Functions can take an attachment as an input parameter and then work with the attachment. TypeScript & Python functions have documentation on how to achieve this, but compute modules do not list attachments as one of their input types.
A compute-module-backed function can take a string as an input parameter, and an attachment RID can be passed to that parameter, but how the function should load the attachment is not clear. Should the function use the authHeader
field on the job context? Or the tempCredsAuthToken
? If the latter, how should the function interact with the mentioned (but not documented) data sidecar?
And, most importantly, is this even possible?
According to the compute module function mode permissions documentation, a compute-module-backed function can either have no access to Foundry resources, or service-user permissions to Foundry resources. In the case of an attachment that is not yet associated with an object (which a service user could be configured to access), how would a compute module get access to that attachment?
Cheers
Paul
Hi @pwest-northslope, I would recommend using service-user permissions for this use case. On the configure tab of your compute module, you can select to use “application permissions”, at which point you can either provide an existing client ID or have the compute module generate one for you. You can ensure that client ID has access to the attachement(s) in question by sharing access with that client ID.
Then in your compute module code, you can use the oauth helper function to generate an auth token with the configured client ID/secret for your compute module. Based on these docs, it seems you’ll need at least the api:ontologies-read
scope to call this endpoint.
@skruyswyk how would the client ID get read permissions for those attachments?
The attachments are uploaded by the user from a front-end when they are fed into an action. The action reads from and writes to zero object types, so object permissions do not apply. The attachment exists as a free-floating resource which does not appear to be subject to any externally-controllable permissions scheme to which the service user could be a party.
Reading the attachment is tied to reading the object.
Permissions to view, edit, and delete an attachment are consistent with the object to which they are uploaded.
from https://www.palantir.com/docs/foundry/action-types/upload-attachments
So if your service user can see the object (Viewer on the Object instances) it should be able to access the Attachment of those objects (like any property of those objects).
Right, but how can a function get permission to read an attachment that is not uploaded to an object?
Below I have an action that takes a single attachment as a parameter and forwards that attachment to a function. The function reads from and writes to no objects; it just reads metadata from the attachment. I can trigger this action from Workshop with a file-upload pane; the file selected in that widget is fed directly to the action (and function) without first being attached to an object.
This is what I’m trying to accomplish in a compute module: a function which takes an attachment that has not been uploaded to an object as an input, and works with it.
For this scenario, how do the permissions work?