolete…

        (0) 
        1. Thomas Jung Post author

          I really can’t help you further on this item. I suggest you either enter a question in the Q&A section or if you have found incorrect information in the online help which is leading you astray you can consider entering a support ticket.

          >do you already know when the nodejs based OData v4 implementation will be ready

          Not anytime soon.  It is in the roadmap and will hopefully be at least partially delivered in SPS 03 in April 2018.

           

          (1) 
  11. Lijo Kumblolikal John

    Hi Thomas,

     

    I have been following your blogs and open sap sessions on HANA 2.0 and XSA developments.

    I have a scenario.

    I have an existing XS Classic Schema (MY_XS_CLASSIC_SCHEMA) created via a .hdbschema file in my HANA system.

    I need to access the tables in this existing XS Classic schema from a new XS Advanced HDI container (MYHDI)

    I defined a user provided service for this purpose. This service was created using a HANA database user (XS_CLASSIC_USER) that has SELECT access to the existing XS classic Schema.

    The mta.yaml file was modified to add the user provided service and a .hdbgrant file is defined in the HDI container.

    Now when I build the HDI container I get the below error.

    Error: Error executing: GRANT “SELECT” ON SCHEMA “MY_XS_CLASSIC_SCHEMA” TO “MYHDI_HDI_MYHDIDBMODULE_1#OO”;(nested message: insufficient privilege: Not authorized)

    The user I used to create the User Provided Service has the SELECT access for the XS classic schema but doesn’t have the GRANTABLE option. Is that the issue?

    If yes, then how can I create a HANA database user in XS Classic which has a SELECT object privilege to a hdbschema with GRANTABLE option? I tried logging in with the SYSTEM user and running the below command but it fails with an authorization issue.

    GRANT SELECT on schema MY_XS_CLASSIC_SCHEMA to XS_CLASSIC_USER WITH GRANT OPTION.

    Thanks for your help,

    Lijo John

     

    (0) 
    1. Thomas Jung Post author

      >The user I used to create the User Provided Service has the SELECT access for the XS classic schema but doesn’t have the GRANTABLE option. Is that the issue?

      Yes that is exactly the problem. The user in the User Provided Service must have the authorization with GRANTABLE option as they will be the ones performing the Grant at the SQL level.

      >If yes then how can I create a HANA data base user in XS Classic which has a SELECT object privilege to a hdbschema with GRANTABLE option?

      You will need to create an HDBROLE in the repository for the XSC Schema.  This role can contain the grant with grantable option.

       

      (0) 
        1. Thomas Jung Post author

          You’re right, I thought there had been an option for the grantable in hdbrole but I guess I was confusing that with the new feature in the HDI hdbrole. I think the long term solution is certainly that such schemas must be converted to HDI. I did find in the 3.0 version of the HDI deployer documentation these details. It looks like your user provided service can call a stored procedure which in turn can grant the access (by calling the GRANT_ACTIVATED_ROLE).

          If the technical database user does not have GRANT privileges by its own, but only EXECUTE privileges on a stored procedure which can grant the privileges, then the following settings are required:

          • At the database, a GRANT procedure must exist (or be visible) in the schema which is used in the user-provided service; an example is shown below.
          • The technical database user must have EXECUTE privileges on the GRANT procedure.
          • The name of the GRANT procedure must be specified in the user-provided service in the "procedure" field, e.g. "procedure": "GRANT".
          • The schema name of the GRANT procedure can be specified in the user-provided service in the "procedure_schema" field, e.g. "procedure_schema": "A_SCHEMA".
          • The user-provided service must contain a "type" field with the value "procedure".
          (0) 
          1. Lijo Kumblolikal John

            Hi Thomas,

            Thanks for the quick response.

            I have a problem converting these XS classic Schemas into HDI.

            We have a BW system sitting on the same HANA Box. The classic schemas have multiple HANA procedures that are consumed via AMDP by the BW system.

            Can you tell me if AMDP is supported on procedures created via HDI containers? Are the generated schemas of the HDI container visible to ABAP via AMDP? Even if it’s visible, how do you grant access to the BW ABAP user to the HDI container procedures?

            I hope you would cover the integration of AMDP/ABAP and XSA in one of the future blogs or the upcoming open sap session.

            Thanks,

            Lijo John

             

             

            (0) 
            1. Thomas Jung Post author

              >Can you tell me if AMDP is supported on procedures created via HDI containers

              Yes AMDP can certainly call HDI-based procedures. You just need to create HDBROLES within the container and grant those roles to the ABAP technical user.

               

              >Are the generated schemas of the HDI container visible to ABAP via AMDP

              Absolutely, once they have the correct authorizations (as described above).

              >Even if it’s visible how do you grant access to the BW ABAP user to the HDI container procedures.

              It’s not really any different than the old repository. You create HDBROLE within the container. It deploys a container-specific role. However this role looks like any other in the User Admin/Role Assignment tools. You just see the container name prefixed on the role name. You can grant them using the Studio or HANA Cockpit user admin tools.

               

              (0) 
          2. Lijo Kumblolikal John

            Hi Thomas,

            I tried the solution you provided but I could not make it work 🙁

            Can you please guide me where I am going wrong?

            It would be nice if SAP could do a blog on this topic, as accessing an XS classic schema from an XSA HDI container is a common scenario customers encounter when XS classic applications are too complex to migrate and you still need to access those schemas in XSA.

             

            Step 1:

            I created a .hdbrole in my existing XS Classic Schema as shown below.

            This role contains all authorizations that are required to access my XS classic Schema from the new HDI container.

            role global.security.roles.development::gbw_dev
            {
              catalog schema "MY_XS_CLASSIC_SCHEMA" : CREATE ANY, SELECT, INSERT, UPDATE, DELETE, EXECUTE, DEBUG, ALTER, DROP;
            }

             

            Step 2:

            Next I created a database procedure in the XS Classic schema. This procedure is a wrapper and just includes the CALL for granting the role defined above.

            Question: To which user should I grant the roles here? Is it to the generated users of the HDI container? If yes, how do I find those user IDs? If I hardcode the user IDs, don’t they change while moving the solution to Quality or production systems?

             

            PROCEDURE "GRANTSCHEMA"."gbw.model.procs::PROC_GRANT_GBW_DEV_ROLE" ( )
              LANGUAGE SQLSCRIPT
              SQL SECURITY definer as
            BEGIN
              CALL GRANT_ACTIVATED_ROLE('global.security.roles.development::gbw_dev', '');
            END

             

            Step 3

            Next I created a user provided service like you suggested.

            xs cups CROSS_SCHEMA_SERVICE_ GRANT_PROC -p "{\"host\":\"10.41.20.21\",\"port\":\"30015\",\"user\":\"COMM_USR\",\"password\":\"ABCDEFG\",\"driver\":\"com.sap.db.jdbc.Driver\",\"tags\":[\"hana\"],\"type\":[\"procedure\"],\"procedure_schema\":\" GRANTSCHEMA\" ,\"procedure\":\" global.security.roles.development::gbw_dev\" }"

             

            Step 4

            Modified the mta.yaml to include the new user provided service as a resource and defined the dependencies to the hdi module

            Step 5 (I am a bit lost from this step onwards)

            Question: Do I have to create a .hdbgrants file just like in a normal cross schema scenario? If yes, what access do I give there? Do you have an example? I tried the below and it fails saying the user doesn’t have the grant privilege.

            { "hdi-test-service": { "object_owner": { "schema_privileges": [ { "reference": "MY_XS_CLASSIC_SCHEMA", "privileges": [ "SELECT", "EXECUTE" ] } ] }, "application_user": { "schema_privileges": [ { "reference": "MY_XS_CLASSIC_SCHEMA", "privileges": [ "SELECT", "EXECUTE" ] } ] } } }

             

            Step 6

            Question: Assuming Step 5 is fixed, what do I do next? Create a synonym for the remote schema tables?

             

            Thanks,

            Lijo John

             

            (0) 
            1. Thomas Jung Post author

              Your procedure doesn’t have any interface on it. Please refer to the online help for the hdideploy module. It lists the needed interface and a sample of how to write the granting procedure. One of the things passed into the interface is the target users to grant to. So no, you certainly don’t hard code the technical users’ names as you couldn’t possibly know them in advance anyway.

              (0) 
                1. Thomas Jung Post author

                  The documentation is in the readme.md file of the @sap/hdi-deploy module itself. Best way to access it is via npm and just install the module on your local machine. However here is the section in question:

                   

                  For the different types of privileges, the following fields are passed to the GRANT procedure:

                  PRIVILEGE_TYPE           PRIVILEGE_NAME  OBJECT_SCHEMA  OBJECT_NAME  OBJECT_TYPE  GRANTEE_SCHEMA  GRANTEE_NAME  GRANTABLE
                  SCHEMA_OBJECT_PRIVILEGE  privilege       schema         object       NULL         NULL            grantee       TRUE/FALSE
                  GLOBAL_OBJECT_PRIVILEGE  privilege       NULL           object       type         NULL            grantee       TRUE/FALSE
                  SCHEMA_ROLE              NULL            schema         role         NULL         NULL            grantee       TRUE/FALSE
                  GLOBAL_ROLE              NULL            NULL           role         NULL         NULL            grantee       TRUE/FALSE
                  SCHEMA_PRIVILEGE         privilege       NULL           schema       NULL         NULL            grantee       TRUE/FALSE
                  SYSTEM_PRIVILEGE         privilege       NULL           NULL         NULL         NULL            grantee       TRUE/FALSE

                  Example of a GRANT procedure:

                  CREATE PROCEDURE GRANT(
                    IN PRIVILEGES TABLE (
                      PRIVILEGE_TYPE NVARCHAR(128), -- 'SCHEMA_OBJECT_PRIVILEGE'
                                                    -- 'GLOBAL_OBJECT_PRIVILEGE'
                                                    -- 'SCHEMA_ROLE'
                                                    -- 'GLOBAL_ROLE'
                                                    -- 'SCHEMA_PRIVILEGE'
                                                    -- 'SYSTEM_PRIVILEGE'
                      PRIVILEGE_NAME NVARCHAR(256), -- cf. SYS.PRIVILEGES
                      OBJECT_SCHEMA NVARCHAR(256),  -- NULL or schema
                      OBJECT_NAME NVARCHAR(256),
                      OBJECT_TYPE NVARCHAR(128),    -- NULL or 'REMOTE SOURCE'
                      GRANTEE_SCHEMA NVARCHAR(256), -- NULL or schema
                      GRANTEE_NAME NVARCHAR(256),
                      GRANTABLE NVARCHAR(5)         -- 'TRUE' or 'FALSE'
                    )
                  )
                  LANGUAGE SQLSCRIPT
                  SQL SECURITY DEFINER
                  AS
                  BEGIN
                    DECLARE ERROR CONDITION FOR SQL_ERROR_CODE 10000;
                    DECLARE CURSOR PRIVILEGES_CURSOR FOR SELECT * FROM :PRIVILEGES;
                  
                    -- TODO: add checks for valid grantees, e.g. check with _SYS_DI#<group>.M_CONTAINER_SCHEMAS
                    --       or with SYS.USERS and creator and grantee like '%#OO'
                    -- TODO: keep only functionality that should be allowed, e.g. only allow to grant schema-local
                    --       roles, but no object privileges, etc.
                  
                    FOR PRIVILEGE AS PRIVILEGES_CURSOR
                    DO
                      DECLARE TO_GRANTEE_CLAUSE NVARCHAR(512);
                      DECLARE GRANTABLE_CLAUSE NVARCHAR(512) = '';
                  
                      IF PRIVILEGE.GRANTEE_SCHEMA IS NULL THEN
                        TO_GRANTEE_CLAUSE = ' TO "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_NAME) || '"';
                      ELSE
                        TO_GRANTEE_CLAUSE = ' TO "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_SCHEMA)
                                                    || '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.GRANTEE_NAME) || '"';
                      END IF;
                  
                      IF PRIVILEGE.GRANTABLE = 'TRUE' THEN
                        IF PRIVILEGE.PRIVILEGE_TYPE = 'SYSTEM_PRIVILEGE' OR
                           PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_ROLE' OR
                           PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_ROLE' THEN
                          GRANTABLE_CLAUSE = ' WITH ADMIN OPTION';
                        ELSE
                          GRANTABLE_CLAUSE = ' WITH GRANT OPTION';
                        END IF;
                      ELSEIF PRIVILEGE.GRANTABLE != 'FALSE' THEN
                        SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for GRANTABLE: '
                                                        || PRIVILEGE.GRANTABLE;
                      END IF;
                  
                      IF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_OBJECT_PRIVILEGE' THEN
                        EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
                          || ' ON "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_SCHEMA)
                                     || '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                          || TO_GRANTEE_CLAUSE
                          || GRANTABLE_CLAUSE;
                      ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_OBJECT_PRIVILEGE' THEN
                        IF PRIVILEGE.OBJECT_TYPE = 'REMOTE SOURCE' THEN
                          EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
                            || ' ON ' || PRIVILEGE.OBJECT_TYPE || ' "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                            || TO_GRANTEE_CLAUSE
                            || GRANTABLE_CLAUSE;
                        ELSE
                          SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for OBJECT_TYPE for GLOBAL_OBJECT_PRIVILEGE: '
                                                          || PRIVILEGE.OBJECT_TYPE;
                        END IF;
                      ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_ROLE' THEN
                        EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_SCHEMA)
                                       || '"."' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                          || TO_GRANTEE_CLAUSE
                          || GRANTABLE_CLAUSE;
                      ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'GLOBAL_ROLE' THEN
                        EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                          || TO_GRANTEE_CLAUSE
                          || GRANTABLE_CLAUSE;
                      ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_PRIVILEGE' THEN
                        EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
                          || ' ON SCHEMA "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.OBJECT_NAME) || '" '
                          || TO_GRANTEE_CLAUSE
                          || GRANTABLE_CLAUSE;
                      ELSEIF PRIVILEGE.PRIVILEGE_TYPE = 'SYSTEM_PRIVILEGE' THEN
                        EXEC 'GRANT "' || ESCAPE_DOUBLE_QUOTES(PRIVILEGE.PRIVILEGE_NAME) || '"'
                          || TO_GRANTEE_CLAUSE
                          || GRANTABLE_CLAUSE;
                      ELSE
                        SIGNAL ERROR SET MESSAGE_TEXT = 'unsupported value for PRIVILEGE_TYPE: '
                                                        || PRIVILEGE.PRIVILEGE_TYPE;
                      END IF;
                    END FOR;
                  END;
                  (0) 
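An added example, not part of the thread and not from the @sap/hdi-deploy readme: one way to act on the two TODO comments in the sample GRANT procedure above, so that a SQL SECURITY DEFINER procedure cannot be used to hand out arbitrary privileges. The procedure name GRANT_SELECT_ONLY and the single allow-listed grant are assumptions; MY_XS_CLASSIC_SCHEMA is the schema from the question, and the '%#OO' grantee test follows the hint in the readme's TODO.

```sql
-- Added example (hypothetical name GRANT_SELECT_ONLY): same interface as the
-- readme's sample, but it only ever issues one statement:
--   GRANT SELECT ON SCHEMA "MY_XS_CLASSIC_SCHEMA" TO "<container>#OO"
CREATE PROCEDURE GRANT_SELECT_ONLY(
  IN PRIVILEGES TABLE (
    PRIVILEGE_TYPE NVARCHAR(128),
    PRIVILEGE_NAME NVARCHAR(256),
    OBJECT_SCHEMA NVARCHAR(256),
    OBJECT_NAME NVARCHAR(256),
    OBJECT_TYPE NVARCHAR(128),
    GRANTEE_SCHEMA NVARCHAR(256),
    GRANTEE_NAME NVARCHAR(256),
    GRANTABLE NVARCHAR(5)
  )
)
LANGUAGE SQLSCRIPT
SQL SECURITY DEFINER
AS
BEGIN
  DECLARE ERROR CONDITION FOR SQL_ERROR_CODE 10000;
  DECLARE CURSOR PRIVILEGES_CURSOR FOR SELECT * FROM :PRIVILEGES;

  FOR PRIVILEGE AS PRIVILEGES_CURSOR
  DO
    DECLARE GRANTEE NVARCHAR(256);
    DECLARE GRANTEE_MATCHES INTEGER = 0;

    GRANTEE = PRIVILEGE.GRANTEE_NAME;

    -- Allow-list written as a positive test: a NULL or unexpected value in
    -- any field makes the condition not true, so the row lands in ELSE.
    -- GRANTABLE must be 'FALSE', i.e. no WITH GRANT OPTION is passed on.
    IF PRIVILEGE.PRIVILEGE_TYPE = 'SCHEMA_PRIVILEGE'
       AND PRIVILEGE.PRIVILEGE_NAME = 'SELECT'
       AND PRIVILEGE.OBJECT_NAME = 'MY_XS_CLASSIC_SCHEMA'
       AND PRIVILEGE.GRANTEE_SCHEMA IS NULL
       AND PRIVILEGE.GRANTABLE = 'FALSE' THEN

      -- Grantee must be an existing user whose name ends in #OO (container
      -- object owner). Assumption: the procedure owner can see that user in
      -- SYS.USERS. Grantees of an "application_user" section are rejected
      -- here and would need their own allow-list rule.
      SELECT COUNT(*) INTO GRANTEE_MATCHES
        FROM SYS.USERS
       WHERE USER_NAME = :GRANTEE
         AND USER_NAME LIKE '%#OO';

      IF :GRANTEE_MATCHES = 1 THEN
        -- Privilege and schema are literals; only the validated grantee is
        -- concatenated, and it is still escaped.
        EXEC 'GRANT SELECT ON SCHEMA "MY_XS_CLASSIC_SCHEMA" TO "'
          || ESCAPE_DOUBLE_QUOTES(:GRANTEE) || '"';
      ELSE
        SIGNAL ERROR SET MESSAGE_TEXT = 'grantee is not an existing #OO user';
      END IF;
    ELSE
      SIGNAL ERROR SET MESSAGE_TEXT = 'grant request is outside the allow-list of this procedure';
    END IF;
  END FOR;
END;
```

The technical user in the user-provided service then needs only EXECUTE on this procedure, and a deployment that asks for anything beyond the one grant fails instead of being silently widened.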
                  1. Lijo Kumblolikal John

                    Hi Thomas,

                    Thanks for the reply.

                    I installed the module @sap/hdi-deploy but the installation does not come with a README.MD file.

                    Is this module in the sap npm registry missing the README.MD file?

                     

                     

                     

                    (0) 
                    1. Thomas Jung Post author

                      All the modules in the SAP NPM repo should have a readme.md, but unfortunately this one does not. I put the relevant section in my earlier posting. I’ve also spoken to the documentation lead and development manager for this module and they will work to get the readme.md included in the next release.

                      (0) 
                      1. Lijo Kumblolikal John

                        Hi Thomas,

                        Thanks.

                        Can you then please share the section on subsequent step of creation of user provided service of type procedure also? I did the below but not sure if the syntax is correct.

                        xs cups CROSS_SCHEMA_SERVICE_CCO_CE_GRANT_NEW -p "{\"host\":\"10.41.20.21\",\"port\":\"30015\",\"user\":\"CCO_CR_SCH_USR\",\"password\":\"ABCDE\",\"driver\":\"com.sap.db.jdbc.Driver\",\"tags\":[\"hana\"],\"type\":\"procedure\",\"procedure_schema\":\"LKUMBLOL\" ,\"procedure\":\" hgrs.cco.fc_ce_grp.model.procs::GRANT\" }"

                        As per my understanding, once the user provided service is created, I need to create a .hdbgrants file (like below) and then create synonyms. Please correct me if I am wrong.

                        { "hdi-hccocelive-service": { "object_owner": { "schema_privileges": [ { "reference": "MY_SCHEMA", "privileges": [ "SELECT" ] } ] }, "application_user": { "schema_privileges": [ { "reference": "MY_SCHEMA", "privileges": [ "SELECT" ] } ] } } }

                         

                        Thanks,

                        Lijo John

                        (0) 
                        1. Thomas Jung Post author

                          There are no subsequent steps. Just the section I posted earlier:

                          • At the database, a GRANT procedure must exist (or be visible) in the schema which is used in the user-provided service; an example is shown below.
                          • The technical database user must have EXECUTE privileges on the GRANT procedure.
                          • The name of the GRANT procedure must be specified in the user-provided service in the "procedure" field, e.g. "procedure": "GRANT".
                          • The schema name of the GRANT procedure can be specified in the user-provided service in the "procedure_schema" field, e.g. "procedure_schema": "A_SCHEMA".
                          • The user-provided service must contain a "type" field with the value "procedure".

                           

                          (0) 
