root / docs / astakos.rst @ 2e1e6844
History | View | Annotate | Download (9.1 kB)
1 | bc055d09 | Constantinos Venetsanopoulos | .. _astakos: |
---|---|---|---|
2 | bc055d09 | Constantinos Venetsanopoulos | |
3 | 53d6886e | Sofia Papagiannaki | Identity Management Service (Astakos) |
4 | bc055d09 | Constantinos Venetsanopoulos | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
5 | bc055d09 | Constantinos Venetsanopoulos | |
6 | 53d6886e | Sofia Papagiannaki | Astakos is GRNET project that provides identity management, catalog and policy services. |
7 | 53d6886e | Sofia Papagiannaki | It is designed to be used by the synnefo family software, |
8 | 53d6886e | Sofia Papagiannaki | but is free and open to use by anybody, under a BSD-2 clause license. |
9 | bc055d09 | Constantinos Venetsanopoulos | |
10 | 8f9976c6 | Constantinos Venetsanopoulos | Introduction |
11 | 8f9976c6 | Constantinos Venetsanopoulos | ============ |
12 | 8f9976c6 | Constantinos Venetsanopoulos | |
13 | 53d6886e | Sofia Papagiannaki | Astakos serves as a unique point of authentication for `GRNET <http://www.grnet.gr>`_ |
14 | 53d6886e | Sofia Papagiannaki | cloud services. It is a platform-wide service that allows users to manage their accounts. |
15 | 8f9976c6 | Constantinos Venetsanopoulos | |
16 | 8f9976c6 | Constantinos Venetsanopoulos | Users in astakos can be authenticated via several identity providers: |
17 | 8f9976c6 | Constantinos Venetsanopoulos | |
18 | 8f9976c6 | Constantinos Venetsanopoulos | * Local |
19 | 8f9976c6 | Constantinos Venetsanopoulos | * Shibboleth |
20 | 8f9976c6 | Constantinos Venetsanopoulos | |
21 | 53d6886e | Sofia Papagiannaki | It extends the ``snf-manage`` command line tool by introducing commands for managing the user accounts. |
22 | 8f9976c6 | Constantinos Venetsanopoulos | |
23 | 8f9976c6 | Constantinos Venetsanopoulos | It is build over django and extends its authentication mechanism. |
24 | 8f9976c6 | Constantinos Venetsanopoulos | |
25 | 8f9976c6 | Constantinos Venetsanopoulos | This document's goals are: |
26 | 8f9976c6 | Constantinos Venetsanopoulos | |
27 | 8f9976c6 | Constantinos Venetsanopoulos | * present the overall architectural design. |
28 | 8f9976c6 | Constantinos Venetsanopoulos | * provide basic use cases. |
29 | 8f9976c6 | Constantinos Venetsanopoulos | |
30 | 53d6886e | Sofia Papagiannaki | The present document is meant to be read alongside the `Django documentation |
31 | 53d6886e | Sofia Papagiannaki | <https://www.djangoproject.com/>`_. Thus, it is suggested that the reader is |
32 | 8f9976c6 | Constantinos Venetsanopoulos | familiar with associated technologies. |
33 | 8f9976c6 | Constantinos Venetsanopoulos | |
34 | 8f9976c6 | Constantinos Venetsanopoulos | |
35 | bc055d09 | Constantinos Venetsanopoulos | Astakos Architecture |
36 | bc055d09 | Constantinos Venetsanopoulos | ==================== |
37 | 8f9976c6 | Constantinos Venetsanopoulos | |
38 | 8f9976c6 | Constantinos Venetsanopoulos | Overview |
39 | 8f9976c6 | Constantinos Venetsanopoulos | -------- |
40 | 8f9976c6 | Constantinos Venetsanopoulos | |
41 | 8f9976c6 | Constantinos Venetsanopoulos | Astakos service co-ordinates the access to resources (and the subsequent |
42 | 8f9976c6 | Constantinos Venetsanopoulos | permission model) and acts as the single point of registry and entry to the |
43 | 8f9976c6 | Constantinos Venetsanopoulos | GRNET cloud offering, comprising of Cyclades and Pithos+ subsystems. |
44 | 8f9976c6 | Constantinos Venetsanopoulos | |
45 | 8f9976c6 | Constantinos Venetsanopoulos | It also propagates the user state to the Aquarium pricing subsystem. |
46 | 8f9976c6 | Constantinos Venetsanopoulos | |
47 | 87d73e49 | Kostas Papadimitriou | .. image:: images/astakos-okeanos.jpg |
48 | 8f9976c6 | Constantinos Venetsanopoulos | |
49 | 8f9976c6 | Constantinos Venetsanopoulos | Registration Use Cases |
50 | 8f9976c6 | Constantinos Venetsanopoulos | ---------------------- |
51 | 8f9976c6 | Constantinos Venetsanopoulos | |
52 | 8f9976c6 | Constantinos Venetsanopoulos | The following subsections describe two basic registration use cases. All the |
53 | 53d6886e | Sofia Papagiannaki | registration cases are illustrated in :ref:`registration-flow-label` |
54 | 8f9976c6 | Constantinos Venetsanopoulos | |
55 | 8f9976c6 | Constantinos Venetsanopoulos | Invited user |
56 | 8f9976c6 | Constantinos Venetsanopoulos | ~~~~~~~~~~~~ |
57 | 8f9976c6 | Constantinos Venetsanopoulos | |
58 | 8f9976c6 | Constantinos Venetsanopoulos | A registered ~okeanos user, invites student Alice to subscribe to ~okeanos |
59 | 8f9976c6 | Constantinos Venetsanopoulos | services. Alice receives an email and through a link is navigated to Astakos's |
60 | 8f9976c6 | Constantinos Venetsanopoulos | signup page. The system prompts her to select one of the available |
61 | 53d6886e | Sofia Papagiannaki | authentication mechanisms (Shibboleth, local authentication) in |
62 | 8f9976c6 | Constantinos Venetsanopoulos | order to register to the system. Alice already has a Shibboleth account so |
63 | 8f9976c6 | Constantinos Venetsanopoulos | chooses that and then she is redirected to her institution's login page. Upon |
64 | 8f9976c6 | Constantinos Venetsanopoulos | successful login, her account is created. |
65 | 8f9976c6 | Constantinos Venetsanopoulos | |
66 | 53d6886e | Sofia Papagiannaki | Since she is invited her account is automaticaly activated and she is |
67 | 8f9976c6 | Constantinos Venetsanopoulos | redirected to Astakos's login page. As this is the first time Alice has |
68 | 8f9976c6 | Constantinos Venetsanopoulos | accessed the system she is redirected to her profile page where she can edit or |
69 | 8f9976c6 | Constantinos Venetsanopoulos | provide more information. |
70 | 8f9976c6 | Constantinos Venetsanopoulos | |
71 | 8f9976c6 | Constantinos Venetsanopoulos | Not invited user |
72 | 8f9976c6 | Constantinos Venetsanopoulos | ~~~~~~~~~~~~~~~~ |
73 | 8f9976c6 | Constantinos Venetsanopoulos | |
74 | 8f9976c6 | Constantinos Venetsanopoulos | Tony while browsing in the internet finds out about ~okeanos services. He |
75 | 53d6886e | Sofia Papagiannaki | visits the signup page and fills the signup form. Since his not an invited |
76 | 53d6886e | Sofia Papagiannaki | user his account has to be activated from an administrator first, |
77 | 53d6886e | Sofia Papagiannaki | in order to be able to login. Upon the account's activation he receives |
78 | 53d6886e | Sofia Papagiannaki | an email and through a link he is redirected to the login page. |
79 | 8f9976c6 | Constantinos Venetsanopoulos | |
80 | 8f9976c6 | Constantinos Venetsanopoulos | Authentication Use Cases |
81 | 8f9976c6 | Constantinos Venetsanopoulos | ------------------------ |
82 | 8f9976c6 | Constantinos Venetsanopoulos | |
83 | 8f9976c6 | Constantinos Venetsanopoulos | Cloud service user |
84 | 8f9976c6 | Constantinos Venetsanopoulos | ~~~~~~~~~~~~~~~~~~ |
85 | 8f9976c6 | Constantinos Venetsanopoulos | |
86 | 53d6886e | Sofia Papagiannaki | Alice requests a specific resource from a cloud service ex. Pithos+. In the |
87 | 949f8393 | Sofia Papagiannaki | request supplies the `X-Auth-Token` to identify whether she is eligible to |
88 | 8f9976c6 | Constantinos Venetsanopoulos | perform the specific task. The service contacts Astakos through its |
89 | 8f9976c6 | Constantinos Venetsanopoulos | ``/im/authenticate`` api call (see :ref:`authenticate-api-label`) providing the |
90 | 8f9976c6 | Constantinos Venetsanopoulos | specific ``X-Auth-Token``. Astakos checkes whether the token belongs to an |
91 | 8f9976c6 | Constantinos Venetsanopoulos | active user and it has not expired and returns a dictionary containing user |
92 | 8f9976c6 | Constantinos Venetsanopoulos | related information. Finally the service uses the ``uniq`` field included in |
93 | 8f9976c6 | Constantinos Venetsanopoulos | the dictionary as the account string to identify the user accessible resources. |
94 | 8f9976c6 | Constantinos Venetsanopoulos | |
95 | 8f9976c6 | Constantinos Venetsanopoulos | .. _registration-flow-label: |
96 | 8f9976c6 | Constantinos Venetsanopoulos | |
97 | 8f9976c6 | Constantinos Venetsanopoulos | Registration Flow |
98 | 8f9976c6 | Constantinos Venetsanopoulos | ----------------- |
99 | 8f9976c6 | Constantinos Venetsanopoulos | |
100 | c1e48243 | Sofia Papagiannaki | Responsible for handling the account registration and activation requests is the ``signup`` view. This view checks whether it is a request for a local account. If this is not the case, the user is navigated to the third-party provider to authenticate against it and upon success is redirected back in the ``signup`` view. If the supplied information is valid and an inactive account is created. Then the appropriate ``ActivationBackend`` handles the account activation: the ``InvitationsBackend`` if the invitation mechanism is enabled and the ``SimpleBackend`` otherwise. |
101 | 53d6886e | Sofia Papagiannaki | |
102 | c1e48243 | Sofia Papagiannaki | In the first case, if the request is accompanied with a valid invitation code the user is automatically activated and since its email address (where received the invitation) is verified, acquires a valid token and is logged in the system. If there is no invitation associated with the request, the system check whether the email matches any of the ASTAKOS_RE_USER_EMAIL_PATTERNS and if it does it sends an email to the user to verify the email address, otherwise the system sends a notification email to the administrators and informs the user that the account activation will be moderated by them. |
103 | 53d6886e | Sofia Papagiannaki | |
104 | 53d6886e | Sofia Papagiannaki | If the invitation mechanism is not enabled, the ``SimpleBackend`` checks if the email address matches any of the ASTAKOS_RE_USER_EMAIL_PATTERNS or the moderation is not enabled and it sends a verification email, otherwise informs the user that the account is pending approval and sends a notification email to the admins. |
105 | 53d6886e | Sofia Papagiannaki | |
106 | 53d6886e | Sofia Papagiannaki | The verification email contains a link that navigates the user to ``activate`` view through a URI that contains also a temporary user token. If this token is valid the user account is activated and the user is logged in the system, after renewing the token and setting the cookie identified by ASTAKOS_COOKIE_NAME (used by the ~okeanos subcomponents). |
107 | 53d6886e | Sofia Papagiannaki | |
108 | 53d6886e | Sofia Papagiannaki | If FORCE_PROFILE_UPDATE is set, after the first successful login the user is navigated first to the ``profile`` view, before been redirected to the ``next`` parameter value. |
109 | 53d6886e | Sofia Papagiannaki | |
110 | 87d73e49 | Kostas Papadimitriou | .. image:: images/astakos-signup.jpg |
111 | c1e48243 | Sofia Papagiannaki | :scale: 80% |
112 | 8f9976c6 | Constantinos Venetsanopoulos | |
113 | 8f9976c6 | Constantinos Venetsanopoulos | Login Flow |
114 | 8f9976c6 | Constantinos Venetsanopoulos | ---------- |
115 | 53d6886e | Sofia Papagiannaki | |
116 | 53d6886e | Sofia Papagiannaki | During loging procedure the user is authenticated by the respective identity provider. |
117 | 53d6886e | Sofia Papagiannaki | |
118 | 53d6886e | Sofia Papagiannaki | If ASTAKOS_RECAPTCHA_ENABLED is set and the user fails several times (ASTAKOS_RATELIMIT_RETRIES_ALLOWED setting) to provide the correct credentials for a local account, is prompted to solve a captcha challenge. |
119 | 53d6886e | Sofia Papagiannaki | |
120 | 53d6886e | Sofia Papagiannaki | Upon success, the system renews the token (if it has been expired), logins the user and sets the cookie, before redirecting the user to the ``next`` parameter value. |
121 | 53d6886e | Sofia Papagiannaki | |
122 | 87d73e49 | Kostas Papadimitriou | .. image:: images/astakos-login.jpg |
123 | c1e48243 | Sofia Papagiannaki | :scale: 80% |
124 | 8f9976c6 | Constantinos Venetsanopoulos | |
125 | 53d6886e | Sofia Papagiannaki | Approval Terms |
126 | 53d6886e | Sofia Papagiannaki | -------------- |
127 | 53d6886e | Sofia Papagiannaki | |
128 | 53d6886e | Sofia Papagiannaki | The ``snf-manage addterms`` command serves to add new approval terms. |
129 | 53d6886e | Sofia Papagiannaki | |
130 | 53d6886e | Sofia Papagiannaki | During the account registration, if there are approval terms, the user has to agree with them in order to proceed. |
131 | 53d6886e | Sofia Papagiannaki | |
132 | 53d6886e | Sofia Papagiannaki | In case there are later approval terms that the user has not signed, the ``signed_terms_required`` view decorator redirects to the ``approval_terms`` view. |
133 | 53d6886e | Sofia Papagiannaki | |
134 | 949f8393 | Sofia Papagiannaki | Service Registration |
135 | 949f8393 | Sofia Papagiannaki | -------------------- |
136 | 949f8393 | Sofia Papagiannaki | |
137 | 949f8393 | Sofia Papagiannaki | Services (ex. cyclades, pithos+) are registered in astakos via ``snf-manage registerservice``. This command generates and prints a service token useful for accessing the service API. |
138 | 949f8393 | Sofia Papagiannaki | Registered services can be viewed by ``snf-manage showservices`` command and ``snf-manage unregisterservice`` can be used to unregister a service. |
139 | 949f8393 | Sofia Papagiannaki | |
140 | 8f9976c6 | Constantinos Venetsanopoulos | .. _authentication-label: |
141 | 8f9976c6 | Constantinos Venetsanopoulos | |
142 | 8f9976c6 | Constantinos Venetsanopoulos | Astakos Users and Authentication |
143 | 8f9976c6 | Constantinos Venetsanopoulos | -------------------------------- |
144 | 8f9976c6 | Constantinos Venetsanopoulos | |
145 | 8f9976c6 | Constantinos Venetsanopoulos | Astakos incorporates django user authentication system and extends its User model. |
146 | 8f9976c6 | Constantinos Venetsanopoulos | |
147 | 8f9976c6 | Constantinos Venetsanopoulos | Since username field of django User model has a limitation of 30 characters, |
148 | 8f9976c6 | Constantinos Venetsanopoulos | AstakosUser is **uniquely** identified by the ``email`` instead. Therefore, |
149 | 8f9976c6 | Constantinos Venetsanopoulos | ``astakos.im.authentication_backends.EmailBackend`` is served to authenticate a |
150 | 8f9976c6 | Constantinos Venetsanopoulos | user using email if the first argument is actually an email, otherwise tries |
151 | 8f9976c6 | Constantinos Venetsanopoulos | the username. |
152 | 8f9976c6 | Constantinos Venetsanopoulos | |
153 | 8f9976c6 | Constantinos Venetsanopoulos | A new AstakosUser instance is assigned with a uui as username and also with a |
154 | 8f9976c6 | Constantinos Venetsanopoulos | ``auth_token`` used by the cloud services to authenticate the user. |
155 | 8f9976c6 | Constantinos Venetsanopoulos | ``astakos.im.authentication_backends.TokenBackend`` is also specified in order |
156 | 8f9976c6 | Constantinos Venetsanopoulos | to authenticate the user using the email and the token fields. |
157 | 8f9976c6 | Constantinos Venetsanopoulos | |
158 | 8f9976c6 | Constantinos Venetsanopoulos | Logged on users can perform a number of actions: |
159 | 8f9976c6 | Constantinos Venetsanopoulos | |
160 | 8f9976c6 | Constantinos Venetsanopoulos | * access and edit their profile via: ``/im/profile``. |
161 | 8f9976c6 | Constantinos Venetsanopoulos | * change their password via: ``/im/password`` |
162 | 8f9976c6 | Constantinos Venetsanopoulos | * invite somebody else via: ``/im/invite`` |
163 | 8f9976c6 | Constantinos Venetsanopoulos | * send feedback for grnet services via: ``/im/send_feedback`` |
164 | 8f9976c6 | Constantinos Venetsanopoulos | * logout (and delete cookie) via: ``/im/logout`` |
165 | 8f9976c6 | Constantinos Venetsanopoulos | |
166 | 53d6886e | Sofia Papagiannaki | User entries can also be modified/added via the ``snf-manage`` commands. |
167 | 8f9976c6 | Constantinos Venetsanopoulos | |
168 | 8f9976c6 | Constantinos Venetsanopoulos | Internal Astakos requests are handled using cookie-based django user sessions. |
169 | 8f9976c6 | Constantinos Venetsanopoulos | |
170 | 949f8393 | Sofia Papagiannaki | External systems should forward to the ``/login`` URI. The server, |
171 | 8f9976c6 | Constantinos Venetsanopoulos | depending on its configuration will redirect to the appropriate login page. |
172 | 8f9976c6 | Constantinos Venetsanopoulos | When done with logging in, the service's login URI should redirect to the URI |
173 | 8f9976c6 | Constantinos Venetsanopoulos | provided with next, adding user and token parameters, which contain the email |
174 | 8f9976c6 | Constantinos Venetsanopoulos | and token fields respectively. |
175 | 8f9976c6 | Constantinos Venetsanopoulos | |
176 | 8f9976c6 | Constantinos Venetsanopoulos | The login URI accepts the following parameters: |
177 | 8f9976c6 | Constantinos Venetsanopoulos | |
178 | 8f9976c6 | Constantinos Venetsanopoulos | ====================== ========================= |
179 | 8f9976c6 | Constantinos Venetsanopoulos | Request Parameter Name Value |
180 | 8f9976c6 | Constantinos Venetsanopoulos | ====================== ========================= |
181 | 8f9976c6 | Constantinos Venetsanopoulos | next The URI to redirect to when the process is finished |
182 | 8f9976c6 | Constantinos Venetsanopoulos | renew Force token renewal (no value parameter) |
183 | 8f9976c6 | Constantinos Venetsanopoulos | force Force logout current user (no value parameter) |
184 | 8f9976c6 | Constantinos Venetsanopoulos | ====================== ========================= |
185 | 8f9976c6 | Constantinos Venetsanopoulos | |
186 | 53d6886e | Sofia Papagiannaki | External systems inside the ASTAKOS_COOKIE_DOMAIN scope can acquire the user information by the |
187 | 53d6886e | Sofia Papagiannaki | cookie identified by ASTAKOS_COOKIE_NAME setting (set during the login procedure). |
188 | 8f9976c6 | Constantinos Venetsanopoulos | |
189 | 8f9976c6 | Constantinos Venetsanopoulos | Finally, backend systems having acquired a token can use the |
190 | 8f9976c6 | Constantinos Venetsanopoulos | :ref:`authenticate-api-label` api call from a private network or through HTTPS. |