atoti_plus.security module¶
- class atoti_plus.security.BasicSecurity(_java_api, users)¶
Manage basic authentication on the session.
Note
This requires
AuthenticationConfig
to be configured.- create_user(username, *, password=None, roles=())¶
Add a user able to authenticate against the session using Basic Authentication.
The roles and password of the user can be changed at any time.
Example
>>> session = tt.create_session( ... "tesla", config={"authentication": {"basic": {}}} ... ) >>> sorted(session.security.basic.users.keys()) [] >>> elon = session.security.basic.create_user( ... "elon", password="X Æ A-12", roles=["ROLE_SOUTH_AFRICA"] ... ) >>> # The special ROLE_USER role is automatically added >>> sorted(elon.roles) ['ROLE_SOUTH_AFRICA', 'ROLE_USER'] >>> elon.roles.add("ROLE_USA") >>> sorted(elon.roles) ['ROLE_SOUTH_AFRICA', 'ROLE_USA', 'ROLE_USER'] >>> # Change the password >>> elon.password = "AE A-XII" >>> # Revoke access >>> del session.security.basic.users["elon"] >>> sorted(session.security.basic.users.keys()) []
- Return type
- users: BasicUsers¶
- class atoti_plus.security.BasicUsers(_java_api)¶
- class atoti_plus.security.KerberosSecurity(_java_api, users)¶
Manage Kerberos authentication on the session.
Note
This requires
KerberosConfig
to be configured.- create_user(username, *, roles=())¶
Add a user able to authenticate against the session using Kerberos.
The roles of the user can be changed at any time.
Users without the role ROLE_USER will not have access to the application.
See also
create_user()
for a similar usage example.- Return type
- users: KerberosUsers¶
- class atoti_plus.security.KerberosUsers(_java_api)¶
- class atoti_plus.security.LdapSecurity(_java_api, role_mapping)¶
Allows mapping roles granted by the authentication provider to the roles to use in the session.
Users who do not have the ROLE_USER session role will not be able to access the session.
Note
This requires
LdapConfig
to be configured.- Example
>>> session = tt.create_session( ... config={ ... "authentication": { ... "ldap": { ... "url": "ldap://ldap.forumsys.com:389/", ... "base_dn": "dc=example,dc=com", ... "user_search_filter": "(uid={0})", ... "group_search_filter": "(uniqueMember={0})", ... }, ... }, ... } ... ) >>> mathematicians_role = session.security.create_role( ... "ROLE_MATHS", restrictions={"City": ["Paris"]} ... )
Roles from the authentication provider can be mapped to roles in the session.
>>> session.security.ldap.role_mapping["MATHEMATICIANS"] = [ ... "ROLE_MATHS", ... "ROLE_USER", ... ]
- role_mapping: RoleMapping¶
- class atoti_plus.security.OidcSecurity(_java_api, role_mapping)¶
Allows mapping roles granted by the authentication provider’s ID Token to the roles to use in the session.
Users who do not have the ROLE_USER session role will not be able to access the session.
Note
This requires
OidcConfig
to be configured.Example
>>> import os >>> session = tt.create_session( ... "OpenID", ... config={ ... "authentication": { ... "oidc": { ... "provider_id": "auth0", ... "issuer_url": os.environ["AUTH0_ISSUER"], ... "client_id": os.environ["AUTH0_CLIENT_ID"], ... "client_secret": os.environ["AUTH0_CLIENT_SECRET"], ... "scopes": ["email", "profile", "username"], ... "name_claim": "email", ... "roles_claims": ["https://activeviam:eu:auth0:com/roles"], ... }, ... }, ... "port": 1234, ... }, ... ) >>> france_role = session.security.create_role( ... "ROLE_FRANCE", restrictions={"Country": "France"} ... )
Roles from the authentication provider’s ID Token can be mapped to roles in the session:
>>> session.security.oidc.role_mapping["atoti user"] = ["ROLE_USER"] >>> session.security.oidc.role_mapping["France"] = [france_role.name]
- role_mapping: RoleMapping¶
- class atoti_plus.security.Restrictions(*, _java_api, _role, _restrictions)¶
The restrictions associated with a role can be modified at any time.
Restrictions apply on table columns and are inherited by all hierarchies based on these columns.
Restrictions on different hierarchies are intersected.
However, if a user has several roles with restrictions on the same hierarchies, access to the union of restricted members will be granted.
Example:
>>> role_france = session.security.create_role( ... "ROLE_FRANCE", restrictions={"Country": ["France"]} ... ) >>> sorted(session.security.roles.keys()) ['ROLE_FRANCE'] >>> role_america = session.security.create_role( ... "ROLE_AMERICA", restrictions={"Country": ["Canada", "USA"]} ... ) >>> sorted(role_america.restrictions["Country"]) ['Canada', 'USA'] >>> sorted(session.security.roles.keys()) ['ROLE_AMERICA', 'ROLE_FRANCE'] >>> role_china = session.security.create_role( ... "ROLE_CHINA", restrictions={"Country": ["China"]} ... ) >>> role_france.restrictions["City"] = ["Paris"] >>> sorted(role_france.restrictions.keys()) ['City', 'Country']
In this example:
A user with the role ROLE_AMERICA will only see the data related to USA and Canada and will not see the data for France.
A user with the role ROLE_FRANCE will only see the data where the country is France AND the city is Paris
A user with both ROLE_AMERICA and ROLE_CHINA will see the data where the country is USA, Canada, OR China.
Example:
>>> del session.security.roles["ROLE_FRANCE"] >>> sorted(session.security.roles.keys()) ['ROLE_AMERICA', 'ROLE_CHINA']
- class atoti_plus.security.Role(name, *, restrictions, _java_api)¶
A role and its restrictions.
- restrictions: Restrictions¶
- class atoti_plus.security.RoleMapping(_java_api, _type)¶
Mapping between roles or usernames comming from the authentication provider to those to use in the session.
- class atoti_plus.security.Roles(_java_api)¶
All of the roles defined in the session.
- class atoti_plus.security.Security(java_api)¶
Security management for the current session.
- basic: BasicSecurity¶
- create_role(name, *, restrictions={})¶
Create a role with the given restrictions.
There are special roles which cannot be redefined:
ROLE_USER: required to access the application
ROLE_ADMIN: gives full access (read, write, delete, etc) to the application
- Return type
- kerberos: KerberosSecurity¶
- ldap: LdapSecurity¶
- oidc: OidcSecurity¶
- class atoti_plus.security.User(username, *, _java_api, authentication_type, password=None, roles)¶
- class atoti_plus.security.UserRoles(_data, _user)¶