bluesky_httpserver.authorization.ServerBasedAPIAccessControl¶

class bluesky_httpserver.authorization.ServerBasedAPIAccessControl(*, instrument=None, roles=None, server='localhost', port=8000, update_period=600, expiration_period=None, http_timeout=5)[source]¶

Access policy based on external Access Control Server. The user access data is periodically requested from the server using REST API. The access control server is expected to expose /instrument/{instrument}/qserver/access API, where instrument is the lowercase name of the instrument passed to the class constructor. The API is expected to return a dictionary which maps roles (‘admin’, ‘expert’, ‘advanced’, ‘user’, ‘observer’) to dictionaries with information on users that are assigned the role, for example

{
    "admin": {
        "bob": {"email": "bob@gmail.com"},
        "tom": {},
    },
    "expert": {
        "bob": {"email": "bob@gmail.com"}
    },
    "advanced": {
        "jdoe": {"email": "jdoe@gmail.com", "first_name": "John", "last_name": "Doe"}
    },
    "user": {},
    "observer": {},
}

User information consists of the username (dictionary key, which makes it mandatory) and optional 'email' and 'displayed_name'. Additional user information is ignored.

Access information is requested from the server at startup and periodically updated during operation with the period update_period +/-20%. If the server is not accessible, the user access rights do not change until access information expires. The expiration period is set using the parameter expiration_period. If the access information expires and an attempt to update it fails, all users lose access to the HTTP server.

The scopes for the roles can be modified by passing the parameter dictionary with the parameter roles. The dictionary is handled by the constructor of BasicAPIAccessControl. See the class documentation for more details.

Parameters:

instrument: str: Instrument ID, such as ‘SRX’ or ‘TES’. This is the required parameter.
roles: dict or None, optional: The dictionary that defines new and/or modifies existing roles. The dictionary is passed to the BasicAPIAccessControl constructor. Default: None.
server: str, optional: Access Control server address, such as 'accesscontrol.server.com' or '110.43.6.45'. The default address is localhost.
port: int, optional: Access Control server port. The default port is 8000.
update_period: int, optional: Average period in seconds between consecutive requests for updated access data. The actual period is randomized (uniform distribution in the range +/-20% of the update period). Default: 600.
expiration_period: int or None, optional: Expiration period for the current access data. If a request to the API server fails and the data is expired, then users lose access. Longer expiration period allows users to continue operation if the API server is temporarily unavailable. If the value is None, then the period is set to 1.5 * update_period. Default: None.
http_timeout: int, optional: Timeout for requests to the API server.

__init__(*, instrument=None, roles=None, server='localhost', port=8000, update_period=600, expiration_period=None, http_timeout=5)[source]¶

Methods

`__init__`(*[, instrument, roles, server, ...])
`get_displayed_user_name`(username)	Returns the displayed user name for the user. The displayed user name is assembled from `username`, full 'displayed' user name and user's email. The formatting depends on the available data, i.e. if no additional data is available, then `username` is returned. If the user is not found, then `username` is returned. The following output is possible for the user 'jdoe'::.
`get_user_info`(username)	Returns complete user information, including a set of roles, set of scopes and displayed user name.
`get_user_roles`(username)	Returns a set of roles assigned to the user.
`get_user_scopes`(username)	Returns a set of scopes assigned to the user.
`is_user_known`(username)	Performs quick check whether the user is known.
`update_access_info`()	Send a single request to the API server and update locally stored access control info.