atoti_plus.security module

class atoti_plus.security.BasicSecurity(_java_api, users)

Manage basic authentication on the session.

Note

This requires AuthenticationConfig to be configured.

create_user(username, *, password=None, roles=())

Add a user able to authenticate against the session using Basic Authentication.

The roles and password of the user can be changed at any time.

Example

>>> session = tt.create_session(
...     "tesla", config={"authentication": {"basic": {}}}
... )
>>> sorted(session.security.basic.users.keys())
[]
>>> elon = session.security.basic.create_user(
...     "elon", password="X Æ A-12", roles=["ROLE_SOUTH_AFRICA"]
... )
>>> # The special ROLE_USER role is automatically added
>>> sorted(elon.roles)
['ROLE_SOUTH_AFRICA', 'ROLE_USER']
>>> elon.roles.add("ROLE_USA")
>>> sorted(elon.roles)
['ROLE_SOUTH_AFRICA', 'ROLE_USA', 'ROLE_USER']
>>> # Change the password
>>> elon.password = "AE A-XII"
>>> # Revoke access
>>> del session.security.basic.users["elon"]
>>> sorted(session.security.basic.users.keys())
[]

Return type

User

users: BasicUsers

class atoti_plus.security.BasicUsers(_java_api)

authentication_type()

Get the type of user this contains.

Return type

str

class atoti_plus.security.KerberosSecurity(_java_api, users)

Manage Kerberos authentication on the session.

Note

This requires KerberosConfig to be configured.

create_user(username, *, roles=())

Add a user able to authenticate against the session using Kerberos.

The roles of the user can be changed at any time.

Users without the role ROLE_USER will not have access to the application.

See also

create_user() for a similar usage example.

Return type

User

users: KerberosUsers

class atoti_plus.security.KerberosUsers(_java_api)

authentication_type()

Get the type of user this contains.

Return type

str

class atoti_plus.security.LdapSecurity(_java_api, role_mapping)

Allows mapping roles granted by the authentication provider to the roles to use in the session.

Users who do not have the ROLE_USER session role will not be able to access the session.

Note

This requires LdapConfig to be configured.

Example

>>> session = tt.create_session(
...     config={
...         "authentication": {
...             "ldap": {
...                 "url": "ldap://ldap.forumsys.com:389/",
...                 "base_dn": "dc=example,dc=com",
...                 "user_search_filter": "(uid={0})",
...                 "group_search_filter": "(uniqueMember={0})",
...             },
...         },
...     }
... )
>>> mathematicians_role = session.security.create_role(
...     "ROLE_MATHS", restrictions={"City": ["Paris"]}
... )

Roles from the authentication provider can be mapped to roles in the session.

>>> session.security.ldap.role_mapping["MATHEMATICIANS"] = [
...     "ROLE_MATHS",
...     "ROLE_USER",
... ]

role_mapping: RoleMapping

class atoti_plus.security.OidcSecurity(_java_api, role_mapping)

Allows mapping roles granted by the authentication provider’s ID Token to the roles to use in the session.

Users who do not have the ROLE_USER session role will not be able to access the session.

Note

This requires OidcConfig to be configured.

Example

>>> import os
>>> session = tt.create_session(
...     "OpenID",
...     config={
...         "authentication": {
...             "oidc": {
...                 "provider_id": "auth0",
...                 "issuer_url": os.environ["AUTH0_ISSUER"],
...                 "client_id": os.environ["AUTH0_CLIENT_ID"],
...                 "client_secret": os.environ["AUTH0_CLIENT_SECRET"],
...                 "scopes": ["email", "profile", "username"],
...                 "name_claim": "email",
...                 "roles_claims": ["https://activeviam:eu:auth0:com/roles"],
...             },
...         },
...         "port": 1234,
...     },
... )
>>> france_role = session.security.create_role(
...     "ROLE_FRANCE", restrictions={"Country": "France"}
... )

Roles from the authentication provider’s ID Token can be mapped to roles in the session:

>>> session.security.oidc.role_mapping["atoti user"] = ["ROLE_USER"]
>>> session.security.oidc.role_mapping["France"] = [france_role.name]

role_mapping: RoleMapping

class atoti_plus.security.Restrictions(*, _java_api, _role, _restrictions)

The restrictions associated with a role can be modified at any time.

• Restrictions apply on table columns and are inherited by all hierarchies based on these columns.

• Restrictions on different hierarchies are intersected.

• However, if a user has several roles with restrictions on the same hierarchies, access to the union of restricted members will be granted.

  Example:

  >>> role_france = session.security.create_role(
  ...     "ROLE_FRANCE", restrictions={"Country": ["France"]}
  ... )
  >>> sorted(session.security.roles.keys())
  ['ROLE_FRANCE']
  >>> role_america = session.security.create_role(
  ...     "ROLE_AMERICA", restrictions={"Country": ["Canada", "USA"]}
  ... )
  >>> sorted(role_america.restrictions["Country"])
  ['Canada', 'USA']
  >>> sorted(session.security.roles.keys())
  ['ROLE_AMERICA', 'ROLE_FRANCE']
  >>> role_china = session.security.create_role(
  ...     "ROLE_CHINA", restrictions={"Country": ["China"]}
  ... )
  >>> role_france.restrictions["City"] = ["Paris"]
  >>> sorted(role_france.restrictions.keys())
  ['City', 'Country']
  

  In this example:

  • A user with the role ROLE_AMERICA will only see the data related to USA and Canada and will not see the data for France.

  • A user with the role ROLE_FRANCE will only see the data where the country is France AND the city is Paris

  • A user with both ROLE_AMERICA and ROLE_CHINA will see the data where the country is USA, Canada, OR China.

  Example:

  >>> del session.security.roles["ROLE_FRANCE"]
  >>> sorted(session.security.roles.keys())
  ['ROLE_AMERICA', 'ROLE_CHINA']
  

class atoti_plus.security.Role(name, *, restrictions, _java_api)

A role and its restrictions.

name: str

restrictions: Restrictions

class atoti_plus.security.RoleMapping(_java_api, _type)

Mapping between roles or usernames comming from the authentication provider to those to use in the session.

update(other, **kwargs)

Update the mapping.

Return type

None

class atoti_plus.security.Roles(_java_api)

All of the roles defined in the session.

class atoti_plus.security.Security(java_api)

Security management for the current session.

basic: BasicSecurity

create_role(name, *, restrictions={})

Create a role with the given restrictions.

There are special roles which cannot be redefined:

• ROLE_USER: required to access the application

• ROLE_ADMIN: gives full access (read, write, delete, etc) to the application

Return type

Role

kerberos: KerberosSecurity

ldap: LdapSecurity

oidc: OidcSecurity

roles: Roles

class atoti_plus.security.User(username, *, _java_api, authentication_type, password=None, roles)

password: Optional[str]

roles: UserRoles

username: str

class atoti_plus.security.UserRoles(_data, _user)

class atoti_plus.security.Users(_java_api)

abstract authentication_type()

Get the type of user this contains.

Return type

str