Get Started

Analytics Framework Service Setup

Like other Predix platform services, authentication access to Analytics Framework is controlled by the designated trusted issuer and managed by the User Account and Authentication (UAA) web service. A UAA service instance must be already set up as the trusted issuer before getting started with the Analytics Framework service.

If you want to create a new Analytics Framework service instance, start with Task Roadmap: Setting Up Analytics Framework Service Instance.

Integrating with Analytics Framework

The Predix Analytics Framework service can be integrated with Time Series and/or Asset Data services to provide reading/writing data capability. If you want to integrate these services together, create your Predix Asset and Time Series service instances before creating your Analytics Framework service instance. Once completed, you can run cf update-service command to configure these services to be used together. The following configuration parameters must be added to "dependentServices" list and added to UAA client ID for scheduler (either scope or authorities or both)


Service	Required Value	Information
Predix Asset	Predix asset zone id	Provide the dependent Predix Asset service instance zone id. The zone id can be found by running the command `cf service <asset-instance-name> --guid`
Predix Time Series	Predix timeseries zone id	Provide the dependent Predix Time Series service instance zone id. The zone id can be found by running the command `cf service <timeseries-instance-name> --guid`

For more information about configuration changes needed when integrating with Predix Asset and Time Series, see Updating an Analytics Framework Service Instance and Configuring an OAuth2 Client for Predix Asset and Time Series Integration.

Task Roadmap: Setting Up Analytics Framework Service Instance

A task roadmap provides the recommended order of steps to complete a process and serves as a planning guide. Use the following roadmaps as a guide for creating your Analytics Framework service instance.

This service can be created either using the Predix console or from the command line.

Prerequisites


No.	Task	Information
1.	Familiarize yourself with Predix platform concepts	See What is Predix Platform?
2.	Set up your Predix development environment	See Task Roadmap: Predix Development Environment Setup
3.	Create the Predix Hello World application if you do not have your own application.	See Creating and Deploying a Simple Web App to Cloud Foundry Tip: You will later bind your service instance to an app to provision service details in the VCAP_SERVICES environmental variable. Cloud Foundry runtime uses the VCAP_SERVICES environment variable to communicate with a deployed application about its environment
4.	Configure the trusted issuer.	See Creating a UAA Service Instance Tip: () service is the authorization server that Predix platform services use for authentication. The maximum number of instances that you can create in your space is 10. As a best practice, use the same instance with each of your services.

Task Roadmap: Setting Up an Analytics Framework Service Instance


No.	Task	Information
1.	Create the service instance	Using Predix console: Creating an Analytics Framework Service Instance Using command line: Using the Command Line to Create an Analytics Framework Service Instance Note: The Analytics Framework requires three dedicated OAuth2 clients to fully manage service features. Save the client id and client secret values provided during service creation for future use.
2.	Review the OAuth2 client recommendations	See OAuth2 Client Recommendations for Analytics Framework Service
3.	Create the OAuth2 clients	See Creating an OAuth2 Client
4.	Configure the OAuth2 clients to manage authentication for the service	See Using Predix console: Creating an OAuth2 Client Configuring an OAuth2 Client for Analytics Framework Using command line: Configuring an OAuth2 Client for Scheduler Using UAAC
5.	(Optional, only if integrated with Predix Asset and/or ) Update the dependent services list	See Updating an Analytics Framework Service Instance
6.	Bind your application to the service instance	See Binding an Application to an Analytics Framework Instance
7.	Create a service key for access when outside the Cloud Foundry environment	See Creating Service Keys
8.	Verify the binding and retrieve the environment variables values	See Verifying the Binding

About the Postman Collections for Analytics Services

You can use Postman to test your analytics service REST API requests.

Sample requests for all analytics services APIs can be found in the Postman collections provided for your use. These Postman collections can be used as is or customized to test your service REST API requests when developing your application. Follow the instructions at https://github.com/PredixDev/predix-analytics-sample/tree/master/postman to import these collections and to configure your Postman environment to connect to your service instances.

OAuth2 Client Recommendations for Analytics Framework Service

The Analytics Framework requires two dedicated OAuth2 clients to fully manage all service features. You can use the UAA Dashboard (Client Management tab) or the UAA command-line interface (UAAC) to create and configure a client for the framework.

is the identity management service used to authenticate users and register OAuth2 clients for Predix platform. It acts as an OAuth2 provider, issuing tokens for client applications to use when acting on behalf of Predix cloud users. Before using any Predix platform service, you must first set up a service instance to act as your trusted issuer. All access to the Predix service will be authenticated by its designated trusted issuer.

When you create the service instance, an admin client is created for bootstrap purposes. While you can use this admin client to manage your Analytics Framework service instance, you will need a total of two clients to manage all features effectively. It is recommended you use two dedicated OAuth2 clients to manage the Analytics Framework service and features.

As part of service instance creation, you will provide three separate client id and client secret values.

Analytics Framework client: The OAuth2 client for the framework service instance. You can use the admin client for the UAA instance acting as the authenticator for the Analytics Framework service instance, or create a new dedicated client.
Scheduler feature client: A dedicated OAuth2 client for the scheduler feature. Save the client id (Runtime client id) and client secret (Runtime client secret) values for future use.

Whenever a new OAuth2 client is created, the client is assigned default scopes and authorities. You will configure the additional authority and scope settings specific to the framework as a separate step. For example, each client requires specific Authorized Grant Types and Refresh Token Validity settings be configured.

For more information and instructions, see Creating an OAuth2 Client.

Passing Configuration Parameters Using a File

When creating or updating an Analytics Framework service instance, you can pass the configuration parameters in a file instead of as a single line.

For example, when creating the Analytics Framework instance, your configuration file may resemble the following.

{
  "trustedIssuerIds": [
    "<uaa_instance_issuerId>"
  ],
  "runtimeClientId": "<my_runtime_client_id>",
  "runtimeClientSecret": "<my_runtime_client_secret>",
  "predixAssetZoneId": "<my_predix_asset_zone_id>",
  "predixTimeseriesZoneId": "<my_predix_timeseries_zone_id>"
}

When using this method you can pass the path to the file after the -c command when using either create or update. For example:

cf update-service <my_service_instance> -c myFile.txt

Creating an Analytics Framework Service Instance

Create a new service using Predix console as follows. Alternatively, you can create the service from the command line.

Procedure

Sign into your Predix account, then navigate to Catalog > Services > Analytics Framework tile.
Select the desired plan and click Subscribe.

The New service instance page displays. Complete the fields in this form to create a new Analytics Framework service instance. Required fields are noted by an asterisk (*).
Select the desired Org, then the Space, from list. Once the creation process is completed, the new service instance will reside in selected location in Predix cloud.
From the User Account & Authentication (UAA) field, select the UAA instance to act as the authenticator for the service instance.
- Select existing UAA: Select the UAA instance name from the list. You can create or modify OAuth2 clients using the Client Management tab in the UAA Dashboard.
- Subscribe to New UAA: Select to create a new UAA instance. Click the plus (+) symbol for instructions.

Complete the configuration fields as follows. Save the values you provide for future use.

Feature	Field	Description
Scheduler	Runtime client id	Provide a non-admin UAA client id to be used for running scheduled jobs. Note: It is recommended that the client have a non-expiring refresh token to accommodate long running scheduled jobs.
Scheduler	Runtime client secret	Provide the UAA client secret. If you have forgotten this value, you can create a new UAA Client and save the client secret for future use.

Click Create Service.

The service instance is created in the Org and Space specified.

Using the Command Line to Create an Analytics Framework Service Instance

Create a new service instance using the command line as follows. Alternatively, you can create the service from Predix Console using the New service instance page.

Before You Begin

Ensure you have completed all Prerequisites described in Task Roadmap: Setting Up Analytics Framework Service Instance.

Create an Analytics Framework service instance as follows.

The following command assumes you want to configure framework optional features (that is, scheduler) and are integrating with Predix Asset and Time Series services. Omit any values not required for your environment. This command is not additive, the configuration parameters must contain the complete configuration details, including information previously configured that remains unchanged.

cf create-service predix-analytics-framework <plan> <my_framework_instance> -c '{ "trustedIssuerIds": [ "<uaa_instance_issuerId>" ], "runtimeClientId": "<my_runtime_client_id>", "runtimeClientSecret": "<my_runtime_client_secret>", "predixAssetZoneId": "<my_predix_asset_zone_id>", "predixTimeseriesZoneId": "<my_predix_timeseries_zone_id>"}'

Where


	Feature	Parameter	Description
1.		trustedIssuerIds	The trusted issuer ids for your UAA instance.
2.	Scheduler	runtimeClientId	Non-admin UAA client id to be used for running scheduled jobs. Should have non-expiring refresh token. You can create a dedicated UAA client. If you are creating this client for the first time, see Configuring an OAuth2 Client for Scheduler Using UAAC.
3.	Scheduler	runtimeClientSecret	Corresponding UAA client secret to be used to generate tokens for running scheduled jobs. Both (2) and (3) are required to configure scheduler feature.
4.	Predix Asset integration	predixAssetZoneId	Predix Zone ID for the dependent Predix Asset instance. Is needed only if your runtime uses a Predix Asset model for running orchestrations. You can look up the zone id by running: "`cf service <my_asset_instance> --guid`".
5.	Predix Time Series integration	predixTimeseriesZoneId	Predix Zone ID for the dependent Predix Time Series instance. Is needed only if your runtime uses Predix Time Series as a data source when running orchestrations. You can lookup the zone id by running: "`cf service <my_timeseries_instance> --guid`".

Note: These parameters can also be provided in a text file. See Passing Configuration Parameters Using a File.

Configuring an OAuth2 Client for Analytics Framework

Analytics Framework requires three dedicated OAuth2 clients to fully manage all service features. Configure the OAuth2 clients to manage authentication for the service.

Before You Begin

The OAuth2 clients should be already created. For more information, see OAuth2 Client Recommendations for Analytics Framework Service.

About This Task

When you create a new OAuth2 client, the client is assigned default scopes and authorities. You must add additional authorities or scopes that are specific to Analytics Framework service. When using the UAA Dashboard to create additional clients, the client is created with the default client_credentials grant type. Some required authorities and scopes are automatically added to the client.

Use UAA Dashboard to configure the OAuth2 clients with additional authorities and scopes that are specific to Analytics Framework service. For detailed steps describing how to use UAA Dashboard, see Updating the OAuth2 Client for Services.

To use UAA command-line interface (UAAC) to configure the clients, see Configuring an OAuth2 Client for Scheduler Using UAAC.

Procedure

In Predix Console, navigate to the UAA instance managing your Analytics Framework service instance.
Log into UAA Dashboard, then navigate to the Client Management tab.
Choose an existing client from the list or choose the Add a new client option. If you chose to add a new client, follow the steps in Creating an OAuth2 Client.

Configure each of the clients as follows.


Configuration Field	Value	Description
Authorized Grant Types	Analytics Framework client: Select either client_credentials or password, according to your needs. Scheduler client: Select password and refresh_token.	Minimum values required. You can add additional values as needed.
Scope	Both clients require the following scope: `analytics.zones.<service_instance_guid>.user`	When a service is protected by UAA, the scope controls what type of access is allowed to the service. The service scope must be registered with UAA. To enable applications to access the Analytics Framework service, your JSON Web Token (JWT) must contain the correct scopes.
Authorities	Both clients require the following authority: `analytics.zones.<service_instance_guid>.user`
Refresh Token Validity	Analytics Framework client: Any value is acceptable. Scheduler: Provide a non-expiring token value.

Clients who use the password grant type or refresh token grant type (Scheduler clients) require a UAA user who is a member of the analytics.zones.<service_instance_guid>.user group.
To create the group, follow the steps in the Creating Groups in a UAA Instance documentation. To create a user and add the user as a member of the group, follow the steps in the Creating Users in a UAA Instance documentation.

Configuring an OAuth2 Client for Scheduler Using UAAC

Before You Begin

This procedure uses the UAA Command Line Interface (UAAC). For more information on installing UAAC, see https://github.com/cloudfoundry/cf-uaac.

About This Task

The service provides an optional scheduler feature that must be configured separately if you plan to schedule an orchestration execution request (also called a job). When scheduling a job in a multi-tenant environment, the request must contain an OAuth2 token with sufficient privileges to schedule and execute the job.

In a multi-tenant environment, a tenant is an application or a group of users that share resources such as data, configuration, and user management. The tenants are logically isolated but physically integrated. That means even if the tenants use the same underlying resources, their data is isolated from each other. All users of a tenant have specific privileges to access the resources associated with that tenant. Each tenant can potentially use multiple service instances. The service instances are specific to the tenant.

When a scheduled job is triggered, the scheduler makes a REST API call to the job execution endpoint configured in the job request body. If the job execution endpoint is secured by OAuth2, the scheduler must be trusted with an OAuth2 client that is authorized to access the job execution endpoint

To configure authorization for job execution with refresh_token, the process is as follows:

Procedure

Create or configure an OAuth2 client, preferably a dedicated client.

It is recommended that you create a dedicated OAuth2 client for this purpose in order to give minimum privileges to this client, though you can use an existing client if desired. In either case, this client must be properly set up with the following requirements.
1. The client must be authorized with the refresh_token and password grant types. The client must also have the necessary scopes to authorize with the job execution endpoint. For example, in the case where the job execution endpoint is the orchestration execution service, the refresh token must have the analytics.zones.<analytics-framework-instance-id>.user scope.
  
  For more information, see Creating an OAuth2 Client and Updating the OAuth2 Client that uses Other Authorization Grant Types.
2. The refresh_token_validity attribute for the client must be configured to validate the refresh token for the duration of the job being scheduled. For example, if you are scheduling the job to run an orchestration for one year, the refresh token must be valid for one year. This can be configured by running the following uaac command: "uaac client update <client-id> --refresh_token_validity <seconds>".
Create a UAA user who is a member of the group analytics.zones.<service_instance_guid>.user. Follow the steps in the Using UAAC to Create Users in a UAA Instance documentation.
Ensure your OAuth2 client and user are set up properly. Follow the steps in Validating an OAuth2 Client for Scheduler.
Configure your existing Analytics Framework instance to enable scheduler. You must provide the values of "trustedClientCredential" configuration with the client credential of the dedicated OAuth2 client. Follow the steps in Updating an Analytics Framework Service Instance.

Configuring an OAuth2 Client for Predix Asset and Time Series Integration

About This Task

When a service scope is protected by UAA, the scope controls what type of access is allowed to the service. All scopes for the service being integrated together must be registered with UAA.

Update your JSON Web Toke (JWT) to include the following scopes:

analytics.zones.<analytics-framework-instance-id>.user
timeseries.zones.<timeseries-service-instance-id>.ingest
timeseries.zones.<timeseries-service-instance-id>.query
timeseries.zones.<timeseries-service-instance-id>.user
predix-asset.zones.<asset-data-service-instance-id>.user

The OAuth2 client uses an authorization grant to request an access token. OAuth2 defines four grant types. Based on the type of authorization grant used, you must update your OAuth2 client to generate the required JWT. For more information on how the OAuth2 client is created, see Creating an OAuth2 Client. For detailed steps to update the OAuth2 token to access your service instance, see Updating the OAuth2 Client for Services.

Validating an OAuth2 Client for Scheduler

Before You Begin

A dedicated OAuth2 client for scheduler must be already set up as described in Configuring an OAuth2 Client for Scheduler Using UAAC.

Procedure

Make a call to the OAuth2 token issuer to get an OAuth2 access token with a Password grant type. For more information, see Obtaining an OAuth2 Access Token for Analytics Services.
Using the "access_token" element of the response, ensure that the job execution endpoint can be invoked successfully.
Using the "refresh_token" element of the response, ensure that you can obtain a new access token by making a new call to the OAuth2 token issuer with the following parameters.
- HTTP Method: POST
- HTTP Endpoint: <OAuth2 token issuer>
- HTTP Header: Key = Authorization, Value = basic <base 64-encoded string of client-id:client-secret>. For example, Authorization: basic bXktY2xpZW50LWlkOm15LWNsaWVudC1zZWNyZXQ=.
Using the “access_token” element of the newly acquired OAuth2 token, ensure that the job execution endpoint can be invoked successfully.

Updating an Analytics Framework Service Instance

You can update your Analytics Framework service instance to add functionality by running the cf update-service command with the new configuration parameters.

These parameters can also be provided in a text file. For an example, see Passing Configuration Parameters Using a File.

To update your existing Analytics Framework service instance, choose from the following.

CAUTION: The configuration parameters provided when updating a service instance will replace all configuration parameters. The update command is not additive. If you want to retain existing configuration parameters, you must specify them again when running the update command. To verify the existing service configuration parameters, run the cf env command on the application bound to the service. Client secrets will not be shown.

To add the scheduler feature, supply the runtimeClientId and runtimeClientSecret parameters as shown. The following example assumes the trustedIssuerIds parameter was supplied when your Analytics Framework instance was created.

cf update-service predix-analytics-framework <plan> <my_service_instance> -c '{"trustedIssuerIds": [ "<uaa_instance_issuerId>" ], "runtimeClientId": "<my_runtime_client_id>", "runtimeClientSecret": "<my_runtime_client_secret>" }'

To add Predix Asset service, Time Series service, and scheduler feature, supply the runtimeClientId, runtimeClientSecret, predixAssetZoneId, and predixTimeseriesZoneId parameters as shown.

cf update-service predix-analytics-framework <plan> <my_service_instance> -c '{"trustedIssuerIds": [ "<uaa_instance_issuerId>" ], "runtimeClientId": "<my_runtime_client_id>", "runtimeClientSecret": "<my_runtime_client_secret>", "predixAssetZoneId": "<my_predix_asset_zone_id>", "predixTimeseriesZoneId": "<my_predix_timeseries_zone_id>"}'

If you are using external data sources during orchestration execution and your external data service is authenticated by credentials other than the OAuth2 token used in the orchestration request, supply the externalService parameters as shown. If not provided, access to the external data source defaults to the OAuth2 token used in the orchestration request.

cf update-service predix-analytics-framework <plan> <my_service_instance> -c '{"trustedIssuerIds": ["<uaa_instance_issuerId>", "<uaa_instance2_issuerId>"], "predixTimeseriesZoneId": "<my_predix_timeseries_zone_id>", "predixAssetZoneId": "<my_predix_asset_zone_id>", "externalServiceUaaUrl": "<uaa_url>", "externalServiceClientId": "<client_id>", "externalServiceClientSecret": "<client_secret>", "externalServiceUsername": "<username>", "externalServicePassword": "<password>", "externalServiceCustomHeaders": ["header1:value1", "header2:value2"]}'

Where


Parameter	Description
`<plan>`	The plan associated with a service.
`<my_service_instance>`	The name of your service instance.
`<uaa_instance_issuerId>`	The `issuerId` of your trusted issuer (UAA instance, for example, `https://13fa0384-9e2a-48e2-9d06-2c95a1f4f5ea.predix-uaa.run.aws-usw02-pr.ice.predix.io/oauth/token)`. You can use a comma-separated list to specify multiple trusted issuers. You can retrieve this URL from the VCAP_SERVICES environment variable after binding your UAA instance to an application.
"`predixTimeseriesZoneId`", "`predixAssetZoneId`"	If integrating with Predix Asset and Time Series services, provide their IDs.
"`runtimeClientId`", "`runtimeClientSecret`"	Values used during the job execution by the Predix Analytics Scheduler to obtain the OAuth2 token in order to authenticate the job execution. Set up an OAuth2 client in your trusted issuer and provide the client credentials.
A set of "`externalService`" parameters	Used to define credentials for external data sources. `externalServiceClientId`: Required. The external data source UAA client id. `externalServiceClientSecret`: Optional. The external data source UAA client secret. `externalServiceUsername`: Optional. The external data source user name. `externalServicePassword`: Optional. The external data source password. `externalServiceUaaUrl`: Required. The external data source UAA trusted issuer id. `externalServiceCustomHeaders`: Optional. Configure an array of key value pairs if you want to pass external parameters as part of the external data source URL. For example, `predix-zone-id: xxx-xxx-xxx`.

Note: If the service instance was previously bound to an application, you must unbind, then re-bind, and finally restage the application. This action ensures the new configuration is registered and available to the bound application when the cf env command is run.

Creating Service Keys

You can create service keys in order to retrieve service details needed to access the Analytics Framework APIs from outside the Cloud Foundry environment.

About This Task

You have two methods for retrieving service details for your instance:

Bind – Bind an existing application running in Cloud Foundry to your Analytics Framework instance, then retrieve service details from VCAP_SERVICES environmental variable. See Binding an Application to an Analytics Framework Instance.
Create Service Keys – To access the API for your service instance when outside the Predix cloud environment, create a service key and retrieve the service details needed. Use the following steps.

Procedure

Run the following command to create a service key.

cf create-service-key <service-instance-name> <service-key-name>

Run the following command to print out the service key.

cf service-key <service-instance-name> <service-key-name>

The output lists the service details needed to access the API from outside of the Predix Cloud. Messages similar to the following are returned, depending upon how your service instance is configured.

{
 "catalog_uri": "<catalog_uri>",
 "config_uri": “<config_uri>",
 "configurations": {
  "predix_asset_zone_id": "<my_asset_zone_id>",
  "predix_timeseries_zone_id": "<my_timeseries_zone_id>",
  "runtime_client_id": "<my_runtime_client_id>",
  "trusted_issuer_ids": "<my_trusted_issuer_id>"
 },
 "execution_uri": "<execution_uri>",
 "monitoring_uri": "<monitoring_uri>",
 "scheduler_uri": "<scheduler_uri>",
 "zone-http-header-name": "Predix-Zone-Id",
 "zone-http-header-value": "<my_predix_zone_id>",
 "zone-oauth-scope": "analytics.zones.<my_predix_zone_id>.user"
}

Binding an Application to an Analytics Framework Instance

Binding your Analytics Framework service instance to your application provisions connection details in the VCAP_SERVICES environment variable. Cloud Foundry runtime uses VCAP_SERVICES environment variable to communicate with a deployed application about its environment.

Before You Begin

The application must have been deployed (cf push) to Cloud Foundry. If you do not have an application of your own, you can create the Predix Hello World app and use that.

About This Task

You have two methods for retrieving service details for your instance:

Bind – Bind an existing application running in Cloud Foundry to your Analytics Framework instance, then retrieve service details from VCAP_SERVICES environmental variable. Use the following steps.
Create Service Keys – Create a service key and retrieve the service details needed to access the UI and the API for your service instance when outside the Predix cloud environment. See afs-get-started.html#task_5f8f5acf-6e2d-463f-bfde-5bd32a2fba16.

To bind the service instance to your application, enter the following command.

cf bind-service <app_name> <my-framework-instance>

Your application is bound to <my-framework-instance>, and a message similar to the following is returned:

Binding service <my-framework-instance> to app <app_name> in org <org_name> / space <space_name> as [email protected]...
OK
TIP: Use 'cf restage' to ensure your env variable changes take effect

To unbind the service instance from your application, enter the following command.

cf unbind-service <app_name> <my-framework-instance>

Verifying the Binding

After an application is bound to the service, you can retrieve details about the instance from VCAP_SERVICES environmental variable.

Before You Begin

Your Analytics Framework service instance is already bound to your application. See Binding an Application to an Analytics Framework Instance.

cf env <app_name>

Messages similar to the following are returned, depending upon how your service instance is configured.

System-Provided:
{
 "VCAP_SERVICES": {
  "predix-analytics-framework": [
   {
    "credentials": {
     "catalog_uri": "<catalog_uri>",
     "config_uri": "<config_uri",
     "configurations": {
      "predix_asset_zone_id": "<my_asset_zone_id>",
      "predix_timeseries_zone_id": "<my_timeseries_zone_id>",
      "runtime_client_id": "<my_runtime_client_id>",
      "trusted_issuer_ids": "<my_trusted_issuer_id>"
     },
     "execution_uri": "<execution_uri>",
     "monitoring_uri": "<monitoring_uri>",
     "scheduler_uri": "<scheduler_uri>",
     "zone-http-header-name": "Predix-Zone-Id",
     "zone-http-header-value": "<my_predix_zone_id>",
     "zone-oauth-scope": "analytics.zones.<my_predix_zone_id>.user"
    },
    "label": "predix-analytics-framework",
    "name": "<my_framework_instance>",
    "plan": "Tiered",
    "provider": null,
    "syslog_drain_url": null,
    "tags": [],
    "volume_mounts": []
   }
  ]
 }
}

You can retrieve the following Analytics Framework service instance details from the VCAP_SERVICES environment variable.


Parameter	Description
catalog_uri	Contains the URI for this Analytics Framework service instance
config_uri	Contains the URI for this Analytics Framework Configuration microservice instance. This base URI should be used for all Configuration API calls (where the endpoint starts with "/api/<version_number>/config")
predix_asset_zone_id	The dependent Predix Asset service instance zone id.
predix_timeseries_zone_id	The dependent Predix Time Series service instance zone id.
runtime_client_id	The non-admin UAA Client ID being used for running scheduled jobs.
trusted_issuer_ids
execution_uri	Contains the URI for this Analytics Framework Execution microservice instance. This base URI should be used for all Execution API calls (where the endpoint starts with "/api/<version_number>/execution")
monitoring_uri	Contains the URI to analytics monitoring microservice. This base URI should be used for Monitoring API calls (where the endpoint starts with "/api/<version_number>/monitoring")
scheduler_uri	Contains the URI for this Analytics Framework Scheduler microservice instance. This base URI should be used for all Scheduler API calls (where the endpoint starts with "/api/<version_number>/scheduler")
zone-http-header-name	Name of the header to include in any Analytics Framework service request
zone-http-header-value	Value of the header to include in any Analytics Framework service request
zone-oauth-scope	This scope is required in the end-user token to access a specific Analytics Framework instance

Obtaining an OAuth2 Access Token for Analytics Services

Predix services are protected by UAA. You must use an Authorization header to pass the OAuth2 access token when issuing REST requests to your service instance. Follow this process to obtain an OAuth2 access token.

Issue the following REST API request.

POST <uaa_instance_issuerId>

Where <uaa_instance_issuerId> is the issuerId of the trusted issuer (UAA instance) provided when the service instance was created. For example, https://13fa0384-9e2a-48e2-9d06-2c95a1f4f5ea.predix-uaa.run.aws-usw02-pr.ice.predix.io/oauth/token.

The request should contain the following header.

Header name: "Authorization"
Header value: “Basic <Base64(client_id:client_secret)>”
Where <Base64(client_id:client_secret)> is the Base64-encoded string containing the <client_id>:<client_secret>. For example, if <client-id> is my-client-id and <client-secret> is my-client-secret, the base-64 encoded string my-client-id:my-client-secret becomes bXktY2xpZW50LWlkOm15LWNsaWVudC1zZWNyZXQ=. The entire header value becomes "Basic bXktY2xpZW50LWlkOm15LWNsaWVudC1zZWNyZXQ=".

The request body should be URL-encoded. Its contents depend on the authorization grant type you have configured in your UAA instance.

Client Credential Type: For a client credentials grant type, the body must contain the following: grant_type=client_credentials.

Password Grant Type

For a password grant type, the body must contain the following:

grant_type=password
username=<my_user_name>
password=<my_password>

The response will contain the following structure.

{
  "access_token":<generated_access_token>,
  "token_type":"bearer",
  "expires_in":3600
}

You must use the <generated_access_token> value in the header of the REST requests made to the service.

Configuring REST Request Headers

The Analytics Framework service REST API endpoints provide a JSON interface for passing data. The application makes HTTPS requests to these API interfaces.

About This Task

All REST requests must contain the following headers for multi-tenant support (provided by Predix UAA Service). Whenever the application makes a call to the service, these headers identify which tenant the application belongs to and must be configured as follows.

UAA Authorization

Header name: "Authorization"
Header value: "Bearer <token obtained from trusted issuer>". For more information, see Obtaining an OAuth2 Access Token for Analytics Services.

Predix Zone

Header name: The zone-http-header-name from the VCAP_SERVICES environment variable for your Analytics Framework instance. For example, Predix-Zone-Id.
Header value: The zone-http-header-value from the VCAP_SERVICES environment variable for your Analytics Framework instance. For example, ba99ab7b-172f-4fe4-8ce9-45afa8a4ab0c.

The following figure shows an example of how to set up the headers for a REST request in Postman.

For information about retrieving VCAP environment variables, see Verifying the Binding.

Deleting an Analytics Framework Service Using REST APIs

You must first delete all subscription analytics from the Analytics Catalog before you delete the Analytics Framework service instance.

Procedure

Required: Delete all subscription analytics from the Analytics Catalog. This removes them from future subscription billing.

You can delete the analytics using either the REST API call method or the UI method.
Delete the Analytics Framework service instance by issuing the following REST API call.
```
cf delete-service <my-service-instance>
```
Where <my-service-instance> is the name of your Analytics Framework service instance.

Note: The delete action will fail with an error message if any subscription analytics still remain in the catalog. In this case, delete any subscription analytics and try again.