API#
Overview#
EDA includes an HTTP REST API to support software integration. By using the REST API, you can write your own software that can configure any feature of the EDA.
General Concepts#
The EDA API is following a very similar model as the Kubernetes Resource Model. Every custom resource that gets added through the installation of an App, will be available through the EDA API in a similar way as custom resources in Kubernetes are available through the Kubernetes API.
There are two major components to the EDA API, and a few internal components:
- Core API
- The Core API is used to manage a few core concepts of EDA, like getting and posting Transactions, executing EQLQueriesand gettingNodeConfigsfor specific nodes.
- Apps API
-  The Apps API is where every App installed into EDA, exposes its custom resources. That includes all the default installed Apps. EDA API vs Kubernetes API & kubectlIn the current EDA model, both the EDA API and Kubernetes API (or kubectl) can be used to manage certain resources. However, be aware that anything that has been internally generated within EDA might not be fully visible to the Kubernetes environment and only available over the EDA API.
- OpenAPI API
- This API provides access to OpenAPIv3 Specifications for the Core and Apps API.
- HTTPProxy API
- The EDA API server acts as a transparent passthrough proxy for certain services, like Keycloak for authentication and other internal services. This is handled by the HTTPProxy API.
Do not change or manipulate any of the HTTPProxy API settings as this can break your EDA deployment.
Synchronous vs Asynchronous#
All the API requests are handled as synchronous API requests. To make asynchronous API requests use the Transaction API.
Authentication#
For authentication and authorization, EDA uses Keycloak as its backend. Keycloak is a proven and secure solution for Identity and Access management. EDA uses Keycloak through the OpenID Connect protocol where the authentication flow to obtain the OAuth 2.0 token is different for browser-based and non-browser-based clients:
- For browser-based clients, the user is redirected to Keycloak for authentication and then send back with the necessary tokens for the API to authenticate and verify the user as a legitimate user. This is referred to as the Standard Flow (Authorization Code Grant in the OAuth2 specifications RFC 6749 4.1).
- For non-browser API clients, such as CLI applications, scripts, etc., the Direct Access Grant flow (Resource Owner Password Credentials Grant in the OAuth2 specifications RFC 6749 4.5) is used to obtain the authentication token. In this case the API client directly authenticates with Keycloak using client_secret and provides the Authorization Server with Resource Owner credentials (EDA username credentials). The Authorization Server (Keycloak) provides the client with the token that is used for further API calls to the EDA API. The API client is also responsible for refreshing or renewing their token.
The non-browser API clients authenticate against the Kecloak authorization server by providing the following parameters in the request:
- client_id: Must be set to- eda
- grant_type: Must be set to- password
- scope: Must be set to- openid
- username: The username for the user that needs to authenticate
- password: The password for the user that needs to authenticate
- client_secret: The Keycloak client secret for client ID- eda
Some of the hardcoded settings might change in the future
Getting the client_secret#
 Every EDA deployment gets a unique client secret token generated during installtion. An EDA system administrator is responsible for retrieving the client secret and providing it to the application/scripts/clients that intent to interact with the EDA API server. The secret can be retrieved using Keycloak UI and Keycloak API. Below you will find different methods to obtain the client secret:
- Navigate to https://{EDA_URL}/core/httpproxy/v1/keycloakin your browser.
- Log in with the Keycloak administrator username and password (default is admin:adminand can be changed1).
- From the Keycloak drop-down list on the upper left, select Event Driven Automation (eda).
- Select Clients from the menu on the left.
- Select eda in the client table.
- Select Credentials in the tab bar on the top.
- Copy the Client Secret.
The above steps are shown in the video:
During the development cycle a user might want to fetch the client secret in the automated way, without resorting to the UI. The shell script below fetches the client secret using the variables defined at the top of the file:
Note, the script requires
curlandjqto be installed in your environment.
Shell Script
#!/bin/bash
export EDA_API_URL="${EDA_API_URL:-https://myinstance.eda.rocks:9443}"
export KC_KEYCLOAK_URL="${EDA_API_URL}/core/httpproxy/v1/keycloak/"
export KC_REALM="master"
export KC_CLIENT_ID="admin-cli"
export KC_USERNAME="${KC_USERNAME:-admin}"
export KC_PASSWORD="${KC_PASSWORD:-admin}"
export EDA_REALM="eda"
export API_CLIENT_ID="eda"
# Get access token
KC_ADMIN_ACCESS_TOKEN=$(curl -sk \
  -X POST "$KC_KEYCLOAK_URL/realms/$KC_REALM/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password" \
  -d "client_id=$KC_CLIENT_ID" \
  -d "username=$KC_USERNAME" \
  -d "password=$KC_PASSWORD" \
  | jq -r '.access_token')
if [ -z "$KC_ADMIN_ACCESS_TOKEN" ]; then
  echo "Failed to obtain keycloak admin token"
  exit 1
fi
# Fetch all clients in the 'eda-realm'
KC_CLIENTS=$(curl -sk \
  -X GET "$KC_KEYCLOAK_URL/admin/realms/$EDA_REALM/clients" \
  -H "Authorization: Bearer $KC_ADMIN_ACCESS_TOKEN" \
  -H "Content-Type: application/json")
# Get the `eda` client's ID
EDA_CLIENT_ID=$(echo "$KC_CLIENTS" | jq -r ".[] | select(.clientId==\"${API_CLIENT_ID}\") | .id")
if [ -z "$EDA_CLIENT_ID" ]; then
  echo "Client 'eda' not found in realm 'eda-realm'"
  exit 1
fi
# Fetch the client secret
EDA_CLIENT_SECRET=$(curl -sk \
  -X GET "$KC_KEYCLOAK_URL/admin/realms/$EDA_REALM/clients/$EDA_CLIENT_ID/client-secret" \
  -H "Authorization: Bearer $KC_ADMIN_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  | jq -r '.value')
if [ -z "$EDA_CLIENT_SECRET" ]; then
  echo "Failed to fetch client secret"
  exit 1
fi
echo "$EDA_CLIENT_SECRET"
If you have this script saved as a file, you can call it like this:
With overriding the top level parameters using the env variables.
In case you're using Ansible collections for Nokia EDA, you can fetch the client secret using the Utils collection and the get_client_secret module.
Getting the Access Token#
With the client secret obtained from the previous step, an API client can now request an access token from Keycloak. Below you will find different ways of getting the token:
An example of using curl to authenticate and get an access token for the EDA API. Make sure to use your own EDA URL and Keycloak client secret.
curl -s https://${EDA_API_URL}/core/httpproxy/v1/keycloak/realms/eda/protocol/openid-connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=eda' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'scope=openid' \
  --data-urlencode 'username=${EDA_USERNAME}' \
  --data-urlencode 'password=${EDA_PASSWORD}' \
  --data-urlencode 'client_secret=${EDA_CLIENT_SECRET}'
Example output parsed using jq
 curl -s https://${EDA_API_URL}/core/httpproxy/v1/keycloak/realms/eda/protocol/openid-connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=eda' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'scope=openid' \
  --data-urlencode 'username=admin' \
  --data-urlencode 'password=admin' \
  --data-urlencode 'client_secret=9eGhwdAaox8bQ5DnfuUHuQTbOxhJxUwg' | jq -S
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJBTHBheFhxanhaYmY5Vy1Pb3JpVnoxSUNTUV9SLUNrc05jZzVGRGFadUI0In0.eyJleHAiOjE3MzM5OTMyNDcsImlhdCI6MTczMzk5Mjk0NywianRpIjoiZjExZTdmM2UtMzFkNi00NTQ0LWE3MDUtMjA2Mzg0ZTYyYmNiIiwiaXNzIjoiaHR0cHM6Ly9wbG0tc2Itazgubm92YWxvY2FsOjk0NDMvY29yZS9odHRwcHJveHkvdjEva2V5Y2xvYWsvcmVhbG1zL2VkYSIsInN1YiI6ImYyYTc1MDM1LTU2YTUtNGJhMC1iZTliLTUzZTEzNTEyNTliZSIsInR5cCI6IkJlYXJlciIsImF6cCI6ImVkYSIsInNpZCI6ImYyZTU1YjQ2LWRiN2YtNGIwMi05ZTIwLTc2YTc2YWE0MDYwMSIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImVkYXJvbGVfc3lzdGVtLWFkbWluaXN0cmF0b3IiLCJhZG1pbiJdfSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6IkVEQSBhZG1pbiB1c2VyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4iLCJnaXZlbl9uYW1lIjoiRURBIiwiZmFtaWx5X25hbWUiOiJhZG1pbiB1c2VyIn0.ZH2vO1sbxm4tke2bE1fUdUbkCtHYo3bFUZpr0J46GL0lGpyIf0LkxOnosatjpLCQl7-CpExhZCv11SmUM6W6c4DoX6d90PKeC-t-GoSKshAxGIh7njtFt1_dYAf1NgF4EGOQMPINj-_n4igjU22Ef7aU8c05m-QkbIPykYFJ0BefqG_H8A1QzNvntADrEfrpHAudGFxB1Ei5FpBxIRfqX40B7_9brzWMlrRRXeWA9i-JVe-6JXQxTTqRKAF9sWGllTA-vbcl-MZ1WsGcC8yS-KQ9nyTrqkwT4Sh06Z7s8IpqBNPEcVJ8p_X65bblGoRKrXMSD0zEXM2zTsJRGd6JVA",
  "expires_in": 300,
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJBTHBheFhxanhaYmY5Vy1Pb3JpVnoxSUNTUV9SLUNrc05jZzVGRGFadUI0In0.eyJleHAiOjE3MzM5OTMyNDcsImlhdCI6MTczMzk5Mjk0NywianRpIjoiODM0MGVlMWQtOThkNC00ZmQ5LThhOTQtNTIwNTQ5YWJlMjE3IiwiaXNzIjoiaHR0cHM6Ly9wbG0tc2Itazgubm92YWxvY2FsOjk0NDMvY29yZS9odHRwcHJveHkvdjEva2V5Y2xvYWsvcmVhbG1zL2VkYSIsImF1ZCI6ImVkYSIsInN1YiI6ImYyYTc1MDM1LTU2YTUtNGJhMC1iZTliLTUzZTEzNTEyNTliZSIsInR5cCI6IklEIiwiYXpwIjoiZWRhIiwic2lkIjoiZjJlNTViNDYtZGI3Zi00YjAyLTllMjAtNzZhNzZhYTQwNjAxIiwiYXRfaGFzaCI6IlNJRUREbWdpb2xneXpPT2lqQ3ZHRWciLCJhY3IiOiIxIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoiRURBIGFkbWluIHVzZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiIsImdpdmVuX25hbWUiOiJFREEiLCJmYW1pbHlfbmFtZSI6ImFkbWluIHVzZXIifQ.a9946wNL4_UCfi9LmysRz6wiZG3Zgt84Vz6pa5HfxRcQj5tvFsoBVNCSWd07OzxAS_QuPsMESl9WM4WalUW4Ib6XyNEPENvJsQE8mRWSm-x1R0d1lqrGSaiOJzKX5XUNgZ1u7PRbG-jtlcY-Iaq3Ei7sfOWVmXz8mKOyGteRCa9MSrbD4oFe52DTPNV4EwHIbkI8hUuO9dvgu3MdX6OdLSU9FApDAQjrMo7dqF9_E5SfGvnIPWcAiPD2QyuTP6ZF2SBDEX0OIqn7LNiyyeg4t6RylCakgi31zi_cTY3SfeMhmc9_X4SOj0XbmqZYM7o_mCFxbXTjeSVLcJv4zvuMHg",
  "not-before-policy": 0,
  "refresh_expires_in": 1800,
  "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI1NDRjYThkOC0yN2JkLTRlYTAtOGY2Ny1jOTkzYjExMDAwZDYifQ.eyJleHAiOjE3MzM5OTQ3NDcsImlhdCI6MTczMzk5Mjk0NywianRpIjoiZmE2OGQwYWEtNTcyOS00ZjhiLWE5OWUtNDQyNmY3ZWEwNzg5IiwiaXNzIjoiaHR0cHM6Ly9wbG0tc2Itazgubm92YWxvY2FsOjk0NDMvY29yZS9odHRwcHJveHkvdjEva2V5Y2xvYWsvcmVhbG1zL2VkYSIsImF1ZCI6Imh0dHBzOi8vcGxtLXNiLWs4Lm5vdmFsb2NhbDo5NDQzL2NvcmUvaHR0cHByb3h5L3YxL2tleWNsb2FrL3JlYWxtcy9lZGEiLCJzdWIiOiJmMmE3NTAzNS01NmE1LTRiYTAtYmU5Yi01M2UxMzUxMjU5YmUiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiZWRhIiwic2lkIjoiZjJlNTViNDYtZGI3Zi00YjAyLTllMjAtNzZhNzZhYTQwNjAxIiwic2NvcGUiOiJvcGVuaWQgcm9sZXMgd2ViLW9yaWdpbnMgYWNyIGJhc2ljIHByb2ZpbGUgZW1haWwifQ.SQeRoXLXA61l8AozNH2iaOYR0lJVMYWTtbAEYKY4lREYYesAAMNRVk5wcLR1oKJrFzCFRnhMmIEZysQ7D_DDcw",
  "scope": "openid profile email",
  "session_state": "f2e55b46-db7f-4b02-9e20-76a76aa40601",
  "token_type": "Bearer"
}
In case you're using Ansible collections for Nokia EDA, you can fetch the client secret using the Utils collection and the get_token module.
OpenAPI Specifications#
Detailed information about all of the individual API endpoints and their parameters is available in the OpenAPI (v3) format. You can download OpenAPIv3 JSON files either from your EDA installation or from the community-supported eda-labs/openapi repository.
API documentation in the EDA UI#
If you have EDA already installed2 you can find OpenAPI documentation and download specifications for both EDA Core as well as for every application you have installed in your cluster. To access the API Documentation, use the icon in the top right corner and select API Documentation menu item:
The API Documentation UI can be used to explore the API specification as well as to download the OpenAPI Specification JSON files. To download the specification file for a selected application, use the icon in the top right corner.
You can then use these files within your own tools that can work with the standard OpenAPI specifications.
The API documentation web view does not only provide a reference to the available APIs and endpoints, but also allows you to run the requests for all available endpoints. For example, the video below shows how to run a GET request to list configured users in the EDA platform by using the Core API.
The request runner in the API documentation web view takes care of the authentication flow on your behalf. You can start running API requests right away.
EDA OpenAPI Repository#
If you don't have EDA installed, but still want to browse the OpenAPI specification for the EDA core and its default apps, you can use the community-supported eda-labs/openapi repository.
This repo uses tags to indicate which EDA software release these OpenAPI spec files were extracted from.
Listing OpenAPI Specifications#
For EDA Core and each installed EDA App the API server maintains the API Specification file that can be listed and fetched via the openapi endpoint.
To list the available API Specifications and their relevant URLs, first authenticate the client and then you can execute the following curl command to get the list of APIs and OpenAPI Specification URLs per API.
curl -s https://${EDA_URL}/openapi/v3 \
  -H 'Authorization: Bearer ${TOKEN}' \
  -H 'Content-Type: application/json'
Example output parsed using jq
 $ curl -s https://${EDA_URL}/openapi/v3 \
  -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJuNnV4VXVyODdyaHNYUEt6dHNlT1Qxc1lERVI5MVVlMXBzWnhhaEdQX19rIn0.eyJleHAiOjE3MTQ2MDMwNjAsImlhdCI6MTcxNDYwMjc2MCwianRpIjoiYzdiZjU3NGUtY2ZkNi00Nzk3LTk2NzItMWI5Y2E5YTg2NzQ2IiwiaXNzIjoiaHR0cDovL2hlbGl4Lm5va2lhLmRlbGxhZXJ0LmRldjo5MjAwL2NvcmUvaHR0cHByb3h5L3YxL2tleWNsb2FrL3JlYWxtcy9lZGEiLCJzdWIiOiJmMmE3NTAzNS01NmE1LTRiYTAtYmU5Yi01M2UxMzUxMjU5YmUiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJlZGEiLCJzZXNzaW9uX3N0YXRlIjoiMTFkZjU2OWEtNTZhYi00NmMyLWJkOTItNTJkYTg1YzM4NzA4IiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyIvKiJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiYWRtaW4iXX0sInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgZW1haWwiLCJzaWQiOiIxMWRmNTY5YS01NmFiLTQ2YzItYmQ5Mi01MmRhODVjMzg3MDgiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZ2l2ZW5fbmFtZSI6IiIsImZhbWlseV9uYW1lIjoiIn0.bfTVRxe8KaVAqxjjDKIOJI6UGtJtpKc4W58ouvM1ILAVTiUtaWONT9xGIWDsUaEOzWQTlg-fjYWD3SmAMwPMo11wXafQkL7hTItj6Gs0DalwvmarXGetaVc7rVQhG5p3kvTQ0rNYqjE2bU763ml173kPXNKWUl7VXArCVK6uZ0azBDDX5uzlFBd5QEBtn1pH_-rATheCpvnkjC3s2WfJhDULfkix63N5MQWwhOajAKRe5mXTWLv9W9d_nwDsrHipPBtvAvG65I7s6tqjFH_M--PQPXifsl73v0hTnIHzC9ujpcGxkxctK9DvpwADF7TmuKVjbFHZqxp3FT7HxaK6Zg' \
  -H 'Content-Type: application/json' | jq -S
{
    "paths": {
        "/apps/aaa.eda.nokia.com/v1alpha1": {
            "x-eda-nokia-com": {
                "serverRelativeURL": "/openapi/v3/apps/aaa.eda.nokia.com/v1alpha1",
                "title": "AAA Application APIs"
            },
            "serverRelativeURL": "/openapi/v3/apps/aaa.eda.nokia.com/v1alpha1",
            "title": "AAA Application APIs"
        },
        "/apps/aifabrics.eda.nokia.com/v1alpha1": {
            "x-eda-nokia-com": {
                "serverRelativeURL": "/openapi/v3/apps/aifabrics.eda.nokia.com/v1alpha1",
                "title": "AIFabrics Application APIs"
            },
            "serverRelativeURL": "/openapi/v3/apps/aifabrics.eda.nokia.com/v1alpha1",
            "title": "AIFabrics Application APIs"
        },
        "/apps/appstore.eda.nokia.com/v1": {
            "x-eda-nokia-com": {
                "serverRelativeURL": "/openapi/v3/apps/appstore.eda.nokia.com/v1",
                "title": "App Store Application APIs"
            },
            "serverRelativeURL": "/openapi/v3/apps/appstore.eda.nokia.com/v1",
            "title": "App Store Application APIs"
        },
        // snipped
    }
}
Fetching the API Specifications#
For each of the App/version and the Core, the serverRelativeURL is the full URI to the API specifications for that specific App/version. You can use that to fetch the full OpenAPIv3 Specifications for the resources used and exposed by that specific App and version. Below is an example for the connect App. With an authenticated client you can execute the following curl command to fetch the OpenAPIv3 specification of the connect.eda.nokia.com/v1alpha1 app.
curl -s http://${EDA_HOST}/openapi/v3/apps/connect.eda.nokia.com/v1alpha1 \
  -H 'Authorization: Bearer ${TOKEN}' \
  -H 'Content-Type: application/json'
-  https://documentation.nokia.com/eda/25-8/books/user/change-internal-passwords.html#keycloak-and-the-eda-ui ↩ 
-  Try EDA installation is a perfect fit for experimenting with the API. ↩