Commit 137e9cf6 authored by Antony Chazapis's avatar Antony Chazapis

Use /login to redirect or not, depending on the configuration. Document.

Fixes #1778
parent cbea15c4
......@@ -19,19 +19,22 @@ The present document is meant to be read alongside the OOS API documentation. Th
Whatever marked as to be determined (**TBD**), should not be considered by implementors.
More info about Pithos can be found here: https://code.grnet.gr/projects/pithos
Document Revisions
^^^^^^^^^^^^^^^^^^
========================= ================================
Revision Description
========================= ================================
0.8 (Dec 22, 2011) Update allowed versioning values.
0.8 (Jan 19, 2012) Update allowed versioning values.
\ Change policy/meta formatting in JSON/XML replies.
\ Document that all non-ASCII characters in headers should be URL-encoded.
\ Support metadata-based queries when listing objects at the container level.
\ Note Content-Type issue when using the internal django web server.
\ Add object UUID field.
\ Always reply with the MD5 in the ETag.
\ Note that ``/login`` will only work if an external authentication system is defined.
0.7 (Nov 21, 2011) Suggest upload/download methods using hashmaps.
\ Propose syncing algorithm.
\ Support cross-account object copy and move.
......@@ -77,13 +80,11 @@ Revision Description
Pithos Users and Authentication
-------------------------------
Pithos keeps separate databases for users and objects.
Each user is uniquely identified by the ``Uniq`` field. This should be used as the user's account in the API. The API uses the ``Token`` field to authenticate a user, thus allowing cross-account requests. All API requests require a token.
In Pithos, each user is uniquely identified by a token. All API requests require a token and each token is internally resolved to an account string. The API uses the account string to identify the user's own files, thus whether a request is local or cross-account.
User entries can be modified/added via the management interface available at ``https://hostname/admin``.
Pithos does not keep a user database. For development and testing purposes, user identifiers and their corresponding tokens can be defined in the settings file. However, Pithos is designed with an external authentication service in mind. This service must handle the details of validating user credentials and communicate with Pithos via a middleware software component that, given a token, fills in the internal request account variable.
Pithos is also compatible with Shibboleth (http://shibboleth.internet2.edu/). The connection between Shibboleth and Pithos is done by ``https://hostname/login``. An application that wishes to connect to Pithos, but does not have a token, should redirect the user to the login URI.
Client software using Pithos, if not already knowing a user's identifier and token, should forward to the ``/login`` URI. The Pithos server, depending on its configuration will redirect to the appropriate login page.
The login URI accepts the following parameters:
......@@ -94,9 +95,9 @@ next The URI to redirect to when the process is finished
renew Force token renewal (no value parameter)
====================== =========================
The login process starts by redirecting the user to an external URI (controlled by Shibboleth), where the actual authentication credentials are entered. Then, the user is redirected back to the login URI from Shibboleth, with various identification information in the request headers.
When done with logging in, the service's login URI should redirect to the URI provided with ``next``, adding ``user`` and ``token`` parameters, which contain the account and token fields respectively.
If the user does not exist in the database, Pithos adds the user and creates a random token. If the user exists, the token has not expired and ``renew`` is not set, the existing token is reused. Finally, the login URI redirects to the URI provided with ``next``, adding the ``user`` and ``token`` parameters, which contain the ``Uniq`` and ``Token`` fields respectively.
A user management service that implements a login URI according to these conventions is Astakos (https://code.grnet.gr/projects/astakos), by GRNET.
The Pithos API
--------------
......
# Copyright 2011 GRNET S.A. All rights reserved.
#
# Redistribution and use in source and binary forms, with or
# without modification, are permitted provided that the following
# conditions are met:
#
# 1. Redistributions of source code must retain the above
# copyright notice, this list of conditions and the following
# disclaimer.
#
# 2. Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials
# provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY GRNET S.A. ``AS IS'' AND ANY EXPRESS
# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL GRNET S.A OR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# The views and conclusions contained in the software and
# documentation are those of the authors and should not be
# interpreted as representing official policies, either expressed
# or implied, of GRNET S.A.
import logging
from django.http import HttpResponseNotFound, HttpResponseRedirect
from django.conf import settings
logger = logging.getLogger(__name__)
def redirect_to_login_service(request):
users = settings.AUTHENTICATION_USERS
host = settings.AUTHENTICATION_HOST
if users is not None or host is None:
return HttpResponseNotFound()
if request.is_secure():
uri = 'https://'
else:
uri = 'http://'
uri = uri + host + '/login'
return HttpResponseRedirect(uri)
\ No newline at end of file
......@@ -38,5 +38,6 @@ urlpatterns = patterns('',
(r'^v1(?:$|/)', include('pithos.api.urls')),
(r'^v1\.0(?:$|/)', include('pithos.api.urls')),
(r'^public/(?P<v_public>.+?)/?$', 'pithos.api.public.public_demux'),
(r'^login/?$', 'pithos.api.login.redirect_to_login_service'),
(r'^ui', include('pithos.ui.urls'))
)
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment