Configure a System User with Node API Credentials

The Watch Folders API uses Node API credentials for authentication to the local Aspera server (the server to which you send Watch Folders API requests). This server requires configuration to support authentication for Watch Folders.

  1. Select or create a user account to run your services.

    Watch Folder services must be run under a user with access to every area of your file system in which you intend to create a Watch Folder. You can run multiple instances of these services under different users; however, most deployments run these services under one user, such as “root” on Unix-based systems or “svcAspera” on Windows.

  2. Configure a docroot or restriction for the user.

    Docroots and path restrictions limit the area of a file system or object storage to which the user has access. Users can create Watch Folders and Watch services on files or objects only within their docroot or restriction. A user can have a docroot or a restriction, but not both; if both are set, Watch Folder creation fails.

    To configure a docroot, run the following command:

    # asconfigurator -x "set_user_data;user_name,username;absolute,docroot"

    To configure a restriction, run the following command:

    # asconfigurator -x "set_user_data;user_name,username;file_restriction,|path"

    The restriction path format depends on the type of storage. For local storage:

    • specific folder: file:////folder/*
    • drive root: file:////*

    For the restriction format for other types of storage, see the IBM Aspera High-Speed Transfer Server Admin Guide.

  3. Restart the IBM Aspera NodeD service (asperanoded) to activate your changes.

    For Linux, run the following command:

    # systemctl restart asperanoded

  4. Ensure the user has permissions to write to the default log directory if no directory is specified.

  5. Create a Node API user and associate it with the transfer user account.

    The user account must have administrative (root / sudo) privileges to interact with asperawatchfolderd.

    # /opt/aspera/bin/asnodeadmin -a -u node_username -p node_password -x admin_user --acl-set "admin,impersonation"

    For example:

    # /opt/aspera/bin/asnodeadmin -a -u watchfolder_user -p X245lskd3 -x root --acl-set "admin,impersonation"

    This command creates a user with admin permissions for Watch Folder actions (no restrictions). You can create other node users without admin permissions and customize their allowed actions by using the /access_control endpoint.

    Adding, modifying, or deleting a node-user triggers automatic reloading of the user database and the node’s configuration and license files. For more information on the Node API, see your transfer server’s administrator guide.

  6. Verify that you correctly added the Node API user.

    # /opt/aspera/bin/asnodeadmin -l
    List of Node API user(s):
                    user       system/transfer user                    acls
    ====================    =======================    ====================
           node_api_user                system_user    [admin,impersonation]

    For example, using the information from the example in the previous step, the output is similar to the following:

    # /opt/aspera/bin/asnodeadmin -l
                    user       system/transfer user                    acls
    ====================    =======================    ====================
    watchfolder_user                          root    [admin,impersonation]
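
One way to script the check in step 6, as an added example that is not part of the IBM documentation: the function parses `asnodeadmin -l` output and confirms that a Node API user maps to the expected system user and carries the required ACLs. The helper name `check_node_user` is hypothetical, and the sample listing is constructed from the example output above so the script runs without an Aspera server.

```shell
#!/bin/sh
# Added example: verify one row of `asnodeadmin -l` output.
# On a server: /opt/aspera/bin/asnodeadmin -l | check_node_user NODE_USER SYSTEM_USER ACL[,ACL...]

# check_node_user (hypothetical helper, not an Aspera tool) reads the listing on stdin.
# Exit status: 0 = row matches, 1 = wrong system user or missing ACL, 2 = user not listed.
check_node_user() {
  awk -v want_user="$1" -v want_sys="$2" -v want_acls="$3" '
    $1 ~ /^==+$/ { in_table = 1; next }   # data rows start after the ==== separator
    !in_table || NF < 3 { next }          # skip banner, column header and blank lines
    $1 == want_user {
      found = 1
      acls = $3
      gsub(/^\[|\]$/, "", acls)           # strip the surrounding [ ] from the acls column
      if ($2 != want_sys) {
        printf "FAIL: %s maps to %s, expected %s\n", $1, $2, want_sys
        bad = 1
      }
      n = split(want_acls, need, ",")
      for (i = 1; i <= n; i++) {
        if (index("," acls ",", "," need[i] ",") == 0) {
          printf "FAIL: %s lacks acl %s\n", $1, need[i]
          bad = 1
        }
      }
    }
    END {
      if (!found) { printf "FAIL: node user %s not listed\n", want_user; exit 2 }
      if (bad) exit 1
      printf "OK: %s -> %s [%s]\n", want_user, want_sys, want_acls
    }'
}

# Constructed sample input, copied from the example output shown in step 6.
SAMPLE_LISTING='List of Node API user(s):
                user       system/transfer user                    acls
====================    =======================    ====================
watchfolder_user                          root    [admin,impersonation]'

# Demonstration run against the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | check_node_user watchfolder_user root admin,impersonation
```

The non-zero exit codes let a provisioning script or configuration check stop when the mapping or ACLs differ from what was intended.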