Statistics
| Branch: | Tag: | Revision:

root / docs / source / devguide.rst @ 0af186f6

History | View | Annotate | Download (10.1 kB)

1
Astakos Developer Guide
2
=======================
3

    
4
Introduction
5
------------
6

    
7
Astakos serves as the point of authentication for GRNET (http://www.grnet.gr) services. It is a platform-wide service, allowing users to register, login, and keep track of permissions.
8

    
9
Users in astakos can be authenticated via several identity providers:
10

    
11
* Local
12
* Shibboleth
13

    
14
It provides also a command line tool for managing user accounts.
15

    
16
It is build over django and extends its authentication mechanism.
17

    
18
This document's goals are:
19

    
20
* present the overall architectural design.
21
* provide basic use cases.
22
* describe the APIs to the outer world.
23
* document the views and provide guidelines for a developer to extend them.
24

    
25
The present document is meant to be read alongside the Django documentation (https://www.djangoproject.com/). Thus, it is suggested that the reader is familiar with associated technologies.
26

    
27
Document Revisions
28
^^^^^^^^^^^^^^^^^^
29

    
30
=========================  ================================
31
Revision                   Description
32
=========================  ================================
33
0.1 (Feb 10, 2012)         Initial release.
34
=========================  ================================
35

    
36
Overview
37
--------
38

    
39
Astakos service co-ordinates the access to resources (and the subsequent permission model) and acts as the single point of registry and entry to the GRNET cloud offering, comprising of Cyclades and Pithos subsystems.
40

    
41
It also propagates the user state to the Aquarium pricing subsystem.
42

    
43
.. image:: images/~okeanos.jpg
44

    
45
Registration Use Cases
46
----------------------
47

    
48
The following subsections describe two basic registration use cases. All the registration cases are covered in :ref:`registration-flow-label`
49

    
50
Invited user
51
^^^^^^^^^^^^
52

    
53
A registered ~okeanos user, invites student Alice to subscribe to ~okeanos services. Alice receives an email and through a link is navigated to Astakos's signup page. The system prompts her to select one of the available authentication mechanisms (Shibboleth or local authentication) in order to register to the system. Alice already has a Shibboleth account so chooses that and then she is redirected to her institution's login page. Upon successful login, her account is created.
54

    
55
Since she is invited his account is automaticaly activated and she is redirected to Astakos's login page. As this is the first time Alice has accessed the system she is redirected to her profile page where she can edit or provide more information.
56

    
57
Not invited user
58
^^^^^^^^^^^^^^^^
59

    
60
Tony while browsing in the internet finds out about ~okeanos services. He visits the signup page and since his has not a shibboleth account selects the local authentication mechanism. Upon successful signup the account is created.
61

    
62
Since his not an invited user his account has to be activated from an administrator first, in order to be able to login. Upon the account's activation he receives an email and through a link he is redirected to the login page.
63

    
64
Authentication Use Cases
65
------------------------
66

    
67
Cloud service user
68
^^^^^^^^^^^^^^^^^^
69

    
70
Alice requests a specific resource from a cloud service ex. Pithos. In the request supplies the `X-Auth-Token`` to identify whether she is eligible to perform the specific task. The service contacts Astakos through its ``/im/authenticate`` api call (see :ref:`authenticate-api-label`) providing the specific ``X-Auth-Token``. Astakos checkes whether the token belongs to an active user and it has not expired and returns a dictionary containing user related information. Finally the service uses the ``uniq`` field included in the dictionary as the account string to identify the user accessible resources. 
71

    
72
.. _registration-flow-label:
73

    
74
Registration Flow
75
-----------------
76

    
77
.. image:: images/signup.jpg
78
    :scale: 100%
79

    
80
Login Flow
81
----------
82
.. image:: images/login.jpg
83
    :scale: 100%
84

    
85
.. _authentication-label:
86

    
87
Astakos Users and Authentication
88
--------------------------------
89

    
90
Astakos incorporates django user authentication system and extends its User model.
91

    
92
Since username field of django User model has a limitation of 30 characters, AstakosUser is **uniquely** identified by the ``email`` instead. Therefore, ``astakos.im.authentication_backends.EmailBackend`` is served to authenticate a user using email if the first argument is actually an email, otherwise tries the username.
93

    
94
A new AstakosUser instance is assigned with a uui as username and also with a ``auth_token`` used by the cloud services to authenticate the user. ``astakos.im.authentication_backends.TokenBackend`` is also specified in order to authenticate the user using the email and the token fields.
95

    
96
Logged on users can perform a number of actions:
97

    
98
* access and edit their profile via: ``/im/profile``.
99
* change their password via: ``/im/password``
100
* invite somebody else via: ``/im/invite``
101
* send feedback for grnet services via: ``/im/feedback``
102
* logout (and delete cookie) via: ``/im/logout``
103

    
104
User entries can also be modified/added via the ``snf-manage activateuser`` command.
105

    
106
A superuser account can be created the first time you run the ``manage.py syncdb`` django command and then loading the extra user data from the ``admin_user`` fixture. At a later date, the ``manage.py createsuperuser`` command line utility can be used (as long as the extra user data for Astakos is added with a fixture or by hand).
107

    
108
Internal Astakos requests are handled using cookie-based django user sessions.
109

    
110
External systems in the same domain can delgate ``/login`` URI. The server, depending on its configuration will redirect to the appropriate login page. When done with logging in, the service's login URI should redirect to the URI provided with next, adding user and token parameters, which contain the email and token fields respectively.
111

    
112
The login URI accepts the following parameters:
113

    
114
======================  =========================
115
Request Parameter Name  Value
116
======================  =========================
117
next                    The URI to redirect to when the process is finished
118
renew                   Force token renewal (no value parameter)
119
force                   Force logout current user (no value parameter)
120
======================  =========================
121

    
122
External systems outside the domain scope can acquire the user information by a cookie set identified by ASTAKOS_COOKIE_NAME setting.
123

    
124
Finally, backend systems having acquired a token can use the :ref:`authenticate-api-label` api call from a private network or through HTTPS.
125

    
126
The Astakos API
127
---------------
128

    
129
.. _authenticate-api-label:
130

    
131
Authenticate
132
^^^^^^^^^^^^
133

    
134
Authenticate API requests require a token. An application that wishes to connect to Astakos, but does not have a token, should redirect the user to ``/login``. (see :ref:`authentication-label`)
135

    
136
==================== =========  ==================
137
Uri                  Method     Description
138
==================== =========  ==================
139
``/im/authenticate`` GET        Authenticate user using token
140
==================== =========  ==================
141

    
142
|
143

    
144
====================  ===========================
145
Request Header Name   Value
146
====================  ===========================
147
X-Auth-Token          Authentication token
148
====================  ===========================
149

    
150
Extended information on the user serialized in the json format will be returned:
151

    
152
===========================  ============================
153
Name                         Description
154
===========================  ============================
155
username                     User uniq identifier
156
uniq                         User email (uniq identifier used by Astakos)
157
auth_token                   Authentication token
158
auth_token_expires           Token expiration date
159
auth_token_created           Token creation date
160
has_credits                  Whether user has credits
161
has_signed_terms             Whether user has aggred on terms
162
===========================  ============================
163

    
164
Example reply:
165

    
166
::
167

    
168
  {"userid": "270d191e09834408b7af65885f46a3",
169
  "email": ["user111@example.com"],
170
  "name": "user1 User1",
171
  "auth_token_created": 1333372365000,
172
  "auth_token_expires": 1335964365000,
173
  "auth_token": "uiWDLAgtJOGW4mI4q9R/8w==",
174
  "has_credits": true}
175

    
176
|
177

    
178
=========================== =====================
179
Return Code                 Description
180
=========================== =====================
181
204 (No Content)            The request succeeded
182
400 (Bad Request)           The request is invalid
183
401 (Unauthorized)          Missing token or inactive user or penging approval terms
184
500 (Internal Server Error) The request cannot be completed because of an internal error
185
=========================== =====================
186

    
187
Get Services
188
^^^^^^^^^^^^
189

    
190
Returns a json formatted list containing information about the supported cloud services.
191

    
192
==================== =========  ==================
193
Uri                  Method     Description
194
==================== =========  ==================
195
``/im/get_services`` GET        Get cloud services
196
==================== =========  ==================
197

    
198
Example reply:
199

    
200
::
201

    
202
[{"url": "/", "icon": "home-icon.png", "name": "grnet cloud", "id": "cloud"},
203
 {"url": "/okeanos.html", "name": "~okeanos", "id": "okeanos"},
204
 {"url": "/ui/", "name": "pithos+", "id": "pithos"}]
205
 
206
Get Menu
207
^^^^^^^^
208

    
209
Returns a json formatted list containing the cloud bar links. 
210

    
211
==================== =========  ==================
212
Uri                  Method     Description
213
==================== =========  ==================
214
``/im/get_menu``     GET        Get cloud bar menu
215
==================== =========  ==================
216

    
217
|
218

    
219
======================  =========================
220
Request Parameter Name  Value
221
======================  =========================
222
location                Location to pass in the next parameter
223
======================  =========================
224

    
225
Example reply if request user is not authenticated:
226

    
227
::
228

    
229
[{"url": "/im/login?next=", "name": "login..."}]
230

    
231
Example reply if request user is authenticated:
232

    
233
[{"url": "/im/profile", "name": "spapagian@grnet.gr"},
234
 {"url": "/im/profile", "name": "view your profile..."},
235
 {"url": "/im/password", "name": "change your password..."},
236
 {"url": "/im/feedback", "name": "feedback..."},
237
 {"url": "/im/logout", "name": "logout..."}]
238

    
239

    
240
.. include:: ../../snf-astakos-app/Changelog