# Securing an Atoti session with Basic authentication


Securing a session comes in two parts:
1. Implementing authentication mechanism to secure access to the session
2. Restricting access of modules or data access by users based on the roles granted

__Security implementation is one of the [locked features](https://docs.atoti.io/latest/how_tos/unlock_all_features.html) that is not available in Atoti Community Edition. To try out this notebook, you can request for an [evaluation license](https://atoti.io/evaluation-license-request/) to unlock all the features.__ 

Atoti supports multiple [authentication mechanisms](https://docs.atoti.io/latest/lib/atoti/atoti.config.authentication.html) to cater to the needs of our end users.  

This notebook demonstrates the actions required to implement such security:
- Users to be created in Atoti. Users will login using their username and password.
- Users to be assigned minimally the role of __ROLE_USER__ to be able to access the Atoti web application.

We will explore the Atoti security features using the [Top 50 Fast Food](https://www.kaggle.com/datasets/stetsondone/top50fastfood) dataset from Kaggle, combined with its parent company information sourced from the internet.


__Note__:  

The notebook is structured in this order:
1. Authentication setup during session instantiation
2. Create BI analytics platform with Atoti
3. Users and roles management with Atoti

Mainly, we look at the roles last because we need to know the names of the tables and columns which we want to impose restrictions on.  
Thereafter, we can create the roles with restrictions. Check out [Atoti documentation](https://docs.atoti.io) to read more on [securing the session](https://docs.atoti.io/latest/how_tos/secure_a_session.html#Configuring-the-authentication-mechanism).  

<div style="text-align: center;" ><a href="https://www.atoti.io/?utm_source=gallery&utm_content=basic-auth" target="_blank" rel="noopener noreferrer"><img src="https://data.atoti.io/notebooks/banners/Discover-Atoti-now.png" alt="Try Atoti"></a></div>

In [1]:
import atoti as tt
import pandas as pd
import requests

## 1. Authentication setup in Atoti

The `realm` below is used to isolate sessions running on the same domain, so if we have only a single session, we can ignore it.  
It will be defaulted to some machine-wide unique ID.

In [2]:
authentication = tt.BasicAuthenticationConfig(realm="atoti Realm")

In [3]:
session = tt.Session(
    port=10011,
    authentication=authentication,
    user_content_storage="./content",
    java_options=["-Dlogging.level.org.springframework.security=DEBUG"],
)

### 1.1 Debug security setup

During the initial setup, it is useful to configure the [Spring Security logging](https://www.baeldung.com/spring-security-enable-logging) to help in debugging any potential issues in the connectivity.  
As shown in the above code snippet, we can turn on logging with `logging.level.org.springframework.security` set to the `DEBUG` level using the `java_options`.

## 2. Create BI analytics platform with Atoti 

Once the session is created, we can proceed with the usual data loading into Atoti table, cube and measures creation.  
Remember to re-execute these cells if you have changed the mode of authentiction.

### 2.1 Table creation

Although we can [`create table`](https://docs.atoti.io/latest/lib/atoti/atoti.session.html#atoti.Session.create_table) before loading data in, we used `read_csv` in our example to create and load data into the Atoti tables.

In [4]:
base_tbl = session.read_csv(
    "s3://data.atoti.io/notebooks/security/data/parent_co.csv",
    table_name="parent_co",
    keys=["company", "parent_company"],
    process_quotes=True,
)
base_tbl.head()

Unnamed: 0_level_0,Unnamed: 1_level_0,name
parent_company,company,Unnamed: 2_level_1
Inspire Brands,arbys,Arby's
"Domino's Pizza, Inc.",dominos,Domino's
"Papa Murphy's Holdings, Inc.",papa_murphys,Papa Murphy's
Focus Brands,auntie_annes,Auntie Anne's
Panda Restaurant Group,panda_express,Panda Express


In [5]:
enrichment_tbl = session.read_csv(
    "s3://data.atoti.io/notebooks/security/data/top_50_fast_food_US.csv",
    table_name="top_50",
    keys=["company"],
)
enrichment_tbl.head()

Unnamed: 0_level_0,category,sales_in_millions_2019,sales_per_unit_thousands_2019,franchised_units_2019,company_owned_units_2019,total_units_2019,unit_change_from_2018
company,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1
popeyes_chicken,chicken,3750,1541,2458,41,2499,131
del_taco,global,850,1554,296,300,596,16
jack_in_the_box,burger,3505,1565,2106,137,2243,6
tim_hortons,sandwich,840,1165,715,0,715,-12
mcdonalds,burger,40413,2912,13154,692,13846,-66


In [6]:
base_tbl.join(enrichment_tbl)

### 2.2. Cube creation

In [7]:
cube = session.create_cube(base_tbl, "Fast food analysis")

### 2.3 Measures creation

In [8]:
h, l, m = cube.hierarchies, cube.levels, cube.measures

In [9]:
m["sales_in_millions"] = tt.agg.sum(enrichment_tbl["sales_in_millions_2019"])
m["sales_per_unit_thousands"] = tt.agg.sum(
    enrichment_tbl["sales_per_unit_thousands_2019"]
)
m["franchised_units"] = tt.agg.sum(enrichment_tbl["franchised_units_2019"])
m["company_owned_units"] = tt.agg.sum(enrichment_tbl["company_owned_units_2019"])
m["total_units"] = tt.agg.sum(enrichment_tbl["total_units_2019"])
m["unit_change_from_2018"] = tt.agg.sum(enrichment_tbl["unit_change_from_2018"])

In [10]:
m["% franchised"] = m["franchised_units"] / m["total_units"]
m["% franchised"].formatter = "DOUBLE[0.00%]"

## 3. Roles management in Atoti

Let's create some constants for the user id of the users we will be creating.  

In [11]:
ADMIN_USER = "atoti_admin"
ATOTI_USER = "atoti_user"

INSPIRE_USER1 = "Inspire_user1"
INSPIRE_USER2 = "Inspire_user2"
INSPIRE_MANAGER = "Inspire_manager"
RESTAURANT_USER1 = "Restaurant_user1"
RESTAURANT_USER2 = "Restaurant_user2"
RESTAURANT_MANAGER = "Restaurant_manager"

### 3.1. Create user

Users' information are retrieved from authentication provider if one is used. However, in the case of basic authentication, users are created in Atoti.
Making use of the [BasicSecurity](https://docs.atoti.io/latest/lib/atoti-query/atoti_query.security.basic_security.html#atoti_query.security.basic_security.BasicSecurity) module, we create an Atoti administrator and a generic Atoti user as shown below:

In [12]:
session.security.basic.credentials[ADMIN_USER] = "password"
session.security.basic.credentials[ATOTI_USER] = "password"

We cherry-picked two parent companies - Inspire Brands and Restaurant Brands International LLC to demonstrate the roles and access management.  
We will create the users based on the list available on [basic_user_pwd.csv](https://data.atoti.io/notebooks/security/users/basic_user_pwd.csv).

In [13]:
users_df = pd.read_csv("users/basic_user_pwd.csv")

for row in users_df.to_dict(orient="records"):
    if row["Status"] == "Active":
        session.security.basic.credentials[row["User"]] = row["Password"]
        print(f"Create user: {row['User']}")

Create user: Inspire_user1
Create user: Inspire_user2
Create user: Inspire_manager
Create user: Restaurant_user1
Create user: Restaurant_user2
Create user: Restaurant_manager


The system reserved role `ROLE_USER` is automatically assigned to the created users.  
This meant that these users will all be able to access all the web application and all the available data.  
We can, however, restrict access for the users by assigning them roles with restricted access.

#### 3.1.1 Add/Modify/Delete user with watchdog

We can use third party file watchers such as [watchdog](https://python-watchdog.readthedocs.io/en/stable/) to monitor our flat file containing the list of users and their passwords.  
Along with a status indicator, we can easily add/modify/delete users upon file modification.

In [14]:
from watchdog.events import FileCreatedEvent, FileSystemEventHandler
from watchdog.observers.polling import PollingObserver


class AtotiWatcher(FileSystemEventHandler):
    def on_modified(self, event: FileCreatedEvent):
        try:
            users_df = pd.read_csv(event.src_path)

            for row in users_df.to_dict(orient="records"):
                if (row["User"] not in session.security.basic.credentials.keys()) & (
                    row["Status"] == "Active"
                ):
                    session.security.basic.credentials[row["User"]] = row["Password"]
                    print(f"Create user: {row['User']}")
                else:
                    if row["Status"] == "Inactive":
                        session.security.basic.credentials.pop(row["User"])
                        print(f"Deleted inactive user: {row['User']}")
                    else:
                        session.security.basic.credentials[row["User"]] = row[
                            "Password"
                        ]
                        print(f"Update user password: {row['User']}")

        except Exception as error:
            print(error)


observer = PollingObserver()
observer.schedule(AtotiWatcher(), "users")
observer.start()

### 3.2. Atoti reserved roles  

The below roles are reserved in Atoti and should not be altered by users:
- ROLE_ADMIN: able to access all objects in the web application
- ROLE_USER: able to access all data by default. Access to objects such as dashboards, folders, widgets etc is only upon sharing access granted to role.

__All users, including the administrator, require the role *ROLE\_USER* to be able to access the Atoti UI.__

Let's assume both users, *atoti\_admin* and *atoti\_user*, have been granted the role __ROLE_USER__ and *atoti\_admin* is also granted the role __ROLE_ADMIN__.  
While both *atoti\_admin* and *atoti\_user* are able to access all data, *atoti\_admin* is able to access all objects such as folders and dashboards.  
*atoti\_user* is able to access only the objects created by the user him/herself. Objects created by other users can only be access upon shared access granted.  


In [15]:
session.security.individual_roles[ADMIN_USER] = {"ROLE_USER", "ROLE_ADMIN"}
session.security.individual_roles[ATOTI_USER] = {"ROLE_USER"}

Try logging in to the Atoti UI from the below link using either of the users `atoti_admin` or `atoti_user`.

In [16]:
session.link()

Open the notebook in JupyterLab with the Atoti extension enabled to see this link.

#### 3.2.1 Sharing role configuration 

In Atoti version before v0.8.0, we assign the role `ROLE_SHARE` to users in order to be able to let them share objects such as dashboards, folders, widgets and filters.  
Both *atoti\_admin* and *atoti\_user* will not be able to share objects (via the "Share" icon as shown below) unless granted the role __ROLE_SHARE__.  

<img src="img/share_function.png" width="50%"/>  

From version v0.8.0 onwards, the role `ROLE_SHARE` is removed. Instead, users with the role `ROLE_USER` will the ability to perform sharing by default.  

<img src="img/admin_share.png" width="50%"/>


We can configure the sharing permission from the Atoti Admin UI which is accessible from the link below. Login with a user that has the role `ROLE_ADMIN` assigned.

In [17]:
session.link(path="/admin")

Open the notebook in JupyterLab with the Atoti extension enabled to see this link.

##### 3.2.1.2 Creating technical users

In case we want to limit the users who has the ability to perform sharing, we can either update the `canShare` permission for `ROLE_USER` to `false` from the Admin UI; or we can use the rest service to do so.  

Let's create a [technical user](https://docs.atoti.io/latest/how_tos/secure_a_session.html#Technical-users) (also called service accounts) for updating the backend. Atoti automatically enables Basic Authentication on the session even though we are using OIDC authentication mechanism.

In [18]:
technical_user_name = "ATOTI_TECH_ADMIN"
technical_user_password = "password"

technical_user = session.security.basic.credentials[
    technical_user_name
] = technical_user_password
session.security.individual_roles[technical_user_name] = {"ROLE_USER", "ROLE_ADMIN"}

In [19]:
from requests.auth import HTTPBasicAuth

response = requests.put(
    f"http://localhost:{session.port}/activeviam/content/rest/v7/files?path=ui/user_roles/ROLE_USER/permissions",
    auth=(technical_user_name, technical_user_password),
    json={
        "content": '{"canShare": false}',
        "owners": ["atoti_admin"],
        "readers": ["ROLE_USER"],
        "overwrite": True,
        "recursive": True,
    },
)

In the event we want to control the sharing rights using roles from Authentication providers, we can create the intended role in the Admin UI.  
For instance, suppose the role that is supposed to have sharing permission is call `ROLE_SHARE`, we can run the below request to create the role with `canShare` set to `true`.  

In [20]:
response = requests.put(
    f"http://localhost:{session.port}/activeviam/content/rest/v7/files?path=ui/user_roles/ROLE_SHARE/permissions",
    auth=(technical_user_name, technical_user_password),
    json={
        "content": '{"canShare": true}',
        "owners": ["atoti_admin"],
        "readers": ["ROLE_USER"],
        "overwrite": True,
        "recursive": True,
    },
)

Below is what we see in the Admin server:  

<img src="img/role_share_permission.png" />  

Now, any users who are assigned the role `ROLE_SHARE` will have the ability to perform sharing.  
In the below snippet, we grant `atoti_admin` the additional role `ROLE_SHARE` using `|` to append its existing list of roles. Now, only the admin user is able to perform sharing.

In [21]:
session.security.individual_roles[ADMIN_USER] |= {"ROLE_SHARE"}

### 3.3. Role creation with restrictions  

Data restriction is based on users' requirement. In our use case, we assumed two groups of users with data access limited to those of their parent company:
- users belonging to parent company _Inspire Brands_
- users belonging to parent company _Restaurant Brands International Inc._

Therefore, we will create two roles to apply the restrictions based on the `parent_company` column from the `parent_co` table.  
We will define key that is a tuple, consisting of the name of the table and its column, along with the restricted values imposed on it. 

__NOTE:__  
- We can skip role creation if there are no restrictions imposed on the role. 
- The value provided under the restrictions is cap-sensitive.

In [22]:
ROLE_INSPIRE = "ATOTI_ROLE_INSPIRE"
ROLE_RESTAURANT = "ATOTI_ROLE_RESTAURANT"

session.security.restrictions.update(
    {
        ROLE_INSPIRE: (base_tbl["parent_company"] == "Inspire Brands"),
        ROLE_RESTAURANT: (
            base_tbl["parent_company"] == "Restaurant Brands International Inc."
        ),
    }
)

#### 3.3.1 Restricted access from combination of roles

Multiple roles can be assigned to the same user. To demonstrate how the access will change when this happens, we create some other roles that restrict data access by the restaurant category, i.e. column `category` from the table `top_50`.

In [23]:
ROLE_BURGER = "ATOTI_ROLE_BURGER"
ROLE_SANDWICH = "ATOTI_ROLE_SANDWICH"
ROLE_SNACK = "ATOTI_ROLE_SNACK"

session.security.restrictions.update(
    {
        ROLE_BURGER: enrichment_tbl["category"] == "burger",
        ROLE_SANDWICH: enrichment_tbl["category"] == "sandwich",
        ROLE_SNACK: enrichment_tbl["category"] == "snack",
    }
)

When combined with the restricted role on the `parent_company`, user's access will be further restricted to based on the restriction of the added role.  

For instance, users who are assigned the role __ATOTI_ROLE_BURGER__ will be able to access all the data under _burger_ category restaurants, regardless of the parent companies.  

However, when the same user is also granted the role __ATOTI_ROLE_INSPIRE__, then the user can only access data of restaurants under parent company _Inspire Brands_ that is of category _burger_. 

### 3.4. Role assignments (Good reference for roles setup in authentication providers)  

We can grant Atoti roles directly to users created in Atoti without having to perform role mappings like in OIDC.

#### 3.4.1 Multiple roles assignment  

We grant the managers only access to the data available under their parent companies.  
These restrictions will be applied under the role __ATOTI_ROLE_INSPIRE__ and __ATOTI_ROLE_RESTAURANT__ respectively.  

Also, the managers will be granted __ROLE_SHARE__ for them to share the objects such as dashboards and widgets for which they are the owners of.

In [24]:
session.security.individual_roles[INSPIRE_MANAGER] = {
    "ROLE_USER",
    "ROLE_SHARE",
    ROLE_INSPIRE,
}
session.security.individual_roles[RESTAURANT_MANAGER] = {
    "ROLE_USER",
    "ROLE_SHARE",
    ROLE_RESTAURANT,
}

Each company has two users that have even more restricted access than the managers.  
User 1 of each company can only access data for restaurants of category _burgers_ with role __ATOTI_ROLE_BURGER__.  
User 2 of each company can only access data for restaurants of category _sandwich_ and _snack_ with roles __ATOTI_ROLE_SANDWICH__ and __ATOTI_ROLE_SNACK__.  

Combined with either the role __ATOTI_ROLE_INSPIRE__ or __ATOTI_ROLE_RESTAURANT__, they will only see the specific category of restaurants under their parent companies.

In [25]:
session.security.individual_roles.update(
    {
        INSPIRE_USER1: {"ROLE_USER", ROLE_INSPIRE, ROLE_BURGER},
        INSPIRE_USER2: {"ROLE_USER", ROLE_INSPIRE, ROLE_SANDWICH, ROLE_SNACK},
        RESTAURANT_USER1: {"ROLE_USER", ROLE_RESTAURANT, ROLE_BURGER},
        RESTAURANT_USER2: {"ROLE_USER", ROLE_RESTAURANT, ROLE_SANDWICH, ROLE_SNACK},
    }
)

## 4. Test login and access management in web application

Try out any of these users. Password is simply "password".

___Administrator___
- atoti_admin

___Generic user___
- atoti_user

___Inspire Brands users___
- Inspire_user1
- Inspire_user2
- Inspire_manager

___Restaurant Brands International LLC users___
- Restaurant_user1
- Restaurant_user2
- Restaurant_manager

In [26]:
session.link()

Open the notebook in JupyterLab with the Atoti extension enabled to see this link.

<div style="text-align: center;" ><a href="https://www.atoti.io/?utm_source=gallery&utm_content=basic-auth" target="_blank" rel="noopener noreferrer"><img src="https://data.atoti.io/notebooks/banners/Your-turn-to-try-Atoti.jpg" alt="Try Atoti"></a></div>