root / docs / astakos.rst @ 8f9976c6
History | View | Annotate | Download (6.3 kB)
1 |
.. _astakos: |
---|---|
2 |
|
3 |
Identity Management Service (astakos) |
4 |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
5 |
|
6 |
Astakos is the synnefo Identity Management Service. |
7 |
|
8 |
Introduction |
9 |
============ |
10 |
|
11 |
Astakos serves as the point of authentication for GRNET (http://www.grnet.gr) |
12 |
services. It is a platform-wide service, allowing users to register, login, and |
13 |
keep track of permissions. |
14 |
|
15 |
Users in astakos can be authenticated via several identity providers: |
16 |
|
17 |
* Local |
18 |
|
19 |
* Shibboleth |
20 |
|
21 |
It provides also a command line tool for managing user accounts. |
22 |
|
23 |
It is build over django and extends its authentication mechanism. |
24 |
|
25 |
This document's goals are: |
26 |
|
27 |
* present the overall architectural design. |
28 |
* provide basic use cases. |
29 |
|
30 |
The present document is meant to be read alongside the Django documentation |
31 |
(https://www.djangoproject.com/). Thus, it is suggested that the reader is |
32 |
familiar with associated technologies. |
33 |
|
34 |
|
35 |
Astakos Architecture |
36 |
==================== |
37 |
|
38 |
Overview |
39 |
-------- |
40 |
|
41 |
Astakos service co-ordinates the access to resources (and the subsequent |
42 |
permission model) and acts as the single point of registry and entry to the |
43 |
GRNET cloud offering, comprising of Cyclades and Pithos+ subsystems. |
44 |
|
45 |
It also propagates the user state to the Aquarium pricing subsystem. |
46 |
|
47 |
.. image:: images/~okeanos.jpg |
48 |
|
49 |
Registration Use Cases |
50 |
---------------------- |
51 |
|
52 |
The following subsections describe two basic registration use cases. All the |
53 |
registration cases are covered in :ref:`registration-flow-label` |
54 |
|
55 |
Invited user |
56 |
~~~~~~~~~~~~ |
57 |
|
58 |
A registered ~okeanos user, invites student Alice to subscribe to ~okeanos |
59 |
services. Alice receives an email and through a link is navigated to Astakos's |
60 |
signup page. The system prompts her to select one of the available |
61 |
authentication mechanisms (Shibboleth, Twitter or local authentication) in |
62 |
order to register to the system. Alice already has a Shibboleth account so |
63 |
chooses that and then she is redirected to her institution's login page. Upon |
64 |
successful login, her account is created. |
65 |
|
66 |
Since she is invited his account is automaticaly activated and she is |
67 |
redirected to Astakos's login page. As this is the first time Alice has |
68 |
accessed the system she is redirected to her profile page where she can edit or |
69 |
provide more information. |
70 |
|
71 |
Not invited user |
72 |
~~~~~~~~~~~~~~~~ |
73 |
|
74 |
Tony while browsing in the internet finds out about ~okeanos services. He |
75 |
visits the signup page and since his has already a twitter account selects the |
76 |
twitter authentication mechanism and he is redirected to twitter login page |
77 |
where he is promted to provide his credentials. Upon successful login, twitter |
78 |
redirects him back to the Astakos and the account is created. |
79 |
|
80 |
Since his not an invited user his account has to be activated from an |
81 |
administrator first, in order to be able to login. Upon the account's |
82 |
activation he receives an email and through a link he is redirected to the |
83 |
login page. |
84 |
|
85 |
Authentication Use Cases |
86 |
------------------------ |
87 |
|
88 |
Cloud service user |
89 |
~~~~~~~~~~~~~~~~~~ |
90 |
|
91 |
Alice requests a specific resource from a cloud service ex. Pithos. In the |
92 |
request supplies the `X-Auth-Token`` to identify whether she is eligible to |
93 |
perform the specific task. The service contacts Astakos through its |
94 |
``/im/authenticate`` api call (see :ref:`authenticate-api-label`) providing the |
95 |
specific ``X-Auth-Token``. Astakos checkes whether the token belongs to an |
96 |
active user and it has not expired and returns a dictionary containing user |
97 |
related information. Finally the service uses the ``uniq`` field included in |
98 |
the dictionary as the account string to identify the user accessible resources. |
99 |
|
100 |
.. _registration-flow-label: |
101 |
|
102 |
Registration Flow |
103 |
----------------- |
104 |
|
105 |
.. image:: images/signup.jpg |
106 |
:scale: 100% |
107 |
|
108 |
Login Flow |
109 |
---------- |
110 |
.. image:: images/login.jpg |
111 |
:scale: 100% |
112 |
|
113 |
.. _authentication-label: |
114 |
|
115 |
Astakos Users and Authentication |
116 |
-------------------------------- |
117 |
|
118 |
Astakos incorporates django user authentication system and extends its User model. |
119 |
|
120 |
Since username field of django User model has a limitation of 30 characters, |
121 |
AstakosUser is **uniquely** identified by the ``email`` instead. Therefore, |
122 |
``astakos.im.authentication_backends.EmailBackend`` is served to authenticate a |
123 |
user using email if the first argument is actually an email, otherwise tries |
124 |
the username. |
125 |
|
126 |
A new AstakosUser instance is assigned with a uui as username and also with a |
127 |
``auth_token`` used by the cloud services to authenticate the user. |
128 |
``astakos.im.authentication_backends.TokenBackend`` is also specified in order |
129 |
to authenticate the user using the email and the token fields. |
130 |
|
131 |
Logged on users can perform a number of actions: |
132 |
|
133 |
* access and edit their profile via: ``/im/profile``. |
134 |
* change their password via: ``/im/password`` |
135 |
* invite somebody else via: ``/im/invite`` |
136 |
* send feedback for grnet services via: ``/im/send_feedback`` |
137 |
* logout (and delete cookie) via: ``/im/logout`` |
138 |
|
139 |
User entries can also be modified/added via the ``snf-manage activateuser`` command. |
140 |
|
141 |
A superuser account can be created the first time you run the ``manage.py |
142 |
syncdb`` django command and then loading the extra user data from the |
143 |
``admin_user`` fixture. At a later date, the ``manage.py createsuperuser`` |
144 |
command line utility can be used (as long as the extra user data for Astakos is |
145 |
added with a fixture or by hand). |
146 |
|
147 |
Internal Astakos requests are handled using cookie-based django user sessions. |
148 |
|
149 |
External systems in the same domain can delgate ``/login`` URI. The server, |
150 |
depending on its configuration will redirect to the appropriate login page. |
151 |
When done with logging in, the service's login URI should redirect to the URI |
152 |
provided with next, adding user and token parameters, which contain the email |
153 |
and token fields respectively. |
154 |
|
155 |
The login URI accepts the following parameters: |
156 |
|
157 |
====================== ========================= |
158 |
Request Parameter Name Value |
159 |
====================== ========================= |
160 |
next The URI to redirect to when the process is finished |
161 |
renew Force token renewal (no value parameter) |
162 |
force Force logout current user (no value parameter) |
163 |
====================== ========================= |
164 |
|
165 |
External systems outside the domain scope can acquire the user information by a |
166 |
cookie set identified by ASTAKOS_COOKIE_NAME setting. |
167 |
|
168 |
Finally, backend systems having acquired a token can use the |
169 |
:ref:`authenticate-api-label` api call from a private network or through HTTPS. |
170 |
|