| <!DOCTYPE html> |
| <!--[if lt IE 7]> |
| <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]--> |
| <!--[if IE 7]> |
| <html class="no-js lt-ie9 lt-ie8"> <![endif]--> |
| <!--[if IE 8]> |
| <html class="no-js lt-ie9"> <![endif]--> |
| <!--[if gt IE 8]><!--> |
| <html class="no-js"> <!--<![endif]--> |
| <head> |
| <meta charset="utf-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> |
| <meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1"/> |
| <title>UI Dashboard Authentication and Authorization - Gearpump 0.8.1 Documentation</title> |
| |
| |
| |
| |
| <link rel="stylesheet" href="css/bootstrap-3.3.5.min.css"> |
| <style> |
| body { |
| padding-top: 60px; |
| padding-bottom: 40px; |
| } |
| </style> |
| <link rel="stylesheet" href="css/main.css"> |
| <link rel="stylesheet" href="css/pygments-default.css"> |
| <script src="js/vendor/modernizr-2.6.1-respond-1.1.0.min.js"></script> |
| </head> |
| <body> |
| |
| |
| <div class="container" id="content"> |
| |
| <h1 class="title">UI Dashboard Authentication and Authorization</h1> |
| |
| |
| <h2 id="what-is-this-about">What is this about?</h2> |
| |
| <h2 id="how-to-enable-ui-authentication">How to enable UI authentication?</h2> |
| |
| <ol> |
| <li> |
| <p>Edit the config file gear.conf, find the entry <code>gearpump-ui.gearpump.ui-security.authentication-enabled</code>, and change the value to true:</p> |
| |
| <div class="highlight"><pre><code>gearpump-ui.gearpump.ui-security.authentication-enabled = true |
| </code></pre></div> |
| |
| <p>Restart the UI dashboard. UI authentication is then enabled, and the dashboard will prompt for a user name and password.</p> |
| </li> |
| </ol> |
| |
| <h2 id="how-many-authentication-methods-gearpump-ui-server-support">Which authentication methods does the Gearpump UI server support?</h2> |
| |
| <p>Currently, it supports:</p> |
| |
| <ol> |
| <li>Username-Password based authentication and</li> |
| <li>OAuth2 based authentication.</li> |
| </ol> |
| |
| <p>User-Password based authentication is enabled when <code>gearpump-ui.gearpump.ui-security.authentication-enabled</code> is set to true, |
| and <strong>CANNOT</strong> be disabled.</p> |
| |
| <p>The UI server admin can also choose to enable an <strong>auxiliary</strong> OAuth2 authentication channel.</p> |
| |
| <h2 id="user-password-based-authentication">User-Password based authentication</h2> |
| |
| <p>User-Password based authentication covers all authentication scenarios which require |
| the user to enter an explicit username and password.</p> |
| |
| <p>Gearpump provides a built-in ConfigFileBasedAuthenticator, which verifies the user name and password |
| against a password hashcode stored in config files.</p> |
| |
| <p>However, a developer can choose to extend <code>org.apache.gearpump.security.Authenticator</code> to provide a custom |
| User-Password based authenticator, to support LDAP, Kerberos, and Database-based authentication…</p> |
| |
| <h3 id="configfilebasedauthenticator-built-in-user-password-authenticator">ConfigFileBasedAuthenticator: built-in User-Password Authenticator</h3> |
| |
| <p>ConfigFileBasedAuthenticator stores all user names and password hashcodes in the configuration file gear.conf. Here |
| are the steps to configure ConfigFileBasedAuthenticator.</p> |
| |
| <h4 id="how-to-add-or-remove-user">How to add or remove user?</h4> |
| |
| <p>The default authentication plugin has three categories of users: admins, users, and guests.</p> |
| |
| <ul> |
| <li>admins: have unlimited permissions, such as shutting down a cluster or adding/removing machines.</li> |
| <li>users: have limited permissions, such as submitting an application.</li> |
| <li>guests: cannot submit/kill applications, but can view the application status.</li> |
| </ul> |
| |
| <p>A system administrator can add or remove users by updating the config file <code>conf/gear.conf</code>.</p> |
| |
| <p>Suppose we want to add user jerry as an administrator. Here are the steps:</p> |
| |
| <ol> |
| <li> |
| <p>Pick a password and generate its digest. For example, to generate the digest for the password <code>ilovegearpump</code>:</p> |
| |
| <div class="highlight"><pre><code>bin/gear org.apache.gearpump.security.PasswordUtil -password ilovegearpump |
| </code></pre></div> |
| |
| <p>It will generate a digest value like this:</p> |
| |
| <div class="highlight"><pre><code>CgGxGOxlU8ggNdOXejCeLxy+isrCv0TrS37HwA== |
| </code></pre></div> |
| </li> |
| <li> |
| <p>In the config file conf/gear.conf, at path <code>gearpump-ui.gearpump.ui-security.config-file-based-authenticator.admins</code>, |
| add user <code>jerry</code> to the list:</p> |
| |
| <div class="highlight"><pre><code>admins = { |
| ## Default Admin. Username: admin, password: admin |
| ## !!! Please replace this builtin account for production cluster for security reason. !!! |
| "admin" = "AeGxGOxlU8QENdOXejCeLxy+isrCv0TrS37HwA==" |
| "jerry" = "CgGxGOxlU8ggNdOXejCeLxy+isrCv0TrS37HwA==" |
| } |
| </code></pre></div> |
| </li> |
| <li> |
| <p>Restart the UI dashboard with <code>bin/services</code> for the change to take effect.</p> |
| </li> |
| <li> |
| <p>The “admins” group has unlimited permissions, so you may want to grant a more restricted role instead. In that case |
| you can modify <code>gearpump-ui.gearpump.ui-security.config-file-based-authenticator.users</code> or |
| <code>gearpump-ui.gearpump.ui-security.config-file-based-authenticator.guests</code>.</p> |
| </li> |
| <li> |
| <p>See the descriptions in <code>conf/gear.conf</code> for more information.</p> |
| </li> |
| </ol> |
| |
| <h4 id="what-is-the-default-user-and-password">What is the default user and password?</h4> |
| |
| <p>For ConfigFileBasedAuthenticator, the Gearpump distribution ships with two default users:</p> |
| |
| <ol> |
| <li>username: admin, password: admin</li> |
| <li>username: guest, password: guest</li> |
| </ol> |
| |
| <p>User <code>admin</code> has unlimited permissions, while <code>guest</code> can only view the application status.</p> |
| |
| <p>For security reasons, you need to remove the default users <code>admin</code> and <code>guest</code> on any production cluster.</p> |
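| |
| <p>Added example (not part of the Gearpump documentation or code base): a Python check that flattens the subset of gear.conf syntax shown on this page and reports default accounts that are still present, or another account that reuses the shipped admin digest. The block nesting of the sample file is an assumption derived from the dotted config paths above, and the guest digest is a placeholder.</p> |
| |

```python
import re

# From this page: the shipped usernames and the shipped admin digest.
DEFAULT_USERS = {"admin", "guest"}
SHIPPED_ADMIN_DIGEST = "AeGxGOxlU8QENdOXejCeLxy+isrCv0TrS37HwA=="
AUTH = ("gearpump-ui", "gearpump", "ui-security")
ROLES = AUTH + ("config-file-based-authenticator",)

KEY = r'(?:"(?P<q>[^"]+)"|(?P<b>[\w.\-]+))'
BLOCK = re.compile("^" + KEY + r"\s*[=:]?\s*\{$")             # name {  or  name = {
PAIR = re.compile("^" + KEY + r'\s*[=:]\s*"?(?P<v>.*?)"?$')   # key = value

def _parts(match):
    # A quoted key is one path element; a bare key may be a dotted path.
    return [match.group("q")] if match.group("q") else match.group("b").split(".")

def flatten(text):
    """Flatten the gear.conf subset used on this page into {path tuple: value}.
    Supports whole-line '#' comments, 'name {' / 'name = {' blocks and one
    'key = value' per line. It is not a full HOCON parser.
    """
    flat, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        block = BLOCK.match(line)
        if block:
            stack.append(_parts(block))
            continue
        pair = PAIR.match(line)
        if pair:
            prefix = tuple(p for parts in stack for p in parts)
            flat[prefix + tuple(_parts(pair))] = pair.group("v")
    return flat

def audit(text):
    """Return findings about UI authentication and leftover default accounts."""
    conf = flatten(text)
    findings = []
    if conf.get(AUTH + ("authentication-enabled",), "false").lower() != "true":
        findings.append("authentication-enabled is not true")
    for path, digest in conf.items():
        if len(path) != len(ROLES) + 2 or path[:len(ROLES)] != ROLES:
            continue
        role, user = path[-2:]
        if role not in ("admins", "users", "guests"):
            continue
        if user in DEFAULT_USERS:
            findings.append(f"default account '{user}' still present in {role}")
        elif digest == SHIPPED_ADMIN_DIGEST:
            findings.append(f"'{user}' in {role} reuses the shipped admin digest")
    return findings

# Constructed sample; the nesting is an assumption derived from the dotted paths.
SAMPLE = """
gearpump-ui {
  gearpump.ui-security {
    authentication-enabled = true
    config-file-based-authenticator = {
      admins = {
        "admin" = "AeGxGOxlU8QENdOXejCeLxy+isrCv0TrS37HwA=="
        "jerry" = "CgGxGOxlU8ggNdOXejCeLxy+isrCv0TrS37HwA=="
      }
      users = {
        "ops" = "AeGxGOxlU8QENdOXejCeLxy+isrCv0TrS37HwA=="
      }
      guests = {
        "guest" = "PLACEHOLDER-GUEST-DIGEST"
      }
    }
  }
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```
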
| |
| <h4 id="is-this-secure">Is this secure?</h4> |
| |
| <p>Firstly, we do NOT store any user password in any way, so only the user knows the password. |
| We use a one-way hash digest to verify the password the user enters.</p> |
| |
| <h3 id="how-to-develop-a-custom-user-password-authenticator-for-ldap-database-and-etc">How to develop a custom User-Password Authenticator for LDAP, database, etc.</h3> |
| |
| <p>If a developer chooses to define a custom User-Password based authenticator, the following |
| configuration option must be modified:</p> |
| |
| <div class="highlight"><pre><code>## Replace "org.apache.gearpump.security.CustomAuthenticator" with your real authenticator class. |
| gearpump.ui-security.authenticator = "org.apache.gearpump.security.CustomAuthenticator" |
| </code></pre></div> |
| |
| <p>Make sure CustomAuthenticator extends interface:</p> |
| |
| <div class="highlight"><pre><code class="language-scala">trait Authenticator { |
|   def authenticate(user: String, password: String, ec: ExecutionContext): Future[AuthenticationResult] |
| } |
| </code></pre></div> |
| |
| <h2 id="oauth2-based-authentication">OAuth2 based authentication</h2> |
| |
| <p>OAuth2 based authentication is commonly used to achieve social login with a social network account.</p> |
| |
| <p>Gearpump provides generic OAuth2 authentication support, which users can extend to support new authentication sources.</p> |
| |
| <p>Basically, OAuth2 based authentication contains these steps:</p> |
| |
| <ol> |
| <li>The user accesses the Gearpump UI website and chooses to log in with an OAuth2 server.</li> |
| <li>The Gearpump UI website redirects the user to the authorization endpoint in the OAuth2 server's domain.</li> |
| <li>The end user completes the authorization in the domain of the OAuth2 server.</li> |
| <li>The OAuth2 server redirects the user back to the Gearpump UI server.</li> |
| <li>The Gearpump UI server verifies the tokens and extracts credentials from query |
| parameters and form fields.</li> |
| </ol> |
| |
| <h3 id="terminologies">Terminologies</h3> |
| |
| <p>For terms like client ID and client secret, please refer to <a href="https://tools.ietf.org/html/rfc6749">RFC 6749</a>.</p> |
| |
| <h3 id="enable-web-proxy-for-ui-server">Enable web proxy for UI server</h3> |
| |
| <p>To enable OAuth2 authentication, the Gearpump UI server must have network access to the OAuth2 server, as |
| some requests are initiated directly from inside the Gearpump UI server. So, if you are behind a firewall, make |
| sure you have configured the proxy properly for the UI server.</p> |
| |
| <h4 id="if-you-are-on-windows">If you are on Windows</h4> |
| |
| <div class="highlight"><pre><code class="language-bash"> > <span class="nb">set </span><span class="nv">JAVA_OPTS</span><span class="o">=</span>-Dhttp.proxyHost<span class="o">=</span>xx.com -Dhttp.proxyPort<span class="o">=</span><span class="m">8088</span> -Dhttps.proxyHost<span class="o">=</span>xx.com -Dhttps.proxyPort<span class="o">=</span>8088 |
| > bin<span class="se">\s</span>ervices</code></pre></div> |
| |
| <h4 id="if-you-are-on-linux">If you are on Linux</h4> |
| |
| <div class="highlight"><pre><code class="language-bash"> <span class="nv">$ </span><span class="nb">export </span><span class="nv">JAVA_OPTS</span><span class="o">=</span><span class="s2">"-Dhttp.proxyHost=xx.com -Dhttp.proxyPort=8088 -Dhttps.proxyHost=xx.com -Dhttps.proxyPort=8088"</span> |
| <span class="nv">$ </span>bin/services</code></pre></div> |
| |
| <h3 id="google-plus-oauth2-authenticator">Google Plus OAuth2 Authenticator</h3> |
| |
| <p>The Google Plus OAuth2 Authenticator authenticates with the Google OAuth2 service. It extracts the email address |
| from the Google user profile as credentials.</p> |
| |
| <p>To use the Google OAuth2 Authenticator, there are several steps:</p> |
| |
| <ol> |
| <li>Register your application (the Gearpump UI server here) as an application in the Google developer console.</li> |
| <li>Configure the Google OAuth2 information in gear.conf.</li> |
| <li>Configure the network proxy for the Gearpump UI server, if applicable.</li> |
| </ol> |
| |
| <h4 id="step1-register-your-website-as-an-oauth2-application-on-google">Step1: Register your website as an OAuth2 Application on Google</h4> |
| |
| <ol> |
| <li>Create an application representing your website at <a href="https://console.developers.google.com">https://console.developers.google.com</a>.</li> |
| <li>In “API Manager” of your created application, enable the API “Google+ API”.</li> |
| <li>Create an OAuth client ID for this application. In the “Credentials” tab of “API Manager”, |
| choose “Create credentials”, and then select OAuth client ID. Follow the wizard |
| to set the callback URL and generate the client ID and client secret.</li> |
| </ol> |
| |
| <p><strong>NOTE:</strong> Callback URL is NOT optional.</p> |
| |
| <h4 id="step2-configure-the-oauth2-information-in-gearconf">Step2: Configure the OAuth2 information in gear.conf</h4> |
| |
| <ol> |
| <li>Enable OAuth2 authentication by setting <code>gearpump.ui-security.oauth2-authenticator-enabled</code> |
| as true.</li> |
| <li>Configure section <code>gearpump.ui-security.oauth2-authenticators.google</code> in gear.conf. Please make sure |
| class name, client ID, client Secret, and callback URL are set properly.</li> |
| </ol> |
| |
| <p><strong>NOTE:</strong> Callback URL set here should match what is configured on Google in step1.</p> |
| |
| <h4 id="step3-configure-the-network-proxy-if-applies">Step3: Configure the network proxy, if applicable.</h4> |
| |
| <p>To enable OAuth2 authentication, the Gearpump UI server must have network access to the Google service, as |
| some requests are initiated directly from inside the Gearpump UI server. So, if you are behind a firewall, make |
| sure you have configured the proxy properly for the UI server.</p> |
| |
| <p>For how to configure the web proxy for the UI server, please refer to the section “Enable web proxy for UI server” above.</p> |
| |
| <h4 id="step4-restart-the-ui-server-and-try-to-click-the-google-login-icon-on-ui-server">Step4: Restart the UI server and try to click the Google login icon on UI server.</h4> |
| |
| <h3 id="cloudfoundry-uaa-server-oauth2-authenticator">CloudFoundry UAA server OAuth2 Authenticator</h3> |
| |
| <p>CloudFoundryUaaAuthenticator authenticates using the CloudFoundry UAA OAuth2 service. It extracts the email address |
| from Google user profile as credentials.</p> |
| |
| <p>For an introduction to UAA (User Account and Authentication Service), please see the guide: <a href="https://github.com/cloudfoundry/uaa">UAA</a></p> |
| |
| <p>To use the CloudFoundry UAA OAuth2 Authenticator, there are several steps:</p> |
| |
| <ol> |
| <li>Register your application (the Gearpump UI server here) as an application with UAA, using the helper tool <code>uaac</code>.</li> |
| <li>Configure the OAuth2 information in gear.conf.</li> |
| <li>Configure the network proxy for the Gearpump UI server, if applicable.</li> |
| </ol> |
| |
| <h4 id="step1-register-your-application-to-uaa-with-uaac">Step1: Register your application to UAA with <code>uaac</code></h4> |
| |
| <ol> |
| <li>Read the tutorial on uaac at <a href="https://docs.cloudfoundry.org/adminguide/uaa-user-management.html">https://docs.cloudfoundry.org/adminguide/uaa-user-management.html</a></li> |
| <li> |
| <p>Open a bash shell and set the UAA server with the command <code>uaac target</code>:</p> |
| |
| <div class="highlight"><pre><code>uaac target [your uaa server url] |
| </code></pre></div> |
| </li> |
| <li> |
| <p>Log in as user admin:</p> |
| |
| <div class="highlight"><pre><code>uaac token client get admin -s MyAdminPassword |
| </code></pre></div> |
| </li> |
| <li> |
| <p>Create a new application (client) in UAA:</p> |
| |
| <div class="highlight"><pre><code>uaac client add [your_client_id] \ |
|   --scope "openid cloud_controller.read" \ |
|   --authorized_grant_types "authorization_code client_credentials refresh_token" \ |
|   --authorities "openid cloud_controller.read" \ |
|   --redirect_uri [your_redirect_url] \ |
|   --autoapprove true \ |
|   --secret [your_client_secret] |
| </code></pre></div> |
| </li> |
| </ol> |
| |
| <h4 id="step2-configure-the-oauth2-information-in-gearconf-1">Step2: Configure the OAuth2 information in gear.conf</h4> |
| |
| <ol> |
| <li>Enable OAuth2 authentication by setting <code>gearpump.ui-security.oauth2-authenticator-enabled</code> as true.</li> |
| <li>Navigate to section <code>gearpump.ui-security.oauth2-authenticators.cloudfoundryuaa</code></li> |
| <li>Configure the <code>gearpump.ui-security.oauth2-authenticators.cloudfoundryuaa</code> section in gear.conf. |
| Please make sure the class name, client ID, client secret, and callback URL are set properly.</li> |
| </ol> |
| |
| <p><strong>NOTE:</strong> The callback URL here should match what you set on CloudFoundry UAA in step1.</p> |
| |
| <h4 id="step3-configure-network-proxy-for-gearpump-ui-server-if-applies">Step3: Configure the network proxy for the Gearpump UI server, if applicable</h4> |
| |
| <p>To enable OAuth2 authentication, the Gearpump UI server must have network access to Google service, as |
| some requests are initiated directly from inside the Gearpump UI server. So, if you are behind a firewall, make |
| sure you have configured the proxy properly for the UI server.</p> |
| |
| <p>For how to configure the web proxy for the UI server, please refer to the section “Enable web proxy for UI server” above.</p> |
| |
| <h4 id="step4-restart-the-ui-server-and-try-to-click-the-cloudfoundry-login-icon-on-ui-server">Step4: Restart the UI server and try to click the CloudFoundry login icon on UI server.</h4> |
| |
| <h4 id="step5-you-can-also-enable-additional-authenticator-for-cloudfoundry-uaa-by-setting-config">Step5: You can also enable an additional authenticator for CloudFoundry UAA by setting this config:</h4> |
| |
| <div class="highlight"><pre><code>additional-authenticator-enabled = true |
| </code></pre></div> |
| |
| <p>Please see the description in gear.conf for more information.</p> |
| |
| <h4 id="extends-oauth2authenticator-to-support-new-authorization-service-like-facebook-or-twitter">Extend OAuth2Authenticator to support a new authorization service such as Facebook or Twitter.</h4> |
| |
| <p>You can follow the Google OAuth2 example code to define a custom OAuth2Authenticator. Basically, the steps include:</p> |
| |
| <ol> |
| <li> |
| <p>Define an OAuth2Authenticator implementation.</p> |
| |
| <div class="highlight"><pre><code class="language-scala"><span class="cm">/**</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * Uses OAuth2 social-login as the mechanism for authentication.</span> |
| <span class="cm"> * @see [[https://tools.ietf.org/html/rfc6749]] to find what is OAuth2, and how it works.</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * Basically flow for OAuth2 Authentication:</span> |
| <span class="cm"> * 1. User accesses Gearpump UI website, and choose to login with OAuth2 server.</span> |
| <span class="cm"> * 2. Gearpump UI website redirects user to OAuth2 server domain authorization endpoint.</span> |
| <span class="cm"> * 3. End user complete the authorization in the domain of OAuth2 server.</span> |
| <span class="cm"> * 4. OAuth2 server redirects user back to Gearpump UI server.</span> |
| <span class="cm"> * 5. Gearpump UI server verify the tokens and extract credentials from query</span> |
| <span class="cm"> * parameters and form fields.</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * @note '''Thread-safety''' is a MUST requirement. Developer need to ensure the sub-class is thread-safe.</span> |
| <span class="cm"> * Sub-class should have a parameter-less constructor.</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * @note OAuth2 Authenticator requires access of Internet. Please make sure HTTP proxy are</span> |
| <span class="cm"> * set properly if applied.</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * @example Config proxy when UI server is started on Windows:</span> |
| <span class="cm"> * }</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * @example Config proxy when UI server is started on Linux:</span> |
| <span class="cm"> * }</span> |
| <span class="cm"> *</span> |
| <span class="cm"> */</span> |
| <span class="k">trait</span> <span class="nc">OAuth2Authenticator</span> <span class="o">{</span> |
| |
| <span class="cm">/**</span> |
| <span class="cm"> * Inits authenticator with config which contains client ID, client secret, and etc..</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * Typically, the client key and client secret is provided by OAuth2 Authorization server when user</span> |
| <span class="cm"> * register an application there.</span> |
| <span class="cm"> * @see [[https://tools.ietf.org/html/rfc6749]] for definition of client, client Id,</span> |
| <span class="cm"> * and client secret.</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * See [[https://developer.github.com/v3/oauth/]] for an actual example of how Github</span> |
| <span class="cm"> * use client key, and client secret.</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * @note '''Thread-Safety''': Framework ensures this call is synchronized.</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * @param config Client Id, client secret, callback URL and etc..</span> |
| <span class="cm"> */</span> |
| <span class="k">def</span> <span class="n">init</span><span class="o">(</span><span class="n">config</span><span class="k">:</span> <span class="kt">Config</span><span class="o">)</span><span class="k">:</span> <span class="kt">Unit</span> |
| |
| <span class="cm">/**</span> |
| <span class="cm"> * Returns the OAuth Authorization URL so for redirection to that address to do OAuth2</span> |
| <span class="cm"> * authorization.</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * @note '''Thread-Safety''': This can be called in a multi-thread environment. Developer</span> |
| <span class="cm"> * need to ensure thread safety.</span> |
| <span class="cm"> */</span> |
| <span class="k">def</span> <span class="n">getAuthorizationUrl</span><span class="k">:</span> <span class="kt">String</span> |
| |
| <span class="cm">/**</span> |
| <span class="cm"> * After authorization, OAuth2 server redirects user back with tokens. This verify the</span> |
| <span class="cm"> * tokens, retrieve the profiles, and return [[UserSession]] information.</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * @note This is an Async call.</span> |
| <span class="cm"> * @note This call requires external internet access.</span> |
| <span class="cm"> * @note '''Thread-Safety''': This can be called in a multi-thread environment. Developer</span> |
| <span class="cm"> * need to ensure thread safety.</span> |
| <span class="cm"> *</span> |
| <span class="cm"> * @param parameters HTTP Query and Post parameters, which typically contains Authorization code.</span> |
| <span class="cm"> * @return UserSession if pass authentication.</span> |
| <span class="cm"> */</span> |
| <span class="k">def</span> <span class="n">authenticate</span><span class="o">(</span><span class="n">parameters</span><span class="k">:</span> <span class="kt">Map</span><span class="o">[</span><span class="kt">String</span>, <span class="kt">String</span><span class="o">])</span><span class="k">:</span> <span class="kt">Future</span><span class="o">[</span><span class="kt">UserSession</span><span class="o">]</span> |
| |
| <span class="cm">/**</span> |
| <span class="cm"> * Clean resource</span> |
| <span class="cm"> */</span> |
| <span class="k">def</span> <span class="n">close</span><span class="o">()</span><span class="k">:</span> <span class="kt">Unit</span> |
| <span class="o">}</span></code></pre></div> |
| </li> |
| <li> |
| <p>Add a configuration entry under <code>gearpump.ui-security.oauth2-authenticators</code>. For example:</p> |
| |
| <div class="highlight"><pre><code> ## name of this authenticator |
| "socialnetworkx" { |
| "class" = "org.apache.gearpump.services.security.oauth2.impl.SocialNetworkXAuthenticator" |
| |
| ## Please make sure this URL matches the name |
| "callback" = "http://127.0.0.1:8090/login/oauth2/socialnetworkx/callback" |
| |
| "clientId" = "gearpump_test2" |
| "clientSecret" = "gearpump_test2" |
| "defaultUserRole" = "guest" |
| |
| ## Make sure socialnetworkx.png exists under dashboard/icons |
| icon = "/icons/socialnetworkx.png" |
| } |
| </code></pre></div> |
| <p>The configuration entry is supposed to be used by class <code>SocialNetworkXAuthenticator</code>.</p> |
| </li> |
| </ol> |
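| |
| <p>Added example (not Gearpump code): a Python review check for one entry under <code>gearpump.ui-security.oauth2-authenticators</code>, using the keys from the sample entry above. The expected callback path layout is inferred from the sample callback URL; the function name, the finding texts and the second sample entry are constructed for illustration.</p> |
| |

```python
import ipaddress
from urllib.parse import urlsplit


def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # a DNS name, or empty
        return False


def check_oauth2_entry(name, entry, registered_callback):
    """Review one authenticator entry and return a list of findings.

    name: key of the entry, e.g. "socialnetworkx"
    entry: dict holding the keys from the sample entry on this page
    registered_callback: redirect URI registered at the OAuth2 server (step 1)
    """
    findings = []
    callback = entry.get("callback", "")
    url = urlsplit(callback)
    # Assumption: path layout inferred from the page's sample callback URL.
    if url.path != f"/login/oauth2/{name}/callback":
        findings.append("callback path does not match the authenticator name")
    # The page requires the configured callback to match the registered one.
    if callback != registered_callback:
        findings.append("callback differs from the URI registered at the OAuth2 server")
    # The authorization code returns in this URL's query string.
    if url.scheme != "https" and not _is_loopback(url.hostname or ""):
        findings.append("callback is not HTTPS on a non-loopback host")
    secret = entry.get("clientSecret", "")
    if not secret or secret == entry.get("clientId"):
        findings.append("clientSecret is empty or equal to clientId")
    role = entry.get("defaultUserRole")
    if role != "guest":
        findings.append(f"defaultUserRole is {role!r}, not 'guest'")
    return findings


# The sample entry from this page, as a dict.
PAGE_ENTRY = {
    "callback": "http://127.0.0.1:8090/login/oauth2/socialnetworkx/callback",
    "clientId": "gearpump_test2",
    "clientSecret": "gearpump_test2",
    "defaultUserRole": "guest",
}

# Constructed entry with several mistakes (hostnames and values are made up).
BAD_ENTRY = {
    "callback": "http://dashboard.example.com:8090/login/oauth2/google/callback",
    "clientId": "gearpump-ui",
    "clientSecret": "constructed-secret",
    "defaultUserRole": "admin",
}
BAD_REGISTERED = "https://dashboard.example.com/login/oauth2/socialnetworkx/callback"

if __name__ == "__main__":
    print(check_oauth2_entry("socialnetworkx", PAGE_ENTRY, PAGE_ENTRY["callback"]))
    print(check_oauth2_entry("socialnetworkx", BAD_ENTRY, BAD_REGISTERED))
```
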
| |
| |
| |
| </div> |
| <!-- /container --> |
| |
| <script src="js/vendor/jquery-2.1.4.min.js"></script> |
| <script src="js/vendor/bootstrap-3.3.5.min.js"></script> |
| <script src="js/vendor/anchor-1.1.1.min.js"></script> |
| <script src="js/main.js"></script> |
| |
| <!-- MathJax Section --> |
| <script type="text/x-mathjax-config"> |
| MathJax.Hub.Config({ |
| TeX: { equationNumbers: { autoNumber: "AMS" } } |
| }); |
| |
| </script> |
| <script> |
| // Note that we load MathJax this way to work with local file (file://), HTTP and HTTPS. |
| // We could use "//cdn.mathjax...", but that won't support "file://". |
| (function (d, script) { |
| script = d.createElement('script'); |
| script.type = 'text/javascript'; |
| script.async = true; |
| script.onload = function () { |
| MathJax.Hub.Config({ |
| tex2jax: { |
| inlineMath: [["$", "$"], ["\\\\(", "\\\\)"]], |
| displayMath: [["$$", "$$"], ["\\[", "\\]"]], |
| processEscapes: true, |
| skipTags: ['script', 'noscript', 'style', 'textarea', 'pre'] |
| } |
| }); |
| }; |
| script.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + |
| 'cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML'; |
| d.getElementsByTagName('head')[0].appendChild(script); |
| }(document)); |
| </script> |
| </body> |
| </html> |