root / docs / source / devguide.rst @ 270dd48d
History | View | Annotate | Download (10.2 kB)
1 | 890b0eaf | Sofia Papagiannaki | Astakos Developer Guide |
---|---|---|---|
2 | 890b0eaf | Sofia Papagiannaki | ======================= |
3 | 890b0eaf | Sofia Papagiannaki | |
4 | 890b0eaf | Sofia Papagiannaki | Introduction |
5 | 890b0eaf | Sofia Papagiannaki | ------------ |
6 | 890b0eaf | Sofia Papagiannaki | |
7 | 462c63e8 | Sofia Papagiannaki | Astakos serves as the point of authentication for GRNET (http://www.grnet.gr) services. It is a platform-wide service, allowing users to register, login, and keep track of permissions. |
8 | 890b0eaf | Sofia Papagiannaki | |
9 | 462c63e8 | Sofia Papagiannaki | Users in astakos can be authenticated via several identity providers: |
10 | 462c63e8 | Sofia Papagiannaki | |
11 | 462c63e8 | Sofia Papagiannaki | * Local |
12 | 890b0eaf | Sofia Papagiannaki | |
13 | 890b0eaf | Sofia Papagiannaki | * Shibboleth |
14 | 890b0eaf | Sofia Papagiannaki | |
15 | 1ae97c83 | Sofia Papagiannaki | It provides also a command line tool for managing user accounts. |
16 | 890b0eaf | Sofia Papagiannaki | |
17 | 462c63e8 | Sofia Papagiannaki | It is build over django and extends its authentication mechanism. |
18 | 890b0eaf | Sofia Papagiannaki | |
19 | 890b0eaf | Sofia Papagiannaki | This document's goals are: |
20 | 890b0eaf | Sofia Papagiannaki | |
21 | 462c63e8 | Sofia Papagiannaki | * present the overall architectural design. |
22 | 462c63e8 | Sofia Papagiannaki | * provide basic use cases. |
23 | 462c63e8 | Sofia Papagiannaki | * describe the APIs to the outer world. |
24 | 462c63e8 | Sofia Papagiannaki | * document the views and provide guidelines for a developer to extend them. |
25 | 890b0eaf | Sofia Papagiannaki | |
26 | 462c63e8 | Sofia Papagiannaki | The present document is meant to be read alongside the Django documentation (https://www.djangoproject.com/). Thus, it is suggested that the reader is familiar with associated technologies. |
27 | 890b0eaf | Sofia Papagiannaki | |
28 | 890b0eaf | Sofia Papagiannaki | Document Revisions |
29 | 890b0eaf | Sofia Papagiannaki | ^^^^^^^^^^^^^^^^^^ |
30 | 890b0eaf | Sofia Papagiannaki | |
31 | 890b0eaf | Sofia Papagiannaki | ========================= ================================ |
32 | 890b0eaf | Sofia Papagiannaki | Revision Description |
33 | 890b0eaf | Sofia Papagiannaki | ========================= ================================ |
34 | d49c2fa0 | root | 0.1 (Feb 10, 2012) Initial release. |
35 | 890b0eaf | Sofia Papagiannaki | ========================= ================================ |
36 | 890b0eaf | Sofia Papagiannaki | |
37 | 462c63e8 | Sofia Papagiannaki | Overview |
38 | 462c63e8 | Sofia Papagiannaki | -------- |
39 | 462c63e8 | Sofia Papagiannaki | |
40 | 462c63e8 | Sofia Papagiannaki | Astakos service co-ordinates the access to resources (and the subsequent permission model) and acts as the single point of registry and entry to the GRNET cloud offering, comprising of Cyclades and Pithos subsystems. |
41 | 462c63e8 | Sofia Papagiannaki | |
42 | 462c63e8 | Sofia Papagiannaki | It also propagates the user state to the Aquarium pricing subsystem. |
43 | 462c63e8 | Sofia Papagiannaki | |
44 | 462c63e8 | Sofia Papagiannaki | .. image:: images/~okeanos.jpg |
45 | 462c63e8 | Sofia Papagiannaki | |
46 | 462c63e8 | Sofia Papagiannaki | Registration Use Cases |
47 | 462c63e8 | Sofia Papagiannaki | ---------------------- |
48 | 462c63e8 | Sofia Papagiannaki | |
49 | 462c63e8 | Sofia Papagiannaki | The following subsections describe two basic registration use cases. All the registration cases are covered in :ref:`registration-flow-label` |
50 | 462c63e8 | Sofia Papagiannaki | |
51 | 462c63e8 | Sofia Papagiannaki | Invited user |
52 | 462c63e8 | Sofia Papagiannaki | ^^^^^^^^^^^^ |
53 | 462c63e8 | Sofia Papagiannaki | |
54 | 462c63e8 | Sofia Papagiannaki | A registered ~okeanos user, invites student Alice to subscribe to ~okeanos services. Alice receives an email and through a link is navigated to Astakos's signup page. The system prompts her to select one of the available authentication mechanisms (Shibboleth, Twitter or local authentication) in order to register to the system. Alice already has a Shibboleth account so chooses that and then she is redirected to her institution's login page. Upon successful login, her account is created. |
55 | 462c63e8 | Sofia Papagiannaki | |
56 | 462c63e8 | Sofia Papagiannaki | Since she is invited his account is automaticaly activated and she is redirected to Astakos's login page. As this is the first time Alice has accessed the system she is redirected to her profile page where she can edit or provide more information. |
57 | 462c63e8 | Sofia Papagiannaki | |
58 | 462c63e8 | Sofia Papagiannaki | Not invited user |
59 | 462c63e8 | Sofia Papagiannaki | ^^^^^^^^^^^^^^^^ |
60 | 462c63e8 | Sofia Papagiannaki | |
61 | 462c63e8 | Sofia Papagiannaki | Tony while browsing in the internet finds out about ~okeanos services. He visits the signup page and since his has already a twitter account selects the twitter authentication mechanism and he is redirected to twitter login page where he is promted to provide his credentials. Upon successful login, twitter redirects him back to the Astakos and the account is created. |
62 | 462c63e8 | Sofia Papagiannaki | |
63 | 462c63e8 | Sofia Papagiannaki | Since his not an invited user his account has to be activated from an administrator first, in order to be able to login. Upon the account's activation he receives an email and through a link he is redirected to the login page. |
64 | 462c63e8 | Sofia Papagiannaki | |
65 | 462c63e8 | Sofia Papagiannaki | Authentication Use Cases |
66 | 462c63e8 | Sofia Papagiannaki | ------------------------ |
67 | 462c63e8 | Sofia Papagiannaki | |
68 | 462c63e8 | Sofia Papagiannaki | Cloud service user |
69 | 462c63e8 | Sofia Papagiannaki | ^^^^^^^^^^^^^^^^^^ |
70 | 462c63e8 | Sofia Papagiannaki | |
71 | 462c63e8 | Sofia Papagiannaki | Alice requests a specific resource from a cloud service ex. Pithos. In the request supplies the `X-Auth-Token`` to identify whether she is eligible to perform the specific task. The service contacts Astakos through its ``/im/authenticate`` api call (see :ref:`authenticate-api-label`) providing the specific ``X-Auth-Token``. Astakos checkes whether the token belongs to an active user and it has not expired and returns a dictionary containing user related information. Finally the service uses the ``uniq`` field included in the dictionary as the account string to identify the user accessible resources. |
72 | 462c63e8 | Sofia Papagiannaki | |
73 | 462c63e8 | Sofia Papagiannaki | .. _registration-flow-label: |
74 | 462c63e8 | Sofia Papagiannaki | |
75 | 462c63e8 | Sofia Papagiannaki | Registration Flow |
76 | 462c63e8 | Sofia Papagiannaki | ----------------- |
77 | 462c63e8 | Sofia Papagiannaki | |
78 | 462c63e8 | Sofia Papagiannaki | .. image:: images/signup.jpg |
79 | d49c2fa0 | root | :scale: 100% |
80 | 462c63e8 | Sofia Papagiannaki | |
81 | 462c63e8 | Sofia Papagiannaki | Login Flow |
82 | 462c63e8 | Sofia Papagiannaki | ---------- |
83 | 462c63e8 | Sofia Papagiannaki | .. image:: images/login.jpg |
84 | d49c2fa0 | root | :scale: 100% |
85 | 462c63e8 | Sofia Papagiannaki | |
86 | 462c63e8 | Sofia Papagiannaki | .. _authentication-label: |
87 | 462c63e8 | Sofia Papagiannaki | |
88 | 890b0eaf | Sofia Papagiannaki | Astakos Users and Authentication |
89 | 890b0eaf | Sofia Papagiannaki | -------------------------------- |
90 | 890b0eaf | Sofia Papagiannaki | |
91 | 462c63e8 | Sofia Papagiannaki | Astakos incorporates django user authentication system and extends its User model. |
92 | 890b0eaf | Sofia Papagiannaki | |
93 | 462c63e8 | Sofia Papagiannaki | Since username field of django User model has a limitation of 30 characters, AstakosUser is **uniquely** identified by the ``email`` instead. Therefore, ``astakos.im.authentication_backends.EmailBackend`` is served to authenticate a user using email if the first argument is actually an email, otherwise tries the username. |
94 | 462c63e8 | Sofia Papagiannaki | |
95 | 462c63e8 | Sofia Papagiannaki | A new AstakosUser instance is assigned with a uui as username and also with a ``auth_token`` used by the cloud services to authenticate the user. ``astakos.im.authentication_backends.TokenBackend`` is also specified in order to authenticate the user using the email and the token fields. |
96 | 890b0eaf | Sofia Papagiannaki | |
97 | 890b0eaf | Sofia Papagiannaki | Logged on users can perform a number of actions: |
98 | 890b0eaf | Sofia Papagiannaki | |
99 | 462c63e8 | Sofia Papagiannaki | * access and edit their profile via: ``/im/profile``. |
100 | 462c63e8 | Sofia Papagiannaki | * change their password via: ``/im/password`` |
101 | 462c63e8 | Sofia Papagiannaki | * invite somebody else via: ``/im/invite`` |
102 | 462c63e8 | Sofia Papagiannaki | * send feedback for grnet services via: ``/im/send_feedback`` |
103 | 462c63e8 | Sofia Papagiannaki | * logout (and delete cookie) via: ``/im/logout`` |
104 | 462c63e8 | Sofia Papagiannaki | |
105 | 1ae97c83 | Sofia Papagiannaki | User entries can also be modified/added via the ``snf-manage activateuser`` command. |
106 | 890b0eaf | Sofia Papagiannaki | |
107 | d49c2fa0 | root | A superuser account can be created the first time you run the ``manage.py syncdb`` django command and then loading the extra user data from the ``admin_user`` fixture. At a later date, the ``manage.py createsuperuser`` command line utility can be used (as long as the extra user data for Astakos is added with a fixture or by hand). |
108 | 890b0eaf | Sofia Papagiannaki | |
109 | 462c63e8 | Sofia Papagiannaki | Internal Astakos requests are handled using cookie-based django user sessions. |
110 | 890b0eaf | Sofia Papagiannaki | |
111 | 462c63e8 | Sofia Papagiannaki | External systems in the same domain can delgate ``/login`` URI. The server, depending on its configuration will redirect to the appropriate login page. When done with logging in, the service's login URI should redirect to the URI provided with next, adding user and token parameters, which contain the email and token fields respectively. |
112 | 890b0eaf | Sofia Papagiannaki | |
113 | 890b0eaf | Sofia Papagiannaki | The login URI accepts the following parameters: |
114 | 890b0eaf | Sofia Papagiannaki | |
115 | 890b0eaf | Sofia Papagiannaki | ====================== ========================= |
116 | 890b0eaf | Sofia Papagiannaki | Request Parameter Name Value |
117 | 890b0eaf | Sofia Papagiannaki | ====================== ========================= |
118 | 890b0eaf | Sofia Papagiannaki | next The URI to redirect to when the process is finished |
119 | 890b0eaf | Sofia Papagiannaki | renew Force token renewal (no value parameter) |
120 | ebd369d0 | Sofia Papagiannaki | force Force logout current user (no value parameter) |
121 | 890b0eaf | Sofia Papagiannaki | ====================== ========================= |
122 | 890b0eaf | Sofia Papagiannaki | |
123 | 462c63e8 | Sofia Papagiannaki | External systems outside the domain scope can acquire the user information by a cookie set identified by ASTAKOS_COOKIE_NAME setting. |
124 | 890b0eaf | Sofia Papagiannaki | |
125 | 462c63e8 | Sofia Papagiannaki | Finally, backend systems having acquired a token can use the :ref:`authenticate-api-label` api call from a private network or through HTTPS. |
126 | 890b0eaf | Sofia Papagiannaki | |
127 | 890b0eaf | Sofia Papagiannaki | The Astakos API |
128 | 890b0eaf | Sofia Papagiannaki | --------------- |
129 | 890b0eaf | Sofia Papagiannaki | |
130 | 462c63e8 | Sofia Papagiannaki | .. _authenticate-api-label: |
131 | 462c63e8 | Sofia Papagiannaki | |
132 | 890b0eaf | Sofia Papagiannaki | Authenticate |
133 | 890b0eaf | Sofia Papagiannaki | ^^^^^^^^^^^^ |
134 | 890b0eaf | Sofia Papagiannaki | |
135 | 1ae97c83 | Sofia Papagiannaki | Authenticate API requests require a token. An application that wishes to connect to Astakos, but does not have a token, should redirect the user to ``/login``. (see :ref:`authentication-label`) |
136 | 1ae97c83 | Sofia Papagiannaki | |
137 | 462c63e8 | Sofia Papagiannaki | ==================== ========= ================== |
138 | 1ae97c83 | Sofia Papagiannaki | Uri Method Description |
139 | 462c63e8 | Sofia Papagiannaki | ==================== ========= ================== |
140 | 462c63e8 | Sofia Papagiannaki | ``/im/authenticate`` GET Authenticate user using token |
141 | 462c63e8 | Sofia Papagiannaki | ==================== ========= ================== |
142 | 890b0eaf | Sofia Papagiannaki | |
143 | 890b0eaf | Sofia Papagiannaki | | |
144 | 890b0eaf | Sofia Papagiannaki | |
145 | 890b0eaf | Sofia Papagiannaki | ==================== =========================== |
146 | 890b0eaf | Sofia Papagiannaki | Request Header Name Value |
147 | 890b0eaf | Sofia Papagiannaki | ==================== =========================== |
148 | 890b0eaf | Sofia Papagiannaki | X-Auth-Token Authentication token |
149 | 890b0eaf | Sofia Papagiannaki | ==================== =========================== |
150 | 890b0eaf | Sofia Papagiannaki | |
151 | 890b0eaf | Sofia Papagiannaki | Extended information on the user serialized in the json format will be returned: |
152 | 890b0eaf | Sofia Papagiannaki | |
153 | 890b0eaf | Sofia Papagiannaki | =========================== ============================ |
154 | 890b0eaf | Sofia Papagiannaki | Name Description |
155 | 890b0eaf | Sofia Papagiannaki | =========================== ============================ |
156 | 462c63e8 | Sofia Papagiannaki | username User uniq identifier |
157 | 462c63e8 | Sofia Papagiannaki | uniq User email (uniq identifier used by Astakos) |
158 | 890b0eaf | Sofia Papagiannaki | auth_token Authentication token |
159 | 890b0eaf | Sofia Papagiannaki | auth_token_expires Token expiration date |
160 | 890b0eaf | Sofia Papagiannaki | auth_token_created Token creation date |
161 | 270dd48d | Sofia Papagiannaki | has_credits Whether user has credits |
162 | 270dd48d | Sofia Papagiannaki | has_signed_terms Whether user has aggred on terms |
163 | 890b0eaf | Sofia Papagiannaki | =========================== ============================ |
164 | 890b0eaf | Sofia Papagiannaki | |
165 | 890b0eaf | Sofia Papagiannaki | Example reply: |
166 | 890b0eaf | Sofia Papagiannaki | |
167 | 890b0eaf | Sofia Papagiannaki | :: |
168 | 890b0eaf | Sofia Papagiannaki | |
169 | 462c63e8 | Sofia Papagiannaki | {"username": "4ad9f34d6e7a4992b34502d40f40cb", |
170 | 462c63e8 | Sofia Papagiannaki | "uniq": "papagian@example.com" |
171 | 890b0eaf | Sofia Papagiannaki | "auth_token": "0000", |
172 | 890b0eaf | Sofia Papagiannaki | "auth_token_expires": "Tue, 11-Sep-2012 09:17:14 ", |
173 | 270dd48d | Sofia Papagiannaki | "auth_token_created": "Sun, 11-Sep-2011 09:17:14 ", |
174 | 270dd48d | Sofia Papagiannaki | "has_credits": false, |
175 | 270dd48d | Sofia Papagiannaki | "has_signed_terms": true} |
176 | 890b0eaf | Sofia Papagiannaki | |
177 | 890b0eaf | Sofia Papagiannaki | | |
178 | 890b0eaf | Sofia Papagiannaki | |
179 | 863193cb | Sofia Papagiannaki | =========================== ===================== |
180 | 863193cb | Sofia Papagiannaki | Return Code Description |
181 | 863193cb | Sofia Papagiannaki | =========================== ===================== |
182 | 863193cb | Sofia Papagiannaki | 204 (No Content) The request succeeded |
183 | 863193cb | Sofia Papagiannaki | 400 (Bad Request) The request is invalid |
184 | 270dd48d | Sofia Papagiannaki | 401 (Unauthorized) Missing token or inactive user or penging approval terms |
185 | 863193cb | Sofia Papagiannaki | 500 (Internal Server Error) The request cannot be completed because of an internal error |
186 | d49c2fa0 | root | =========================== ===================== |
187 | 1ae97c83 | Sofia Papagiannaki | |
188 | 1ae97c83 | Sofia Papagiannaki | Get Services |
189 | 1ae97c83 | Sofia Papagiannaki | ^^^^^^^^^^^^ |
190 | 1ae97c83 | Sofia Papagiannaki | |
191 | 1ae97c83 | Sofia Papagiannaki | Returns a json formatted list containing information about the supported cloud services. |
192 | 1ae97c83 | Sofia Papagiannaki | |
193 | 1ae97c83 | Sofia Papagiannaki | ==================== ========= ================== |
194 | 1ae97c83 | Sofia Papagiannaki | Uri Method Description |
195 | 1ae97c83 | Sofia Papagiannaki | ==================== ========= ================== |
196 | 1ae97c83 | Sofia Papagiannaki | ``/im/get_services`` GET Get cloud services |
197 | 1ae97c83 | Sofia Papagiannaki | ==================== ========= ================== |
198 | 1ae97c83 | Sofia Papagiannaki | |
199 | 1ae97c83 | Sofia Papagiannaki | Example reply: |
200 | 1ae97c83 | Sofia Papagiannaki | |
201 | 1ae97c83 | Sofia Papagiannaki | :: |
202 | 1ae97c83 | Sofia Papagiannaki | |
203 | 1ae97c83 | Sofia Papagiannaki | [{"url": "/", "icon": "home-icon.png", "name": "grnet cloud", "id": "cloud"}, |
204 | 1ae97c83 | Sofia Papagiannaki | {"url": "/okeanos.html", "name": "~okeanos", "id": "okeanos"}, |
205 | 1ae97c83 | Sofia Papagiannaki | {"url": "/ui/", "name": "pithos+", "id": "pithos"}] |
206 | 1ae97c83 | Sofia Papagiannaki | |
207 | 1ae97c83 | Sofia Papagiannaki | Get Menu |
208 | 1ae97c83 | Sofia Papagiannaki | ^^^^^^^^ |
209 | 1ae97c83 | Sofia Papagiannaki | |
210 | 1ae97c83 | Sofia Papagiannaki | Returns a json formatted list containing the cloud bar links. |
211 | 1ae97c83 | Sofia Papagiannaki | |
212 | 1ae97c83 | Sofia Papagiannaki | ==================== ========= ================== |
213 | 1ae97c83 | Sofia Papagiannaki | Uri Method Description |
214 | 1ae97c83 | Sofia Papagiannaki | ==================== ========= ================== |
215 | 1ae97c83 | Sofia Papagiannaki | ``/im/get_menu`` GET Get cloud bar menu |
216 | 1ae97c83 | Sofia Papagiannaki | ==================== ========= ================== |
217 | 1ae97c83 | Sofia Papagiannaki | |
218 | ded3a1b7 | Sofia Papagiannaki | | |
219 | ded3a1b7 | Sofia Papagiannaki | |
220 | ded3a1b7 | Sofia Papagiannaki | ====================== ========================= |
221 | ded3a1b7 | Sofia Papagiannaki | Request Parameter Name Value |
222 | ded3a1b7 | Sofia Papagiannaki | ====================== ========================= |
223 | ded3a1b7 | Sofia Papagiannaki | location Location to pass in the next parameter |
224 | ded3a1b7 | Sofia Papagiannaki | ====================== ========================= |
225 | ded3a1b7 | Sofia Papagiannaki | |
226 | 1ae97c83 | Sofia Papagiannaki | Example reply if request user is not authenticated: |
227 | 1ae97c83 | Sofia Papagiannaki | |
228 | 1ae97c83 | Sofia Papagiannaki | :: |
229 | 1ae97c83 | Sofia Papagiannaki | |
230 | 1ae97c83 | Sofia Papagiannaki | [{"url": "/im/login?next=", "name": "login..."}] |
231 | 1ae97c83 | Sofia Papagiannaki | |
232 | 1ae97c83 | Sofia Papagiannaki | Example reply if request user is authenticated: |
233 | 1ae97c83 | Sofia Papagiannaki | |
234 | 1ae97c83 | Sofia Papagiannaki | [{"url": "/im/profile", "name": "spapagian@grnet.gr"}, |
235 | 1ae97c83 | Sofia Papagiannaki | {"url": "/im/profile", "name": "view your profile..."}, |
236 | 1ae97c83 | Sofia Papagiannaki | {"url": "/im/password", "name": "change your password..."}, |
237 | 1ae97c83 | Sofia Papagiannaki | {"url": "/im/feedback", "name": "feedback..."}, |
238 | 1ae97c83 | Sofia Papagiannaki | {"url": "/im/logout", "name": "logout..."}] |
239 | 1ae97c83 | Sofia Papagiannaki | |
240 | 1ae97c83 | Sofia Papagiannaki | |
241 | 1ae97c83 | Sofia Papagiannaki |