From c8aa0a666304d3b4d24abc9e05aa0db764b1ca41 Mon Sep 17 00:00:00 2001
From: Jason Fox
Date: Thu, 30 May 2024 10:20:11 +0200
Subject: [PATCH] Remove tutorial from master
---
 .env | 9 -
 .gitpod.yml | 41 -
 ...dentity Management.postman_collection.json | 882 -----------
 README.ja.md | 1332 -----------------
 README.md | 1161 +-------------
 docker-compose.yml | 89 --
 mysql-data/backup.sql | 814 ----------
 secrets.txt | 1 -
 services | 122 +-
 9 files changed, 18 insertions(+), 4433 deletions(-)
 delete mode 100644 .env
 delete mode 100644 .gitpod.yml
 delete mode 100644 FIWARE Identity Management.postman_collection.json
 delete mode 100644 README.ja.md
 delete mode 100644 docker-compose.yml
 delete mode 100644 mysql-data/backup.sql
 delete mode 100644 secrets.txt
diff --git a/.env b/.env
deleted file mode 100644
index 2bade52..0000000
--- a/.env
+++ /dev/null
@@ -1,9 +0,0 @@
-# Keyrock variables
-KEYROCK_VERSION=8.4.0
-KEYROCK_PORT=3005
-KEYROCK_HTTPS_PORT=3443
-IDM_HTTPS_ENABLED=false
-
-# MySQL variables
-MYSQL_DB_VERSION=8.0
-MYSQL_DB_PORT=3306
\ No newline at end of file
diff --git a/.gitpod.yml b/.gitpod.yml
deleted file mode 100644
index 6fb63c9..0000000
--- a/.gitpod.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-tasks:
- - name: Pull Images
- init: ./services create
-
-ports:
- - name: Orion
- description: Context Broker
- port: 1026
- onOpen: notify
- - name: Wilma
- description: PEP Proxy
- port: 1027
- onOpen: ignore
- - name: Tutorial App
- description: Web app displaying context data
- port: 3000
- onOpen: open-preview
- - name: Tutorial Devices
- description: Dummy IoT Sensors over HTTP
- port: 3001
- onOpen: ignore
- - name: Keyrock
- description: Identity Manager
- port: 3005
- onOpen: open-preview
- - name: MySQL
- description: Database for Keyrock
- port: 3306
- onOpen: ignore
- - name: IoT Agent (North Port)
- description: NGSI data and device provisioning
- port: 4041
- onOpen: ignore
- - name: IoT Agent (South Port)
- description: Ultralight HTTP measures
- port: 7896
- onOpen: ignore
- - name: MongoDB
- description: Database for Orion + IoT Agent
- port: 27017
- onOpen: ignore
\ No newline at end of file
diff --git a/FIWARE Identity Management.postman_collection.json b/FIWARE Identity Management.postman_collection.json
deleted file mode 100644
index 4e1f2db..0000000
--- a/FIWARE Identity Management.postman_collection.json
+++ /dev/null
@@ -1,882 +0,0 @@ -{ - "info": { - "_postman_id": "83b05e2a-e6d6-4869-a632-afcbb2072759", - "name": "FIWARE Identity Management", - "description": "This tutorial is an introduction to [FIWARE Keyrock](http://fiware-idm.readthedocs.io/en/latest/) - a generic enabler which introduces\n**Identity Management** into FIWARE services. The tutorial explains how to create users and organizations in preparation to assign\nroles and permissions to them in a later tutorial.\n\nThe `docker-compose` files for this tutorial can be found on GitHub: \n\n![GitHub](https://fiware.github.io/tutorials.Identity-Management/icon/GitHub-Mark-32px.png) [FIWARE 401: Identity Management](https://github.com/Fiware/tutorials.Identity-Management)\n\n# Identity Management\n\n> \"If one meets a powerful person — ask them five questions: ‘What power have you got?\n> Where did you get it from? In whose interests do you exercise it? To whom are you\n> accountable? And how can we get rid of you?’\"\n>\n> — Anthony Wedgwood Benn (The Five Essential Questions of Democracy)\n\n\nIn computer security terminology, Identity management is the security and business discipline that \"enables the right\nindividuals to access the right resources at the right times and for the right reasons\". It addresses the need to\nensure appropriate access to resources across disparate systems.\n\nThe FIWARE framework consists of a series of separate components, and the security chapter aims to implement\nthe common needs of these components regarding who (or what) gets to access which resources within the system,\nbut before access to resources can be locked down, the identity of the person (or service) making the request\nneeds to be known. 
The FIWARE **Keyrock** Generic Enabler sets up all of the common characteristics of an\nIdentity Management System out-of-the-box, so that other components are able to use standard authentication\nmechanisms to accept or reject requests based on industry standard protocols.\n\nIdentity Management therefore covers the issues of how to gain an identity within the system, the protection\nof that identity and the surrounding technologies such as passwords and network protocols.\n\n## Standard Concepts of Identity Management\n\nThe following common objects are found with the **Keyrock** Identity Management database:\n\n* **User** - Any signed up user able to identify themselves with an eMail and password. Users can be assigned\n rights individually or as a group\n* **Application** - Any securable FIWARE application consisting of a series of microservices\n* **Organization** - A group of users who can be assigned a series of rights. Altering the rights of the organization\n effects the access of all users of that organization\n* **OrganizationRole** - Users can either be members or admins of an organization - Admins are able to add and remove users\n from their organization, members merely gain the roles and permissions of an organization. This allows each organization\n to be responsible for their members and removes the need for a super-admin to administer all rights\n* **Role** - A role is a descriptive bucket for a set of permissions. A role can be assigned to either a single user\n or an organization. 
A signed-in user gains all the permissions from all of their own roles plus all of the roles associated\n to their organization\n* **Permission** - An ability to do something on a resource within the system\n\nAdditionally two further non-human application objects can be secured within a FIWARE application:\n\n* **IoTAgent** - a proxy between IoT Sensors and the Context Broker\n* **PEPProxy** - a middleware for use between generic enablers challenging the rights of a user.\n\n\n The relationship between the objects can be seen below - the entities marked in red are used directly within this tutorial:\n\n![](https://fiware.github.io/tutorials.Identity-Management/img/entities.png)\n\n## Video : Introduction to Keyrock\n\n[![](https://fiware.github.io/tutorials.Step-by-Step/img/video-logo.png)](https://www.youtube.com/watch?v=dHyVTan6bUY \"Introduction\")\n\nClick on the image above to watch an introductory video describing the **Keyrock** Generic Enabler\n\n# Prerequisites\n\n## Docker\n\nTo keep things simple both components will be run using [Docker](https://www.docker.com). **Docker** is a\ncontainer technology which allows to different components isolated into their respective environments.\n\n* To install Docker on Windows follow the instructions [here](https://docs.docker.com/docker-for-windows/)\n* To install Docker on Mac follow the instructions [here](https://docs.docker.com/docker-for-mac/)\n* To install Docker on Linux follow the instructions [here](https://docs.docker.com/install/)\n\n**Docker Compose** is a tool for defining and running multi-container Docker applications. A\n[YAML file](https://raw.githubusercontent.com/Fiware/tutorials.Entity-Relationships/master/docker-compose.yml) is used\nconfigure the required services for the application. This means all container services can be brought up in a single\ncommand. 
Docker Compose is installed by default as part of Docker for Windows and Docker for Mac, however Linux users\nwill need to follow the instructions found [here](https://docs.docker.com/compose/install/)\n\n## Cygwin\n\nWe will start up our services using a simple bash script. Windows users should download [cygwin](http://www.cygwin.com/) to provide a\ncommand line functionality similar to a Linux distribution on Windows.\n\n# Architecture\n\nThis introduction will only make use of one FIWARE component - the [Keyrock](http://fiware-idm.readthedocs.io/)\nIdentity Management Generic Enabler. Usage of **Keyrock** alone alone is insufficient for an application to qualify\n as *“Powered by FIWARE”*. Additionally will be persisting user data in a **MySQL** database.\n\n\nThe overall architecture will consist of the following elements:\n\n* One **FIWARE Generic Enabler**:\n * FIWARE [Keyrock](http://fiware-idm.readthedocs.io/) offer a complement Identity Management System including:\n * An OAuth2 authentication system for Applications and Users\n * A website graphical front-end for Identity Management Administration\n * An equivalent REST API for Identity Management via HTTP requests\n\n* One [MySQL](https://www.mysql.com/) database :\n * Used to persist user identities, applications, roles and permissions\n\n\nSince all interactions between the elements are initiated by HTTP requests, the entities can be containerized and run from exposed ports.\n\n\n![](https://fiware.github.io/tutorials.Identity-Management/img/architecture.png)\n\nThe specific architecture of each section of the tutorial is discussed below.\n\n## Keyrock Configuration\n\n```yaml\n keyrock:\n image: quay.io/fiware/idm\n container_name: fiware-keyrock\n hostname: keyrock\n depends_on:\n - mysql-db\n ports:\n - \"3005:3005\"\n - \"3443:3443\"\n environment:\n - DATABASE_HOST=mysql-db\n - IDM_DB_PASS_FILE=/run/secrets/my_secret_data\n - IDM_DB_USER=root\n - IDM_HOST=http://localhost:3005\n - IDM_PORT=3005\n 
- IDM_HTTPS_ENABLED=true\n - IDM_HTTPS_PORT=${KEYROCK_HTTPS_PORT}\n - IDM_ADMIN_USER=admin\n - IDM_ADMIN_EMAIL=admin@test.com\n - IDM_ADMIN_PASS=1234\n secrets:\n - my_secret_data\n```\n\nThe `idm` container is a web application server listening on two ports:\n\n* Port `3005` has been exposed for HTTP traffic so we can display the web page and interact with the REST API.\n* Port `3443` has been exposed for secure HTTPS traffic for the website and REST API\n\n> **Note** HTTPS should be used throughout for any secured application, but to do this properly,\n> **Keyrock** requires a trusted SSL certificate - the default certificate is self-certified and\n> available for testing purposes. The certificates can be overridden by attaching a volume to\n> replace the files under `/opt/fiware-idm/certs`.\n>\n> In a production environment, all access should occur over HTTPS, to avoid sending\n> any sensitive information using plain-text. Alternatively HTTP can be used within a\n> private network behind a configured HTTPS Reverse Proxy\n>\n> The port `3005` offering the HTTP protocol is being exposed for demonstration purposes only and to\n> simplify the interactions within this tutorial - you may also use HTTPS on port `3443` with certain\n> caveats.\n>\n> If you want to use HTTPS to access the REST API when you are using Postman, ensure that SSL\n> certificate verfication is OFF. 
If you want to use HTTPS to access the web front-end, please\n> accept any security warnings issued.\n\n\n\nThe `idm` container is driven by environment variables as shown:\n\n| Key |Value|Description|\n|-----|-----|-----------|\n|IDM_DB_PASS|`idm`| Password of the attached MySQL Database - secured by **Docker Secrets** (see below) |\n|IDM_DB_USER|`root`|User name of the default MySQL user - left in plain-text |\n|IDM_HOST|`http://localhost:3005`| Host name of the **Keyrock** App Server - used in activation eMails when signing up users|\n|IDM_PORT|`3005`| Port used by the **Keyrock** App Server for HTTP traffic - this has been altered from the default 3000 port to avoid clashes |\n|IDM_HTTPS_ENABLED|`true`| Whether to offer HTTPS Support - this will use the self-signed certs unless overridden |\n|IDM_HTTPS_PORT|`3443`| Port used by the **Keyrock** App Server for HTTP traffic this has been altered from the default 443 |\n\n\n> :information_source: **Note** that this example has secured the MySQL password using **Docker Secrets**\n> By using `IDM_DB_PASS` with the `_FILE` suffix and referring to a secrets file location.\n> This avoids exposing the password as an `ENV` variable in plain-text - either in the `Dockerfile` Image or\n> as an injected variable which could be read using `docker inspect`.\n>\n> The following list of variables (where used) should be set via secrets with the `_FILE` suffix in a Production System:\n>\n> * `IDM_SESSION_SECRET`\n> * `IDM_ENCRYPTION_KEY`\n> * `IDM_DB_PASS`\n> * `IDM_DB_USER`\n> * `IDM_ADMIN_ID`\n> * `IDM_ADMIN_USER`\n> * `IDM_ADMIN_EMAIL`\n> * `IDM_ADMIN_PASS`\n> * `IDM_EX_AUTH_DB_USER`\n> * `IDM_EX_AUTH_DB_PASS`\n\n\n\n## MySQL Configuration\n\n```yaml\n mysql-db:\n image: mysql:5.7\n hostname: mysql-db\n container_name: db-mysql\n expose:\n - \"3306\"\n ports:\n - \"3306:3306\"\n networks:\n default:\n environment:\n - \"MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my_secret_data\"\n - \"MYSQL_ROOT_HOST=172.18.1.5\"\n volumes:\n - 
mysql-db:/var/lib/mysql\n secrets:\n - my_secret_data\n```\n\n\nThe `mysql-db` container is listening on a single port:\n\n* Port `3306` is the default port for a MySQL server. It has been exposed so you can also run other database tools to display data if you wish\n\nThe `mysql-db` container is driven by environment variables as shown:\n\n| Key |Value. |Description |\n|-------------------|----------|------------------------------------------|\n|MYSQL_ROOT_PASSWORD|`123`. | specifies a password that is set for the MySQL `root` account - secured by **Docker Secrets** (see below)|\n|MYSQL_ROOT_HOST |`root`| By default, MySQL creates the `root'@'localhost` account. This account can only be connected to from inside the container. Setting this environment variable allows root connections from other hosts |\n\n# Start Up\n\nTo start the installation, do the following:\n\n```console\ngit clone git@github.com:Fiware/tutorials.Identity-Management.git\ncd tutorials.Identity-Management\n\n./services create\n```\n\n>**Note** The initial creation of Docker images can take up to three minutes\n\n\nThereafter, all services can be initialized from the command line by running the [services](https://github.com/Fiware/tutorials.Identity-Management/blob/master/services) Bash script provided within the repository:\n\n```console\n./services \n```\n\nWhere `` will vary depending upon the exercise we wish to activate.\n\n>:information_source: **Note:** If you want to clean up and start over again you can do so with the following command:\n>\n>```console\n>./services stop\n>```\n>\n\n\n### Reading directly from the Keyrock MySQL Database\n\nAll Identify Management records and relationships are held within the the attached MySQL database. 
This can be\naccessed by entering the running Docker container as shown:\n\n```console\ndocker exec -it db-mysql bash\n```\n\n```console\nmysql -u -p idm\n```\n\nWhere `` and `` match the values defined in the `docker-compose` file for `MYSQL_ROOT_PASSWORD`\nand `MYSQL_ROOT_USER`. The default values for the tutorial are usually `root` and `secret`.\n\nSQL commands can then be entered from the command line. e.g.:\n\n```SQL\nselect id, username, email, password from user;\n```\n\n\n### UUIDs within Keyrock\n\nAll IDs and tokens within **Keyrock** are subject to change. The following values will need to be amended when\nquerying for records. Record IDs use Universally Unique Identifiers - UUIDs.\n\n| Key |Description | Sample Value |\n|-----|-----------------------------------|--------------|\n|`keyrock`| URL for the location of the **Keyrock** service|`localhost:3005`|\n|`X-Auth-token`| Token received in the Header when logging in as a user - in other words *\"Who am I?\"* |`51f2e380-c959-4dee-a0af-380f730137c3`|\n|`X-Subject-token`|Token added to requests to define *\"Who do I want to inquire about?\"* - This can also be a repeat the `X-Auth-token` defined above |`51f2e380-c959-4dee-a0af-380f730137c3`|\n|`user-id`| id of an existing user, found with the `user` table |`96154659-cb3b-4d2d-afef-18d6aec0518e`|\n|`organization-id`| id of an existing organization, found with the `organization` table |`e424ed98-c966-46e3-b161-a165fd31bc01`|\n|`organization-role-id`| type of role a user has within an organization either `owner` or `member`|`member`|\n\nTokens are designed to expire after a set period. 
If the `X-Auth-token` value you are using has expired, log-in again to obtain a new token.\n\n## Video : Creating User Accounts with the Keyrock GUI\n\n[![](http://img.youtube.com/vi/dtKsjGbJ7Xc/0.jpg)](https://www.youtube.com/watch?v=dtKsjGbJ7Xc \" Creating User Accounts\")\n\nClick on the image above to watch a video demonstrating how to create users with the **Keyrock** GUI\n", - "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json" - }, - "item": [ - { - "name": "Logging In - Authentication", - "description": "The Log-in Screen allows an existing user to identify themselves and obtain a token for further operations. It is the initial start-up\nscreen of the **Keyrock** GUI - `http://localhost:3005/idm` (or `https://localhost:3443/idm` and accept the warnings)\n\n\n\n![](https://fiware.github.io/tutorials.Identity-Management/img/log-in.png)\n\nEnter a user name and password to enter the application. The default super-user has the values `admin@test.com` and `1234`.\n", - "item": [ - { - "name": "Create token with Password", - "request": { - "method": "POST", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - } - ], - "body": { - "mode": "raw", - "raw": "{\n \"name\": \"admin@test.com\",\n \"password\": \"1234\"\n}" - }, - "url": { - "raw": "http://{{keyrock}}/v1/auth/tokens", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "auth", - "tokens" - ] - }, - "description": "The following example logs in using the Admin Super-User - it is the equivalent of using the log-in screen of the GUI.\nThe URL `https://localhost:3443/v1/auth/tokens` should also work in a secure system.\n\nThe response header returns an `X-Subject-token` which identifies who has logged on the application.\nThis token is required in all subsequent requests to gain access." 
- }, - "response": [] - }, - { - "name": "Get User Information via a Token", - "request": { - "method": "GET", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - }, - { - "key": "X-Subject-token", - "value": "{{X-Subject-token}}" - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/v1/auth/tokens", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "auth", - "tokens" - ] - }, - "description": "In order to manage the Identity Manager through the API you must obtain an access token to be included in HTTP headers. There are two methods to obtain an access token." - }, - "response": [] - }, - { - "name": "Refresh token with Token", - "request": { - "method": "POST", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - } - ], - "body": { - "mode": "raw", - "raw": "{\n \"token\": \"70bb37f8-938e-4158-a8ab-7218af3c384d\"\n}" - }, - "url": { - "raw": "http://{{keyrock}}/v1/auth/tokens", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "auth", - "tokens" - ] - }, - "description": "Tokens are time limited - it is no longer possible to gain access once a token has expired.\nHowever it is possible to refresh a token for a newer one prior to expiry.\n\nMost applications use this end-point to avoid timing out a user whilst they are interacting with the application.\n\n A new token is returned in the `X-Subject-Token` header of the response." 
- }, - "response": [] - } - ], - "event": [ - { - "listen": "prerequest", - "script": { - "id": "04f600b8-5b31-4ed2-ada6-7db583d6b15b", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "1b5166e8-d073-4cef-9649-def95e2eeaef", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ] - }, - { - "name": "Managing User Accounts", - "description": "Users accounts are at the heart of any identity management system. The essential fields of every account hold a unique user name\nand email address to identify the user, along with a password for authentication. The other optional fields\nadd more information about the user such as a user website, description or avatar.\n\n\nAs the default super-admin user `admin@test.com` with a password of `1234`, we will set up a series of user accounts and assign them to\nrelevant organizations within the system.\n\n### Dramatis Personae\n\nThe following people legitimately have accounts within the Application\n\n* Alice, she will be the Administrator of the **Keyrock** Application\n* Bob, the Regional Manager of the supermarket chain - he has several store managers under him:\n * Manager1\n * Manager2\n* Charlie, the Head of Security of the supermarket chain - he has several store detectives under him:\n * Detective1\n * Detective2\n \n\nAll the CRUD actions for Users require an `X-Auth-token` header from a previously logged in administrative user to be able\nto read or modify other user accounts. 
The standard CRUD actions are assigned to the appropriate HTTP verbs (POST, GET, PATCH and DELETE)\nunder the `/v1/users` endpoint.", - "item": [ - { - "name": "Create a User", - "request": { - "method": "POST", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": { - "mode": "raw", - "raw": "{\n \"user\": {\n \"username\": \"admin2\",\n \"email\": \"admin2@test.com\",\n \"password\": \"test\",\n \"admin\": true\n }\n}" - }, - "url": { - "raw": "http://{{keyrock}}/v1/users", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "users" - ] - }, - "description": "## REST API\n\nTo create a new user via the REST API, send a POST request to the `/v1/users` endpoint containing\nthe `username`,`email` and `password` along with the `X-Auth-token` header from a previously logged in administrative user.\n\n## GUI \n\nAlternatively, Users are able to sign-up for themselves using the GUI. The only requirement is an email address and a password.\n\n![](https://fiware.github.io/tutorials.Identity-Management/img/sign-up.png)\n\nOnce an account is created, the user is sent an eMail to confirm their existence and activate their account.\n\n![](https://fiware.github.io/tutorials.Identity-Management/img/email.png)\n\nThe REST API is also able to create and amend users without their own interaction - this could be useful for\nbulk CRUD actions for example.\n\n> **Note** - an eMail server must be configured to send out invites properly, otherwise the invitation\n> may be deleted as spam. 
For testing purposes, it is easier to update the users table directly:\n>`update user set enabled = 1;`" - }, - "response": [] - }, - { - "name": "Read info about a User", - "request": { - "method": "GET", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/v1/users/{{user-id}}", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "users", - "{{user-id}}" - ] - }, - "description": "Making a GET request to a resource under the `/v1/users/{{user-id}}` endpoint will return the user listed under that id.\nThe `X-Auth-token` must be supplied in the headers.\n\nThe response contains basic details of the account in question." - }, - "response": [] - }, - { - "name": "List Users", - "request": { - "method": "GET", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/v1/users", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "users" - ] - }, - "description": "Obtaining a complete list of all users is a super-admin permission requiring the `X-Auth-token` - most users will \nonly be permitted to return users within their own organization. 
Listing users can be done by making a GET request to \nthe `/v1/users` endpoint" - }, - "response": [] - }, - { - "name": "Update a User", - "request": { - "method": "PATCH", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": { - "mode": "raw", - "raw": "{\n\t\"user\": {\n\t \"username\": \"alice\",\n\t \"email\": \"alice@test.com\",\n\t \"enabled\": true,\n\t \"gravatar\": false,\n\t \"date_password\": \"2018-07-26T15:25:14.000Z\",\n\t \"description\": \"Alice works for FIWARE\",\n\t \"website\": \"http://www.fiware.org\"\n\t}\n}" - }, - "url": { - "raw": "http://{{keyrock}}/v1/users/{{user-id}}", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "users", - "{{user-id}}" - ] - }, - "description": "Within the GUI, users can be updated from the settings page. This can also be done from the command line\nby making PATCH request to `/v1/users/` endpoint when the user id is known. The `X-Auth-token`\nheader must also be set.\n\nThe response lists the fields which have been updated." - }, - "response": [] - }, - { - "name": "Delete a User", - "request": { - "method": "DELETE", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/v1/users/{{user-id}}", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "users", - "{{user-id}}" - ] - }, - "description": "Within the GUI, users can delete their account from the settings page, selecting the **Cancel Account** Option,\nonce again a super-admin user can do this from the command line by sending a DELETE request to the \n`/v1/users/{{user-id}}` endpoint. 
The `X-Auth-token` header must also be set." - }, - "response": [] - } - ], - "event": [ - { - "listen": "prerequest", - "script": { - "id": "f181be01-0817-44ba-a88d-241b9da2cf3b", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "28237ecf-a94a-4783-91e6-634dc845b7f7", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ] - }, - { - "name": "Grouping Accounts under Organizations", - "description": "For any identity management system of a reasonable size, it is useful to be able to assign\nroles to groups of users, rather than setting them up individually. Since user administration\nis a time consuming business, it is also necessary to be able to delegate the responsibility\nof managing these group of users down to other accounts with a lower level of access.\n\nConsider our supermarket chain for example, there could be a group of users (Managers) who\ncan change the prices of products within the store, and another group of users (Store Detectives)\nwho can lock and unlock door after closing time. 
Rather than give access to each individual account,\nit would be easier to assign the rights to an organization and then add users to the groups.\n\nFurthermore, Alice, the **Keyrock** administrator does not need to explicitly add additional user\naccounts to each organization herself - she could delegate that right to an owner within each organization.\nFor example Bob the Regional Manager would be made the owner of the *management* organization and could\nadd and remove addition manager accounts (such as `manager1` and `manager2`) to that organization\nwhereas Charlie the Head of Security could be handed an ownership role in the *security* organization and add\nadditional store detectives to that organization.\n\nNote that Bob does not have the rights to alter the membership list of the *security* organization and\nCharlie does not have the rights to alter the membership list of the *management* organization.\nFurthermore neither Bob nor Charlie would be able to alter the permissions of the application themselves,\nmerely add and remove existing user accounts to the organization they control.\n\nCreating an application and setting-up the permissions is not covered here as it is the subject of the next tutorial.", - "item": [ - { - "name": "Organization CRUD Actions", - "description": "#### GUI\n\nOnce signed-in, users are able to create and update organizations for themselves.\n\n![](https://fiware.github.io/tutorials.Identity-Management/img/create-org.png)\n\n#### REST API\n\nAlterntively, the standard CRUD actions are assigned to the appropriate HTTP verbs (POST, GET, PATCH and DELETE) under the `/v1/organizations` endpoint.", - "item": [ - { - "name": "Create an Organization", - "request": { - "method": "POST", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": { - "mode": "raw", 
- "raw": "{\n \"organization\": {\n \"name\": \"Security\",\n \"description\": \"This group is for the store detectives\"\n }\n}" - }, - "url": { - "raw": "http://{{keyrock}}/v1/organizations", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "organizations" - ] - }, - "description": "To create a new organization, send a POST request to the `/v1/organizations` endpoint containing the `name` and `description` along with the `X-Auth-token` header from a previously logged in user.\n\nThe Organization is created and the user who created it is automatically assigned as a user. \nThe response returns UUID to identify the new organization." - }, - "response": [] - }, - { - "name": "List Organizations", - "request": { - "method": "GET", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/v1/organizations", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "organizations" - ] - } - }, - "response": [] - }, - { - "name": "Read info about an Organization", - "request": { - "method": "GET", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/v1/organizations/{{organization-id}}", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "organizations", - "{{organization-id}}" - ] - }, - "description": "Making a GET request to a resource under the `/v1/organizations/{{organization-id}}` endpoint will return the organization\nlisted under that id. 
The `X-Auth-token` must be supplied in the headers as only permitted organizations will be shown.\n\nThe response returns the details of the organization." - }, - "response": [] - }, - { - "name": "Update an Organization", - "request": { - "method": "PATCH", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": { - "mode": "raw", - "raw": "{\n \"organization\": {\n \"name\": \"FIWARE Security\",\n \"description\": \"The FIWARE Foundation is the legal independent body promoting, augmenting open-source FIWARE technologies\",\n \"website\": \"http://fiware.org\"\n }\n}" - }, - "url": { - "raw": "http://{{keyrock}}/v1/organizations/{{organization-id}}", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "organizations", - "{{organization-id}}" - ] - }, - "description": "To amend the details of an existing organization, a PATCH request is send to the `/v1/organizations/{{organization-id}}` endpoint.\n\nThe response contains a list of the fields which have been amended." 
- }, - "response": [] - }, - { - "name": "Delete an Organization", - "request": { - "method": "DELETE", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/v1/organizations/{{organization-id}}", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "organizations", - "{{organization-id}}" - ] - } - }, - "response": [] - } - ], - "event": [ - { - "listen": "prerequest", - "script": { - "id": "4eb46ba3-0ae3-4b98-bef0-3b0a19da56aa", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "6173bfcf-4814-4c1e-9b4b-5d77d1de5a6a", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ], - "_postman_isSubFolder": true - }, - { - "name": "Users within an Organization", - "description": "Users within an Organization are assigned to one of types - `owner` or `member`. \nThe members of an organization inherit all of the roles and permissions assigned \nto the organization itself. 
In addition, owners of an organization are able to \nadd an remove other members and owners.", - "item": [ - { - "name": "Add a User as a Member of an Organization", - "request": { - "method": "PUT", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles/member", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "organizations", - "{{organization-id}}", - "users", - "{{user-id}}", - "organization_roles", - "member" - ] - }, - "description": "To add a user as a member of an organization, an owner must make a PUT request as shown, including the `` and `` in the URL path and identifying themselves using an `X-Auth-Token` in the header.\n\nThe response lists the user's current role within the organization (i.e. `member`)" - }, - "response": [] - }, - { - "name": "Add a User as an Owner of an Organization", - "request": { - "method": "PUT", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles/owner", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "organizations", - "{{organization-id}}", - "users", - "{{user-id}}", - "organization_roles", - "owner" - ] - }, - "description": "An owner can also create new owners by making a PUT request as shown, including the `` and `` in the URL path and identifying themselves using an `X-Auth-Token` in the header.\n\nThe response lists the user's current role within the organization (i.e. 
`owner`)" - }, - "response": [] - }, - { - "name": "List Users within an organization", - "request": { - "method": "GET", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/v1/organizations/{{organization-id}}/users", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "organizations", - "{{organization-id}}", - "users" - ] - }, - "description": "Listing users within an organization is an `owner` or super-admin permission requiring the `X-Auth-token`\nListing users can be done by making a GET request to the `/v1/organizations/{{organization-id}}/users` endpoint.\n\nThe response contains the users list." - }, - "response": [] - }, - { - "name": "Info of user organization relationship", - "request": { - "method": "GET", - "header": [ - { - "key": "Accept", - "value": "application/json" - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { - "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "organizations", - "{{organization-id}}", - "users", - "{{user-id}}", - "organization_roles" - ] - }, - "description": "To find the role of a user within an organization, send a GET request to the `/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles` endpoint.\n\nThe response returns the role of the given ``" - }, - "response": [] - }, - { - "name": "Remove User from an Organization", - "request": { - "method": "DELETE", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - }, - { - "key": "Content-Type", - "value": "application/json" - }, - { 
- "key": "X-Auth-token", - "value": "{{X-Auth-token}}" - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles/member", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "v1", - "organizations", - "{{organization-id}}", - "users", - "{{user-id}}", - "organization_roles", - "member" - ] - }, - "description": "Owners and Super-Admins can remove a user from and organization by making a delete request." - }, - "response": [] - } - ], - "event": [ - { - "listen": "prerequest", - "script": { - "id": "c64b6abe-444d-438b-99af-ed0fc27c528a", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "a074d0bf-43f5-41f9-8617-43156bd2a774", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ], - "_postman_isSubFolder": true - } - ], - "event": [ - { - "listen": "prerequest", - "script": { - "id": "c7f250c1-d118-4228-a631-3100cf4b0749", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "e44c9292-bf65-406b-aef4-0e01c969b714", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ] - } - ], - "event": [ - { - "listen": "prerequest", - "script": { - "id": "f32d4f4e-6a77-4b0a-9cd1-7fdc58c14247", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "453a7383-bb2a-4e01-8ed4-7355fb12520f", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ], - "variable": [ - { - "id": "cc4ab4fb-70ce-4384-8257-f86dd8584edd", - "key": "keyrock", - "value": "localhost:3005", - "type": "string", - "description": "" - }, - { - "id": "7cb8bbd9-e36c-4eb4-8283-5d7cb461896a", - "key": "X-Auth-token", - "value": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", - "type": "string", - "description": "" - }, - { - "id": "d208439e-90fa-4757-b9a6-8f2aaa651048", - "key": "X-Subject-token", - "value": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", - "type": 
"string", - "description": "" - }, - { - "id": "77bd03b7-a9f9-4ca4-a62b-283fc97fd699", - "key": "organization-id", - "value": "security-team-0000-0000-000000000000", - "type": "string", - "description": "" - }, - { - "id": "7557d418-9134-4c90-9968-baed78a7cafd", - "key": "user-id", - "value": "aaaaaaaa-good-0000-0000-000000000000", - "type": "string", - "description": "" - } - ] -} \ No newline at end of file diff --git a/README.ja.md b/README.ja.md deleted file mode 100644 index fca3eeb..0000000 --- a/README.ja.md +++ /dev/null @@ -1,1332 +0,0 @@ -[![FIWARE Banner](https://fiware.github.io/tutorials.Identity-Management/img/fiware.png)](https://www.fiware.org/developers) - -[![FIWARE Security](https://nexus.lab.fiware.org/repository/raw/public/badges/chapters/security.svg)](https://github.com/FIWARE/catalogue/blob/master/security/README.md) -[![License: MIT](https://img.shields.io/github/license/fiware/tutorials.Identity-Management.svg)](https://opensource.org/licenses/MIT) -[![Support badge](https://img.shields.io/badge/tag-fiware-orange.svg?logo=stackoverflow)](https://stackoverflow.com/questions/tagged/fiware) -
[![Documentation](https://img.shields.io/readthedocs/fiware-tutorials.svg)](https://fiware-tutorials.rtfd.io) - - - -このチュートリアルは -、[FIWARE Keyrock](https://fiware-idm.readthedocs.io/en/latest/) の紹介です。こ -れは、FIWARE サービスに **ID 管理** (Identity Management) を導入する Generic -Enabler です。このチュートリアルでは、ユーザと組織の作成方法について、後のチュー -トリアルで、それらにロールと権限の割り当てる方法について説明します。 - -このチュートリアルでは、**Keyrock** GUI を使用したインタラクションの例や -、**Keyrock** REST API へのアクセスに使用される [cUrl](https://ec.haxx.se/) コマ -ンド -、[Postman のドキュメント](https://fiware.github.io/tutorials.Identity-Management/)も -使用できます。 - -[![Run in Postman](https://run.pstmn.io/button.svg)](https://app.getpostman.com/run-collection/5f9e1736f979b86ec94a) -[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/FIWARE/tutorials.Identity-Management/tree/NGSI-v2) - -## コンテンツ - -
-詳細 (クリックして拡大) - -- [ID 管理](#identity-management) - - [ID 管理の標準概念](#standard-concepts-of-identity-management) - - [:arrow_forward: ビデオ : Keyrock のイントロダクション](#arrow_forward-video--introduction-to-keyrock) -- [前提条件](#prerequisites) - - [Docker](#docker) - - [Cygwin](#cygwin) -- [アーキテクチャ](#architecture) - - [Keyrock の設定](#keyrock-configuration) - - [MySQL の設定](#mysql-configuration) -- [起動](#start-up) - - [Keyrock MySQL データベースからの直接読み込み](#reading-directly-from-the-keyrock-mysql-database) - - [Keyrock 内の UUIDs](#uuids-within-keyrock) - - [:arrow_forward: ビデオ: Keyrock GUI でのユーザ・アカウントの作成](#arrow_forward-video--creating-user-accounts-with-the-keyrock-gui) - - [ログイン](#logging-in) - - [パスワードでトークンを作成](#create-token-with-password) - - [トークンを介してユーザ情報を取得](#get-user-information-via-a-token) - - [トークンをリフレッシュ](#refresh-token) -- [ユーザ・アカウントの管理](#administrating-user-accounts) - - [登場人物 (Dramatis Personae)](#dramatis-personae) - - [ユーザ CRUD アクション](#user-crud-actions) - - [ユーザを作成](#creating-users) - - [ユーザ情報を取得](#read-information-about-a-user) - - [すべてのユーザの一覧を取得](#list-all-users) - - [ユーザを更新](#update-a-user) - - [ユーザを削除](#delete-a-user) -- [組織下でのユーザ・アカウントのグルーピング](#grouping-user-accounts-under-organizations) - - [組織 CRUD アクション](#organization-crud-actions) - - [組織の作成](#create-an-organization) - - [組織の詳細を取得](#read-organization-details) - - [すべての組織の一覧を取得](#list-all-organizations) - - [組織を更新](#update-an-organization) - - [組織を削除](#delete-an-organization) - - [組織内のユーザ](#users-within-an-organization) - - [組織のメンバとしてユーザを追加](#add-a-user-as-a-member-of-an-organization) - - [組織のオーナーとしてユーザを追加](#add-a-user-as-an-owner-of-an-organization) - - [組織内のユーザの一覧を取得](#list-users-within-an-organization) - - [組織内のユーザ・ロールを取得](#read-user-roles-within-an-organization) - - [組織からユーザを削除](#remove-a-user-from-an-organization) -- [次のステップ](#next-steps) - -
- - - -# ID 管理 - -> "If one meets a powerful person — ask them five questions: ‘What power have -> you got? Where did you get it from? In whose interests do you exercise it? To -> whom are you accountable? And how can we get rid of you?’" -> -> — Anthony Wedgwood Benn (The Five Essential Questions of Democracy) - -コンピュータ・セキュリティ用語では、ID 管理 (Identity management) は、"適切な人 -が適切なタイミングで適切なリソースに適切な理由でアクセスできるようにするセキュリ -ティおよびビジネス規律"です。さまざまなシステム間のリソースへの適切なアクセスを -確保する必要性に対処します。 - -FIWARE フレームワークは一連の独立したコンポーネントで構成されており、セキュリテ -ィのチャプターでは、システム内のどのリソースに誰がアクセスするのかについて、これ -らのコンポーネントの共通のニーズを実装することを目指しています。リクエストを行う -人またはサービスの身元を知る必要があります。FIWARE **Keyrock** Generic Enabler -は、ID 管理システムの共通特性のすべてをすぐに設定し、他のコンポーネントが標準の -認証メカニズムを使用して、業界標準のプロトコルに基づいてリクエストを受け入れるか -拒否することができるようにします。 - -したがって、ID 管理は、システム内で ID を得る方法、ID を保護する方法、およびパス -ワードやネットワーク・プロトコルなどの周囲の技術を取り上げる問題を扱います。 - - - -## ID 管理の標準概念 - -**Keyrock** ID 管理データベースには、次の共通オブジェクトがあります : - -- **User** - 電子メールとパスワードを使用して自分自身を識別できる、登録済みの - ユーザ。ユーザには、個別にまたはグループとして権利を割り当てることができます -- **Application** - 一連のマイクロ・サービスで構成された任意のセキュアな - FIWARE アプリケーション -- **Organization** - 一連の権利を割り当てることができるユーザのグループ。組織 - の権利を変更すると、その組織のすべてのユーザのアクセスが影響を受けます -- **OrganizationRole** - ユーザは組織のメンバまたは管理者になることができます - 。管理者は組織にユーザを追加または削除できます。メンバは組織のロールと権限を - 取得するだけです。これにより、各組織はメンバに対して責任を持つことができ、ス - ーパー管理者 (super-admin) がすべての権限を管理する必要がなくなります -- **Role** - ロールは、一連のアクセス許可の説明的なバケットです。ロールは、単 - 一のユーザまたは組織に割り当てることができます。サインインしたユーザは、自分 - のすべてのロールとその組織に関連付けられているすべてのロールのすべての権限を - 取得します -- **Permission** - システム内のリソース上で何かを行う能力 - -さらに、FIWARE アプリケーション内で、2 つの人以外のアプリケーション (non-human -application) のオブジェクトを保護することができます。 - -- **IoTAgent** - IoT センサとコンテキスト・ブローカー間のプロキシ -- **PEPProxy** - ユーザの権利を確認する Generic Enabler 間での使用のためのミド - ルウェア - -オブジェクト間の関係は以下のようになります : - -![](https://fiware.github.io/tutorials.Identity-Management/img/entities.png) - - - -## :arrow_forward: ビデオ : Keyrock のイントロダクション - 
-[![](https://fiware.github.io/tutorials.Step-by-Step/img/video-logo.png)](https://www.youtube.com/watch?v=dHyVTan6bUY "Introduction") - -イントロダクションのビデオを見るには上記の画像をクリックしてください。 - - - -# 前提条件 - - - -## Docker - -物事を単純にするために、両方のコンポーネントが [Docker](https://www.docker.com) -を使用して実行されます。**Docker** は、さまざまコンポーネントをそれぞれの環境に -分離することを可能にするコンテナ・テクノロジです。 - -- Docker Windows にインストールするには - 、[こちら](https://docs.docker.com/docker-for-windows/)の手順に従ってくださ - い -- Docker Mac にインストールするには - 、[こちら](https://docs.docker.com/docker-for-mac/)の手順に従ってください -- Docker Linux にインストールするには - 、[こちら](https://docs.docker.com/install/)の手順に従ってください - -**Docker Compose** は、マルチコンテナ Docker アプリケーションを定義して実行する -ためのツールです -。[YAML file](https://raw.githubusercontent.com/Fiware/tutorials.tutorials.Identity-Management/master/docker-compose.yml) -ファイルは、アプリケーションのために必要なサービスを構成するために使用します。つ -まり、すべてのコンテナ・サービスは 1 つのコマンドで呼び出すことができます -。Docker Compose は、デフォルトで Docker for Windows と Docker for Mac の一部と -してインストールされますが、Linux ユーザ -は[ここ](https://docs.docker.com/compose/install/)に記載されている手順に従う必要 -があります。 - - - -## Cygwin - -シンプルな bash スクリプトを使用してサービスを開始します。Windows ユーザは -[cygwin](http://www.cygwin.com/) をダウンロードして、Windows 上の Linux ディスト -リビューションと同様のコマンドライン機能を提供する必要があります。 - - - -# アーキテクチャ - -このイントロダクションでは -、[Keyrock](https://fiware-idm.readthedocs.io/en/latest/) Identity Management -Generic Enabler という 1 つの FIWARE コンポーネントのみを使用します。**Keyrock** -単独での使用は、アプリケーションが _“Powered by FIWARE”_ と認定するには不十分で -す。さらに、**MySQL** データベースにユーザ・データを保存する予定です。 - -全体的なアーキテクチャは、次の要素で構成されます : - -- 1 つの **FIWARE Generic Enabler** : - - - FIWARE [Keyrock](https://fiware-idm.readthedocs.io/en/latest/) は補完的 - な ID 管理システムを提供します : - - アプリケーションとユーザのための認証システム - - ID 管理のアドミニストレーションのための Web サイトのグラフィカル・フ - ロントエンド - - HTTP リクエストによる ID 管理用の同等の REST API - -- 1 つの [MySQL](https://www.mysql.com/) データベース : - - ユーザ ID、アプリケーション、ロール、およびパーミッションを保持するため - に使用します - -要素間のすべてのインタラクションは HTTP リクエストによって開始されるため、エンテ -ィティはコンテナ化され、公開されたポートから実行されます。 - 
-![](https://fiware.github.io/tutorials.Identity-Management/img/architecture.png) - -チュートリアルの各セクションの具体的なアーキテクチャについては、以下で説明します -。 - - - -## Keyrock の設定 - -```yaml -keyrock: - image: quay.io/fiware/idm - container_name: fiware-keyrock - hostname: keyrock - depends_on: - - mysql-db - ports: - - "3005:3005" - - "${KEYROCK_HTTPS_PORT}:${KEYROCK_HTTPS_PORT}" # localhost:3443 - environment: - - IDM_DB_HOST=mysql-db - - IDM_DB_PASS_FILE=/run/secrets/my_secret_data - - IDM_DB_USER=root - - IDM_HOST=http://localhost:3005 - - IDM_PORT=3005 - - IDM_HTTPS_ENABLED=true - - IDM_HTTPS_PORT=${KEYROCK_HTTPS_PORT} - - IDM_ADMIN_USER=admin - - IDM_ADMIN_EMAIL=admin@test.com - - IDM_ADMIN_PASS=1234 - secrets: - - my_secret_data -``` - -`keyrock` コンテナは、2 つのポートでリッスンしている、Web アプリケーション・サー -バです : - -- Port `3005` は HTTP トラフィックで公開されているため、Web ページを表示して - REST API とやりとりすることができます -- Port `3443` は Web サイトおよび REST API の HTTPS トラフィックを保護するため - に公開されています - -> :information_source: **注** すべてのセキュアなアプリケーションで HTTPS を使用 -> する必要がありますが、これを正しく行うには ** Keyrock** には信頼できる SSL 証 -> 明書が必要です。デフォルトの証明書は自己認証されており、テスト目的で利用できま -> す。 証明書は、`/opt/fiware-idm/certs` の下にあるファイルを置き換えるためにボ -> リュームを付加することで上書きすることができます。 -> -> 実稼働環境では、プレーンテキストを使用して機密情報を送信しないように、HTTPS 経 -> 由ですべてのアクセスを行う必要があります。 また、設定された HTTPS リバース・プ -> ロキシの背後にあるプライベート・ネットワーク内で HTTP を使用することもできます -> 。 -> -> HTTP プロトコルを提供するポート `3005` は、デモンストレーションの目的でのみ公 -> 開されており、このチュートリアルでのインタラクションを簡素化するために、ポート -> 3443 で HTTPS を使用することもあります。 -> -> Postman を使用しているときに HTTPS を使用して REST API にアクセスする場合は -> 、SSL 証明書の検証がオフであることを確認してください。HTTPS を使用して Web フ -> ロントエンドにアクセスする場合は、発行されたセキュリティ警告を受け入れてくださ -> い。 - -`keyrock` コンテナは、次に示す環境変数によってドライブされます : - -| キー | 値 | 説明 | -| ----------------- | ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -| IDM_DB_PASS | `idm` | 接続する MySQL データベースのパスワード。**Docker Secrets** によって保護されています。下記を参照してください | -| IDM_DB_USER | `root` | デフォルトの MySQL 
ユーザのユーザ名。プレーン・テキストです | -| IDM_HOST | `http://localhost:3005` | **Keyrock** アプリケーション・サーバのホスト名。ユーザ登録時にアクティベーション e-mail で使用されます | -| IDM_PORT | `3005` | **Keyrock** アプリケーション・サーバで使用される HTTP トラフィックのためのポート。これは、衝突を避けるためにデフォルトの `3000` ポートから変更しています | -| IDM_HTTPS_ENABLED | `true` | HTTPS サポートを提供するかどうか。これは、オーバーライドされない限り、自己署名証明書を使用します | -| IDM_HTTPS_PORT | `3443` | HTTP トラフィック用の **Keyrock** アプリケーション・サーバで使用されるポート。デフォルトの 443 から変更されています。 | - -> :information_source: **注** この例では、**Docker Secrets** を使用して MySQL パ -> スワードを保護していることに注意してください。`_FILE` サフィックスを持つ -> `IDM_DB_PASS` を使用し、シークレット・ファイルの場所を参照します。これによりプ -> レーン・テキストの `ENV` 変数として、パスワードを公開することを避けることがで -> きます。`Dockerfile` イメージか `docker inspect` を使って読むことができる注入 -> 変数 (an injected variable ) です。 - -> 次の変数のリストは、プロダクション・システムで `_FILE` サフィックスを持つシー -> クレットを使用して設定する必要があります : -> -> - `IDM_SESSION_SECRET` -> - `IDM_ENCRYPTION_KEY` -> - `IDM_DB_PASS` -> - `IDM_DB_USER` -> - `IDM_ADMIN_ID` -> - `IDM_ADMIN_USER` -> - `IDM_ADMIN_EMAIL` -> - `IDM_ADMIN_PASS` -> - `IDM_EX_AUTH_DB_USER` -> - `IDM_EX_AUTH_DB_PASS` - - - -## MySQL の設定 - -```yaml -mysql-db: - image: mysql:5.7 - hostname: mysql-db - container_name: db-mysql - expose: - - "3306" - ports: - - "3306:3306" - networks: - - default: - environment: - - "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my_secret_data" - - "MYSQL_ROOT_HOST=172.18.1.5" - volumes: - - mysql-db:/var/lib/mysql - secrets: - - my_secret_data -``` - -`mysql-db` コンテナは、単一ポートで待機しています : - -- Port `3306` は MySQL サーバのデフォルト・ポートです。これは公開されているの - で、必要に応じて他のデータベース・ツールを実行してデータを表示することもでき - ます - -`mysql-db` コンテナは、次に示すような環境変数によってドライブされます : - -| キー | 値 | 説明 | -| ------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| MYSQL_ROOT_PASSWORD | `123` | **Docker Secrets** によって保護されている MySQL の `root` アカウントに設定されているパスワードを指定します。下記を参照してください | -| MYSQL_ROOT_HOST | `root` | デフォルトでは、MySQL は 
`root'@'localhost` アカウントを作成します。このアカウントはコンテナ内からのみ接続できます。この環境変数を設定すると、他のホストからのルート接続が可能になります。 | - - - -# 起動 - -インストールを開始するには、次の手順を実行します : - -```console -git clone https://github.com/FIWARE/tutorials.Identity-Management.git -cd tutorials.Identity-Management -git checkout NGSI-v2 - -./services create -``` - -> **注** Docker イメージの最初の作成には最大 3 分かかります - -その後、リポジトリ内で提供される -[services](https://github.com/FIWARE/tutorials.Identity-Management/blob/NGSI-v2/services) -Bash スクリプトを実行することによって、コマンドラインからすべてのサービスを初期 -化することができます : - -```console -./services -``` - -ここで、`` は、私たちがアクティベートしたいエクササイズに応じてかわりま -す。 - -> :information_source: **注:** クリーンアップをやり直したい場合は、次のコマンド -> を使用して再起動することができます : -> -> ```console -> ./services stop -> ``` - - - -### Keyrock MySQL データベースからの直接読み込み - -すべての ID 管理のレコードと関連性は、MySQL データベース内に保持されます。以下の -ように実行中の Docker コンテナを入力するとアクセスできます : - -```console -docker exec -it db-mysql bash -``` - -```console -mysql -u -p idm -``` - -ここで、`` と `` は、`docker-compose` ファイル内で定義された値の -`MYSQL_ROOT_PASSWORD` と `MYSQL_ROOT_USER` に一致します。チュートリアルのデフォ -ルト値は、通常`root`、および `secret` です。 - -コマンドラインから SQL コマンドを入力することができます。例えば : - -```SQL -select id, username, email, password from user; -``` - -**Keyrock** MySQL データベースは、ユーザ、パスワードなどの格納を含むアプリケーシ -ョン・セキュリティのあらゆる側面を扱います。アクセス権を定義し、OAuth2 認証プロ -トコルを扱います。完全なデータベース関係図 -は[ここ](https://fiware.github.io/tutorials.Identity-Management/img/keyrock-db.png)に -あります。 - - - -### Keyrock 内の UUIDs - -**Keyrock** 内のすべての IDs とトークンは変更される可能性があります。レコードを -クエリするときは、以下の値を修正する必要があります。レコード IDs は Universally -Unique Identifiers - UUIDs を使用します。 - -| キー | 説明 | サンプル値 | -| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | -| `keyrock` | **Keyrock** サービスの場所の URL | HTTP 用 `localhost:3005`, HTTPS 用`localhost:3443` | -| `X-Auth-token` | ユーザとしてログインするときにヘッダで受け取ったトークン。言い換えれば、_"私は誰ですか?"_ | `51f2e380-c959-4dee-a0af-380f730137c3` | -| 
`X-Subject-token` | *"誰に問い合わせたいですか?"*を定義するリクエストに追加されたトークン。これは上記で定義した `X-Auth-token` を繰り返すこともできます | `51f2e380-c959-4dee-a0af-380f730137c3` | -| `user-id` | `user` テーブルで見つかった既存ユーザの id | `96154659-cb3b-4d2d-afef-18d6aec0518e` | -| `organization-id` | `organization` テーブルで見つかった、既存組織の id | `e424ed98-c966-46e3-b161-a165fd31bc01` | -| `organization-role-id` | `owner` または `member` のいずれかの組織内でユーザが持つロールのタイプ | `member` | - -トークンは、一定期間後に期限切れになるように設計されています。使用している -`X-Auth-token` 値の有効期限が切れている場合は、再度ログインして新しいトークンを -取得してください。 - - - -## :arrow_forward: ビデオ: Keyrock GUI でのユーザ・アカウントの作成 - -[![](https://fiware.github.io/tutorials.Step-by-Step/img/video-logo.png)](https://www.youtube.com/watch?v=dtKsjGbJ7Xc " Creating User Accounts") - -上の画像をクリックすると、**Keyrock** GUI でユーザ・アカウントを作成する方法を示 -すビデオが表示されます - - - -## ログイン - -ログイン画面では、既存ユーザが自分自身を識別し、その後の操作のためにトークンを取 -得することができます。これは、**Keyrock** GUI の初期起動画面です : -`http://localhost:3005/idm` (または `https://localhost:3443/idm` と警告を受け入 -れます) - -![](https://fiware.github.io/tutorials.Identity-Management/img/log-in.png) - -**Keyrock** アプリケーションに入るには、ユーザ名とパスワードを入力します。デフォ -ルトのスーパー管理ユーザ (super-admin user) は `admin@test.com` と `1234` の値を -持っています。 - - - -### パスワードでトークンを作成 - -次の例では、スーパー管理ユーザ を使用してログインします。GUI のログイン画面を使 -用するのと同じです。URL `https://localhost:3443/v1/auth/tokens` はセキュアなシス -テムでも動作するはずです。 - -#### 1️⃣ リクエスト : - -```console -curl -iX POST \ - 'http://localhost:3005/v1/auth/tokens' \ - -H 'Content-Type: application/json' \ - -d '{ - "name": "admin@test.com", - "password": "1234" -}' -``` - -#### レスポンス : - -レスポンス・ヘッダは、誰がアプリケーションにログオンしているかを識別する -`X-Subject-token` を返します。このトークンは、以降のすべてのリクエストにアクセス -するために必要です。 - -``` -HTTP/1.1 201 Created -X-Subject-Token: d848eb12-889f-433b-9811-6a4fbf0b86ca -Content-Type: application/json; charset=utf-8 -Content-Length: 138 -ETag: W/"8a-TVwlWNKBsa7cskJw55uE/wZl6L8" -Date: Mon, 30 Jul 2018 12:07:54 GMT -Connection: keep-alive -``` - -```json -{ - "token": { - "methods": ["password"], - "expires_at": "2018-07-30T13:02:37.116Z" - }, - 
"idm_authorization_config": { - "level": "basic", - "authzforce": false - } -} -``` - - - -### トークンを介してユーザ情報を取得 - -ユーザがログインすると、時間制限されたトークンがあれば、ユーザに関する詳細情報を -見つけることができます。 - -`{{X-Auth-token}}` と `{{X-Subject-token}}` は、以前のリクエストから取得しなけれ -ばなりません。上記のレスポンスの場合には、両方の変数を -`d848eb12-889f-433b-9811-6a4fbf0b86ca` に設定する必要があります -。`{{X-Auth-token}}` トークンで許可されたユーザが `{{X-Subject-token}}` トークン -を保持しているユーザについて問い合わせていることを示しています。この場合 -、**Keyrock** アプリケーション内には 1 人のユーザしかいません。 そのユーザは自分 -自身について質問しています。 - -#### 2️⃣ リクエスト : - -```console -curl -X GET \ - 'http://localhost:3005/v1/auth/tokens' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -H 'X-Subject-token: {{X-Subject-token}}' -``` - -#### レスポンス : - -レスポンスは関連するユーザの詳細を返します : - -```json -{ - "access_token": "51f2e380-c959-4dee-a0af-380f730137c3", - "expires": "2018-07-30T13:02:37.000Z", - "valid": true, - "User": { - "id": "admin", - "username": "admin", - "email": "admin@test.com", - "date_password": "2018-07-30T09:55:38.000Z", - "enabled": true, - "admin": true - } -} -``` - - - -### トークンをリフレッシュ - -トークンは時間的に制限されています。トークンの有効期限が切れた後はアクセスできな -くなります。ただし、期限切れになる前に新しいトークンをリフレッシュすることは可能 -です。 - -ほとんどのアプリケーションはこのエンドポイントを使用して、ユーザがアプリケーショ -ンとインタラクションしている間にユーザのタイムアウトを回避します。 - -`token` 値は、ユーザが初めてログオンしたときに -、`d848eb12-889f-433b-9811-6a4fbf0b86ca` を取得しました : - -#### 3️⃣ リクエスト : - -```console -curl -iX POST \ - 'http://localhost:3005/v1/auth/tokens' \ - -H 'Content-Type: application/json' \ - -d '{ - "token": "d848eb12-889f-433b-9811-6a4fbf0b86ca" -}' -``` - -#### レスポンス : - -新しいトークンが `X-Subject-Token` ヘッダに返されます : - -``` -HTTP/1.1 201 Created -X-Subject-Token: a5b83d68-ebad-4514-9d3a-dd892f6e6174 -Content-Type: application/json; charset=utf-8 -Content-Length: 135 -ETag: W/"87-nPb+4XRSsW5Szsf2JJC6UYab4GM" -Date: Mon, 30 Jul 2018 12:41:47 GMT -Connection: keep-alive -``` - -```json -{ - "token": { - "methods": ["token"], - "expires_at": "2018-07-30T13:13:20.567Z" - }, - "idm_authorization_config": { - "level": "basic", - 
"authzforce": false - } -} -``` - - - -# ユーザ・アカウントの管理 - -ユーザ・アカウントは、ID 管理システムの中心にあります。すべてのアカウントの必須 -フィールドには、ユーザを識別するための一意のユーザ名と電子メールアドレスと、認証 -用のパスワードが含まれています。その他のオプションのフィールドには、ユーザの Web -サイト、説明、アバターなど、ユーザに関する詳細情報が追加されます。 - -デフォルトのスーパー管理ユーザ `admin@test.com` (パスワードは `1234`) として、一 -連のユーザ・アカウントを設定し、システム内の関連組織に割り当てます。 - - - -### 登場人物 (Dramatis Personae) - -次の人々は、アプリケーション内に正当なアカウントを持っています。 - -- Alice, 彼女は **Keyrock** アプリケーションの管理者になります -- Bob, スーパー・マーケット・チェーンの地域マネージャ。彼の下に数人のマネージ - ャがいます : - - Manager1 - - Manager2 -- Charlie, スーパー・マーケットチェーン・のセキュリティ責任者。彼の下に数人の - 警備員がいます。 - - Detective1 - - Detective2 - - - -## ユーザ CRUD アクション - -#### GUI - -ユーザは GUI を使用して自分でサインアップすることができます。唯一の要件は電子メ -ールアドレスとパスワードです。 - -![](https://fiware.github.io/tutorials.Identity-Management/img/sign-up.png) - -アカウントが作成されると、そのアカウントの存在を確認しアカウントを有効にするため -に、ユーザに電子メールが送信されます。 - -![](https://fiware.github.io/tutorials.Identity-Management/img/email.png) - -#### REST API - -REST API は、独自のやり取りをせずにユーザを作成したり修正したりすることもできま -す。これは、たとえば、大量の CRUD アクションに役立ちます。 - -> 注 \*\* 招待状を適切に送信するように eMail サーバを設定する必要があります。そ -> うしないと、招待状が迷惑メールとして削除される可能性があります。テストの目的で -> は、users テーブルを直接更新する方が簡単です : `update user set enabled = 1;` - -ユーザのためのすべての CRUD アクションでは、以前にログインした管理ユーザからの -`X-Auth-token` ヘッダを使用して、他のユーザ・アカウントを読み取りまたは変更でき -るようにする必要があります。標準の CRUD アクションは、`/v1/users` エンドポイント -の下の適切な HTTP 動詞 (POST, GET, PATCH および DELETE) に割り当てられます。 - - - -### ユーザを作成 - -新しいユーザを作成するために、以前にログインした管理者の `X-Auth-token` ヘッダと -ともに、ユーザ名、電子メール、パスワードを含む POST リクエストを `/v1/users` エ -ンドポイントに送信します。 - -#### 4️⃣ リクエスト : - -```console -curl -iX POST \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "alice", - "email": "alice@test.com", - "password": "test" - } -}' -``` - -#### レスポンス : - -レスポンスは、作成されたユーザの詳細を返します : - -``` -{ - "user": { - "id": "3b3a5ad5-afd3-4baa-a538-25c7fe7cbf6a", - "image": "default", - "gravatar": false, - "enabled": true, - "admin": false, - 
"starters_tour_ended": false, - "username": "alice", - "email": "alice@test.com", - "date_password": "2018-07-30T12:51:26.813Z" - } -} -``` - -新しく作成されたユーザ・アカウントにスーパー管理者権限を与えるには、データベース -を直接変更することができます : - -```sql -update user set admin = 1 where username='alice'; -``` - -追加のユーザは、POST リクエストを繰り返すことで追加できます。 - -たとえば、Bob、地域マネージャ、Charlie、セキュリティ責任者、彼の部下の追加アカウ -ントを作成するには : - -```console -curl -iX POST \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "bob", - "email": "bob-the-manager@test.com", - "password": "test" - } -}' -``` - -```console -curl -iX POST \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "charlie", - "email": "charlie-security@test.com", - "password": "test" - } -}' -``` - -```console -curl -iX POST \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "manager1", - "email": "manager1@test.com", - "password": "test" - } -}' -``` - -```console -curl -iX POST \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "manager2", - "email": "manager2@test.com", - "password": "test" - } -}' -``` - -```console -curl -iX POST \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "detective1", - "email": "detective1@test.com", - "password": "test" - } -}' -``` - -```console -curl -iX POST \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "detective2", - "email": "detective2@test.com", - "password": "test" - } -}' -``` - - - -### ユーザ情報を取得 - -`/v1/users/{{user-id}}` 
エンドポイントの下のリソースに GET リクエストを行うと、 -その id の下にリストされているユーザが返されます。`X-Auth-token` をヘッダに設定 -してください。 - -#### 5️⃣ リクエスト : - -To request - -```console -curl -X GET \ - 'http://localhost:3005/v1/users/{{user-id}}' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### レスポンス : - -レスポンスには、問い合わせたのアカウントの基本的な詳細が含まれています : - -```json -{ - "user": { - "id": "96154659-cb3b-4d2d-afef-18d6aec0518e", - "username": "alice", - "email": "alice-the-admin@test.com", - "enabled": true, - "admin": false, - "image": "default", - "gravatar": false, - "date_password": "2018-07-30T09:56:37.000Z", - "description": null, - "website": null - } -} -``` - - - -### すべてのユーザの一覧を取得 - -すべてのユーザの完全なリストを取得するには、`X-Auth-token` を必要とする、スーパ -ー管理者 (super-admin) の権限が必要です。ほとんどのユーザは、自分の組織内のユー -ザのみを返すことができます。ユーザのリストの取得は、`/v1/users` エンドポイントへ -の GET リクエストを行うことで実行できます。 - -#### 6️⃣ リクエスト : - -```console -curl -X GET \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### レスポンス : - -```json -{ - "users": [ - { - "id": "06a2140f-ccc3-49e5-82a5-76bae48b38ba", - "username": "alice", - "email": "alice-the-admin@test.com", - "enabled": true, - "gravatar": false, - "date_password": "2018-07-30T11:41:14.000Z", - "description": null, - "website": null - }, - { - "id": "27e6ae58-adc1-4aaf-a6a2-f207946ba57e", - "username": "bob", - "email": "bob-the-manager@test.com", - "enabled": true, - "gravatar": false, - "date_password": "2018-07-30T10:01:12.000Z", - "description": null, - "website": null - }, - ...etc - ] -} -``` - - - -### ユーザを更新 - -すべてのユーザの完全なリストを取得するには、`X-Auth-token` を必要とする、スーパ -ー管理者 (super-admin) の権限が必要です。ほとんどのユーザは、自分の組織内のユー -ザのみを返すことができます。ユーザのリストの取得は、`/v1/users` エンドポイントへ -の GET リクエストを行うことで実行できます。 - -#### 7️⃣ リクエスト : - -```console -curl -iX PATCH \ - 'http://localhost:3005/v1/users/{{user-id}}' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "alice", 
- "email": "alice-the-admin@test.com", - "enabled": true, - "gravatar": false, - "date_password": "2018-07-26T15:25:14.000Z", - "description": "Alice works for FIWARE", - "website": "http://www.fiware.org" - } -}' -``` - -#### レスポンス : - -レスポンスには、更新されたフィールドの一覧が表示されます : - -```json -{ - "values_updated": { - "description": "Alice works for FIWARE", - "website": "http://www.fiware.org" - } -} -``` - - - -### ユーザを削除 - -GUI 内で、ユーザは設定ページから自分のアカウントを削除し、**Cancel Account** オ -プションを選択することができます。スーパー管理者のユーザはコマンドラインから -DELETE リクエストを `/v1/users/{{user-id}}` エンドポイントに送信することでこれを -実行できます。`X-Auth-token` ヘッダは、設定されなければなりません。 - -#### 8️⃣ リクエスト : - -```console -curl -iX DELETE \ - 'http://localhost:3005/v1/users/{{user-id}}' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - ---- - - - -# 組織下でのユーザ・アカウントのグルーピング - -合理的なサイズの ID 管理システムでは、ユーザのグループに個々に設定するのではなく -、ロールを割り当てることができると便利です。ユーザ管理は時間のかかるビジネスであ -るため、これらのユーザのグループを管理する責任を、より低いレベルのアクセス権を持 -つ他のアカウントに委譲することもできる必要があります。 - -私たちのスーパー・マーケット・チェーンを考えてみると、店内で商品の価格を変えるこ -とができるユーザ (マネージャ) と、閉店後にドアをロック/ロック解除することができ -るユーザ (店舗の警備員) があります。個々のアカウントにアクセスするのではなく、組 -織に権利を割り当てて、ユーザをグループに追加する方が簡単です。 - -さらに、Alice は、**Keyrock** の管理者が各組織にユーザを明示的に追加する必要はな -く、各組織内の管理者にその権限を委任することができます。たとえば、地域マネージャ -ー の Bob は*管理*組織のオーナーになり、manager1 や manager2 などの追加マネージ -ャーのアカウントをその組織に追加したり削除したりすることができましたが、セキュリ -ティ責任者の Charlie は*セキュリティ*組織の所有ロールを引き受け、その組織に追加 -の店舗の警備員を追加することができました。 - -Bob には*セキュリティ*組織のメンバーシップ・リストを変更する権利がなく、Charlie -には*管理*組織のメンバーシップのリストを変更する権利がないことに注意してください -。 さらに、Bob や Charlie のどちらも、アプリケーション自体の権限を変更することは -できず、既存のユーザ・アカウントを管理している組織に追加して削除するだけで済みま -す。 - -アプリケーションの作成と権限の設定は、次のチュートリアルの対象であるため、説明し -ません。 - - - -## 組織 CRUD アクション - -#### GUI - -サインインすると、ユーザは組織を作成して更新することができます。 - -![](https://fiware.github.io/tutorials.Identity-Management/img/create-org.png) - -#### REST API - -または、標準の CRUD アクションは、`/v1/organizations` エンドポイントの下の適切な -HTTP 動詞 (POST, GET, PATCH および DELETE) に割り当てられます。 - - - -### 組織の作成 - -新しい組織を作成するために、以前にログインしたユーザの `X-Auth-token` 
ヘッダと共 -に、`name` と `description` を含む POST リクエストを `/v1/organizations` エンド -ポイントに送信します。 - -#### 9️⃣ リクエスト : - -```console -curl -iX POST \ - 'http://localhost:3005/v1/organizations' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "organization": { - "name": "Security", - "description": "This group is for the store detectives" - } -}' -``` - -#### レスポンス : - -組織が作成され、それを作成したユーザが自動的にユーザとして割り当てられます。レス -ポンスは新しい組織を識別するために UUID を返します。 - -```json -{ - "organization": { - "id": "18deea43-e12a-4018-a45a-664c3158780d", - "image": "default", - "name": "Security", - "description": "This group is for the store detectives" - } -} -``` - - - -### 組織の詳細を取得 - -`/v1/organizations/{{organization-id}}` エンドポイントの下のリソースに GET リク -エストを行うと、その id の下にリストされている組織が返されます。`X-Auth-token` -は、許可された組織のみが表示されるため、ヘッダに指定する必要があります。 - -#### 1️⃣0️⃣ リクエスト : - -```console -curl -X GET \ - 'http://localhost:3005/v1/organizations/{{organization-id}}' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### レスポンス : - -レスポンスは組織の詳細を返します。 - -```json -{ - "organization": { - "id": "18deea43-e12a-4018-a45a-664c3158780d", - "name": "Security", - "description": "This group is for the store detectives", - "website": null, - "image": "default" - } -} -``` - - - -### すべての組織の一覧を取得 - -すべてのユーザの完全なリストを取得するには、`X-Auth-token` を必要とするスーパー -管理者権限が必要です。ほとんどのユーザは、自分の組織内のユーザのみを返すことが許 -可されます。`/v1/organizations` エンドポイントへの GET リクエストを行うことで、 -ユーザを取得することができます。 - -#### 1️⃣1️⃣ リクエスト : - -```console -curl -X GET \ - 'http://localhost:3005/v1/organizations' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### レスポンス : - -レスポンスは、ビジブルな組織の詳細を返します。 - -```json -{ - "organizations": [ - { - "role": "owner", - "Organization": { - "id": "18deea43-e12a-4018-a45a-664c3158780d", - "name": "Security", - "description": "This group is for the store detectives", - "image": "default", - "website": null - } - }, - { - "role": "owner", - 
"Organization": { - "id": "a45f9b5a-dd23-4d0f-a0d4-e97e2d7431a3", - "name": "Management", - "description": "This group is for the store manangers", - "image": "default", - "website": null - } - } - ] -} -``` - - - -### 組織を更新 - -既存の組織の詳細を修正するために、PATCH リクエストを -`/v1/organizations/{{organization-id}}` エンドポイントに送信します。 - -#### 1️⃣2️⃣ リクエスト : - -```console -curl -iX PATCH \ - 'http://localhost:3005/v1/organizations/{{organization-id}}' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "organization": { - "name": "FIWARE Security", - "description": "The FIWARE Foundation is the ...", - "website": "https://fiware.org" - } -}' -``` - -#### レスポンス : - -レスポンスには、修正されたフィールドのリストが含まれています。 - -```json -{ - "values_updated": { - "name": "FIWARE Security", - "description": "The FIWARE Foundation is the ..", - "website": "https://fiware.org" - } -} -``` - - - -### 組織を削除 - -#### 1️⃣3️⃣ リクエスト : - -```console -curl -iX DELETE \ - 'http://localhost:3005/v1/organizations/{{organization-id}}' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - - - -## 組織内のユーザ - -組織内のユーザは、`owner` または `member` のいずれかのタイプに割り当てられます。 -組織のメンバは、組織自体に割り当てられているすべてのロールと権限を継承します。さ -らに、組織のオーナーは、他のメンバやオーナーを追加したり削除したりすることができ -ます。 - - - -### 組織のメンバとしてユーザを追加 - -GUI を使用して組織にユーザを追加するには、まず既存の組織をクリックし、次に -**Manage** ボタンをクリックします : - -![](https://fiware.github.io/tutorials.Identity-Management/img/add-user-to-org.png) - -組織のメンバとしてユーザを追加するには、オーナーは URL パスに -`` と `` を含む PUT リクエストを作成し、ヘッダに -`X-Auth-Token` を使用して自分自身を識別する必要があります。 - -#### 1️⃣4️⃣ リクエスト : - -```console -curl -iX PUT \ - 'http://localhost:3005/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles/member' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### レスポンス : - -レスポンスは、組織内のユーザの現在のロールを示しています。つまり `member` です。 - -```json -{ - "user_organization_assignments": { - "role": "member", - "organization_id": "18deea43-e12a-4018-a45a-664c3158780d", 
- "user_id": "5e482345-2c48-410e-ae03-203d67a43cea" - } -} -``` - - - -### 組織のオーナーとしてユーザを追加 - -オーナーは、URL パスに `` および `` を含め、PUT リクエ -ストを作成してヘッダ内に `X-Auth-Token` を使用して自分自身を識別することによって -、新しいオーナーを作成することもできます。 - -#### 1️⃣5️⃣ リクエスト : - -```console -curl -iX PUT \ - 'http://localhost:3005/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles/owner' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### レスポンス : - -レスポンスは、組織内のユーザの現在のロールを示しています。つまり `member` です。 - -```json -{ - "user_organization_assignments": { - "role": "owner", - "user_id": "5e482345-2c48-410e-ae03-203d67a43cea", - "organization_id": "18deea43-e12a-4018-a45a-664c3158780d" - } -} -``` - - - -### 組織内のユーザの一覧を取得 - -組織内のユーザをリストすることは、`X-Auth-Toke` を必要とする `owner` またはスー -パー管理者の権限です。ユーザの表示は -、`/v1/organizations/{{organization-id}}/users` エンドポイントに対して GET リク -エストを行うことで実行できます。 - -#### 1️⃣6️⃣ リクエスト : - -```console -curl -X GET \ - 'http://localhost:3005/v1/organizations/{{organization-id}}/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### レスポンス : - -レスポンスにはユーザのリストが含まれます。 - -```json -{ - "organization_users": [ - { - "user_id": "admin", - "organization_id": "18deea43-e12a-4018-a45a-664c3158780d", - "role": "owner" - }, - { - "user_id": "5e482345-2c48-410e-ae03-203d67a43cea", - "organization_id": "18deea43-e12a-4018-a45a-664c3158780d", - "role": "member" - } - ] -} -``` - - - -### 組織内のユーザ・ロールを取得 - -組織内のユーザのロールを見つけるには -、`/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles` -エンドポイントに GET リクエストを送信します。 - -#### 1️⃣7️⃣ リクエスト : - -```console -curl -X GET \ - 'http://localhost:3005/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### レスポンス : - -レスポンスは、指定された `` のロールを返します。 - -```json -{ - "organization_user": { - "user_id": "5e482345-2c48-410e-ae03-203d67a43cea", - "organization_id": 
"18deea43-e12a-4018-a45a-664c3158780d", - "role": "member" - } -} -``` - - - -### 組織からユーザを削除 - -オーナーとスーパー管理者は、削除リクエストを行うことにより、ユーザを組織から削除 -することができます。 - -#### 1️⃣8️⃣ リクエスト : - -```console -curl -X DELETE \ - 'http://localhost:3005/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles/member' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - - - -# 次のステップ - -高度な機能を追加することで、アプリケーションに複雑さを加える方法を知りたいですか -?このシリーズ -の[他のチュートリアル](https://www.letsfiware.jp/fiware-tutorials)を読むことで見 -つけることができます。 - ---- - -## License - -[MIT](LICENSE) © 2018-2024 FIWARE Foundation e.V. diff --git a/README.md b/README.md index 7816992..d023bd2 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,6 @@ [![FIWARE Security](https://nexus.lab.fiware.org/repository/raw/public/badges/chapters/security.svg)](https://github.com/FIWARE/catalogue/blob/master/security/README.md) [![License: MIT](https://img.shields.io/github/license/fiware/tutorials.Identity-Management.svg)](https://opensource.org/licenses/MIT) [![Support badge](https://img.shields.io/badge/tag-fiware-orange.svg?logo=stackoverflow)](https://stackoverflow.com/questions/tagged/fiware) -
[![Documentation](https://img.shields.io/readthedocs/fiware-tutorials.svg)](https://fiware-tutorials.rtfd.io) This tutorial is an introduction to [FIWARE Keyrock](https://fiware-idm.readthedocs.io/en/latest/) - a generic enabler which introduces **Identity Management** into FIWARE services. The tutorial explains how to create users and @@ -11,276 +10,13 @@ organizations in preparation to assign roles and permissions to them in a later The tutorial demonstrates examples of interactions using the **Keyrock** GUI, as well [cUrl](https://ec.haxx.se/) commands used to access the **Keyrock** REST API - -[Postman documentation](https://fiware.github.io/tutorials.Identity-Management/) is also available. +[Postman documentation](https://www.postman.com/downloads/) is also available. -[![Run in Postman](https://run.pstmn.io/button.svg)](https://app.getpostman.com/run-collection/5f9e1736f979b86ec94a) -[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/FIWARE/tutorials.Identity-Management/tree/NGSI-v2) +# Start-Up -- このチュートリアルは[日本語](README.ja.md)でもご覧いただけます。 +## NGSI-v2 Smart Supermarket -## Contents - -
-Details - -- [Identity Management](#identity-management) - - [Standard Concepts of Identity Management](#standard-concepts-of-identity-management) - - [:arrow_forward: Video : Introduction to Keyrock](#arrow_forward-video--introduction-to-keyrock) -- [Prerequisites](#prerequisites) - - [Docker](#docker) - - [Cygwin](#cygwin) -- [Architecture](#architecture) - - [Keyrock Configuration](#keyrock-configuration) - - [MySQL Configuration](#mysql-configuration) -- [Start Up](#start-up) - - [Reading directly from the Keyrock MySQL Database](#reading-directly-from-the-keyrock-mysql-database) - - [UUIDs within Keyrock](#uuids-within-keyrock) - * [:arrow_forward: Video : Creating User Accounts with the Keyrock GUI](#arrow_forward-video--creating-user-accounts-with-the-keyrock-gui) - * [Logging In](#logging-in) - - [Create Token with Password](#create-token-with-password) - - [Get User Information via a Token](#get-user-information-via-a-token) - - [Refresh Token](#refresh-token) -- [Administrating User Accounts](#administrating-user-accounts) - - [Dramatis Personae](#dramatis-personae) - * [User CRUD Actions](#user-crud-actions) - - [Creating Users](#creating-users) - - [Read Information About a User](#read-information-about-a-user) - - [List all Users](#list-all-users) - - [Update a User](#update-a-user) - - [Delete a User](#delete-a-user) -- [Grouping User Accounts under Organizations](#grouping-user-accounts-under-organizations) - - [Organization CRUD Actions](#organization-crud-actions) - - [Create an Organization](#create-an-organization) - - [Read Organization Details](#read-organization-details) - - [List all Organizations](#list-all-organizations) - - [Update an Organization](#update-an-organization) - - [Delete an Organization](#delete-an-organization) - - [Users within an Organization](#users-within-an-organization) - - [Add a User as a Member of an Organization](#add-a-user-as-a-member-of-an-organization) - - [Add a User as an Owner of an 
Organization](#add-a-user-as-an-owner-of-an-organization) - - [List Users within an Organization](#list-users-within-an-organization) - - [Read User Roles within an Organization](#read-user-roles-within-an-organization) - - [Remove a User from an Organization](#remove-a-user-from-an-organization) -- [Next Steps](#next-steps) - -
- -# Identity Management - -> "If one meets a powerful person — ask them five questions: ‘What power have you got? Where did you get it from? In -> whose interests do you exercise it? To whom are you accountable? And how can we get rid of you?’" -> -> — Anthony Wedgwood Benn (The Five Essential Questions of Democracy) - -In computer security terminology, Identity management is the security and business discipline that "enables the right -individuals to access the right resources at the right times and for the right reasons".[1](#footnote1) It -addresses the need to ensure appropriate access to resources across disparate systems. - -The FIWARE framework consists of a series of separate components, and the security chapter aims to implement the common -needs of these components regarding who (or what) gets to access which resources within the system, but before access to -resources can be locked down, the identity of the person (or service) making the request needs to be known. The FIWARE -**Keyrock** Generic Enabler sets up all of the common characteristics of an Identity Management System out-of-the-box, -so that other components are able to use standard authentication mechanisms to accept or reject requests based on -industry standard protocols. - -Identity Management therefore covers the issues of how to gain an identity within the system, the protection of that -identity and the surrounding technologies such as passwords and network protocols. - -## Standard Concepts of Identity Management - -The following common objects are found with the **Keyrock** Identity Management database: - -- **User** - Any signed up user able to identify themselves with an eMail and password. Users can be assigned rights - individually or as a group -- **Application** - Any securable FIWARE application consisting of a series of microservices -- **Organization** - A group of users who can be assigned a series of rights. 
Altering the rights of the organization - effects the access of all users of that organization -- **OrganizationRole** - Users can either be members or admins of an organization - Admins are able to add and remove - users from their organization, members merely gain the roles and permissions of an organization. This allows each - organization to be responsible for their members and removes the need for a super-admin to administer all rights -- **Role** - A role is a descriptive bucket for a set of permissions. A role can be assigned to either a single user - or an organization. A signed-in user gains all the permissions from all of their own roles plus all of the roles - associated to their organization -- **Permission** - An ability to do something on a resource within the system - -Additionally two further non-human application objects can be secured within a FIWARE application: - -- **IoTAgent** - a proxy between IoT Sensors and the Context Broker -- **PEPProxy** - a middleware for use between generic enablers challenging the rights of a user. - -The relationship between the objects can be seen below - the entities marked in red are used directly within this -tutorial: - -![](https://fiware.github.io/tutorials.Identity-Management/img/entities.png) - -## :arrow_forward: Video : Introduction to Keyrock - -[![](https://fiware.github.io/tutorials.Step-by-Step/img/video-logo.png)](https://www.youtube.com/watch?v=dHyVTan6bUY 'Introduction') - -Click on the image above to see an introductory video - -# Prerequisites - -## Docker - -To keep things simple both components will be run using [Docker](https://www.docker.com). **Docker** is a container -technology which allows to different components isolated into their respective environments. 
- -- To install Docker on Windows follow the instructions [here](https://docs.docker.com/docker-for-windows/) -- To install Docker on Mac follow the instructions [here](https://docs.docker.com/docker-for-mac/) -- To install Docker on Linux follow the instructions [here](https://docs.docker.com/install/) - -**Docker Compose** is a tool for defining and running multi-container Docker applications. A -[YAML file](https://raw.githubusercontent.com/Fiware/tutorials.Entity-Relationships/master/docker-compose.yml) is used -configure the required services for the application. This means all container services can be brought up in a single -command. Docker Compose is installed by default as part of Docker for Windows and Docker for Mac, however Linux users -will need to follow the instructions found [here](https://docs.docker.com/compose/install/) - -## Cygwin - -We will start up our services using a simple bash script. Windows users should download [cygwin](http://www.cygwin.com/) -to provide a command-line functionality similar to a Linux distribution on Windows. - -# Architecture - -This introduction will only make use of one FIWARE component - the -[Keyrock](https://fiware-idm.readthedocs.io/en/latest/) Identity Management Generic Enabler. Usage of **Keyrock** alone -is insufficient for an application to qualify as _“Powered by FIWARE”_. Additionally will be persisting user data in a -**MySQL** database. 
- -The overall architecture will consist of the following elements: - -- One **FIWARE Generic Enabler**: - - - FIWARE [Keyrock](https://fiware-idm.readthedocs.io/en/latest/) offer a complement Identity Management System - including: - - An authentication system for Applications and Users - - A site graphical frontend for Identity Management Administration - - An equivalent REST API for Identity Management via HTTP requests - -- One [MySQL](https://www.mysql.com/) database : - - Used to persist user identities, applications, roles and permissions - -Since all interactions between the elements are initiated by HTTP requests, the entities can be containerized and run -from exposed ports. - -![](https://fiware.github.io/tutorials.Identity-Management/img/architecture.png) - -The specific architecture of each section of the tutorial is discussed below. - -## Keyrock Configuration - -```yaml -keyrock: - image: quay.io/fiware/idm - container_name: fiware-keyrock - hostname: keyrock - depends_on: - - mysql-db - ports: - - '3005:3005' - - '${KEYROCK_HTTPS_PORT}:${KEYROCK_HTTPS_PORT}' # localhost:3443 - environment: - - IDM_DB_HOST=mysql-db - - IDM_DB_PASS_FILE=/run/secrets/my_secret_data - - IDM_DB_USER=root - - IDM_HOST=http://localhost:3005 - - IDM_PORT=3005 - - IDM_HTTPS_ENABLED=true - - IDM_HTTPS_PORT=${KEYROCK_HTTPS_PORT} - - IDM_ADMIN_USER=admin - - IDM_ADMIN_EMAIL=admin@test.com - - IDM_ADMIN_PASS=1234 - secrets: - - my_secret_data -``` - -The `idm` container is a web application server listening on two ports: - -- Port `3005` has been exposed for HTTP traffic so we can display the web page and interact with the REST API. -- Port `3443` has been exposed for secure HTTPS traffic for the site and REST API - -> [!NOTE] -> HTTPS should be used throughout for any secured application, but to do this properly, -> **Keyrock** requires a trusted SSL certificate - the default certificate is self-certified and available for testing -> purposes. 
The certificates can be overridden by attaching a volume to replace the files under `/opt/fiware-idm/certs`. -> -> In a production environment, all access should occur over HTTPS, to avoid sending any sensitive information using -> plain-text. Alternatively HTTP can be used within a private network behind a configured HTTPS Reverse Proxy -> -> The port `3005` offering the HTTP protocol is being exposed for demonstration purposes only and to simplify the -> interactions within this tutorial - you may also use HTTPS on port `3443` with certain caveats. -> -> If you want to use HTTPS to access the REST API when you are using Postman, ensure that SSL certificate verfication is -> OFF. If you want to use HTTPS to access the web front-end, please accept any security warnings issued. - -The `idm` container is driven by environment variables as shown: - -| Key | Value | Description | -| ----------------- | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------- | -| IDM_DB_PASS | `idm` | Password of the attached MySQL Database - secured by **Docker Secrets** (see below) | -| IDM_DB_USER | `root` | Username of the default MySQL user - left in plain-text | -| IDM_HOST | `http://localhost:3005` | Hostname of the **Keyrock** App Server - used in activation eMails when signing up users | -| IDM_PORT | `3005` | Port used by the **Keyrock** App Server for HTTP traffic - this has been altered from the default 3000 port to avoid clashes | -| IDM_HTTPS_ENABLED | `true` | Whether to offer HTTPS Support - this will use the self-signed certs unless overridden | -| IDM_HTTPS_PORT | `3443` | Port used by the **Keyrock** App Server for HTTP traffic this has been altered from the default 443 | - -> [!NOTE] -> that this example has secured the MySQL password using **Docker Secrets** By using -> `IDM_DB_PASS` with the `_FILE` suffix and referring to a secrets file location. 
This avoids exposing the password as -> an `ENV` variable in plain-text - either in the `Dockerfile` Image or as an injected variable which could be read -> using `docker inspect`. -> -> The following list of variables (where used) should be set via secrets with the `_FILE` suffix in a Production System: -> -> - `IDM_SESSION_SECRET` -> - `IDM_ENCRYPTION_KEY` -> - `IDM_DB_PASS` -> - `IDM_DB_USER` -> - `IDM_ADMIN_ID` -> - `IDM_ADMIN_USER` -> - `IDM_ADMIN_EMAIL` -> - `IDM_ADMIN_PASS` -> - `IDM_EX_AUTH_DB_USER` -> - `IDM_EX_AUTH_DB_PASS` - -## MySQL Configuration - -```yaml -mysql-db: - image: mysql:5.7 - hostname: mysql-db - container_name: db-mysql - expose: - - '3306' - ports: - - '3306:3306' - networks: - - default - environment: - - 'MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my_secret_data' - - 'MYSQL_ROOT_HOST=172.18.1.5' - volumes: - - mysql-db:/var/lib/mysql - secrets: - - my_secret_data -``` - -The `mysql-db` container is listening on a single port: - -- Port `3306` is the default port for a MySQL server. It has been exposed so you can also run other database tools to - display data if you wish - -The `mysql-db` container is driven by environment variables as shown: - -| Key | Value. | Description | -| ------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| MYSQL_ROOT_PASSWORD | `123` | specifies a password that is set for the MySQL `root` account - secured by **Docker Secrets** (see below) | -| MYSQL_ROOT_HOST | `root` | By default, MySQL creates the `root'@'localhost` account. This account can only be connected to from inside the container. Setting this environment variable allows root connections from other hosts | - -# Start Up - -To start the installation, do the following: +**NGSI-v2** offers JSON based interoperability used in individual Smart Systems. 
To run this tutorial with **NGSI-v2**, use the `NGSI-v2` branch. ```console git clone https://github.com/FIWARE/tutorials.Identity-Management.git 
@@ -288,897 +24,32 @@ cd tutorials.Identity-Management git checkout NGSI-v2 ./services create +./services start ``` -> [!NOTE] -> The initial creation of Docker images can take up to three minutes - -Thereafter, all services can be initialized from the command-line by running the -[services](https://github.com/FIWARE/tutorials.Identity-Management/blob/NGSI-v2/services) Bash script provided within -the repository: - -```console -./services -``` - -Where `` will vary depending upon the exercise we wish to activate. - -> [!NOTE] -> If you want to clean up and start over again you can do so with the following command: -> -> ```console -> ./services stop -> ``` - -### Reading directly from the Keyrock MySQL Database - -All Identify Management records and relationships are held within the attached MySQL database. This can be accessed by -entering the running Docker container as shown: - -```console -docker exec -it db-mysql bash -``` - -```console -mysql -u -p idm -``` - -Where `` and `` match the values defined in the `docker-compose` file for `MYSQL_ROOT_PASSWORD` and -`MYSQL_ROOT_USER`. The default values for the tutorial are usually `root` and `secret`. - -SQL commands can then be entered from the command-line. e.g.: - -```SQL -select id, username, email, password from user; -``` - -The **Keyrock** MySQL database deals with all aspects of application security including storing users, password etc; -defining access rights and dealing with OAuth2 authorization protocols. The complete database relationship diagram can -be found [here](https://fiware.github.io/tutorials.Identity-Management/img/keyrock-db.png) - -### UUIDs within Keyrock - -All IDs and tokens within **Keyrock** are subject to change. The following values will need to be amended when querying -for records. Record IDs use Universally Unique Identifiers - UUIDs. 
- -| Key | Description | Sample Value | -| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | -| `keyrock` | URL for the location of the **Keyrock** service | `localhost:3005` for HTTP, `localhost:3443` for HTTPS | -| `X-Auth-token` | Token received in the Header when logging in as a user - in other words _"Who am I?"_ | `51f2e380-c959-4dee-a0af-380f730137c3` | -| `X-Subject-token` | Token added to requests to define _"Who do I want to inquire about?"_ - This can also be a repeat the `X-Auth-token` defined above | `51f2e380-c959-4dee-a0af-380f730137c3` | -| `user-id` | ID of an existing user, found with the `user` table | `96154659-cb3b-4d2d-afef-18d6aec0518e` | -| `organization-id` | ID of an existing organization, found with the `organization` table | `e424ed98-c966-46e3-b161-a165fd31bc01` | -| `organization-role-id` | type of role a user has within an organization either `owner` or `member` | `member` | - -Tokens are designed to expire after a set period. If the `X-Auth-token` value you are using has expired, log-in again to -obtain a new token. - -## :arrow_forward: Video : Creating User Accounts with the Keyrock GUI - -[![](https://fiware.github.io/tutorials.Step-by-Step/img/video-logo.png)](https://www.youtube.com/watch?v=dtKsjGbJ7Xc 'Creating User Accounts') - -Click on the image above to see a video demonstrating how to create users with the **Keyrock** GUI - -## Logging In - -The Log-in Screen allows an existing user to identify themselves and obtain a token for further operations. It is the -initial start-up screen of the **Keyrock** GUI - `http://localhost:3005/idm` (or `https://localhost:3443/idm` and accept -the warnings) - -![](https://fiware.github.io/tutorials.Identity-Management/img/log-in.png) - -Enter a username and password to enter the **Keyrock** application. 
The default super-admin user has the values -`admin@test.com` and `1234`. - -### Create Token with Password - -The following example logs in using the super-admin user - it is the equivalent of using the log-in screen of the GUI. -The URL `https://localhost:3443/v1/auth/tokens` should also work in a secure system. - -#### 1️⃣ Request: - -```console -curl -iX POST \ - 'http://localhost:3005/v1/auth/tokens' \ - -H 'Content-Type: application/json' \ - -d '{ - "name": "admin@test.com", - "password": "1234" -}' -``` - -#### Response: - -The response header returns an `X-Subject-token` which identifies who has logged on the application. This token is -required in all subsequent requests to gain access - -``` -HTTP/1.1 201 Created -X-Subject-Token: d848eb12-889f-433b-9811-6a4fbf0b86ca -Content-Type: application/json; charset=utf-8 -Content-Length: 138 -ETag: W/"8a-TVwlWNKBsa7cskJw55uE/wZl6L8" -Date: Mon, 30 Jul 2018 12:07:54 GMT -Connection: keep-alive -``` - -```json -{ - "token": { - "methods": ["password"], - "expires_at": "2018-07-30T13:02:37.116Z" - }, - "idm_authorization_config": { - "level": "basic", - "authzforce": false - } -} -``` - -### Get User Information via a Token - -Once a user has logged in, the presence of a (time-limited) token is sufficient to find out more information about the -user. - -`{{X-Auth-token}}` and `{{X-Subject-token}}` should be taken from the previous request, in the case of the response -above, both variables should be set to `d848eb12-889f-433b-9811-6a4fbf0b86ca` - this indicates that _the user authorized -with the token `{{X-Auth-token}}` is enquiring about the user holding the token `{{X-Subject-token}}`_ - in this case we -only have one user within the **Keyrock** application, and that user is enquiring about himself. 
- -#### 2️⃣ Request: - -```console -curl -X GET \ - 'http://localhost:3005/v1/auth/tokens' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -H 'X-Subject-token: {{X-Subject-token}}' -``` - -#### Response: - -The response will return the details of the associated user - -```json -{ - "access_token": "51f2e380-c959-4dee-a0af-380f730137c3", - "expires": "2018-07-30T13:02:37.000Z", - "valid": true, - "User": { - "id": "admin", - "username": "admin", - "email": "admin@test.com", - "date_password": "2018-07-30T09:55:38.000Z", - "enabled": true, - "admin": true - } -} -``` - -### Refresh Token - -Tokens are time limited - it is no longer possible to gain access once a token has expired. However it is possible to -refresh a token for a newer one prior to expiry. - -Most applications use this endpoint to avoid timing out a user whilst they are interacting with the application. - -The `token` value, `d848eb12-889f-433b-9811-6a4fbf0b86ca` was acquired when the user logged on for the first time - -#### 3️⃣ Request: - -```console -curl -iX POST \ - 'http://localhost:3005/v1/auth/tokens' \ - -H 'Content-Type: application/json' \ - -d '{ - "token": "d848eb12-889f-433b-9811-6a4fbf0b86ca" -}' -``` - -#### Response: - -A new token is returned in the `X-Subject-Token` header - -``` -HTTP/1.1 201 Created -X-Subject-Token: a5b83d68-ebad-4514-9d3a-dd892f6e6174 -Content-Type: application/json; charset=utf-8 -Content-Length: 135 -ETag: W/"87-nPb+4XRSsW5Szsf2JJC6UYab4GM" -Date: Mon, 30 Jul 2018 12:41:47 GMT -Connection: keep-alive -``` - -```json -{ - "token": { - "methods": ["token"], - "expires_at": "2018-07-30T13:13:20.567Z" - }, - "idm_authorization_config": { - "level": "basic", - "authzforce": false - } -} -``` - -# Administrating User Accounts - -User accounts are at the heart of any identity management system. 
The essential fields of every account hold a unique -username and email address to identify the user, along with a password for authentication. The other optional fields add -more information about the user such as a user website, description or avatar. - -As the default super-admin user `admin@test.com` with a password of `1234`, we will set up a series of user accounts and -assign them to relevant organizations within the system. - -### Dramatis Personae - -The following people legitimately have accounts within the Application - -- Alice, she will be the Administrator of the **Keyrock** Application -- Bob, the Regional Manager of the supermarket chain - he has several store managers under him: - - Manager1 - - Manager2 -- Charlie, the Head of Security of the supermarket chain - he has several store detectives under him: - - Detective1 - - Detective2 - -## User CRUD Actions - -#### GUI - -Users are able to sign-up for themselves using the GUI. The only requirement is an email address and a password. - -![](https://fiware.github.io/tutorials.Identity-Management/img/sign-up.png) - -Once an account is created, the user is sent an eMail to confirm their existence and activate their account. - -![](https://fiware.github.io/tutorials.Identity-Management/img/email.png) - -#### REST API - -The REST API is also able to create and amend users without their own interaction - this could be useful for bulk CRUD -actions for example. - -> [!NOTE] -> An eMail server must be configured to send out invites properly, otherwise the invitation may be deleted as -> spam. For testing purposes, it is easier to update the users table directly: `update user set enabled = 1;` - -All the CRUD actions for Users require an `X-Auth-token` header from a previously logged in administrative user to be -able to read or modify other user accounts. The standard CRUD actions are assigned to the appropriate HTTP verbs (POST, -GET, PATCH and DELETE) under the `/v1/users` endpoint. 
- -### Creating Users - -To create a new user, send a POST request to the `/v1/users` endpoint containing the `username`,`email` and `password` -along with the `X-Auth-token` header from a previously logged in administrative user. - -#### 4️⃣ Request: - -```console -curl -iX POST \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "alice", - "email": "alice@test.com", - "password": "test" - } -}' -``` - -#### Response: - -The response returns the details of the created user - -``` -{ - "user": { - "id": "3b3a5ad5-afd3-4baa-a538-25c7fe7cbf6a", - "image": "default", - "gravatar": false, - "enabled": true, - "admin": false, - "starters_tour_ended": false, - "username": "alice", - "email": "alice@test.com", - "date_password": "2018-07-30T12:51:26.813Z" - } -} -``` - -To grant super-admin power to a newly created user account, the database can be altered directly: - -```sql -update user set admin = 1 where username='alice'; -``` - -Additional users can be added by making repeated POST requests. 
- -For example to create additional accounts for Bob, the Regional Manager, Charlie, the Head of Security and their direct -reports - -```console -curl -iX POST \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "bob", - "email": "bob-the-manager@test.com", - "password": "test" - } -}' -``` - -```console -curl -iX POST \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "charlie", - "email": "charlie-security@test.com", - "password": "test" - } -}' -``` - -```console -curl -iX POST \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "manager1", - "email": "manager1@test.com", - "password": "test" - } -}' -``` - -```console -curl -iX POST \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "manager2", - "email": "manager2@test.com", - "password": "test" - } -}' -``` - -```console -curl -iX POST \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "detective1", - "email": "detective1@test.com", - "password": "test" - } -}' -``` - -```console -curl -iX POST \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "detective2", - "email": "detective2@test.com", - "password": "test" - } -}' -``` - -### Read Information About a User - -Making a GET request to a resource under the `/v1/users/{{user-id}}` endpoint will return the user listed under that ID. -The `X-Auth-token` must be supplied in the headers. 
- -#### 5️⃣ Request: - -```console -curl -X GET \ - 'http://localhost:3005/v1/users/{{user-id}}' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### Response: - -The response contains basic details of the account in question: - -```json -{ - "user": { - "id": "96154659-cb3b-4d2d-afef-18d6aec0518e", - "username": "alice", - "email": "alice-the-admin@test.com", - "enabled": true, - "admin": false, - "image": "default", - "gravatar": false, - "date_password": "2018-07-30T09:56:37.000Z", - "description": null, - "website": null - } -} -``` - -### List all Users - -Obtaining a complete list of all users is a super-admin permission requiring the `X-Auth-token` - most users will only -be permitted to return users within their own organization. Listing users can be done by making a GET request to the -`/v1/users` endpoint - -#### 6️⃣ Request: - -```console -curl -X GET \ - 'http://localhost:3005/v1/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### Response: - -```json -{ - "users": [ - { - "id": "06a2140f-ccc3-49e5-82a5-76bae48b38ba", - "username": "alice", - "email": "alice-the-admin@test.com", - "enabled": true, - "gravatar": false, - "date_password": "2018-07-30T11:41:14.000Z", - "description": null, - "website": null - }, - { - "id": "27e6ae58-adc1-4aaf-a6a2-f207946ba57e", - "username": "bob", - "email": "bob-the-manager@test.com", - "enabled": true, - "gravatar": false, - "date_password": "2018-07-30T10:01:12.000Z", - "description": null, - "website": null - }, - ...etc - ] -} -``` - -### Update a User - -Within the GUI, users can be updated from the settings page. This can also be done from the command-line by making PATCH -request to `/v1/users/` endpoint when the user ID is known. The `X-Auth-token` header must also be set. 
- -#### 7️⃣ Request: - -```console -curl -iX PATCH \ - 'http://localhost:3005/v1/users/{{user-id}}' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "user": { - "username": "alice", - "email": "alice-the-admin@test.com", - "enabled": true, - "gravatar": false, - "date_password": "2018-07-26T15:25:14.000Z", - "description": "Alice works for FIWARE", - "website": "http://www.fiware.org" - } -}' -``` - -#### Response: - -The response lists the fields which have been updated: - -```json -{ - "values_updated": { - "description": "Alice works for FIWARE", - "website": "http://www.fiware.org" - } -} -``` - -### Delete a User - -Within the GUI, users can delete their account from the settings page, selecting the **Cancel Account** Option, once -again a super-admin user can do this from the command-line by sending a DELETE request to the `/v1/users/{{user-id}}` -endpoint. The `X-Auth-token` header must also be set. - -#### 8️⃣ Request: - -```console -curl -iX DELETE \ - 'http://localhost:3005/v1/users/{{user-id}}' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - ---- - -# Grouping User Accounts under Organizations - -For any identity management system of a reasonable size, it is useful to be able to assign roles to groups of users, -rather than setting them up individually. Since user administration is a time consuming business, it is also necessary -to be able to delegate the responsibility of managing these group of users down to other accounts with a lower level of -access. - -Consider our supermarket chain for example, there could be a group of users (Managers) who can change the prices of -products within the store, and another group of users (Store Detectives) who can lock and unlock door after closing -time. Rather than give access to each individual account, it would be easier to assign the rights to an organization and -then add users to the groups. 
- -Furthermore, Alice, the **Keyrock** administrator does not need to explicitly add additional user accounts to each -organization herself - she could delegate that right to an owner within each organization. For example Bob the Regional -Manager would be made the owner of the _management_ organization and could add and remove addition manager accounts -(such as `manager1` and `manager2`) to that organization whereas Charlie the Head of Security could be handed an -ownership role in the _security_ organization and add additional store detectives to that organization. - -Note that Bob does not have the rights to alter the membership list of the _security_ organization and Charlie does not -have the rights to alter the membership list of the _management_ organization. Furthermore neither Bob nor Charlie would -be able to alter the permissions of the application themselves, merely add and remove existing user accounts to the -organization they control. - -Creating an application and setting-up the permissions is not covered here as it is the subject of the next tutorial. - -## Organization CRUD Actions - -#### GUI - -Once signed-in, users are able to create and update organizations for themselves. - -![](https://fiware.github.io/tutorials.Identity-Management/img/create-org.png) - -#### REST API - -Alternatively, the standard CRUD actions are assigned to the appropriate HTTP verbs (POST, GET, PATCH and DELETE) under -the `/v1/organizations` endpoint. - -### Create an Organization - -To create a new organization, send a POST request to the `/v1/organizations` endpoint containing the `name` and -`description` along with the `X-Auth-token` header from a previously logged in user. 
- -#### 9️⃣ Request: - -```console -curl -iX POST \ - 'http://localhost:3005/v1/organizations' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "organization": { - "name": "Security", - "description": "This group is for the store detectives" - } -}' -``` - -#### Response: - -The Organization is created and the user who created it is automatically assigned as a user. The response returns UUID -to identify the new organization. - -```json -{ - "organization": { - "id": "18deea43-e12a-4018-a45a-664c3158780d", - "image": "default", - "name": "Security", - "description": "This group is for the store detectives" - } -} -``` +| [![NGSI v2](https://img.shields.io/badge/NGSI-v2-5dc0cf.svg)](https://fiware-ges.github.io/orion/api/v2/stable/) | :books: [Documentation](https://github.com/FIWARE/tutorials.Identity-Management/tree/NGSI-LD) | [Postman Collection](https://fiware.github.io/tutorials.Identity-Management/) | +| --- | --- | --- | -### Read Organization Details -Making a GET request to a resource under the `/v1/organizations/{{organization-id}}` endpoint will return the -organization listed under that ID. The `X-Auth-token` must be supplied in the headers as only permitted organizations -will be shown. +## NGSI-LD Smart Farm -#### 1️⃣0️⃣ Request: +**NGSI-LD** offers JSON-LD based interoperability used for Federations and Data Spaces. To run this tutorial with **NGSI-LD**, use the `NGSI-LD` branch. ```console -curl -X GET \ - 'http://localhost:3005/v1/organizations/{{organization-id}}' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### Response: - -The response returns the details of the organization. 
- -```json -{ - "organization": { - "id": "18deea43-e12a-4018-a45a-664c3158780d", - "name": "Security", - "description": "This group is for the store detectives", - "website": null, - "image": "default" - } -} -``` - -### List all Organizations - -Obtaining a complete list of all users is a super-admin permission requiring the `X-Auth-token` - most users will only -be permitted to return users within their own organization. Listing users can be done by making a GET request to the -`/v1/organizations` endpoint - -#### 1️⃣1️⃣ Request: - -```console -curl -X GET \ - 'http://localhost:3005/v1/organizations' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### Response: - -The response returns the details of the visible organizations. - -```json -{ - "organizations": [ - { - "role": "owner", - "Organization": { - "id": "18deea43-e12a-4018-a45a-664c3158780d", - "name": "Security", - "description": "This group is for the store detectives", - "image": "default", - "website": null - } - }, - { - "role": "owner", - "Organization": { - "id": "a45f9b5a-dd23-4d0f-a0d4-e97e2d7431a3", - "name": "Management", - "description": "This group is for the store manangers", - "image": "default", - "website": null - } - } - ] -} -``` - -### Update an Organization - -To amend the details of an existing organization, a PATCH request is send to the `/v1/organizations/{{organization-id}}` -endpoint. - -#### 1️⃣2️⃣ Request: - -```console -curl -iX PATCH \ - 'http://localhost:3005/v1/organizations/{{organization-id}}' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' \ - -d '{ - "organization": { - "name": "FIWARE Security", - "description": "The FIWARE Foundation is the ...", - "website": "https://fiware.org" - } -}' -``` - -#### Response: - -The response contains a list of the fields which have been amended. 
- -```json -{ - "values_updated": { - "name": "FIWARE Security", - "description": "The FIWARE Foundation is the ...", - "website": "https://fiware.org" - } -} -``` - -### Delete an Organization - -#### 1️⃣3️⃣ Request: - -```console -curl -iX DELETE \ - 'http://localhost:3005/v1/organizations/{{organization-id}}' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -## Users within an Organization - -Users within an Organization are assigned to one of types - `owner` or `member`. The members of an organization inherit -all of the roles and permissions assigned to the organization itself. In addition, owners of an organization are able to -add and remove other members and owners. - -### Add a User as a Member of an Organization - -To add a user to an organization using the GUI, first click on the existing organization, then click on the **Manage** -button: - -![](https://fiware.github.io/tutorials.Identity-Management/img/add-user-to-org.png) - -To add a user as a member of an organization, an owner must make a PUT request as shown, including the -`` and `` in the URL path and identifying themselves using an `X-Auth-Token` in the header. - -#### 1️⃣4️⃣ Request: - -```console -curl -iX PUT \ - 'http://localhost:3005/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles/member' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### Response: - -The response lists the user's current role within the organization (i.e. `member`) - -```json -{ - "user_organization_assignments": { - "role": "member", - "organization_id": "18deea43-e12a-4018-a45a-664c3158780d", - "user_id": "5e482345-2c48-410e-ae03-203d67a43cea" - } -} -``` - -### Add a User as an Owner of an Organization - -An owner can also create new owners by making a PUT request as shown, including the `` and `` -in the URL path and identifying themselves using an `X-Auth-Token` in the header. 
- -#### 1️⃣5️⃣ Request: - -```console -curl -iX PUT \ - 'http://localhost:3005/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles/owner' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### Response: - -The response lists the user's current role within the organization (i.e. `owner`) - -```json -{ - "user_organization_assignments": { - "role": "owner", - "user_id": "5e482345-2c48-410e-ae03-203d67a43cea", - "organization_id": "18deea43-e12a-4018-a45a-664c3158780d" - } -} -``` - -### List Users within an Organization - -To list the users of an organization using the GUI, just click on the existing organization: - -![](https://fiware.github.io/tutorials.Identity-Management/img/org-with-users.png) - -Listing users within an organization is an `owner` or super-admin permission requiring the `X-Auth-token`. Listing users -can be done by making a GET request to the `/v1/organizations/{{organization-id}}/users` endpoint. - -#### 1️⃣6️⃣ Request: - -```console -curl -X GET \ - 'http://localhost:3005/v1/organizations/{{organization-id}}/users' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### Response: - -The response contains the users list. - -```json -{ - "organization_users": [ - { - "user_id": "admin", - "organization_id": "18deea43-e12a-4018-a45a-664c3158780d", - "role": "owner" - }, - { - "user_id": "5e482345-2c48-410e-ae03-203d67a43cea", - "organization_id": "18deea43-e12a-4018-a45a-664c3158780d", - "role": "member" - } - ] -} -``` - -### Read User Roles within an Organization - -To find the role of a user within an organization, send a GET request to the -`/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles` endpoint. 
- -#### 1️⃣7️⃣ Request: - -```console -curl -X GET \ - 'http://localhost:3005/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' -``` - -#### Response: - -The response returns the role of the given `` - -```json -{ - "organization_user": { - "user_id": "5e482345-2c48-410e-ae03-203d67a43cea", - "organization_id": "18deea43-e12a-4018-a45a-664c3158780d", - "role": "member" - } -} -``` - -### Remove a User from an Organization - -Owners and Super-Admins can remove a user from and organization by making a delete request. - -#### 1️⃣8️⃣ Request: +git clone https://github.com/FIWARE/tutorials.Identity-Management.git +cd tutorials.Identity-Management +git checkout NGSI-LD -```console -curl -X DELETE \ - 'http://localhost:3005/v1/organizations/{{organization-id}}/users/{{user-id}}/organization_roles/member' \ - -H 'Content-Type: application/json' \ - -H 'X-Auth-token: {{X-Auth-token}}' +./services create +./services start ``` -# Next Steps +| [![NGSI LD](https://img.shields.io/badge/NGSI-LD-d6604d.svg)](https://www.etsi.org/deliver/etsi_gs/CIM/001_099/009/01.08.01_60/gs_cim009v010801p.pdf) | :books: [Documentation](https://github.com/FIWARE/tutorials.Identity-Management/tree/NGSI-LD) | [Postman Collection](https://fiware.github.io/tutorials.Identity-Management/ngsi-ld.html) | +| --- | --- | --- | -Want to learn how to add more complexity to your application by adding advanced features? You can find out by reading -the other [tutorials in this series](https://fiware-tutorials.rtfd.io) --- ## License [MIT](LICENSE) © 2018-2024 FIWARE Foundation e.V. - ---- - -### Footnotes - - - -- [Garnter: Identity Management](http://www.gartner.com/it-glossary/identity-and-access-management-iam/) - definition - of Identity Management diff --git a/docker-compose.yml b/docker-compose.yml deleted file mode 100644 index 407fbde..0000000 --- a/docker-compose.yml +++ /dev/null 
@@ -1,89 +0,0 @@ -# WARNING: Do not deploy this tutorial configuration directly to a production environment -# -# The tutorial docker-compose files have not been written for production deployment and will not -# scale. A proper architecture has been sacrificed to keep the narrative focused on the learning -# goals, they are just used to deploy everything onto a single Docker machine. All FIWARE components -# are running at full debug and extra ports have been exposed to allow for direct calls to services. -# They also contain various obvious security flaws - passwords in plain text, no load balancing, -# no use of HTTPS and so on. -# -# This is all to avoid the need of multiple machines, generating certificates, encrypting secrets -# and so on, purely so that a single docker-compose file can be read as an example to build on, -# not use directly. -# -# When deploying to a production environment, please refer to the Helm Repository -# for FIWARE Components in order to scale up to a proper architecture: -# -# see: https://github.com/FIWARE/helm-charts/ -# -version: "3.8" -services: - # Keyrock is an Identity Management Front-End - keyrock: - labels: - org.fiware: 'tutorial' - image: quay.io/fiware/idm:${KEYROCK_VERSION} - container_name: fiware-keyrock - hostname: keyrock - networks: - default: - ipv4_address: 172.18.1.5 - depends_on: - - mysql-db - ports: - - "${KEYROCK_PORT}:${KEYROCK_PORT}" # localhost:3005 - - "${KEYROCK_HTTPS_PORT}:${KEYROCK_HTTPS_PORT}" # localhost:3443 - environment: - - "DEBUG=idm:*" - - "IDM_DB_HOST=mysql-db" - - "IDM_DB_PASS_FILE=/run/secrets/my_secret_data" - - "IDM_DB_USER=root" - - "IDM_PORT=${KEYROCK_PORT}" - - "IDM_HOST=http://localhost:${KEYROCK_PORT}" - - "IDM_HTTPS_ENABLED=${IDM_HTTPS_ENABLED}" - - "IDM_HTTPS_PORT=${KEYROCK_HTTPS_PORT}" - - "IDM_ADMIN_USER=admin" - - "IDM_ADMIN_EMAIL=admin@test.com" - - "IDM_ADMIN_PASS=1234" - - IDM_CSP_FORM_ACTION=* - secrets: - - my_secret_data - healthcheck: - interval: 5s - - # Database - 
mysql-db: - restart: always - labels: - org.fiware: 'tutorial' - image: mysql:${MYSQL_DB_VERSION} - hostname: mysql-db - container_name: db-mysql - expose: - - "${MYSQL_DB_PORT}" - ports: - - "${MYSQL_DB_PORT}:${MYSQL_DB_PORT}" - networks: - default: - ipv4_address: 172.18.1.6 - environment: - - "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my_secret_data" - - "MYSQL_ROOT_HOST=172.18.1.5" # Allow Keyrock to access this database - volumes: - - mysql-db:/var/lib/mysql - secrets: - - my_secret_data - -networks: - default: - labels: - org.fiware: 'tutorial' - ipam: - config: - - subnet: 172.18.1.0/24 -volumes: - mysql-db: ~ - -secrets: - my_secret_data: - file: ./secrets.txt diff --git a/mysql-data/backup.sql b/mysql-data/backup.sql deleted file mode 100644 index 9ac6391..0000000 --- a/mysql-data/backup.sql +++ /dev/null 
@@ -1,814 +0,0 @@ --- MySQL dump 10.13 Distrib 5.7.38, for Linux (x86_64) --- --- Host: localhost Database: idm --- ------------------------------------------------------ --- Server version 5.7.38 - -/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; -/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; -/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; -/*!40101 SET NAMES utf8 */; -/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */; -/*!40103 SET TIME_ZONE='+00:00' */; -/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; -/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; -/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; -/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; - --- --- Table structure for table `SequelizeMeta` --- - -DROP TABLE IF EXISTS `SequelizeMeta`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `SequelizeMeta` ( - `name` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - PRIMARY KEY (`name`), - UNIQUE KEY `name` (`name`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `SequelizeMeta` --- - -LOCK TABLES `SequelizeMeta` WRITE; -/*!40000 ALTER TABLE `SequelizeMeta` DISABLE KEYS */; -INSERT INTO `SequelizeMeta` VALUES 
('201802190000-CreateUserTable.js'),('201802190003-CreateUserRegistrationProfileTable.js'),('201802190005-CreateOrganizationTable.js'),('201802190008-CreateOAuthClientTable.js'),('201802190009-CreateUserAuthorizedApplicationTable.js'),('201802190010-CreateRoleTable.js'),('201802190015-CreatePermissionTable.js'),('201802190020-CreateRoleAssignmentTable.js'),('201802190025-CreateRolePermissionTable.js'),('201802190030-CreateUserOrganizationTable.js'),('201802190035-CreateIotTable.js'),('201802190040-CreatePepProxyTable.js'),('201802190045-CreateAuthZForceTable.js'),('201802190050-CreateAuthTokenTable.js'),('201802190060-CreateOAuthAuthorizationCodeTable.js'),('201802190065-CreateOAuthAccessTokenTable.js'),('201802190070-CreateOAuthRefreshTokenTable.js'),('201802190075-CreateOAuthScopeTable.js'),('20180405125424-CreateUserTourAttribute.js'),('20180612134640-CreateEidasTable.js'),('20180727101745-CreateUserEidasIdAttribute.js'),('20180730094347-CreateTrustedApplicationsTable.js'),('20180828133454-CreatePasswordSalt.js'),('20180921104653-CreateEidasNifColumn.js'),('20180922140934-CreateOauthTokenType.js'),('20181022103002-CreateEidasTypeAndAttributes.js'),('20181108144720-RevokeToken.js'),('20181113121450-FixExtraAndScopeAttribute.js'),('20181203120316-FixTokenTypesLength.js'),('20190116101526-CreateSignOutUrl.js'),('20190316203230-CreatePermissionIsRegex.js'),('20190429164755-CreateUsagePolicyTable.js'),('20190507112246-CreateRoleUsagePolicyTable.js'),('20190507112259-CreatePtpTable.js'),('20191019153205-UpdateUserAuthorizedApplicationTable.js'),('20200107102154-CreatePermissionFiwareService.js'),('20200107102154-CreatePermissionUseFiwareService.js'),('20200928134556-AddDisable2faKey.js'),('20210422214057-init-visible_attributes.js'),('20210423161823-AddOidcNonce.js.js'),('20210603073911-hashed-access-tokens.js'),('20210607162019-CreateDelegationEvidenceTable.js'),('20210707102154-CreatePermissionFiwarePayload.js'); -/*!40000 ALTER TABLE `SequelizeMeta` ENABLE KEYS */; 
-UNLOCK TABLES; - --- --- Table structure for table `auth_token` --- - -DROP TABLE IF EXISTS `auth_token`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `auth_token` ( - `access_token` varchar(255) NOT NULL, - `expires` datetime DEFAULT NULL, - `valid` tinyint(1) DEFAULT NULL, - `user_id` varchar(36) DEFAULT NULL, - `pep_proxy_id` varchar(255) DEFAULT NULL, - PRIMARY KEY (`access_token`), - UNIQUE KEY `access_token` (`access_token`), - KEY `user_id` (`user_id`), - KEY `pep_proxy_id` (`pep_proxy_id`), - CONSTRAINT `auth_token_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE, - CONSTRAINT `auth_token_ibfk_2` FOREIGN KEY (`pep_proxy_id`) REFERENCES `pep_proxy` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `auth_token` --- - -LOCK TABLES `auth_token` WRITE; -/*!40000 ALTER TABLE `auth_token` DISABLE KEYS */; -/*!40000 ALTER TABLE `auth_token` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `authzforce` --- - -DROP TABLE IF EXISTS `authzforce`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `authzforce` ( - `az_domain` varchar(255) NOT NULL, - `policy` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `version` int(11) DEFAULT NULL, - `oauth_client_id` varchar(36) DEFAULT NULL, - PRIMARY KEY (`az_domain`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `authzforce_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `authzforce` --- - -LOCK TABLES `authzforce` WRITE; -/*!40000 ALTER TABLE `authzforce` DISABLE KEYS */; -/*!40000 ALTER TABLE `authzforce` ENABLE KEYS */; -UNLOCK 
TABLES; - --- --- Table structure for table `delegation_evidence` --- - -DROP TABLE IF EXISTS `delegation_evidence`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `delegation_evidence` ( - `policy_issuer` varchar(255) NOT NULL, - `access_subject` varchar(255) NOT NULL, - `policy` json NOT NULL, - PRIMARY KEY (`policy_issuer`,`access_subject`), - UNIQUE KEY `policy_issuer_access_subject_unique` (`policy_issuer`,`access_subject`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `delegation_evidence` --- - -LOCK TABLES `delegation_evidence` WRITE; -/*!40000 ALTER TABLE `delegation_evidence` DISABLE KEYS */; -/*!40000 ALTER TABLE `delegation_evidence` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `eidas_credentials` --- - -DROP TABLE IF EXISTS `eidas_credentials`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `eidas_credentials` ( - `id` varchar(36) NOT NULL, - `support_contact_person_name` varchar(255) DEFAULT NULL, - `support_contact_person_surname` varchar(255) DEFAULT NULL, - `support_contact_person_email` varchar(255) DEFAULT NULL, - `support_contact_person_telephone_number` varchar(255) DEFAULT NULL, - `support_contact_person_company` varchar(255) DEFAULT NULL, - `technical_contact_person_name` varchar(255) DEFAULT NULL, - `technical_contact_person_surname` varchar(255) DEFAULT NULL, - `technical_contact_person_email` varchar(255) DEFAULT NULL, - `technical_contact_person_telephone_number` varchar(255) DEFAULT NULL, - `technical_contact_person_company` varchar(255) DEFAULT NULL, - `organization_name` varchar(255) DEFAULT NULL, - `organization_url` varchar(255) DEFAULT NULL, - `oauth_client_id` varchar(36) DEFAULT NULL, - `organization_nif` varchar(255) DEFAULT NULL, - `sp_type` varchar(255) DEFAULT 'private', - 
`attributes_list` json DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `id` (`id`), - UNIQUE KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `eidas_credentials_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `eidas_credentials` --- - -LOCK TABLES `eidas_credentials` WRITE; -/*!40000 ALTER TABLE `eidas_credentials` DISABLE KEYS */; -/*!40000 ALTER TABLE `eidas_credentials` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `iot` --- - -DROP TABLE IF EXISTS `iot`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `iot` ( - `id` varchar(255) NOT NULL, - `password` varchar(40) DEFAULT NULL, - `oauth_client_id` varchar(36) DEFAULT NULL, - `salt` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `iot_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `iot` --- - -LOCK TABLES `iot` WRITE; -/*!40000 ALTER TABLE `iot` DISABLE KEYS */; -/*!40000 ALTER TABLE `iot` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_access_token` --- - -DROP TABLE IF EXISTS `oauth_access_token`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `oauth_access_token` ( - `access_token` text NOT NULL, - `expires` datetime DEFAULT NULL, - `scope` varchar(2000) DEFAULT NULL, - `refresh_token` varchar(255) DEFAULT NULL, - `valid` tinyint(1) DEFAULT NULL, - `extra` json DEFAULT NULL, - `oauth_client_id` varchar(36) DEFAULT NULL, - `user_id` varchar(36) DEFAULT NULL, - `iot_id` varchar(255) DEFAULT NULL, - 
`authorization_code` varchar(255) DEFAULT NULL, - `hash` char(64) NOT NULL, - PRIMARY KEY (`hash`), - UNIQUE KEY `oauth_access_token_hash_uk` (`hash`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `user_id` (`user_id`), - KEY `iot_id` (`iot_id`), - KEY `refresh_token` (`refresh_token`), - KEY `authorization_code_at` (`authorization_code`), - CONSTRAINT `authorization_code_at` FOREIGN KEY (`authorization_code`) REFERENCES `oauth_authorization_code` (`authorization_code`) ON DELETE CASCADE, - CONSTRAINT `oauth_access_token_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE, - CONSTRAINT `oauth_access_token_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE, - CONSTRAINT `oauth_access_token_ibfk_3` FOREIGN KEY (`iot_id`) REFERENCES `iot` (`id`) ON DELETE CASCADE, - CONSTRAINT `refresh_token` FOREIGN KEY (`refresh_token`) REFERENCES `oauth_refresh_token` (`refresh_token`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `oauth_access_token` --- - -LOCK TABLES `oauth_access_token` WRITE; -/*!40000 ALTER TABLE `oauth_access_token` DISABLE KEYS */; -/*!40000 ALTER TABLE `oauth_access_token` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_authorization_code` --- - -DROP TABLE IF EXISTS `oauth_authorization_code`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `oauth_authorization_code` ( - `authorization_code` varchar(256) NOT NULL, - `expires` datetime DEFAULT NULL, - `redirect_uri` varchar(2000) DEFAULT NULL, - `scope` varchar(2000) DEFAULT NULL, - `valid` tinyint(1) DEFAULT NULL, - `extra` json DEFAULT NULL, - `oauth_client_id` varchar(36) DEFAULT NULL, - `user_id` varchar(36) DEFAULT NULL, - `nonce` varchar(255) DEFAULT NULL, - PRIMARY KEY (`authorization_code`), - UNIQUE KEY `authorization_code` 
(`authorization_code`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `user_id` (`user_id`), - CONSTRAINT `oauth_authorization_code_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE, - CONSTRAINT `oauth_authorization_code_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `oauth_authorization_code` --- - -LOCK TABLES `oauth_authorization_code` WRITE; -/*!40000 ALTER TABLE `oauth_authorization_code` DISABLE KEYS */; -/*!40000 ALTER TABLE `oauth_authorization_code` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_client` --- - -DROP TABLE IF EXISTS `oauth_client`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `oauth_client` ( - `id` varchar(36) NOT NULL, - `name` varchar(255) DEFAULT NULL, - `description` text, - `secret` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `url` varchar(2000) DEFAULT NULL, - `redirect_uri` varchar(2000) DEFAULT NULL, - `image` varchar(255) DEFAULT 'default', - `grant_type` varchar(255) DEFAULT NULL, - `response_type` varchar(255) DEFAULT NULL, - `client_type` varchar(15) DEFAULT NULL, - `scope` varchar(2000) DEFAULT NULL, - `extra` json DEFAULT NULL, - `token_types` varchar(2000) DEFAULT NULL, - `jwt_secret` varchar(255) DEFAULT NULL, - `redirect_sign_out_uri` varchar(2000) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `id` (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `oauth_client` --- - -LOCK TABLES `oauth_client` WRITE; -/*!40000 ALTER TABLE `oauth_client` DISABLE KEYS */; -INSERT INTO `oauth_client` VALUES ('idm_admin_app','idm','idm',NULL,'','','default','','',NULL,NULL,NULL,NULL,NULL,NULL); -/*!40000 ALTER TABLE 
`oauth_client` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_refresh_token` --- - -DROP TABLE IF EXISTS `oauth_refresh_token`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `oauth_refresh_token` ( - `refresh_token` varchar(256) NOT NULL, - `expires` datetime DEFAULT NULL, - `scope` varchar(2000) DEFAULT NULL, - `oauth_client_id` varchar(36) DEFAULT NULL, - `user_id` varchar(36) DEFAULT NULL, - `iot_id` varchar(255) DEFAULT NULL, - `authorization_code` varchar(255) DEFAULT NULL, - `valid` tinyint(1) DEFAULT NULL, - PRIMARY KEY (`refresh_token`), - UNIQUE KEY `refresh_token` (`refresh_token`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `user_id` (`user_id`), - KEY `iot_id` (`iot_id`), - KEY `authorization_code_rt` (`authorization_code`), - CONSTRAINT `authorization_code_rt` FOREIGN KEY (`authorization_code`) REFERENCES `oauth_authorization_code` (`authorization_code`) ON DELETE CASCADE, - CONSTRAINT `oauth_refresh_token_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE, - CONSTRAINT `oauth_refresh_token_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE, - CONSTRAINT `oauth_refresh_token_ibfk_3` FOREIGN KEY (`iot_id`) REFERENCES `iot` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `oauth_refresh_token` --- - -LOCK TABLES `oauth_refresh_token` WRITE; -/*!40000 ALTER TABLE `oauth_refresh_token` DISABLE KEYS */; -/*!40000 ALTER TABLE `oauth_refresh_token` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_scope` --- - -DROP TABLE IF EXISTS `oauth_scope`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `oauth_scope` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `scope` varchar(255) DEFAULT NULL, - 
`is_default` tinyint(1) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `id` (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `oauth_scope` --- - -LOCK TABLES `oauth_scope` WRITE; -/*!40000 ALTER TABLE `oauth_scope` DISABLE KEYS */; -/*!40000 ALTER TABLE `oauth_scope` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `organization` --- - -DROP TABLE IF EXISTS `organization`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `organization` ( - `id` varchar(36) NOT NULL, - `name` varchar(64) DEFAULT NULL, - `description` text, - `website` varchar(2000) DEFAULT NULL, - `image` varchar(255) DEFAULT 'default', - PRIMARY KEY (`id`), - UNIQUE KEY `id` (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `organization` --- - -LOCK TABLES `organization` WRITE; -/*!40000 ALTER TABLE `organization` DISABLE KEYS */; -/*!40000 ALTER TABLE `organization` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `pep_proxy` --- - -DROP TABLE IF EXISTS `pep_proxy`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `pep_proxy` ( - `id` varchar(255) NOT NULL, - `password` varchar(40) DEFAULT NULL, - `oauth_client_id` varchar(36) DEFAULT NULL, - `salt` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `pep_proxy_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `pep_proxy` --- - -LOCK TABLES `pep_proxy` WRITE; -/*!40000 ALTER TABLE `pep_proxy` DISABLE KEYS */; -/*!40000 ALTER TABLE `pep_proxy` ENABLE KEYS */; -UNLOCK 
TABLES; - --- --- Table structure for table `permission` --- - -DROP TABLE IF EXISTS `permission`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `permission` ( - `id` varchar(36) NOT NULL, - `name` varchar(255) DEFAULT NULL, - `description` text, - `is_internal` tinyint(1) DEFAULT '0', - `action` varchar(255) DEFAULT NULL, - `resource` varchar(255) DEFAULT NULL, - `xml` text, - `oauth_client_id` varchar(36) DEFAULT NULL, - `is_regex` tinyint(1) NOT NULL DEFAULT '0', - `authorization_service_header` varchar(255) DEFAULT NULL, - `use_authorization_service_header` tinyint(1) NOT NULL DEFAULT '0', - `regex_entity_ids` varchar(255) DEFAULT NULL, - `regex_attributes` varchar(255) DEFAULT NULL, - `regex_types` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `id` (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `permission_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `permission` --- - -LOCK TABLES `permission` WRITE; -/*!40000 ALTER TABLE `permission` DISABLE KEYS */; -INSERT INTO `permission` VALUES ('1','Get and assign all internal application roles',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL),('2','Manage the application',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL),('3','Manage roles',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL),('4','Manage authorizations',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL),('5','Get and assign all public application roles',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL),('6','Get and assign only public owned roles',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL); -/*!40000 ALTER TABLE `permission` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for 
table `ptp` --- - -DROP TABLE IF EXISTS `ptp`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `ptp` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `previous_job_id` varchar(255) NOT NULL, - `oauth_client_id` varchar(36) DEFAULT NULL, - PRIMARY KEY (`id`,`previous_job_id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `ptp_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `ptp` --- - -LOCK TABLES `ptp` WRITE; -/*!40000 ALTER TABLE `ptp` DISABLE KEYS */; -/*!40000 ALTER TABLE `ptp` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `role` --- - -DROP TABLE IF EXISTS `role`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `role` ( - `id` varchar(36) NOT NULL, - `name` varchar(64) DEFAULT NULL, - `is_internal` tinyint(1) DEFAULT '0', - `oauth_client_id` varchar(36) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `id` (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `role_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `role` --- - -LOCK TABLES `role` WRITE; -/*!40000 ALTER TABLE `role` DISABLE KEYS */; -INSERT INTO `role` VALUES ('provider','Provider',1,'idm_admin_app'),('purchaser','Purchaser',1,'idm_admin_app'); -/*!40000 ALTER TABLE `role` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `role_assignment` --- - -DROP TABLE IF EXISTS `role_assignment`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `role_assignment` ( - `id` int(11) NOT NULL 
AUTO_INCREMENT, - `role_organization` varchar(255) DEFAULT NULL, - `oauth_client_id` varchar(36) DEFAULT NULL, - `role_id` varchar(36) DEFAULT NULL, - `organization_id` varchar(36) DEFAULT NULL, - `user_id` varchar(36) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `role_id` (`role_id`), - KEY `organization_id` (`organization_id`), - KEY `user_id` (`user_id`), - CONSTRAINT `role_assignment_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE, - CONSTRAINT `role_assignment_ibfk_2` FOREIGN KEY (`role_id`) REFERENCES `role` (`id`) ON DELETE CASCADE, - CONSTRAINT `role_assignment_ibfk_3` FOREIGN KEY (`organization_id`) REFERENCES `organization` (`id`) ON DELETE CASCADE, - CONSTRAINT `role_assignment_ibfk_4` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `role_assignment` --- - -LOCK TABLES `role_assignment` WRITE; -/*!40000 ALTER TABLE `role_assignment` DISABLE KEYS */; -/*!40000 ALTER TABLE `role_assignment` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `role_permission` --- - -DROP TABLE IF EXISTS `role_permission`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `role_permission` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `role_id` varchar(36) DEFAULT NULL, - `permission_id` varchar(36) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `role_id` (`role_id`), - KEY `permission_id` (`permission_id`), - CONSTRAINT `role_permission_ibfk_1` FOREIGN KEY (`role_id`) REFERENCES `role` (`id`) ON DELETE CASCADE, - CONSTRAINT `role_permission_ibfk_2` FOREIGN KEY (`permission_id`) REFERENCES `permission` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data 
for table `role_permission` --- - -LOCK TABLES `role_permission` WRITE; -/*!40000 ALTER TABLE `role_permission` DISABLE KEYS */; -INSERT INTO `role_permission` VALUES (1,'provider','1'),(2,'provider','2'),(3,'provider','3'),(4,'provider','4'),(5,'provider','5'),(6,'provider','6'),(7,'purchaser','5'); -/*!40000 ALTER TABLE `role_permission` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `role_usage_policy` --- - -DROP TABLE IF EXISTS `role_usage_policy`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `role_usage_policy` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `role_id` varchar(36) DEFAULT NULL, - `usage_policy_id` varchar(36) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `role_id` (`role_id`), - KEY `usage_policy_id` (`usage_policy_id`), - CONSTRAINT `role_usage_policy_ibfk_1` FOREIGN KEY (`role_id`) REFERENCES `role` (`id`) ON DELETE CASCADE, - CONSTRAINT `role_usage_policy_ibfk_2` FOREIGN KEY (`usage_policy_id`) REFERENCES `usage_policy` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `role_usage_policy` --- - -LOCK TABLES `role_usage_policy` WRITE; -/*!40000 ALTER TABLE `role_usage_policy` DISABLE KEYS */; -/*!40000 ALTER TABLE `role_usage_policy` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `trusted_application` --- - -DROP TABLE IF EXISTS `trusted_application`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `trusted_application` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `oauth_client_id` varchar(36) DEFAULT NULL, - `trusted_oauth_client_id` varchar(36) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `trusted_oauth_client_id` (`trusted_oauth_client_id`), - CONSTRAINT `trusted_application_ibfk_1` FOREIGN KEY (`oauth_client_id`) 
REFERENCES `oauth_client` (`id`) ON DELETE CASCADE, - CONSTRAINT `trusted_application_ibfk_2` FOREIGN KEY (`trusted_oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `trusted_application` --- - -LOCK TABLES `trusted_application` WRITE; -/*!40000 ALTER TABLE `trusted_application` DISABLE KEYS */; -/*!40000 ALTER TABLE `trusted_application` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `usage_policy` --- - -DROP TABLE IF EXISTS `usage_policy`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `usage_policy` ( - `id` varchar(36) NOT NULL, - `name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `description` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci, - `type` enum('COUNT_POLICY','AGGREGATION_POLICY','CUSTOM_POLICY') DEFAULT NULL, - `parameters` json DEFAULT NULL, - `punishment` enum('KILL_JOB','UNSUBSCRIBE','MONETIZE') DEFAULT NULL, - `from` time DEFAULT NULL, - `to` time DEFAULT NULL, - `odrl` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci, - `oauth_client_id` varchar(36) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `usage_policy_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `usage_policy` --- - -LOCK TABLES `usage_policy` WRITE; -/*!40000 ALTER TABLE `usage_policy` DISABLE KEYS */; -/*!40000 ALTER TABLE `usage_policy` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `user` --- - -DROP TABLE IF EXISTS `user`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `user` ( - 
`id` varchar(36) NOT NULL, - `username` varchar(64) DEFAULT NULL, - `description` text, - `website` varchar(2000) DEFAULT NULL, - `image` varchar(255) DEFAULT 'default', - `gravatar` tinyint(1) DEFAULT '0', - `email` varchar(255) DEFAULT NULL, - `password` varchar(40) DEFAULT NULL, - `date_password` datetime DEFAULT NULL, - `enabled` tinyint(1) DEFAULT '0', - `admin` tinyint(1) DEFAULT '0', - `extra` json DEFAULT NULL, - `scope` varchar(2000) DEFAULT NULL, - `starters_tour_ended` tinyint(1) DEFAULT '0', - `eidas_id` varchar(255) DEFAULT NULL, - `salt` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `id` (`id`), - UNIQUE KEY `email` (`email`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `user` --- - -LOCK TABLES `user` WRITE; -/*!40000 ALTER TABLE `user` DISABLE KEYS */; -INSERT INTO `user` VALUES ('admin','admin',NULL,NULL,'default',0,'admin@test.com','d245d83b4aef87f52043aa6ffc90b5e80c1a0245','2022-08-17 10:54:08',1,1,'{\"visible_attributes\": [\"username\", \"description\"]}',NULL,0,NULL,'b55d5ca8edcff919'); -/*!40000 ALTER TABLE `user` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `user_authorized_application` --- - -DROP TABLE IF EXISTS `user_authorized_application`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `user_authorized_application` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` varchar(36) DEFAULT NULL, - `oauth_client_id` varchar(36) DEFAULT NULL, - `shared_attributes` varchar(255) DEFAULT NULL, - `login_date` datetime DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `user_id` (`user_id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `user_authorized_application_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE, - CONSTRAINT `user_authorized_application_ibfk_2` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` 
(`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `user_authorized_application` --- - -LOCK TABLES `user_authorized_application` WRITE; -/*!40000 ALTER TABLE `user_authorized_application` DISABLE KEYS */; -/*!40000 ALTER TABLE `user_authorized_application` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `user_organization` --- - -DROP TABLE IF EXISTS `user_organization`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `user_organization` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `role` varchar(10) DEFAULT NULL, - `user_id` varchar(36) DEFAULT NULL, - `organization_id` varchar(36) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `user_id` (`user_id`), - KEY `organization_id` (`organization_id`), - CONSTRAINT `user_organization_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE, - CONSTRAINT `user_organization_ibfk_2` FOREIGN KEY (`organization_id`) REFERENCES `organization` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `user_organization` --- - -LOCK TABLES `user_organization` WRITE; -/*!40000 ALTER TABLE `user_organization` DISABLE KEYS */; -/*!40000 ALTER TABLE `user_organization` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `user_registration_profile` --- - -DROP TABLE IF EXISTS `user_registration_profile`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `user_registration_profile` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `activation_key` varchar(255) DEFAULT NULL, - `activation_expires` datetime DEFAULT NULL, - `reset_key` varchar(255) DEFAULT NULL, - `reset_expires` datetime DEFAULT NULL, - `verification_key` varchar(255) DEFAULT NULL, - 
`verification_expires` datetime DEFAULT NULL, - `user_email` varchar(255) DEFAULT NULL, - `disable_2fa_key` varchar(255) DEFAULT NULL, - `disable_2fa_expires` datetime DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `user_email` (`user_email`), - CONSTRAINT `user_registration_profile_ibfk_1` FOREIGN KEY (`user_email`) REFERENCES `user` (`email`) ON DELETE CASCADE ON UPDATE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `user_registration_profile` --- - -LOCK TABLES `user_registration_profile` WRITE; -/*!40000 ALTER TABLE `user_registration_profile` DISABLE KEYS */; -/*!40000 ALTER TABLE `user_registration_profile` ENABLE KEYS */; -UNLOCK TABLES; -/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; - -/*!40101 SET SQL_MODE=@OLD_SQL_MODE */; -/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; -/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; -/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; -/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; -/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; -/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; - --- Dump completed on 2022-08-17 10:54:33 diff --git a/secrets.txt b/secrets.txt deleted file mode 100644 index 536aca3..0000000 --- a/secrets.txt +++ /dev/null @@ -1 +0,0 @@ -secret \ No newline at end of file diff --git a/services b/services index 027104e..c744bc4 100755 --- a/services +++ b/services 
@@ -2,126 +2,8 @@
 #
 # Command Line Interface to start all services associated with the Tutorial
 #
-# For this tutorial the commands are merely a convenience script to run docker or docker-compose
-#
-# Each services script can be run using either docker-compose (the external tool with the hyphen -)
-# or docker compose (the newer version directly bundled with Docker with a space )
-#
-# if you start up with the following command:
-#
-# ./services start legacy
-#
-# This will force the script to use docker-compose which may be more reliable in
-# some cases (or if an older version of Docker is being used)
 
 set -e
 
-dockerCmd="docker compose"
-if (( $# == 2 )); then
- dockerCmd="docker-compose"
-fi
-
-if (( $# < 1 )); then
- echo "Illegal number of parameters"
- echo "usage: services [create|https|start|stop]"
- exit 1
-fi
-
-
-startContainers () {
- echo ""
- export IDM_HTTPS_ENABLED="$1"
- ${dockerCmd} up -d --remove-orphans
- echo ""
-}
-
-displayServices () {
- echo ""
- docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" --filter name=fiware-*
- (gp ports list 2> /dev/null) || true
- echo ""
-}
-
-stoppingContainers () {
- CONTAINERS=$(docker ps --filter "label=org.fiware=tutorial" -aq)
- if [[ -n $CONTAINERS ]]; then
- echo "Stopping containers"
- docker rm -f $CONTAINERS || true
- fi
- VOLUMES=$(docker volume ls -qf dangling=true)
- if [[ -n $VOLUMES ]]; then
- echo "Removing old volumes"
- docker volume rm $VOLUMES || true
- fi
- NETWORKS=$(docker network ls --filter "label=org.fiware=tutorial" -q)
- if [[ -n $NETWORKS ]]; then
- echo "Removing tutorial networks"
- docker network rm $NETWORKS || true
- fi
-}
-
-waitForKeyrock () {
- echo -e "⏳ Waiting for \033[1;31mKeyrock\033[0m to be available\n"
-
- while [ `curl -s -o /dev/null -w %{http_code} 'http://localhost:3005/version'` -eq 000 ]
- do
- echo -e "Keyrock HTTP state: " `curl -s -o /dev/null -w %{http_code} 'http://localhost:3005/version'` " (waiting for 200)"
- sleep 5
- done
- echo -e " \033[1;32mdone\033[0m"
-}
-
-waitForSecureKeyrock () {
- echo -e "⏳ Waiting for \033[1;31mKeyrock\033[0m to be available\n"
-
- while [ `curl -k -s -o /dev/null -w %{http_code} 'https://localhost:3443/version'` -eq 000 ]
- do
- echo -e "Keyrock HTTP state: " `curl -k -s -o /dev/null -w %{http_code} 'https://localhost:3443/version'` " (waiting for 200)"
- sleep 5
- done
- echo -e " \033[1;32mdone\033[0m"
-}
-
-command="$1"
-case "${command}" in
- "help")
- echo "usage: services [create|https|start|stop]"
- ;;
- "start")
- export $(cat .env | grep "#" -v)
- stoppingContainers
- echo -e "Starting containers: \033[1;31mKeyrock\033[0m and a \033[1mMySQL\033[0m database."
- echo -e "- \033[1;31mKeyrock\033[0m is an Identity Management Front-End under HTTP"
- startContainers false
- waitForKeyrock
- displayServices
- echo -e "Now open \033[4mhttp://localhost:3005/idm\033[0m"
- ;;
- "https")
- stoppingContainers
- echo -e "Starting containers: \033[1;31mKeyrock\033[0m and a \033[1mMySQL\033[0m database."
- echo -e "- \033[1;31mKeyrock\033[0m is an Identity Management Front-End under HTTPS"
- startContainers true
- waitForSecureKeyrock
- displayServices
- echo -e "Now open \033[4mhttps://localhost:3443/idm\033[0m"
- ;;
- "stop")
- export $(cat .env | grep "#" -v)
- stoppingContainers
- ;;
- "create")
- export $(cat .env | grep "#" -v)
- echo "Pulling Docker images"
- docker pull -q quay.io/curl/curl
- ${dockerCmd} pull --ignore-pull-failures
- ;;
- *)
- echo "Command not Found."
- echo "usage: services [create|start|stop]"
- exit 127;
- ;;
-esac
-
-
-
+echo -e "Checkout the \033[1;36mNGSI-v2\033[0m branch of this repository to run the Smart Supermarket tutorial.\n"
+echo -e "Checkout the \033[1;31mNGSI-LD\033[0m branch of this repository to run the Smart Farm tutorial.\n"
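Review bot: The header comment kept as context, `# Command Line Interface to start all services associated with the Tutorial`, no longer describes the script: after this hunk it starts nothing and only prints two hints, so a reader on master is told the file does something it does not. Replace that comment line with something like `# Stub on master: the runnable tutorial lives on the NGSI-v2 and NGSI-LD branches; this script only prints where to find them.` The two added `echo -e` lines depend on a non-POSIX echo flag to render the ANSI escapes, and the shebang on line 1 is outside this hunk so I cannot confirm the interpreter guarantees that; `printf 'Checkout the \033[1;36mNGSI-v2\033[0m branch of this repository to run the Smart Supermarket tutorial.\n\n'` (and the same for the NGSI-LD line) prints identically under any POSIX shell, the format being a constant with no interpolated data. The retained `set -e` is harmless here but now guards nothing.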