diff --git a/docs/keycloak.rst b/docs/keycloak.rst
new file mode 100644
index 0000000..4d57468
--- /dev/null
+++ b/docs/keycloak.rst
@@ -0,0 +1,3 @@
+:orphan:
+
+This page was moved to: :ref:`swh-sysadm:keycloak`.
diff --git a/swh/docs/sphinx/conf.py b/swh/docs/sphinx/conf.py
index 74b19f1..add7d84 100755
--- a/swh/docs/sphinx/conf.py
+++ b/swh/docs/sphinx/conf.py
@@ -1,286 +1,287 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- # import logging import os from typing import Dict from sphinx.ext import autodoc from swh.docs.django_settings import force_django_settings # General information about the project. project = "Software Heritage - Development Documentation" copyright = "2015-2021 The Software Heritage developers" author = "The Software Heritage developers" # -- General configuration ------------------------------------------------ # Add any Sphinx extension module names here, as strings. They can be # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. extensions = [ "sphinx.ext.autodoc", "sphinx.ext.napoleon", "sphinx.ext.intersphinx", "sphinxcontrib.httpdomain", "sphinx.ext.extlinks", "sphinxcontrib.images", "sphinxcontrib.programoutput", "sphinx.ext.viewcode", "sphinx_tabs.tabs", "sphinx_rtd_theme", "sphinx.ext.graphviz", "sphinx_click.ext", "myst_parser", "sphinx.ext.todo", "sphinx_reredirects", "swh.docs.sphinx.view_in_phabricator", # swh.scheduler inherits some attribute descriptions from celery that use # custom crossrefs (eg. :setting:`task_ignore_result`) "sphinx_celery.setting_crossref", ] # Add any paths that contain templates here, relative to this directory. templates_path = ["_templates"] # The suffix(es) of source filenames. # You can specify multiple suffix as a list of string: # source_suffix = ".rst" # The master toctree document. master_doc = "index" # A string of reStructuredText that will be included at the beginning of every # source file that is read. # A bit hackish but should work both for each swh package and the whole swh-doc rst_prolog = """ .. include:: /../../swh-docs/docs/swh_substitutions """ # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the # built documents. # # The short X.Y version. version = "" # The full version, including alpha/beta/rc tags. 
release = "" # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. # # This is also used if you do content translation via gettext catalogs. # Usually you set "language" from the command line for these cases. language = "en" # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. # This patterns also effect to html_static_path and html_extra_path exclude_patterns = [ "_build", "swh-icinga-plugins/index.rst", "swh-perfecthash/index.rst", "swh-perfecthash/README.rst", "swh.loader.cvs.rcsparse.setup.rst", "apidoc/swh.loader.cvs.rcsparse.setup.rst", ] # The name of the Pygments (syntax highlighting) style to use. pygments_style = "sphinx" # If true, `todo` and `todoList` produce output, else they produce nothing. todo_include_todos = True # -- Options for HTML output ---------------------------------------------- # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. # html_theme = "sphinx_rtd_theme" html_favicon = "_static/favicon.ico" # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the # documentation. # html_theme_options = { "collapse_navigation": True, "sticky_navigation": True, } html_logo = "_static/software-heritage-logo-title-motto-vertical-white.png" # Add any paths that contain custom static files (such as style sheets) here, # relative to this directory. They are copied after the builtin static files, # so a file named "default.css" will overwrite the builtin "default.css". html_static_path = ["_static"] # make logo actually appear, avoiding gotcha due to alabaster default conf. 
# https://github.com/bitprophet/alabaster/issues/97#issuecomment-303722935 html_sidebars = { "**": [ "about.html", "globaltoc.html", "relations.html", "sourcelink.html", "searchbox.html", ] } # If not None, a 'Last updated on:' timestamp is inserted at every page # bottom, using the given strftime format. # The empty string is equivalent to '%b %d, %Y'. html_last_updated_fmt = "%Y-%m-%d %H:%M:%S %Z" # refer to the Python standard library. intersphinx_mapping = { "python": ("https://docs.python.org/3", None), "swh-devel": ("https://docs.softwareheritage.org/devel", None), "swh-sysadm": ("https://docs.softwareheritage.org/sysadm", None), } # Redirects for pages that were moved, so we don't break external links. # Uses sphinx-reredirects redirects = { "swh-deposit/spec-api": "api/api-documentation.html", "swh-deposit/metadata": "api/metadata.html", "swh-deposit/specs/blueprint": "../api/use-cases.html", "swh-deposit/user-manual": "api/user-manual.html", "infrastructure/index.html": "../../sysadm/network-architecture/index.html", "infrastructure/network.html": "../../sysadm/network-architecture/index.html", "infrastructure/service-urls.html": "../../sysadm/network-architecture/service-urls.html", # noqa "architecture": "architecture/overview.html", + "keycloak": "../../sysadm/user-management/keycloak/index.html", "mirror": "architecture/mirror.html", "users": "user", } # -- autodoc configuration ---------------------------------------------- autodoc_default_flags = [ "members", "undoc-members", "private-members", "special-members", ] autodoc_member_order = "bysource" autodoc_mock_imports = [ "rados", ] autoclass_content = "both" modindex_common_prefix = ["swh."] # For the todo extension. 
Todo and todolist produce output only if this is True todo_include_todos = True _swh_web_base_url = "https://archive.softwareheritage.org" # for the extlinks extension, sub-projects should fill that dict extlinks: Dict = { "swh_web": (f"{_swh_web_base_url}/%s", None), "swh_web_api": (f"{_swh_web_base_url}/api/1/%s", None), "swh_web_browse": (f"{_swh_web_base_url}/browse/%s", None), } # SWH_PACKAGE_DOC_TOX_BUILD environment variable is set in a tox environment # named sphinx for each swh package (except the swh-docs package itself). swh_package_doc_tox_build = os.environ.get("SWH_PACKAGE_DOC_TOX_BUILD", False) # override some configuration when building a swh package # documentation with tox to remove warnings and suppress # those related to unresolved references if swh_package_doc_tox_build: swh_substitutions = os.path.join( os.path.dirname(__file__), "../../../docs/swh_substitutions" ) rst_prolog = f".. include:: /{swh_substitutions}" suppress_warnings = ["ref.ref"] html_favicon = "" html_logo = "" class SimpleDocumenter(autodoc.FunctionDocumenter): """ Custom autodoc directive to inline the docstring of a function in a document without the signature header and with no indentation. Example of use:: .. 
autosimple:: swh.web.api.views.directory.api_directory """ objtype = "simple" # ensure the priority is lesser than the base FunctionDocumenter # to avoid side effects with autodoc processing priority = -1 # do not indent the content content_indent = "" # do not add a header to the docstring def add_directive_header(self, sig): pass # sphinx event handler to set adequate django settings prior reading # apidoc generated rst files when building doc to avoid autodoc errors def set_django_settings(app, env, docname): if any([pattern in app.srcdir for pattern in ("swh-web-client", "DWCLI")]): # swh-web-client is detected as swh-web by the code below but # django is not installed when building standalone swh-web-client doc return package_settings = { "auth": "swh.auth.tests.django.app.apptest.settings", "deposit": "swh.deposit.settings.development", "web": "swh.web.settings.development", } for package, settings in package_settings.items(): if any( [pattern in docname for pattern in (f"swh.{package}", f"swh-{package}")] ): force_django_settings(settings) # when building local package documentation with tox, insert glossary # content at the end of the index file in order to resolve references # to the terms it contains def add_glossary_to_index(app, docname, source): if docname == "index": glossary_path = os.path.join( os.path.dirname(__file__), "../../../docs/glossary.rst" ) with open(glossary_path, "r") as glossary: source[0] += "\n" + glossary.read() def setup(app): # env-purge-doc event is fired before source-read app.connect("env-purge-doc", set_django_settings) # add autosimple directive (used in swh-web) app.add_autodocumenter(SimpleDocumenter) # set an environment variable indicating we are currently building # the documentation os.environ["SWH_DOC_BUILD"] = "1" logger = logging.getLogger("sphinx") if swh_package_doc_tox_build: # ensure glossary will be available in package doc scope app.connect("source-read", add_glossary_to_index) # suppress some httpdomain 
warnings in non web packages if not any([pattern in app.srcdir for pattern in ("swh-web", "DWAPPS")]): # filter out httpdomain unresolved reference warnings # to not consider them as errors when using -W option of sphinx-build class HttpDomainRefWarningFilter(logging.Filter): def filter(self, record: logging.LogRecord) -> bool: return not record.msg.startswith("Cannot resolve reference to") # insert a custom filter in the warning log handler of sphinx logger.handlers[1].filters.insert(0, HttpDomainRefWarningFilter())
diff --git a/docs/keycloak/keycloak_add_user_01.jpg b/sysadm/images/keycloak_add_user_01.jpg
similarity index 100%
rename from docs/keycloak/keycloak_add_user_01.jpg
rename to sysadm/images/keycloak_add_user_01.jpg
diff --git a/docs/keycloak/keycloak_add_user_02.jpg b/sysadm/images/keycloak_add_user_02.jpg
similarity index 100%
rename from docs/keycloak/keycloak_add_user_02.jpg
rename to sysadm/images/keycloak_add_user_02.jpg
diff --git a/docs/keycloak/keycloak_add_user_03.jpg b/sysadm/images/keycloak_add_user_03.jpg
similarity index 100%
rename from docs/keycloak/keycloak_add_user_03.jpg
rename to sysadm/images/keycloak_add_user_03.jpg
diff --git a/docs/keycloak/keycloak_add_user_permission_01.jpg b/sysadm/images/keycloak_add_user_permission_01.jpg
similarity index 100%
rename from docs/keycloak/keycloak_add_user_permission_01.jpg
rename to sysadm/images/keycloak_add_user_permission_01.jpg
diff --git a/docs/keycloak/keycloak_add_user_permission_02.jpg b/sysadm/images/keycloak_add_user_permission_02.jpg
similarity index 100%
rename from docs/keycloak/keycloak_add_user_permission_02.jpg
rename to sysadm/images/keycloak_add_user_permission_02.jpg
diff --git a/docs/keycloak/keycloak_add_user_permission_03.jpg b/sysadm/images/keycloak_add_user_permission_03.jpg
similarity index 100%
rename from docs/keycloak/keycloak_add_user_permission_03.jpg
rename to sysadm/images/keycloak_add_user_permission_03.jpg
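Review bot: The new `"keycloak"` redirect climbs two directories (`../../sysadm/...`) although `keycloak` is a top-level docname: the existing entries that use `../../` are all nested one level deeper (`infrastructure/...`), while the other top-level keys in the same dict (`architecture`, `mirror`) give paths relative to the docs root. sphinx-reredirects resolves the target relative to the redirecting page, so from `devel/keycloak.html` the second `..` only lands on `/sysadm/...` because browsers clamp at the site root; the consistent target is `"keycloak": "../sysadm/user-management/keycloak/index.html",`. The `/devel` and `/sysadm` layout is inferred from the `intersphinx_mapping` entries in this hunk rather than from the deployed site, so please confirm against the published URL before changing it.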
diff --git a/docs/keycloak/keycloak_add_user_permission_04.jpg b/sysadm/images/keycloak_add_user_permission_04.jpg
similarity index 100%
rename from docs/keycloak/keycloak_add_user_permission_04.jpg
rename to sysadm/images/keycloak_add_user_permission_04.jpg
diff --git a/sysadm/user-management/keycloak/authentication.rst b/sysadm/user-management/keycloak/authentication.rst
index 3f3af1f..bfa937d 100644
--- a/sysadm/user-management/keycloak/authentication.rst
+++ b/sysadm/user-management/keycloak/authentication.rst
@@ -1,9 +1,66 @@
-.. _authentication:
+.. _keycloak:
-Reference: Authentication services
-====================================
+Authentication
+==============
-.. todo::
- This page is a work in progress. For now, please refer to the `existing documentation
- `_.
+.. admonition:: Intended audience
+ :class: important
+ Staff members
+
+.. contents::
+ :depth: 3
+..
+
+Software Heritage uses `Keycloak `__, an open
+source identity and access management solution, to identify and
+authenticate users on its services (for instance the
+`archive's Web API `_
+and the :ref:`deposit server `).
+
+Keycloak implements the `OpenID Connect `__
+specification, a simple identity layer on top of the OAuth 2.0 protocol.
+It allows to get single sign-on (SSO) on various services.
+
+The base URL to interact with that authentication service is
+https://auth.softwareheritage.org/auth/.
+
+Introduction
+------------
+
+Keycloak defines three important concepts to know about:
+
+Realm
+ It manages a set of users, credentials, roles, and groups. A user belongs
+ to and logs into a realm. Realms are isolated from one another and can only manage and
+ authenticate the users that they control.
+
+Client
+ Entities that can request Keycloak to authenticate a user. Most often,
+ clients are applications and services that want to use Keycloak to secure themselves and
+ provide a single sign-on solution. Clients can also be entities that just want to
+ request identity information or an access token so that they can securely invoke other
+ services on the network that are secured by Keycloak.
+
+Role
+ It identifies a type or category of users. Applications (e.g. webapp,
+ deposit) often assign access and permissions to specific roles rather than individual
+ users as dealing with users can be too fine grained and hard to manage. There is a
+ global namespace for roles and each client also has its own dedicated namespace where
+ roles can be defined.
+
+.. 
_software_heritage_realms:
+
+Software Heritage Realms
+------------------------
+
+Two realms are available for Software Heritage:
+
+- `SoftwareHeritageStaging `__,
+ for testing purposes
+
+- `SoftwareHeritage `__,
+ for production use
+
+The links above target the Admin console of each realm from which everything can be
+configured.
diff --git a/docs/keycloak/index.rst b/sysadm/user-management/keycloak/how-to-set-user-perms.rst
similarity index 55%
rename from docs/keycloak/index.rst
rename to sysadm/user-management/keycloak/how-to-set-user-perms.rst
index 95bb423..5c4b7ec 100644
--- a/docs/keycloak/index.rst
+++ b/sysadm/user-management/keycloak/how-to-set-user-perms.rst
@@ -1,171 +1,112 @@
-.. _keycloak:
-
-
-Keycloak
-========
-
-
-.. contents::
- :depth: 3
-..
-
-Software Heritage uses `Keycloak `__, an open
-source identity and access management solution, to identify and
-authenticate users on its services (for instance the
-`archive's Web API `_
-and the :ref:`deposit server `).
-
-Keycloak implements the `OpenID Connect `__
-specification, a simple identity layer on top of the OAuth 2.0 protocol.
-It allows to get single sign-on (SSO) on various services.
-
-The base URL to interact with that authentication service is
-https://auth.softwareheritage.org/auth/.
-
-Introduction
-------------
-
-Keycloak defines three important concepts to know about:
-
-Realm
- It manages a set of users, credentials, roles, and groups. A user belongs
- to and logs into a realm. Realms are isolated from one another and can only manage and
- authenticate the users that they control.
-
-Client
- Entities that can request Keycloak to authenticate a user. Most often,
- clients are applications and services that want to use Keycloak to secure themselves and
- provide a single sign-on solution. Clients can also be entities that just want to
- request identity information or an access token so that they can securely invoke other
- services on the network that are secured by Keycloak.
-
-Role
- It identifies a type or category of users. Applications (e.g. webapp,
- deposit) often assign access and permissions to specific roles rather than individual
- users as dealing with users can be too fine grained and hard to manage. There is a
- global namespace for roles and each client also has its own dedicated namespace where
- roles can be defined.
-
-.. 
_software_heritage_realms: - -Software Heritage Realms ------------------------- - -Two realms are available for Software Heritage: - -- `SoftwareHeritageStaging `__, - for testing purposes - -- `SoftwareHeritage `__, - for production use - -The links above target the Admin console of each realm from which -everything can be configured. - .. _realm_administration: Realm administration --------------------- +==================== + +.. admonition:: Intended audience + :class: important + + Operation Staff members .. _user_registration: User registration ^^^^^^^^^^^^^^^^^ While public user registration is available by clicking on the "Register" link from the login page, realm administrators can still manually create a new user by following that guide. To register and invite a new user in a realm, click on the **Users** menu entry on the left part of the admin interface, then click on the **Add user** button on the top right part of the users page. -.. figure:: keycloak_add_user_01.jpg +.. figure:: ../../images/keycloak_add_user_01.jpg :alt: keycloak_add_user_01.jpg :width: 1000px Click on the Add user button Then fill in the form with basic information about the user: username, email, first name and last name. Save the user and then go to the **Credentials** tab. -.. figure:: keycloak_add_user_02.jpg +.. figure:: ../../images/keycloak_add_user_02.jpg :alt: keycloak_add_user_02.jpg Fill in information on user We are now going to send a mail to the user telling him that an account has been created for him with a link to verify his email, set his password and update its profile if needed. Go to **Credential Reset** section and insert the **Verify Email** , **Update Password** and **Update Profile** actions into the **Reset Actions** field. Increase the **Expires In** value to 24 hours and then click on **Send Mail**. -.. figure:: keycloak_add_user_03.jpg +.. 
figure:: ../../images/keycloak_add_user_03.jpg :alt: keycloak_add_user_03.jpg :width: 1000px Send the invite and reset password email The user account will be active once the email verified, the password changed and the profile validated. .. _setting_user_permissions_for_a_given_client: Setting user permissions for a given client ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ User permissions are defined as client roles in the Keycloak semantics. That guide explains how to set client roles for an existing user. As an example, we will set the **swh.web.api.throttling_exempted** role associated to the **swh-web** client enabling to lift rate limit for the Software Heritage Web API. To edit a user, click on the **Users** menu entry on the left part of the admin interface, then click on the **View all users** button on the top left part of the users page. Then select the user you want to set permission and click on the **Edit** action. -.. figure:: keycloak_add_user_permission_01.jpg +.. figure:: ../../images/keycloak_add_user_permission_01.jpg :alt: keycloak_add_user_permission_01.jpg :width: 1400px List and select user for edition Once the user details interface is displayed, click on the **Role Mappings** tab then type the name of the client containing the roles to add for the user in the **Client roles** combobox and select it. The client roles will then be displayed in multiple lists. -.. figure:: keycloak_add_user_permission_02.jpg +.. figure:: ../../images/keycloak_add_user_permission_02.jpg :alt: keycloak_add_user_permission_02.jpg :width: 1400px Edit the client role To add a client role for the user, select the one of interest in the **Available Roles** list and click on the **Add selected** button. To remove a client role for the user, select the one of interest in the **Assigned Roles** list and click on the **Removed selected** button. And that's it, assigned roles can then be found in the JSON Web Tokens generated by Keycloak. -.. 
figure:: keycloak_add_user_permission_03.jpg
+.. figure:: ../../images/keycloak_add_user_permission_03.jpg :alt: keycloak_add_user_permission_03.jpg :width: 1400px Assign client role
-.. figure:: keycloak_add_user_permission_04.jpg
+.. figure:: ../../images/keycloak_add_user_permission_04.jpg :alt: keycloak_add_user_permission_04.jpg :width: 1400px Client role assigned
diff --git a/sysadm/user-management/keycloak/how-to-user-perms.rst b/sysadm/user-management/keycloak/how-to-user-perms.rst
deleted file mode 100644
index 3fc3661..0000000
--- a/sysadm/user-management/keycloak/how-to-user-perms.rst
+++ /dev/null
@@ -1,9 +0,0 @@
-.. _how_to_user_perms:
-
-How to set user permissions in keycloak
-=======================================
-
-.. todo::
- This page is a work in progress. For now, please refer to the `existing documentation
- `_.
-
diff --git a/sysadm/user-management/keycloak/index.rst b/sysadm/user-management/keycloak/index.rst
index ea9932c..755420d 100644
--- a/sysadm/user-management/keycloak/index.rst
+++ b/sysadm/user-management/keycloak/index.rst
@@ -1,9 +1,9 @@
Keycloak -------- .. toctree:: :titlesonly:
- how-to-user-perms authentication
+ how-to-set-user-perms