Wiki source code of Storing data in user space
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | This article describes a workflow that you can follow to use the Collaboratory.drive as a backend for your service to be able to store and read data inside a privatre user space. | ||
| 2 | |||
| 3 | == Solution description == | ||
| 4 | |||
| 5 | Your Keycloak client can be setup to have a service account linked to it. This service account being seen as a user by Keycloak, it can log in the Collaboratory.drive to have its user account synchronised there. | ||
| 6 | |||
| 7 | From this point, everything is set up to let your service account create and share files and folders to existing users. This can be achieved by using the existing Seafile API (the tool behind the Collaboratory.drive). | ||
| 8 | |||
| 9 | == Creating a service account == | ||
| 10 | |||
| 11 | If needed, follow the [[guide to create an OpenID Connect client>>doc:Collabs.collab-devs.RFC.Community App Developer Guide.WebHome||anchor="HCreatingyourOpenIDConnectclient"]]. | ||
| 12 | |||
| 13 | You will need to [[modify your client>>doc:Collabs.collab-devs.RFC.Community App Developer Guide.WebHome||anchor="HModifyingyourclient"]] to allow service accounts: | ||
| 14 | |||
| 15 | {{code language="bash"}} | ||
| 16 | # Set your registration token | ||
| 17 | clb_reg_token=... | ||
| 18 | |||
| 19 | # Update the client | ||
| 20 | curl -X PUT https://iam.humanbrainproject.eu/auth/realms/hbp/clients-registrations/default/my-awesome-client \ | ||
| 21 | -H "Authorization: Bearer ${clb_reg_token}" \ | ||
| 22 | -H 'Content-Type: application/json' \ | ||
| 23 | -d '{ | ||
| 24 | "clientId": "my-awesome-client", | ||
| 25 | "serviceAccountsEnabled": true | ||
| 26 | }' | | ||
| 27 | |||
| 28 | # Prettify the JSON response | ||
| 29 | json_pp; | ||
| 30 | {{/code}} | ||
| 31 | |||
| 32 | == Creating a user account for the service account in the Collaboratory.drive == | ||
| 33 | |||
| 34 | This step requires admin privileges. Please send a request to [[support@humanbrainproject.eu>>mailto:support@humanbrainproject.eu]] in order to get help. | ||
| 35 | |||
| 36 | The steps for the admins are described are the following: | ||
| 37 | |||
| 38 | 1. get the service account sub | ||
| 39 | 1. enable the service account user | ||
| 40 | 1. impersonate the service account | ||
| 41 | 1. log in Collaboratory.drive | ||
| 42 | |||
| 43 | === Getting the service account sub === | ||
| 44 | |||
| 45 | One way to get the service account is to request a token with its credentials. | ||
| 46 | |||
| 47 | {{code language="bash"}} | ||
| 48 | # Set the client id and secret | ||
| 49 | clb_client_id=... | ||
| 50 | clb_client_secret=... | ||
| 51 | |||
| 52 | # Update the client | ||
| 53 | curl -X POST https://iam-dev.humanbrainproject.eu/auth/realms/hbp/protocol/openid-connect/token \ | ||
| 54 | -d 'grant_type=client_credentials' \ | ||
| 55 | -d "client_id=${clb_client_id}" \ | ||
| 56 | -d "client_secret=${clb_client_secret}" | | ||
| 57 | |||
| 58 | # Prettify the JSON response | ||
| 59 | json_pp; | ||
| 60 | {{/code}} | ||
| 61 | |||
| 62 | Fetch the access token from the response and use a tool to decode its payload. [[https://jwt.io/]] is one option. Copy the sub from the payload. | ||
| 63 | |||
| 64 | === Enabling the service account user === | ||
| 65 | |||
| 66 | Navigate to https://iam.humanbrainproject.eu/auth/admin/master/console/#/realms/hbp/users/$sub (replacing $sub with the value you got at the previous step). | ||
| 67 | |||
| 68 | Set the "Email Verified" value to "On" and remove any "Required User Actions". | ||
| 69 | |||
| 70 | You can now impersonate the user and log in the Collaboratory.drive, which will create the user account for the service account. |