SMART COSMOS Extension: User Details Service
Important
|
This is a deprecated repository, in favor of: smartcosmos-user-details-devkit. |
The User Details Service is slight modification of the Directory Service in Objects v2. The concept behind the directory service was that it provided a means to look up individual credentials from an external source, and that external source would provide a means for authentication. The User Details Service plays a similar role, but allows greater flexibility in what the particular service is looking up. This allows expansion later on into a client details service, and an extension details service. All of these roles could be filled by the same service. For example, in an industrial setting there is no concept of someone logging in, you merely want to make sure all data in the cluster is authenticated and more importantly you can instantly establish non-repudiation (authenticity). You might be using certificates to authenticate in this case, and you need another service to manage certificates rather than usernames and passwords.
Retrieving User Authorities
This assumes your relative location is this folder. The Auth Server needs to authenticate against the User Details Service with a secure login and password. This is defined inside your SMART COSMOS Configuration under smartcosmos.security.resource.user-details.name
and smartcosmos.security.resource.user-details.password
curl -X POST http://user:password@localhost:42000/authenticate \ --data '{"details":{"grant_type":"password","scope":"read","username":"test"},"authorities":[],"authenticated":false,"principal":"test","credentials":"password","":"test"}' \ -H "Content-Type: application/json" | json_pp
If you changed user
and password
in the request to match correctly, you should see something similar to the following:
{ "authorities" : [ "https://authorities.smartcosmos.net/things/read" ], "tenantUrn" : "urn:account:uuid:53f452c2-5a01-44fd-9956-3ecff7c32b30", "userUrn" : "urn:user:uuid:53f452c2-5a01-44fd-9956-3ecff7c32b30", "username" : "test", "passwordHash" : "" }
This represents the array of authorities that the user (in this case with username test and empty credentials) has on the cluster.
Not to be confused with the credentials the Auth Server used to authenticate against the User Details Service.
Configuration
The user information and authorities returned by the service are configured in the service config. Multiple users can be configured as shown in the following example.
smartcosmos:
security:
users[user]:
username: user
password: password
tenant-urn: urn:tenant:uuid:DAF0D088-75A5-4C65-B331-24F26A30A331
user-urn: urn:user:uuid:6E3718FA-3DDD-4079-89C4-D401FAC78CA1
authorities:
- https://authorities.smartcosmos.net/things/create
- https://authorities.smartcosmos.net/things/read
- https://authorities.smartcosmos.net/things/update
- https://authorities.smartcosmos.net/things/delete
- https://authorities.smartcosmos.net/metadata/create
- https://authorities.smartcosmos.net/metadata/read
- https://authorities.smartcosmos.net/metadata/update
- https://authorities.smartcosmos.net/metadata/delete
- https://authorities.smartcosmos.net/relationships/create
- https://authorities.smartcosmos.net/relationships/read
- https://authorities.smartcosmos.net/relationships/delete
users[jim]:
username: jim
password: jimpassword
tenant-urn: urn:tenant:uuid:13977FE9-6B12-4273-9522-2789D51F4A6E
user-urn: urn:user:uuid:F0586109-CD90-4645-BFD5-BC641D7EC635
authorities:
- https://authorities.smartcosmos.net/things/read
- https://authorities.smartcosmos.net/things/delete
- https://authorities.smartcosmos.net/metadata/read
- https://authorities.smartcosmos.net/relationships/read
Not a Production Service
The User Details Service outlined here is not meant for production use, and is merely provided here as an example and tool for use in development. In a production environment, you would want to provide a robust backend authentication device using something like LDAP or Stormpath