nerc-project / coldfront-plugin-api
Simple REST API plugin for ColdFront
License: GNU General Public License v3.0
Currently there is no way to search a username based on the user's email address through the SCIM User API.
This functionality is necessary since some users have changed their username and we need to be able to find their corresponding account through the email address.
Also update the registration script to make use of the new filtering functionality once it is in place.
The ColdFront API already supports authentication via OAuth (NERC Keycloak), so it can work with a user's own account.
In the current state of our API, only administrators can manage user/group memberships (staff flag in ColdFront), and the user registration script supports authentication only using client credentials.
We should allow PIs and managers to issue API requests with their OAuth token to manage a project they are PI of or have the manager role on.
(Optionally, Investigate) Another advantage of implementing assignment of users to a project through the SCIM v2 API is also to allow the possibility of universities integrating their own tooling into the SCIM API. There is a myriad of tools already providing support for provisioning of users and group memberships into a SCIM API, as listed here http://simplecloud.info, and I would bet that a lot of the university and partner organizations are already making use of SCIM for provisioning Google Workspace, Office 365, etc.
Currently I am the only person with experience in running it. More people should know how so that there isn't any single-person bottleneck for the operation.
Currently it is not possible to add someone with a manager role through the API, so we've had to do this manually for TAs of a class.
There are two design issues to work out
One possible solution is to expose both memberships through the API as different groups:
Ex.
/Groups/allocation-123 would return the users of Resource Allocation 123 (currently /Groups/123).
/Groups/project-1234-users would return the users with a User role on Project 123.
/Groups/project-1234-managers would return the users with a Manager role on Project 123.
Currently the invoicing tools make an API request to /api/allocations?all=true. This responds with ALL the allocations, which doesn't scale.
We need to allow filtering by a specific attribute so that we can search for the allocation that we need.
This should be based on SCIM, to allow for interoperability with external provisioning tools.
The repo currently does not have a linter workflow or any provided linter pre-commit hook to help with enforcing a uniform Python formatting convention.
#31 moved the SCIM Users endpoint over to using django_scim2; we should do the same for Groups.
The script to register users currently requires a service account to authenticate with Keycloak; however, Keycloak also supports the OAuth 2.0 Device Authorization Grant. This is the flow in which the CLI generates a code and link, you open a browser and authenticate using that link, which gives you a token, and you insert that into the CLI. This is the flow you use to authenticate to streaming services on your TV and the flow that OpenShift uses for CLI authentication.
If we support/document this flow, we can allow users to interact with the API through the CLI without requiring a Keycloak service account.
If we additionally support #11 we could allow PIs themselves to bulk add through the script.
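The client-side polling step of the Device Authorization Grant (RFC 8628) mentioned above, as an added example that is not code from this repository. The injected `post` helper, the token URL, the client id and the canned responses are all constructed assumptions so the logic runs offline.

```python
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"


class DeviceFlowError(Exception):
    """Raised when the grant is denied, expires or the response is malformed."""


def poll_for_token(post, token_url, client_id, device_code,
                   interval=5, expires_in=600, sleep=time.sleep):
    """Poll the token endpoint until the user approves in the browser.

    `post(url, data) -> dict` is a hypothetical HTTP helper injected by the
    caller. No client secret is sent: the CLI acts as a public client.
    """
    waited = 0
    while waited < expires_in:
        sleep(interval)
        waited += interval
        body = post(token_url, {"grant_type": GRANT_TYPE,
                                "client_id": client_id,
                                "device_code": device_code})
        if "access_token" in body:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            continue              # user has not finished logging in yet
        if error == "slow_down":
            interval += 5         # RFC 8628 section 3.5: back off by 5 seconds
            continue
        # access_denied, expired_token, or anything unexpected: stop polling
        raise DeviceFlowError(error or "malformed token response")
    raise DeviceFlowError("expired_token")


def simulated_endpoint(responses):
    """Constructed stand-in for the token endpoint; replays canned replies."""
    calls = []

    def post(url, data):
        calls.append(data)
        return responses[len(calls) - 1]
    return post, calls
```

Injecting `sleep` lets the back-off schedule be checked without waiting; a real CLI would keep the default and hold the returned token in memory rather than writing it to logs.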
In the current flow of using ColdFront through the web browser, a PI and all members of a project register through RegApp, which creates for them an account in Keycloak. Afterwards the PI logs in to ColdFront with their institutional account and requests PI status, creates a project, resource allocation, and then adds users to the project through a search box. The search box finds users that are registered with the NERC Keycloak even though ColdFront is unaware of them since they haven’t logged in to it.
#9, which merged today, allows adding/removing users that are present in ColdFront. However, it is unlikely that normal members log in to ColdFront since it doesn't provide them any functionality; they just register through RegApp.
Solution
Currently, /api/allocations only returns resource allocations that are in Active state.
As an API consumer, I want the ability to query resource allocations that are not Active.
This is important for invoicing as a resource allocation may have been active at some point during the last month and therefore its information needs to be queried when generating the invoices.
Should return 404.
Access to the resource allocation will work fine, but the user won't see it show up in their ColdFront list.
As a ColdFront administrator or PI, I want to be able to manage users and membership to my Resource Allocations through an API.
This will enable mass subscriptions.