Wiki source code of Storing data in user space

Version 4.6 by allan on 2019/11/22 15:13
Show last authors
1 This article describes a workflow that you can follow to use the Collaboratory.drive as a backend for your service to be able to store and read data inside a privatre user space.
2
3 == Solution description ==
4
5 Your Keycloak client can be setup to have a service account linked to it. This service account being seen as a user by Keycloak, it can log in the Collaboratory.drive to have its user account synchronised there.
6
7 From this point, everything is set up to let your service account create and share files and folders to existing users. This can be achieved by using the existing Seafile API (the tool behind the Collaboratory.drive).
8
9 == Creating a service account ==
10
11 If needed, follow the [[guide to create an OpenID Connect client>>doc:Collabs.collab-devs.RFC.Community App Developer Guide.WebHome||anchor="HCreatingyourOpenIDConnectclient"]].
12
13 You will need to [[modify your client>>doc:Collabs.collab-devs.RFC.Community App Developer Guide.WebHome||anchor="HModifyingyourclient"]] to allow service accounts:
14
15 {{code language="bash"}}
16 # Set your registration token
17 clb_reg_token=...
18
19 # Update the client
20 curl -X PUT https://iam.humanbrainproject.eu/auth/realms/hbp/clients-registrations/default/my-awesome-client \
21 -H "Authorization: Bearer ${clb_reg_token}" \
22 -H 'Content-Type: application/json' \
23 -d '{
24 "clientId": "my-awesome-client",
25 "serviceAccountsEnabled": true
26 }' |
27
28 # Prettify the JSON response
29 json_pp;
30 {{/code}}
31
32 == Creating a user account for the service account in the Collaboratory.drive ==
33
34 This step requires admin privileges. Please send a request to [[support@humanbrainproject.eu>>mailto:support@humanbrainproject.eu]] in order to get help.
35
36 The steps for the admins are described are the following:
37
38 1. get the service account sub
39 1. enable the service account user
40 1. impersonate the service account
41 1. log in Collaboratory.drive
42
43 === Getting the service account sub ===
44
45 One way to get the service account is to request a token with its credentials.
46
47 {{code language="bash"}}
48 # Set the client id and secret
49 clb_client_id=...
50 clb_client_secret=...
51
52 # Call the token endpoint
53 curl -X POST https://iam-dev.humanbrainproject.eu/auth/realms/hbp/protocol/openid-connect/token \
54 -d 'grant_type=client_credentials' \
55 -d "client_id=${clb_client_id}" \
56 -d "client_secret=${clb_client_secret}" |
57
58 # Prettify the JSON response
59 json_pp;
60 {{/code}}
61
62 Fetch the access token from the response and use a tool to decode its payload. [[https://jwt.io/]] is one option. Copy the sub from the payload.
63
64 === Enabling the service account user ===
65
66 Navigate to https://iam.humanbrainproject.eu/auth/admin/master/console/#/realms/hbp/users/$sub (replacing $sub with the value you got at the previous step).
67
68 Set the "Email Verified" value to "On" and remove any "Required User Actions".
69
70 You can now impersonate the user and log in the Collaboratory.drive, which will create the user account for the service account.
71
72 == Creating the user space ==
73
74 The general process is the following:
75
76 1. Fetch a token for your service account to be able to discuss with the drive API.
77 1. Your service needs to get its default library id. It is where it will create the users' spaces.
78 1. For a given user, your service should create a folder, using a unique identifier (either the sub, username or email).
79
80 From this point, your service can now store and read data linked to users accounts.
81
82 If your service needs the data to be available in notebooks, it will need to share it with the user:
83
84 1. Inside the user folder, your service should create a folder with a name that would be common across users.
85 1. Your service should now share the inside folder with the user.
86
87 This way, notebooks will be able to refer to your service data with a common path for every user.
88
89 === Getting an API token ===
90
91 The first step is to fetch an access token for your service account. This can be done with the following request:
92
93 {{code language="bash"}}
94 # Set the client id and secret
95 clb_client_id=...
96 clb_client_secret=...
97
98 # Call the token endpoint
99 curl -X POST https://iam-dev.humanbrainproject.eu/auth/realms/hbp/protocol/openid-connect/token \
100 -d 'grant_type=client_credentials' \
101 -d "client_id=${clb_client_id}" \
102 -d "client_secret=${clb_client_secret}" |
103
104 # Prettify the JSON response
105 json_pp;
106 {{/code}}
107
108 The response will be similar to:
109
110 {{code language="javascript"}}
111 {
112 "expires_in" : 108000,
113 "not-before-policy" : 1563261088,
114 "access_token" : "eyJhbGciOiJSU...",
115 "session_state" : "4882dbae-56dc-4a91-b8ae-8ad07117d4af",
116 "refresh_expires_in" : 14400,
117 "refresh_token" : "eyJhbGciOiJIUz...",
118 "token_type" : "bearer",
119 "scope" : "openid roles email"
120 }
121 {{/code}}
122
123 Fetch the access token from this response.
124
125 The next step is to get an API token with the access token:
126
127 {{code language="bash"}}
128 # Set the access token value
129 clb_access_token=...
130
131 # Call the token endpoint
132 curl -X GET https://drive.humanbrainproject.eu/api2/account/token/ \
133 -H "Authorization: Bearer ${clb_access_token}"
134 {{/code}}
135
136 The response will look like (% class="mark" %)##1c1345da8a99b36168afef92df7f83af8b4ca6f0##(%%). This is the API token that you will need to use in your ##Authorization## header to discuss with the Collaboratory.drive API.
137
138 Note that, unlike access tokens , the API token need a header in the form of (% class="mark" %)##Authorization: **Token** your-api-token##(%%) (and not Bearer).
139
140 === Fetching your service account default library ===
141
142