Revision 262c2717
/dev/null | ||
---|---|---|
1 |
# Copyright 2012 GRNET S.A. All rights reserved. |
|
2 |
# |
|
3 |
# Redistribution and use in source and binary forms, with or |
|
4 |
# without modification, are permitted provided that the following |
|
5 |
# conditions are met: |
|
6 |
# |
|
7 |
# 1. Redistributions of source code must retain the above |
|
8 |
# copyright notice, this list of conditions and the following |
|
9 |
# disclaimer. |
|
10 |
# |
|
11 |
# 2. Redistributions in binary form must reproduce the above |
|
12 |
# copyright notice, this list of conditions and the following |
|
13 |
# disclaimer in the documentation and/or other materials |
|
14 |
# provided with the distribution. |
|
15 |
# |
|
16 |
# THIS SOFTWARE IS PROVIDED BY GRNET S.A. ``AS IS'' AND ANY EXPRESS |
|
17 |
# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
|
18 |
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
|
19 |
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL GRNET S.A OR |
|
20 |
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
|
21 |
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
|
22 |
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF |
|
23 |
# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED |
|
24 |
# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
|
25 |
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN |
|
26 |
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
|
27 |
# POSSIBILITY OF SUCH DAMAGE. |
|
28 |
# |
|
29 |
# The views and conclusions contained in the software and |
|
30 |
# documentation are those of the authors and should not be |
|
31 |
# interpreted as representing official policies, either expressed |
|
32 |
# or implied, of GRNET S.A. |
|
33 |
|
|
34 |
import pika |
|
35 |
import json |
|
36 |
import uuid |
|
37 |
|
|
38 |
from urlparse import urlparse |
|
39 |
from time import time |
|
40 |
|
|
41 |
|
|
42 |
def exchange_connect(exchange, vhost='/'): |
|
43 |
"""Format exchange as a URI: rabbitmq://user:pass@host:port/exchange""" |
|
44 |
parts = urlparse(exchange) |
|
45 |
if parts.scheme != 'rabbitmq': |
|
46 |
return None |
|
47 |
if len(parts.path) < 2 or not parts.path.startswith('/'): |
|
48 |
return None |
|
49 |
exchange = parts.path[1:] |
|
50 |
connection = pika.BlockingConnection(pika.ConnectionParameters( |
|
51 |
host=parts.hostname, port=parts.port, virtual_host=vhost, |
|
52 |
credentials=pika.PlainCredentials(parts.username, parts.password))) |
|
53 |
channel = connection.channel() |
|
54 |
channel.exchange_declare(exchange=exchange, type='topic', durable=True) |
|
55 |
return (connection, channel, exchange) |
|
56 |
|
|
57 |
def exchange_close(conn): |
|
58 |
connection, channel, exchange = conn |
|
59 |
connection.close() |
|
60 |
|
|
61 |
def exchange_send(conn, key, value): |
|
62 |
"""Messages are sent to exchanges at a key.""" |
|
63 |
connection, channel, exchange = conn |
|
64 |
channel.basic_publish(exchange=exchange, |
|
65 |
routing_key=key, |
|
66 |
body=json.dumps(value)) |
|
67 |
|
|
68 |
|
|
69 |
def exchange_route(conn, key, queue): |
|
70 |
"""Set up routing of keys to queue.""" |
|
71 |
connection, channel, exchange = conn |
|
72 |
channel.queue_declare(queue=queue, durable=True, |
|
73 |
exclusive=False, auto_delete=False) |
|
74 |
channel.queue_bind(exchange=exchange, |
|
75 |
queue=queue, |
|
76 |
routing_key=key) |
|
77 |
|
|
78 |
def queue_callback(conn, queue, cb): |
|
79 |
|
|
80 |
def handle_delivery(channel, method_frame, header_frame, body): |
|
81 |
#print 'Basic.Deliver %s delivery-tag %i: %s' % (header_frame.content_type, |
|
82 |
# method_frame.delivery_tag, |
|
83 |
# body) |
|
84 |
if cb: |
|
85 |
cb(json.loads(body)) |
|
86 |
channel.basic_ack(delivery_tag=method_frame.delivery_tag) |
|
87 |
|
|
88 |
connection, channel, exchange = conn |
|
89 |
channel.basic_consume(handle_delivery, queue=queue) |
|
90 |
|
|
91 |
def queue_start(conn): |
|
92 |
connection, channel, exchange = conn |
|
93 |
channel.start_consuming() |
|
94 |
|
|
95 |
class Receipt(object): |
|
96 |
def __init__(self, client, user, resource, value, details=None): |
|
97 |
self.eventVersion = 1 |
|
98 |
self.id = str(uuid.uuid4()) |
|
99 |
self.timestamp = int(time() * 1000) |
|
100 |
self.clientId = client |
|
101 |
self.userId = user |
|
102 |
self.resource = resource |
|
103 |
self.value = value |
|
104 |
if details: |
|
105 |
self.details = details |
|
106 |
|
|
107 |
def format(self): |
|
108 |
return self.__dict__ |
/dev/null | ||
---|---|---|
1 |
# Copyright 2012 GRNET S.A. All rights reserved. |
|
2 |
# |
|
3 |
# Redistribution and use in source and binary forms, with or |
|
4 |
# without modification, are permitted provided that the following |
|
5 |
# conditions are met: |
|
6 |
# |
|
7 |
# 1. Redistributions of source code must retain the above |
|
8 |
# copyright notice, this list of conditions and the following |
|
9 |
# disclaimer. |
|
10 |
# |
|
11 |
# 2. Redistributions in binary form must reproduce the above |
|
12 |
# copyright notice, this list of conditions and the following |
|
13 |
# disclaimer in the documentation and/or other materials |
|
14 |
# provided with the distribution. |
|
15 |
# |
|
16 |
# THIS SOFTWARE IS PROVIDED BY GRNET S.A. ``AS IS'' AND ANY EXPRESS |
|
17 |
# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
|
18 |
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
|
19 |
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL GRNET S.A OR |
|
20 |
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
|
21 |
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
|
22 |
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF |
|
23 |
# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED |
|
24 |
# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
|
25 |
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN |
|
26 |
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
|
27 |
# POSSIBILITY OF SUCH DAMAGE. |
|
28 |
# |
|
29 |
# The views and conclusions contained in the software and |
|
30 |
# documentation are those of the authors and should not be |
|
31 |
# interpreted as representing official policies, either expressed |
|
32 |
# or implied, of GRNET S.A. |
|
33 |
|
|
34 |
from queue import Queue |
|
35 |
|
|
36 |
__all__ = ["Queue"] |
|
37 |
|
/dev/null | ||
---|---|---|
1 |
# Copyright 2012 GRNET S.A. All rights reserved. |
|
2 |
# |
|
3 |
# Redistribution and use in source and binary forms, with or |
|
4 |
# without modification, are permitted provided that the following |
|
5 |
# conditions are met: |
|
6 |
# |
|
7 |
# 1. Redistributions of source code must retain the above |
|
8 |
# copyright notice, this list of conditions and the following |
|
9 |
# disclaimer. |
|
10 |
# |
|
11 |
# 2. Redistributions in binary form must reproduce the above |
|
12 |
# copyright notice, this list of conditions and the following |
|
13 |
# disclaimer in the documentation and/or other materials |
|
14 |
# provided with the distribution. |
|
15 |
# |
|
16 |
# THIS SOFTWARE IS PROVIDED BY GRNET S.A. ``AS IS'' AND ANY EXPRESS |
|
17 |
# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
|
18 |
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
|
19 |
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL GRNET S.A OR |
|
20 |
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
|
21 |
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
|
22 |
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF |
|
23 |
# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED |
|
24 |
# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
|
25 |
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN |
|
26 |
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
|
27 |
# POSSIBILITY OF SUCH DAMAGE. |
|
28 |
# |
|
29 |
# The views and conclusions contained in the software and |
|
30 |
# documentation are those of the authors and should not be |
|
31 |
# interpreted as representing official policies, either expressed |
|
32 |
# or implied, of GRNET S.A. |
|
33 |
|
|
34 |
from astakos.im.queue import exchange_connect, exchange_send, Receipt |
|
35 |
|
|
36 |
class Queue(object): |
|
37 |
"""Queue. |
|
38 |
Required constructor parameters: exchange, message_key, client_id. |
|
39 |
""" |
|
40 |
|
|
41 |
def __init__(self, **params): |
|
42 |
exchange = params['exchange'] |
|
43 |
self.conn = exchange_connect(exchange) |
|
44 |
self.message_key = params['message_key'] |
|
45 |
self.client_id = params['client_id'] |
|
46 |
|
|
47 |
def send(self, user, resource, value, details): |
|
48 |
body = Receipt(self.client_id, user, resource, value, details).format() |
|
49 |
exchange_send(self.conn, self.message_key, body) |
|
50 |
|
/dev/null | ||
---|---|---|
1 |
This is where the docs will be built. |
/dev/null | ||
---|---|---|
1 |
Backends |
|
2 |
============== |
|
3 |
|
|
4 |
.. automodule:: astakos.im.backends |
|
5 |
:show-inheritance: |
|
6 |
:members: |
|
7 |
:undoc-members: |
/dev/null | ||
---|---|---|
1 |
# -*- coding: utf-8 -*- |
|
2 |
# |
|
3 |
# Astakos documentation build configuration file, created by |
|
4 |
# sphinx-quickstart on Wed May 18 12:42:48 2011. |
|
5 |
# |
|
6 |
# This file is execfile()d with the current directory set to its containing dir. |
|
7 |
# |
|
8 |
# Note that not all possible configuration values are present in this |
|
9 |
# autogenerated file. |
|
10 |
# |
|
11 |
# All configuration values have a default; values that are commented out |
|
12 |
# serve to show the default. |
|
13 |
|
|
14 |
import sys, os |
|
15 |
|
|
16 |
# If extensions (or modules to document with autodoc) are in another directory, |
|
17 |
# add these directories to sys.path here. If the directory is relative to the |
|
18 |
# documentation root, use os.path.abspath to make it absolute, like shown here. |
|
19 |
sys.path.insert(0, os.path.abspath('../..')) |
|
20 |
|
|
21 |
from synnefo import settings |
|
22 |
from django.core.management import setup_environ |
|
23 |
setup_environ(settings) |
|
24 |
|
|
25 |
# -- General configuration ----------------------------------------------------- |
|
26 |
|
|
27 |
# If your documentation needs a minimal Sphinx version, state it here. |
|
28 |
#needs_sphinx = '1.0' |
|
29 |
|
|
30 |
# Add any Sphinx extension module names here, as strings. They can be extensions |
|
31 |
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones. |
|
32 |
extensions = ['sphinx.ext.autodoc', 'sphinx.ext.todo'] |
|
33 |
|
|
34 |
# Add any paths that contain templates here, relative to this directory. |
|
35 |
templates_path = ['_templates'] |
|
36 |
|
|
37 |
# The suffix of source filenames. |
|
38 |
source_suffix = '.rst' |
|
39 |
|
|
40 |
# The encoding of source files. |
|
41 |
#source_encoding = 'utf-8-sig' |
|
42 |
|
|
43 |
# The master toctree document. |
|
44 |
master_doc = 'index' |
|
45 |
|
|
46 |
# General information about the project. |
|
47 |
project = u'Astakos' |
|
48 |
copyright = u'2011, Astakos Team' |
|
49 |
|
|
50 |
# The version info for the project you're documenting, acts as replacement for |
|
51 |
# |version| and |release|, also used in various other places throughout the |
|
52 |
# built documents. |
|
53 |
# |
|
54 |
# The short X.Y version. |
|
55 |
version = '1' |
|
56 |
# The full version, including alpha/beta/rc tags. |
|
57 |
release = '1' |
|
58 |
|
|
59 |
# The language for content autogenerated by Sphinx. Refer to documentation |
|
60 |
# for a list of supported languages. |
|
61 |
#language = None |
|
62 |
|
|
63 |
# There are two options for replacing |today|: either, you set today to some |
|
64 |
# non-false value, then it is used: |
|
65 |
#today = '' |
|
66 |
# Else, today_fmt is used as the format for a strftime call. |
|
67 |
#today_fmt = '%B %d, %Y' |
|
68 |
|
|
69 |
# List of patterns, relative to source directory, that match files and |
|
70 |
# directories to ignore when looking for source files. |
|
71 |
exclude_patterns = ['_build'] |
|
72 |
|
|
73 |
# The reST default role (used for this markup: `text`) to use for all documents. |
|
74 |
#default_role = None |
|
75 |
|
|
76 |
# If true, '()' will be appended to :func: etc. cross-reference text. |
|
77 |
#add_function_parentheses = True |
|
78 |
|
|
79 |
# If true, the current module name will be prepended to all description |
|
80 |
# unit titles (such as .. function::). |
|
81 |
#add_module_names = True |
|
82 |
|
|
83 |
# If true, sectionauthor and moduleauthor directives will be shown in the |
|
84 |
# output. They are ignored by default. |
|
85 |
#show_authors = False |
|
86 |
|
|
87 |
# The name of the Pygments (syntax highlighting) style to use. |
|
88 |
pygments_style = 'sphinx' |
|
89 |
|
|
90 |
# A list of ignored prefixes for module index sorting. |
|
91 |
#modindex_common_prefix = [] |
|
92 |
|
|
93 |
|
|
94 |
# -- Options for HTML output --------------------------------------------------- |
|
95 |
|
|
96 |
# The theme to use for HTML and HTML Help pages. See the documentation for |
|
97 |
# a list of builtin themes. |
|
98 |
html_theme = 'default' |
|
99 |
|
|
100 |
# Theme options are theme-specific and customize the look and feel of a theme |
|
101 |
# further. For a list of options available for each theme, see the |
|
102 |
# documentation. |
|
103 |
#html_theme_options = {} |
|
104 |
|
|
105 |
# Add any paths that contain custom themes here, relative to this directory. |
|
106 |
#html_theme_path = [] |
|
107 |
|
|
108 |
# The name for this set of Sphinx documents. If None, it defaults to |
|
109 |
# "<project> v<release> documentation". |
|
110 |
#html_title = None |
|
111 |
|
|
112 |
# A shorter title for the navigation bar. Default is the same as html_title. |
|
113 |
#html_short_title = None |
|
114 |
|
|
115 |
# The name of an image file (relative to this directory) to place at the top |
|
116 |
# of the sidebar. |
|
117 |
#html_logo = None |
|
118 |
|
|
119 |
# The name of an image file (within the static path) to use as favicon of the |
|
120 |
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 |
|
121 |
# pixels large. |
|
122 |
#html_favicon = None |
|
123 |
|
|
124 |
# Add any paths that contain custom static files (such as style sheets) here, |
|
125 |
# relative to this directory. They are copied after the builtin static files, |
|
126 |
# so a file named "default.css" will overwrite the builtin "default.css". |
|
127 |
#html_static_path = ['_static'] |
|
128 |
|
|
129 |
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom, |
|
130 |
# using the given strftime format. |
|
131 |
#html_last_updated_fmt = '%b %d, %Y' |
|
132 |
|
|
133 |
# If true, SmartyPants will be used to convert quotes and dashes to |
|
134 |
# typographically correct entities. |
|
135 |
#html_use_smartypants = True |
|
136 |
|
|
137 |
# Custom sidebar templates, maps document names to template names. |
|
138 |
#html_sidebars = {} |
|
139 |
|
|
140 |
# Additional templates that should be rendered to pages, maps page names to |
|
141 |
# template names. |
|
142 |
#html_additional_pages = {} |
|
143 |
|
|
144 |
# If false, no module index is generated. |
|
145 |
#html_domain_indices = True |
|
146 |
|
|
147 |
# If false, no index is generated. |
|
148 |
#html_use_index = True |
|
149 |
|
|
150 |
# If true, the index is split into individual pages for each letter. |
|
151 |
#html_split_index = False |
|
152 |
|
|
153 |
# If true, links to the reST sources are added to the pages. |
|
154 |
#html_show_sourcelink = True |
|
155 |
|
|
156 |
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True. |
|
157 |
#html_show_sphinx = True |
|
158 |
|
|
159 |
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. |
|
160 |
#html_show_copyright = True |
|
161 |
|
|
162 |
# If true, an OpenSearch description file will be output, and all pages will |
|
163 |
# contain a <link> tag referring to it. The value of this option must be the |
|
164 |
# base URL from which the finished HTML is served. |
|
165 |
#html_use_opensearch = '' |
|
166 |
|
|
167 |
# This is the file name suffix for HTML files (e.g. ".xhtml"). |
|
168 |
#html_file_suffix = None |
|
169 |
|
|
170 |
# Output file base name for HTML help builder. |
|
171 |
htmlhelp_basename = 'Astakosdoc' |
|
172 |
|
|
173 |
|
|
174 |
# -- Options for LaTeX output -------------------------------------------------- |
|
175 |
|
|
176 |
# The paper size ('letter' or 'a4'). |
|
177 |
#latex_paper_size = 'letter' |
|
178 |
|
|
179 |
# The font size ('10pt', '11pt' or '12pt'). |
|
180 |
#latex_font_size = '10pt' |
|
181 |
|
|
182 |
# Grouping the document tree into LaTeX files. List of tuples |
|
183 |
# (source start file, target name, title, author, documentclass [howto/manual]). |
|
184 |
latex_documents = [ |
|
185 |
('index', 'Astakos.tex', u'Astakos Documentation', |
|
186 |
u'Astakos Team', 'manual'), |
|
187 |
] |
|
188 |
|
|
189 |
# The name of an image file (relative to this directory) to place at the top of |
|
190 |
# the title page. |
|
191 |
#latex_logo = None |
|
192 |
|
|
193 |
# For "manual" documents, if this is true, then toplevel headings are parts, |
|
194 |
# not chapters. |
|
195 |
#latex_use_parts = False |
|
196 |
|
|
197 |
# If true, show page references after internal links. |
|
198 |
#latex_show_pagerefs = False |
|
199 |
|
|
200 |
# If true, show URL addresses after external links. |
|
201 |
#latex_show_urls = False |
|
202 |
|
|
203 |
# Additional stuff for the LaTeX preamble. |
|
204 |
#latex_preamble = '' |
|
205 |
|
|
206 |
# Documents to append as an appendix to all manuals. |
|
207 |
#latex_appendices = [] |
|
208 |
|
|
209 |
# If false, no module index is generated. |
|
210 |
#latex_domain_indices = True |
|
211 |
|
|
212 |
|
|
213 |
# -- Options for manual page output -------------------------------------------- |
|
214 |
|
|
215 |
# One entry per manual page. List of tuples |
|
216 |
# (source start file, name, description, authors, manual section). |
|
217 |
man_pages = [ |
|
218 |
('index', 'astakos', u'Astakos Documentation', |
|
219 |
[u'Astakos Team'], 1) |
|
220 |
] |
|
221 |
|
|
222 |
|
|
223 |
autodoc_default_flags = ['members'] |
/dev/null | ||
---|---|---|
1 |
Astakos Developer Guide |
|
2 |
======================= |
|
3 |
|
|
4 |
Introduction |
|
5 |
------------ |
|
6 |
|
|
7 |
Astakos serves as the point of authentication for GRNET (http://www.grnet.gr) services. It is a platform-wide service, allowing users to register, login, and keep track of permissions. |
|
8 |
|
|
9 |
Users in astakos can be authenticated via several identity providers: |
|
10 |
|
|
11 |
* Local |
|
12 |
* Shibboleth |
|
13 |
|
|
14 |
It provides also a command line tool for managing user accounts. |
|
15 |
|
|
16 |
It is build over django and extends its authentication mechanism. |
|
17 |
|
|
18 |
This document's goals are: |
|
19 |
|
|
20 |
* present the overall architectural design. |
|
21 |
* provide basic use cases. |
|
22 |
* describe the APIs to the outer world. |
|
23 |
* document the views and provide guidelines for a developer to extend them. |
|
24 |
|
|
25 |
The present document is meant to be read alongside the Django documentation (https://www.djangoproject.com/). Thus, it is suggested that the reader is familiar with associated technologies. |
|
26 |
|
|
27 |
Document Revisions |
|
28 |
^^^^^^^^^^^^^^^^^^ |
|
29 |
|
|
30 |
========================= ================================ |
|
31 |
Revision Description |
|
32 |
========================= ================================ |
|
33 |
0.1 (Feb 10, 2012) Initial release. |
|
34 |
========================= ================================ |
|
35 |
|
|
36 |
Overview |
|
37 |
-------- |
|
38 |
|
|
39 |
Astakos service co-ordinates the access to resources (and the subsequent permission model) and acts as the single point of registry and entry to the GRNET cloud offering, comprising of Cyclades and Pithos subsystems. |
|
40 |
|
|
41 |
It also propagates the user state to the Aquarium pricing subsystem. |
|
42 |
|
|
43 |
.. image:: images/~okeanos.jpg |
|
44 |
|
|
45 |
Registration Use Cases |
|
46 |
---------------------- |
|
47 |
|
|
48 |
The following subsections describe two basic registration use cases. All the registration cases are covered in :ref:`registration-flow-label` |
|
49 |
|
|
50 |
Invited user |
|
51 |
^^^^^^^^^^^^ |
|
52 |
|
|
53 |
A registered ~okeanos user, invites student Alice to subscribe to ~okeanos services. Alice receives an email and through a link is navigated to Astakos's signup page. The system prompts her to select one of the available authentication mechanisms (Shibboleth or local authentication) in order to register to the system. Alice already has a Shibboleth account so chooses that and then she is redirected to her institution's login page. Upon successful login, her account is created. |
|
54 |
|
|
55 |
Since she is invited his account is automaticaly activated and she is redirected to Astakos's login page. As this is the first time Alice has accessed the system she is redirected to her profile page where she can edit or provide more information. |
|
56 |
|
|
57 |
Not invited user |
|
58 |
^^^^^^^^^^^^^^^^ |
|
59 |
|
|
60 |
Tony while browsing in the internet finds out about ~okeanos services. He visits the signup page and since his has not a shibboleth account selects the local authentication mechanism. Upon successful signup the account is created. |
|
61 |
|
|
62 |
Since his not an invited user his account has to be activated from an administrator first, in order to be able to login. Upon the account's activation he receives an email and through a link he is redirected to the login page. |
|
63 |
|
|
64 |
Authentication Use Cases |
|
65 |
------------------------ |
|
66 |
|
|
67 |
Cloud service user |
|
68 |
^^^^^^^^^^^^^^^^^^ |
|
69 |
|
|
70 |
Alice requests a specific resource from a cloud service ex. Pithos. In the request supplies the `X-Auth-Token`` to identify whether she is eligible to perform the specific task. The service contacts Astakos through its ``/im/authenticate`` api call (see :ref:`authenticate-api-label`) providing the specific ``X-Auth-Token``. Astakos checkes whether the token belongs to an active user and it has not expired and returns a dictionary containing user related information. Finally the service uses the ``uniq`` field included in the dictionary as the account string to identify the user accessible resources. |
|
71 |
|
|
72 |
.. _registration-flow-label: |
|
73 |
|
|
74 |
Registration Flow |
|
75 |
----------------- |
|
76 |
|
|
77 |
.. image:: images/signup.jpg |
|
78 |
:scale: 100% |
|
79 |
|
|
80 |
Login Flow |
|
81 |
---------- |
|
82 |
.. image:: images/login.jpg |
|
83 |
:scale: 100% |
|
84 |
|
|
85 |
.. _authentication-label: |
|
86 |
|
|
87 |
Astakos Users and Authentication |
|
88 |
-------------------------------- |
|
89 |
|
|
90 |
Astakos incorporates django user authentication system and extends its User model. |
|
91 |
|
|
92 |
Since username field of django User model has a limitation of 30 characters, AstakosUser is **uniquely** identified by the ``email`` instead. Therefore, ``astakos.im.authentication_backends.EmailBackend`` is served to authenticate a user using email if the first argument is actually an email, otherwise tries the username. |
|
93 |
|
|
94 |
A new AstakosUser instance is assigned with a uui as username and also with a ``auth_token`` used by the cloud services to authenticate the user. ``astakos.im.authentication_backends.TokenBackend`` is also specified in order to authenticate the user using the email and the token fields. |
|
95 |
|
|
96 |
Logged on users can perform a number of actions: |
|
97 |
|
|
98 |
* access and edit their profile via: ``/im/profile``. |
|
99 |
* change their password via: ``/im/password`` |
|
100 |
* invite somebody else via: ``/im/invite`` |
|
101 |
* send feedback for grnet services via: ``/im/feedback`` |
|
102 |
* logout (and delete cookie) via: ``/im/logout`` |
|
103 |
|
|
104 |
User entries can also be modified/added via the ``snf-manage activateuser`` command. |
|
105 |
|
|
106 |
A superuser account can be created the first time you run the ``manage.py syncdb`` django command and then loading the extra user data from the ``admin_user`` fixture. At a later date, the ``manage.py createsuperuser`` command line utility can be used (as long as the extra user data for Astakos is added with a fixture or by hand). |
|
107 |
|
|
108 |
Internal Astakos requests are handled using cookie-based django user sessions. |
|
109 |
|
|
110 |
External systems in the same domain can delgate ``/login`` URI. The server, depending on its configuration will redirect to the appropriate login page. When done with logging in, the service's login URI should redirect to the URI provided with next, adding user and token parameters, which contain the email and token fields respectively. |
|
111 |
|
|
112 |
The login URI accepts the following parameters: |
|
113 |
|
|
114 |
====================== ========================= |
|
115 |
Request Parameter Name Value |
|
116 |
====================== ========================= |
|
117 |
next The URI to redirect to when the process is finished |
|
118 |
renew Force token renewal (no value parameter) |
|
119 |
force Force logout current user (no value parameter) |
|
120 |
====================== ========================= |
|
121 |
|
|
122 |
External systems outside the domain scope can acquire the user information by a cookie set identified by ASTAKOS_COOKIE_NAME setting. |
|
123 |
|
|
124 |
Finally, backend systems having acquired a token can use the :ref:`authenticate-api-label` api call from a private network or through HTTPS. |
|
125 |
|
|
126 |
The Astakos API |
|
127 |
--------------- |
|
128 |
|
|
129 |
.. _authenticate-api-label: |
|
130 |
|
|
131 |
Authenticate |
|
132 |
^^^^^^^^^^^^ |
|
133 |
|
|
134 |
Authenticate API requests require a token. An application that wishes to connect to Astakos, but does not have a token, should redirect the user to ``/login``. (see :ref:`authentication-label`) |
|
135 |
|
|
136 |
==================== ========= ================== |
|
137 |
Uri Method Description |
|
138 |
==================== ========= ================== |
|
139 |
``/im/authenticate`` GET Authenticate user using token |
|
140 |
==================== ========= ================== |
|
141 |
|
|
142 |
| |
|
143 |
|
|
144 |
==================== =========================== |
|
145 |
Request Header Name Value |
|
146 |
==================== =========================== |
|
147 |
X-Auth-Token Authentication token |
|
148 |
==================== =========================== |
|
149 |
|
|
150 |
Extended information on the user serialized in the json format will be returned: |
|
151 |
|
|
152 |
=========================== ============================ |
|
153 |
Name Description |
|
154 |
=========================== ============================ |
|
155 |
username User uniq identifier |
|
156 |
uniq User email (uniq identifier used by Astakos) |
|
157 |
auth_token Authentication token |
|
158 |
auth_token_expires Token expiration date |
|
159 |
auth_token_created Token creation date |
|
160 |
has_credits Whether user has credits |
|
161 |
has_signed_terms Whether user has aggred on terms |
|
162 |
=========================== ============================ |
|
163 |
|
|
164 |
Example reply: |
|
165 |
|
|
166 |
:: |
|
167 |
|
|
168 |
{"userid": "270d191e09834408b7af65885f46a3", |
|
169 |
"email": ["user111@example.com"], |
|
170 |
"name": "user1 User1", |
|
171 |
"auth_token_created": 1333372365000, |
|
172 |
"auth_token_expires": 1335964365000, |
|
173 |
"auth_token": "uiWDLAgtJOGW4mI4q9R/8w==", |
|
174 |
"has_credits": true} |
|
175 |
|
|
176 |
| |
|
177 |
|
|
178 |
=========================== ===================== |
|
179 |
Return Code Description |
|
180 |
=========================== ===================== |
|
181 |
204 (No Content) The request succeeded |
|
182 |
400 (Bad Request) The request is invalid |
|
183 |
401 (Unauthorized) Missing token or inactive user or penging approval terms |
|
184 |
500 (Internal Server Error) The request cannot be completed because of an internal error |
|
185 |
=========================== ===================== |
|
186 |
|
|
187 |
Get Services |
|
188 |
^^^^^^^^^^^^ |
|
189 |
|
|
190 |
Returns a json formatted list containing information about the supported cloud services. |
|
191 |
|
|
192 |
==================== ========= ================== |
|
193 |
Uri Method Description |
|
194 |
==================== ========= ================== |
|
195 |
``/im/get_services`` GET Get cloud services |
|
196 |
==================== ========= ================== |
|
197 |
|
|
198 |
Example reply: |
|
199 |
|
|
200 |
:: |
|
201 |
|
|
202 |
[{"url": "/", "icon": "home-icon.png", "name": "grnet cloud", "id": "cloud"}, |
|
203 |
{"url": "/okeanos.html", "name": "~okeanos", "id": "okeanos"}, |
|
204 |
{"url": "/ui/", "name": "pithos+", "id": "pithos"}] |
|
205 |
|
|
206 |
Get Menu |
|
207 |
^^^^^^^^ |
|
208 |
|
|
209 |
Returns a json formatted list containing the cloud bar links. |
|
210 |
|
|
211 |
==================== ========= ================== |
|
212 |
Uri Method Description |
|
213 |
==================== ========= ================== |
|
214 |
``/im/get_menu`` GET Get cloud bar menu |
|
215 |
==================== ========= ================== |
|
216 |
|
|
217 |
| |
|
218 |
|
|
219 |
====================== ========================= |
|
220 |
Request Parameter Name Value |
|
221 |
====================== ========================= |
|
222 |
location Location to pass in the next parameter |
|
223 |
====================== ========================= |
|
224 |
|
|
225 |
Example reply if request user is not authenticated: |
|
226 |
|
|
227 |
:: |
|
228 |
|
|
229 |
[{"url": "/im/login?next=", "name": "login..."}] |
|
230 |
|
|
231 |
Example reply if request user is authenticated: |
|
232 |
|
|
233 |
[{"url": "/im/profile", "name": "spapagian@grnet.gr"}, |
|
234 |
{"url": "/im/profile", "name": "view your profile..."}, |
|
235 |
{"url": "/im/password", "name": "change your password..."}, |
|
236 |
{"url": "/im/feedback", "name": "feedback..."}, |
|
237 |
{"url": "/im/logout", "name": "logout..."}] |
|
238 |
|
|
239 |
|
|
240 |
|
|
241 |
|
/dev/null | ||
---|---|---|
1 |
Forms |
|
2 |
============== |
|
3 |
|
|
4 |
.. automodule:: astakos.im.forms |
|
5 |
:show-inheritance: |
/dev/null | ||
---|---|---|
1 |
Astakos Documentation |
|
2 |
===================== |
|
3 |
|
|
4 |
Contents: |
|
5 |
|
|
6 |
.. toctree:: |
|
7 |
:maxdepth: 3 |
|
8 |
|
|
9 |
devguide |
|
10 |
views |
|
11 |
models |
|
12 |
forms |
|
13 |
backends |
|
14 |
|
|
15 |
Indices and tables |
|
16 |
================== |
|
17 |
|
|
18 |
* :ref:`genindex` |
|
19 |
* :ref:`modindex` |
|
20 |
* :ref:`search` |
|
21 |
|
/dev/null | ||
---|---|---|
1 |
Models |
|
2 |
============== |
|
3 |
|
|
4 |
.. automodule:: astakos.im.models |
|
5 |
:show-inheritance: |
|
6 |
:members: |
|
7 |
:undoc-members: |
/dev/null | ||
---|---|---|
1 |
Views |
|
2 |
============== |
|
3 |
|
|
4 |
.. automodule:: astakos.im.views |
|
5 |
:show-inheritance: |
|
6 |
:members: |
|
7 |
:undoc-members: |
b/snf-astakos-app/astakos/im/forms.py | ||
---|---|---|
139 | 139 |
user.renew_token() |
140 | 140 |
if commit: |
141 | 141 |
user.save() |
142 |
logger.info('Created user %s', user) |
|
142 |
logger.info('Created user %s', user)
|
|
143 | 143 |
return user |
144 | 144 |
|
145 | 145 |
class InvitedLocalUserCreationForm(LocalUserCreationForm): |
... | ... | |
220 | 220 |
user.provider = get_query(self.request).get('provider') |
221 | 221 |
if commit: |
222 | 222 |
user.save() |
223 |
logger.info('Created user %s', user) |
|
223 |
logger.info('Created user %s', user)
|
|
224 | 224 |
return user |
225 | 225 |
|
226 | 226 |
class InvitedThirdPartyUserCreationForm(ThirdPartyUserCreationForm): |
Also available in: Unified diff