Commit f15941b2 authored by Sofia Papagiannaki's avatar Sofia Papagiannaki
Browse files

update snf-astakos documentation

parent fd3e4602
......@@ -6,27 +6,14 @@ This is Astakos API guide.
Overview
--------
Astakos serves as the point of authentication for GRNET (http://www.grnet.gr)
services. It is a platform-wide service, allowing users to register, login, and
keep track of permissions.
Users in astakos can be authenticated via several identity providers:
* Local
* Twitter
* Shibboleth
It provides also a command line tool for managing user accounts.
It is build over django and extends its authentication mechanism.
Astakos service co-ordinates the access to resources (and the subsequent
permission model) and acts as the single point of registry and entry to the
GRNET cloud services.
This document's goals is to describe the APIs to the outer world.
Make sure you have read the :ref:`astakos` general architecture first.
The present document is meant to be read alongside the Django documentation
(https://www.djangoproject.com/). Thus, it is suggested that the reader is
familiar with associated technologies.
Document Revisions
^^^^^^^^^^^^^^^^^^
......
.. _astakos:
Identity Management Service (astakos)
Identity Management Service (Astakos)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Astakos is the synnefo Identity Management Service.
Astakos is GRNET project that provides identity management, catalog and policy services.
It is designed to be used by the synnefo family software,
but is free and open to use by anybody, under a BSD-2 clause license.
Introduction
============
Astakos serves as the point of authentication for GRNET (http://www.grnet.gr)
services. It is a platform-wide service, allowing users to register, login, and
keep track of permissions.
Astakos serves as a unique point of authentication for `GRNET <http://www.grnet.gr>`_
cloud services. It is a platform-wide service that allows users to manage their accounts.
Users in astakos can be authenticated via several identity providers:
* Local
* Twitter
* Shibboleth
It provides also a command line tool for managing user accounts.
It extends the ``snf-manage`` command line tool by introducing commands for managing the user accounts.
It is build over django and extends its authentication mechanism.
......@@ -27,8 +27,8 @@ This document's goals are:
* present the overall architectural design.
* provide basic use cases.
The present document is meant to be read alongside the Django documentation
(https://www.djangoproject.com/). Thus, it is suggested that the reader is
The present document is meant to be read alongside the `Django documentation
<https://www.djangoproject.com/>`_. Thus, it is suggested that the reader is
familiar with associated technologies.
......@@ -50,7 +50,7 @@ Registration Use Cases
----------------------
The following subsections describe two basic registration use cases. All the
registration cases are covered in :ref:`registration-flow-label`
registration cases are illustrated in :ref:`registration-flow-label`
Invited user
~~~~~~~~~~~~
......@@ -58,12 +58,12 @@ Invited user
A registered ~okeanos user, invites student Alice to subscribe to ~okeanos
services. Alice receives an email and through a link is navigated to Astakos's
signup page. The system prompts her to select one of the available
authentication mechanisms (Shibboleth, Twitter or local authentication) in
authentication mechanisms (Shibboleth, local authentication) in
order to register to the system. Alice already has a Shibboleth account so
chooses that and then she is redirected to her institution's login page. Upon
successful login, her account is created.
Since she is invited his account is automaticaly activated and she is
Since she is invited her account is automaticaly activated and she is
redirected to Astakos's login page. As this is the first time Alice has
accessed the system she is redirected to her profile page where she can edit or
provide more information.
......@@ -72,15 +72,10 @@ Not invited user
~~~~~~~~~~~~~~~~
Tony while browsing in the internet finds out about ~okeanos services. He
visits the signup page and since his has already a twitter account selects the
twitter authentication mechanism and he is redirected to twitter login page
where he is promted to provide his credentials. Upon successful login, twitter
redirects him back to the Astakos and the account is created.
Since his not an invited user his account has to be activated from an
administrator first, in order to be able to login. Upon the account's
activation he receives an email and through a link he is redirected to the
login page.
visits the signup page and fills the signup form. Since his not an invited
user his account has to be activated from an administrator first,
in order to be able to login. Upon the account's activation he receives
an email and through a link he is redirected to the login page.
Authentication Use Cases
------------------------
......@@ -88,7 +83,7 @@ Authentication Use Cases
Cloud service user
~~~~~~~~~~~~~~~~~~
Alice requests a specific resource from a cloud service ex. Pithos. In the
Alice requests a specific resource from a cloud service ex. Pithos+. In the
request supplies the `X-Auth-Token`` to identify whether she is eligible to
perform the specific task. The service contacts Astakos through its
``/im/authenticate`` api call (see :ref:`authenticate-api-label`) providing the
......@@ -102,14 +97,40 @@ the dictionary as the account string to identify the user accessible resources.
Registration Flow
-----------------
Responsible for handling the account registration and activation requests is the ``signup`` view. This view checks whether it is a request for a local account. If this is not the case, the user is navigated to the third-party provider to authenticate against it and upon success is redirected back in the ``signup`` view. If the supplied information is valid an inactive account is created. Then the appropriate ``ActivationBackend`` handles the account activation: the ``InvitationsBackend`` if the invitation mechanism is enabled and the ``SimpleBackend`` otherwise.
In the first case, if the request is accompanied with a valid invitation code the user is automatically activated and since it's email address (where received the invitation) is verified, acquires a valid token and is logged in the system. If there is no invitation associated with the request, the system check whether the email matches any of the ASTAKOS_RE_USER_EMAIL_PATTERNS and if it does it sends an email to the user to verify the email address, otherwise the system sends a notification email to the administrators and informs the user that the account activation will be moderated by them.
If the invitation mechanism is not enabled, the ``SimpleBackend`` checks if the email address matches any of the ASTAKOS_RE_USER_EMAIL_PATTERNS or the moderation is not enabled and it sends a verification email, otherwise informs the user that the account is pending approval and sends a notification email to the admins.
The verification email contains a link that navigates the user to ``activate`` view through a URI that contains also a temporary user token. If this token is valid the user account is activated and the user is logged in the system, after renewing the token and setting the cookie identified by ASTAKOS_COOKIE_NAME (used by the ~okeanos subcomponents).
If FORCE_PROFILE_UPDATE is set, after the first successful login the user is navigated first to the ``profile`` view, before been redirected to the ``next`` parameter value.
.. image:: images/astakos-signup.jpg
:scale: 100%
Login Flow
----------
During loging procedure the user is authenticated by the respective identity provider.
If ASTAKOS_RECAPTCHA_ENABLED is set and the user fails several times (ASTAKOS_RATELIMIT_RETRIES_ALLOWED setting) to provide the correct credentials for a local account, is prompted to solve a captcha challenge.
Upon success, the system renews the token (if it has been expired), logins the user and sets the cookie, before redirecting the user to the ``next`` parameter value.
.. image:: images/astakos-login.jpg
:scale: 100%
Approval Terms
--------------
The ``snf-manage addterms`` command serves to add new approval terms.
During the account registration, if there are approval terms, the user has to agree with them in order to proceed.
In case there are later approval terms that the user has not signed, the ``signed_terms_required`` view decorator redirects to the ``approval_terms`` view.
.. _authentication-label:
Astakos Users and Authentication
......@@ -136,17 +157,11 @@ Logged on users can perform a number of actions:
* send feedback for grnet services via: ``/im/send_feedback``
* logout (and delete cookie) via: ``/im/logout``
User entries can also be modified/added via the ``snf-manage activateuser`` command.
A superuser account can be created the first time you run the ``manage.py
syncdb`` django command and then loading the extra user data from the
``admin_user`` fixture. At a later date, the ``manage.py createsuperuser``
command line utility can be used (as long as the extra user data for Astakos is
added with a fixture or by hand).
User entries can also be modified/added via the ``snf-manage`` commands.
Internal Astakos requests are handled using cookie-based django user sessions.
External systems in the same domain can delgate ``/login`` URI. The server,
External systems can delgate ``/login`` URI. The server,
depending on its configuration will redirect to the appropriate login page.
When done with logging in, the service's login URI should redirect to the URI
provided with next, adding user and token parameters, which contain the email
......@@ -162,8 +177,8 @@ renew Force token renewal (no value parameter)
force Force logout current user (no value parameter)
====================== =========================
External systems outside the domain scope can acquire the user information by a
cookie set identified by ASTAKOS_COOKIE_NAME setting.
External systems inside the ASTAKOS_COOKIE_DOMAIN scope can acquire the user information by the
cookie identified by ASTAKOS_COOKIE_NAME setting (set during the login procedure).
Finally, backend systems having acquired a token can use the
:ref:`authenticate-api-label` api call from a private network or through HTTPS.
......
docs/images/astakos-signup.jpg

120 KB | W: | H:

docs/images/astakos-signup.jpg

143 KB | W: | H:

docs/images/astakos-signup.jpg
docs/images/astakos-signup.jpg
docs/images/astakos-signup.jpg
docs/images/astakos-signup.jpg
  • 2-up
  • Swipe
  • Onion skin
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment