-
Notifications
You must be signed in to change notification settings - Fork 12
/
usage.html
575 lines (457 loc) · 47.6 KB
/
usage.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
<meta charset="utf-8" />
<meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Starting and Using the Server — Bluesky HTTP Server 0.0.8.post20+g265c27f documentation</title>
<link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="_static/plot_directive.css" type="text/css" />
<!--[if lt IE 9]>
<script src="_static/js/html5shiv.min.js"></script>
<![endif]-->
<script type="text/javascript" id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
<script data-url_root="./" id="documentation_options" src="_static/documentation_options.js"></script>
<script src="_static/doctools.js"></script>
<script src="_static/sphinx_highlight.js"></script>
<script type="text/javascript" src="_static/js/theme.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Controlling Run Engine Manager" href="control_re_manager.html" />
<link rel="prev" title="Introduction" href="introduction.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="index.html" class="icon icon-home"> Bluesky HTTP Server
</a>
<div class="version">
0.0.8.post20+g265c27f
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="search.html" method="get">
<input type="text" name="q" placeholder="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
<ul>
<li class="toctree-l1"><a class="reference internal" href="installation.html">Installation</a></li>
<li class="toctree-l1"><a class="reference internal" href="release-history.html">Release History</a></li>
</ul>
<p class="caption" role="heading"><span class="caption-text">User's Guide</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="introduction.html">Introduction</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">Starting and Using the Server</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#starting-the-server">Starting the Server</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#single-user-mode">Single-User Mode</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#passing-single-user-api-key-by-setting-an-environment-variable">Passing single-user API key by setting an environment variable</a></li>
<li class="toctree-l4"><a class="reference internal" href="#specifying-single-user-api-key-in-configuration-file">Specifying single-user API key in configuration file</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#passing-configuration-to-the-server">Passing Configuration to the Server</a></li>
<li class="toctree-l3"><a class="reference internal" href="#enabling-anonymous-public-access">Enabling Anonymous Public Access</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#authentication-api-for-users">Authentication API for Users</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#logging-into-the-server-requesting-token">Logging into the Server (Requesting Token)</a></li>
<li class="toctree-l3"><a class="reference internal" href="#generating-api-keys">Generating API Keys</a></li>
<li class="toctree-l3"><a class="reference internal" href="#verifying-scopes-of-access-tokens-and-api-keys">Verifying Scopes of Access Tokens and API Keys</a></li>
<li class="toctree-l3"><a class="reference internal" href="#getting-information-on-api-key">Getting Information on API Key</a></li>
<li class="toctree-l3"><a class="reference internal" href="#deleting-api-key">Deleting API Key</a></li>
<li class="toctree-l3"><a class="reference internal" href="#refreshing-sessions">Refreshing Sessions</a></li>
<li class="toctree-l3"><a class="reference internal" href="#whoami">whoami</a></li>
<li class="toctree-l3"><a class="reference internal" href="#revoking-sessions">Revoking Sessions</a></li>
<li class="toctree-l3"><a class="reference internal" href="#passing-tokens-and-api-keys-in-api-requests">Passing Tokens and API Keys in API Requests</a></li>
<li class="toctree-l3"><a class="reference internal" href="#logging-out-of-the-server">Logging Out of the Server</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#administrative-api">Administrative API</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#getting-information-on-all-principals">Getting Information on All Principals</a></li>
<li class="toctree-l3"><a class="reference internal" href="#getting-information-on-a-selected-principal">Getting Information on a Selected Principal</a></li>
<li class="toctree-l3"><a class="reference internal" href="#generating-an-api-key-for-a-principal">Generating an API Key for a Principal</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="control_re_manager.html">Controlling Run Engine Manager</a></li>
<li class="toctree-l1"><a class="reference internal" href="configuration.html">Server Configuration</a></li>
</ul>
<p class="caption" role="heading"><span class="caption-text">Related Projects</span></p>
<ul>
<li class="toctree-l1"><a class="reference external" href="https://blueskyproject.io/bluesky-queueserver">Bluesky Queue Server</a></li>
<li class="toctree-l1"><a class="reference external" href="https://blueskyproject.io/bluesky-queueserver-api">Bluesky Queue Server API</a></li>
<li class="toctree-l1"><a class="reference external" href="https://blueskyproject.io/bluesky-widgets">Bluesky Widgets</a></li>
<li class="toctree-l1"><a class="reference external" href="https://blueskyproject.io/bluesky">Bluesky</a></li>
<li class="toctree-l1"><a class="reference external" href="https://blueskyproject.io/ophyd">Ophyd</a></li>
<li class="toctree-l1"><a class="reference external" href="https://blueskyproject.io/databroker">Data Broker</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<nav class="wy-nav-top" aria-label="top navigation">
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="index.html">Bluesky HTTP Server</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="breadcrumbs navigation">
<ul class="wy-breadcrumbs">
<li><a href="index.html" class="icon icon-home"></a> »</li>
<li>Starting and Using the Server</li>
<li class="wy-breadcrumbs-aside">
<a href="_sources/usage.rst.txt" rel="nofollow"> View page source</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="starting-and-using-the-server">
<h1>Starting and Using the Server<a class="headerlink" href="#starting-and-using-the-server" title="Permalink to this heading">¶</a></h1>
<p>The examples illustrate how to access API of the Bluesky HTTP Server using
<code class="docutils literal notranslate"><span class="pre">httpie</span></code> command-line tool. Though it is unlikely that <code class="docutils literal notranslate"><span class="pre">httpie</span></code> is ever used
to control the server in practical deployments, the instructions could be useful for application developers
for testing the server and understanding how the API work.</p>
<p>Installation instructions for <code class="docutils literal notranslate"><span class="pre">httpie</span></code>: <a class="reference external" href="https://httpie.io/docs/cli/installation">https://httpie.io/docs/cli/installation</a>.</p>
<p>In the examples it is assumed that the server address is <code class="docutils literal notranslate"><span class="pre">localhost</span></code> and the server
port is <code class="docutils literal notranslate"><span class="pre">60610</span></code>. The address and the port are used by default by Bluesky Queue Server
components and should be substituted by custom address and/or port if necessary.</p>
<section id="starting-the-server">
<span id="starting-http-server"></span><h2>Starting the Server<a class="headerlink" href="#starting-the-server" title="Permalink to this heading">¶</a></h2>
<section id="single-user-mode">
<h3>Single-User Mode<a class="headerlink" href="#single-user-mode" title="Permalink to this heading">¶</a></h3>
<p>The server can configured to operate in single-user mode. The mode is useful
for demos and testing, but it could be used in small local deployments where no
true authorization is required. The single-user API key is be passed to
the server by setting an environment variable <code class="docutils literal notranslate"><span class="pre">QSERVER_HTTP_SERVER_SINGLE_USER_API_KEY</span></code>
or listed in server config files (<code class="docutils literal notranslate"><span class="pre">authentication/single_user_api_key</span></code>).
API key listed in config files overrides the key in environment variable.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Single-user mode is disabled if any providers are specified in the server
config files even if single-user API key is passed to the server. Make supported
that <code class="docutils literal notranslate"><span class="pre">authentication/providers</span></code> section is not included in the config files
if single-user access is the desired mode of authorization.</p>
</div>
<section id="passing-single-user-api-key-by-setting-an-environment-variable">
<span id="passing-single-user-api-key-as-ev"></span><h4>Passing single-user API key by setting an environment variable<a class="headerlink" href="#passing-single-user-api-key-by-setting-an-environment-variable" title="Permalink to this heading">¶</a></h4>
<p>An API key is an arbitrary non-empty string that consists of alphanumeric characters.
Substitute <cite><generated-api-key></cite> for the generated API key:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">QSERVER_HTTP_SERVER_SINGLE_USER_API_KEY</span><span class="o">=<</span><span class="n">generated</span><span class="o">-</span><span class="n">api</span><span class="o">-</span><span class="n">key</span><span class="o">></span> <span class="n">uvicorn</span> <span class="o">--</span><span class="n">host</span> <span class="n">localhost</span> <span class="o">--</span><span class="n">port</span> <span class="mi">60610</span> <span class="n">bluesky_httpserver</span><span class="o">.</span><span class="n">server</span><span class="p">:</span><span class="n">app</span>
</pre></div>
</div>
</section>
<section id="specifying-single-user-api-key-in-configuration-file">
<span id="passing-single-user-api-key-in-config"></span><h4>Specifying single-user API key in configuration file<a class="headerlink" href="#specifying-single-user-api-key-in-configuration-file" title="Permalink to this heading">¶</a></h4>
<p>Alternatively, the single-user API key may be specified in the server config file.
It is considered unsafe practice to explicitly list API keys in config files, so
the purpose of this feature is mainly to customize the name of environment variable
used to pass the API key if the default name is inconvenient.</p>
<p>For example, the following config file (e.g. <code class="docutils literal notranslate"><span class="pre">config.yml</span></code>) causes the server
to load single-user API key from the environment variable <code class="docutils literal notranslate"><span class="pre">SU_API_KEY</span></code>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>authentication:
single_user_api_key: ${SU_API_KEY}
</pre></div>
</div>
<p>The environment variable must be set to the generated API key:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">export</span> <span class="n">SU_API_KEY</span><span class="o">=<</span><span class="n">generated</span><span class="o">-</span><span class="n">api</span><span class="o">-</span><span class="n">key</span><span class="o">></span>
</pre></div>
</div>
<p>and the path to the config file passed to the server:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">QSERVER_HTTP_SERVER_CONFIG</span><span class="o">=</span><span class="n">config</span><span class="o">.</span><span class="n">yml</span> <span class="n">uvicorn</span> <span class="o">--</span><span class="n">host</span> <span class="n">localhost</span> <span class="o">--</span><span class="n">port</span> <span class="mi">60610</span> <span class="n">bluesky_httpserver</span><span class="o">.</span><span class="n">server</span><span class="p">:</span><span class="n">app</span>
</pre></div>
</div>
</section>
</section>
<section id="passing-configuration-to-the-server">
<span id="passing-config-to-server"></span><h3>Passing Configuration to the Server<a class="headerlink" href="#passing-configuration-to-the-server" title="Permalink to this heading">¶</a></h3>
<p>In practical deployments, server configuration is represented as one or more YML files.
Path to the location of startup files is passed to the server using the environment variable
<code class="docutils literal notranslate"><span class="pre">QSERVER_HTTP_SERVER_CONFIG</span></code>. The path may point to a single file or a directory with multiple
files. If the variable is not set, then no configuration is loaded. The settings from in config files
override settings passed as environment variables.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># 'config.yml' in the current working directory</span>
<span class="n">QSERVER_HTTP_SERVER_CONFIG</span><span class="o">=</span><span class="n">config</span><span class="o">.</span><span class="n">yml</span> <span class="n">uvicorn</span> <span class="o">--</span><span class="n">host</span> <span class="n">localhost</span> <span class="o">--</span><span class="n">port</span> <span class="mi">60610</span> <span class="n">bluesky_httpserver</span><span class="o">.</span><span class="n">server</span><span class="p">:</span><span class="n">app</span>
<span class="c1"># 'config.yml' in the directory '~/.config/qserver/http'</span>
<span class="n">QSERVER_HTTP_SERVER_CONFIG</span><span class="o">=~/.</span><span class="n">qserver</span><span class="o">/</span><span class="n">http</span><span class="o">/</span><span class="n">config</span><span class="o">.</span><span class="n">yml</span> <span class="n">uvicorn</span> <span class="o">--</span><span class="n">host</span> <span class="n">localhost</span> <span class="o">--</span><span class="n">port</span> <span class="mi">60610</span> <span class="n">bluesky_httpserver</span><span class="o">.</span><span class="n">server</span><span class="p">:</span><span class="n">app</span>
<span class="c1"># Multiple config files in the directory '~/.config/qserver/http'</span>
<span class="n">QSERVER_HTTP_SERVER_CONFIG</span><span class="o">=~/.</span><span class="n">config</span><span class="o">/</span><span class="n">qserver</span><span class="o">/</span><span class="n">http</span> <span class="n">uvicorn</span> <span class="o">--</span><span class="n">host</span> <span class="n">localhost</span> <span class="o">--</span><span class="n">port</span> <span class="mi">60610</span> <span class="n">bluesky_httpserver</span><span class="o">.</span><span class="n">server</span><span class="p">:</span><span class="n">app</span>
</pre></div>
</div>
</section>
<section id="enabling-anonymous-public-access">
<span id="id1"></span><h3>Enabling Anonymous Public Access<a class="headerlink" href="#enabling-anonymous-public-access" title="Permalink to this heading">¶</a></h3>
<p>Anonymous public access is disabled by default. It can be enabled by setting <code class="docutils literal notranslate"><span class="pre">authentication/allow_anonymous_access</span></code>
in the server config file:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">authentication</span><span class="p">:</span>
<span class="n">allow_anonymous_access</span><span class="p">:</span> <span class="kc">True</span>
</pre></div>
</div>
<p>Anonymous public access rules are applied when no API key or token is passed with API requests.
API calls with invalid token or API key are rejected even if public access is enabled.</p>
</section>
</section>
<section id="authentication-api-for-users">
<h2>Authentication API for Users<a class="headerlink" href="#authentication-api-for-users" title="Permalink to this heading">¶</a></h2>
<section id="logging-into-the-server-requesting-token">
<h3>Logging into the Server (Requesting Token)<a class="headerlink" href="#logging-into-the-server-requesting-token" title="Permalink to this heading">¶</a></h3>
<p>Users log into the server by calling <code class="docutils literal notranslate"><span class="pre">/auth/provider/<provider-name>/token</span></code>, where <code class="docutils literal notranslate"><span class="pre"><provider-name></span></code>
should be substituted by the name of authentication provider. A user submits <em>username</em> and <em>password</em>
with the API request and gets access token and refresh token. The access token is used for authorization
of other API requests and the refresh token is used to request new access token when current token expires.</p>
<p>The server must be configured to have at least one active authentication provider. The server is shipped
with simple <code class="docutils literal notranslate"><span class="pre">DictionaryAPIAccessControl</span></code> authentication policy, which performs authentication based
on dictionary that maps usernames and passwords and intended for use in demos and testing. The following
is an example of a config file sets up <code class="docutils literal notranslate"><span class="pre">DictionaryAPIAccessControl</span></code> as a provider named <code class="docutils literal notranslate"><span class="pre">toy</span></code>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>authentication:
providers:
- provider: toy
authenticator: bluesky_httpserver.authenticators:DictionaryAuthenticator
args:
users_to_passwords:
bob: ${BOB_PASSWORD}
alice: ${ALICE_PASSWORD}
tom: ${TOM_PASSWORD}
api_access:
policy: bluesky_httpserver.authorization:DictionaryAPIAccessControl
args:
users:
bob:
roles:
- admin
- expert
alice:
roles: user
tom:
roles: observer
</pre></div>
</div>
<p>Generally it is not a good idea to explicitly list passwords in configuration files. Using environment
variables is more secure. The environment variable should be set before starting the server:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">export</span> <span class="n">BOB_PASSWORD</span><span class="o">=</span><span class="n">bob_password</span>
<span class="n">export</span> <span class="n">ALICE_PASSWORD</span><span class="o">=</span><span class="n">alice_password</span>
<span class="n">export</span> <span class="n">TOM_PASSWORD</span><span class="o">=</span><span class="n">tom_password</span>
</pre></div>
</div>
<p>Then users <code class="docutils literal notranslate"><span class="pre">bob</span></code>, <code class="docutils literal notranslate"><span class="pre">alice</span></code> and <code class="docutils literal notranslate"><span class="pre">tom</span></code> can log into the server as</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">http</span> <span class="o">--</span><span class="n">form</span> <span class="n">POST</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">provider</span><span class="o">/</span><span class="n">toy</span><span class="o">/</span><span class="n">token</span> <span class="n">username</span><span class="o">=</span><span class="n">bob</span> <span class="n">password</span><span class="o">=</span><span class="n">bob_password</span>
</pre></div>
</div>
<p>If authentication is successful, then the server returns access and refresh tokens.</p>
</section>
<section id="generating-api-keys">
<h3>Generating API Keys<a class="headerlink" href="#generating-api-keys" title="Permalink to this heading">¶</a></h3>
<p>Users that are assigned the scope <code class="docutils literal notranslate"><span class="pre">user:apikeys</span></code> can generate API keys used for authorization
without logging into the server. API keys are often used for long-running applications or
autonomous agents. API keys carry information that allows the server to identify the user
who generated the key and the scopes that define access permissions. The scopes of an API key
may be a full set or a subset of user’s scopes.</p>
<p>The API <code class="docutils literal notranslate"><span class="pre">/auth/apikey</span></code> accepts three parameters:</p>
<blockquote>
<div><ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">expires_in</span></code> (int) - time until expiration of the API key in seconds;</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">scopes</span></code> (option, list of strings) - list of scopes;</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">note</span></code> (optional, string) - text message;</p></li>
</ul>
</div></blockquote>
<p>API keys may be generated using a valid token or an API key with the scope <code class="docutils literal notranslate"><span class="pre">user:apikeys</span></code>.
If no <code class="docutils literal notranslate"><span class="pre">scopes</span></code> are specified in the request, then API <em>inherits</em> scopes of the user
(if authorized by token) or created using a copy of scopes of the original API key
(if authorized by API key). The <em>inherited</em> scopes change as user privileges change and
may be expanded if the user is given additional permissions. If the parameter <code class="docutils literal notranslate"><span class="pre">scopes</span></code>
is used to pass a list of scopes, then the API key has a <em>fixed</em> set of scopes. API request
may never access API outside the listed scopes even if user privileges are extended.
If user privileges are reduced, some scopes may not be accessed even if they are listed.</p>
<p>The user generating API key must be permitted to use each scope listed in the request.
If the new key is generated based on the existing API key, each scope must also be
allowed for the existing API key. The request fails if any of the listed scopes is
not permitted.</p>
<p>Request API key that inherits the scopes of the user (principal) using an access token
(replace <code class="docutils literal notranslate"><span class="pre"><token></span></code> with the token):</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">http</span> <span class="n">POST</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">apikey</span> <span class="n">expires_in</span><span class="o">:=</span><span class="mi">900</span> <span class="s1">'Authorization: Bearer <token>'</span>
</pre></div>
</div>
<p>Request API key with fixed set of scopes (scopes are a subset of the scopes of the principal)
using an access token:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">http</span> <span class="n">POST</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">apikey</span> <span class="n">expires_in</span><span class="o">:=</span><span class="mi">900</span> <span class="n">scopes</span><span class="o">:=</span><span class="s1">'["read:status", "user:apikeys"]'</span> <span class="s1">'Authorization: Bearer <token>'</span>
</pre></div>
</div>
<p>Request API key using an existing API key. The scopes for the new key are a copy of the scopes of
the existing key:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">http</span> <span class="n">POST</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">apikey</span> <span class="n">expires_in</span><span class="o">:=</span><span class="mi">900</span> <span class="s1">'Authorization: ApiKey <apikey>'</span>
</pre></div>
</div>
<p>Request API key with fixed set of scopes using an existing API key:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">http</span> <span class="n">POST</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">apikey</span> <span class="n">expires_in</span><span class="o">:=</span><span class="mi">900</span> <span class="n">scopes</span><span class="o">:=</span><span class="s1">'["read:status"]'</span> <span class="s1">'Authorization: ApiKey <apikey>'</span>
</pre></div>
</div>
</section>
<section id="verifying-scopes-of-access-tokens-and-api-keys">
<h3>Verifying Scopes of Access Tokens and API Keys<a class="headerlink" href="#verifying-scopes-of-access-tokens-and-api-keys" title="Permalink to this heading">¶</a></h3>
<p>User can verify currently permissions for a token or API key at any time by sending <code class="docutils literal notranslate"><span class="pre">/auth/scopes</span></code> request.
The API returns the list of assigned roles and the list of scopes applied to the token or the API key:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># Get scopes for the access token</span>
<span class="n">http</span> <span class="n">GET</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">scopes</span> <span class="s1">'Authorization: Bearer <token>'</span>
<span class="c1"># Get scopes for the API key</span>
<span class="n">http</span> <span class="n">GET</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">scopes</span> <span class="s1">'Authorization: ApiKey <api-key>'</span>
</pre></div>
</div>
</section>
<section id="getting-information-on-api-key">
<h3>Getting Information on API Key<a class="headerlink" href="#getting-information-on-api-key" title="Permalink to this heading">¶</a></h3>
<p>Information on an existing API key may be obtained calling <code class="docutils literal notranslate"><span class="pre">/auth/apikey</span></code> (GET) API and using
the API key for authentication:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">http</span> <span class="n">GET</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">apikey</span> <span class="s1">'Authorization: ApiKey <apikey>'</span>
</pre></div>
</div>
</section>
<section id="deleting-api-key">
<h3>Deleting API Key<a class="headerlink" href="#deleting-api-key" title="Permalink to this heading">¶</a></h3>
<p>API key may be deleted by an authenticated user by calling <code class="docutils literal notranslate"><span class="pre">/auth/apikey</span></code> (DELETE). The API key
used for authorization of the API request can also be deleted:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># Authorization using token</span>
<span class="n">http</span> <span class="n">DELETE</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">apikey</span> <span class="n">first_eight</span><span class="o">==<</span><span class="n">first</span><span class="o">-</span><span class="n">eight</span><span class="o">-</span><span class="n">chars</span><span class="o">-</span><span class="n">of</span><span class="o">-</span><span class="n">key</span><span class="o">></span> <span class="s1">'Authorization: Bearer <token>'</span>
<span class="c1"># Authorization using API key</span>
<span class="n">http</span> <span class="n">DELETE</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">apikey</span> <span class="n">first_eight</span><span class="o">==<</span><span class="n">first</span><span class="o">-</span><span class="n">eight</span><span class="o">-</span><span class="n">chars</span><span class="o">-</span><span class="n">of</span><span class="o">-</span><span class="n">key</span><span class="o">></span> <span class="s1">'Authorization: ApiKey <api-key>'</span>
</pre></div>
</div>
</section>
<section id="refreshing-sessions">
<h3>Refreshing Sessions<a class="headerlink" href="#refreshing-sessions" title="Permalink to this heading">¶</a></h3>
<p>Refresh token returned by <code class="docutils literal notranslate"><span class="pre">/auth/apikey</span></code> can be used to obtain replacement access tokens by calling
<code class="docutils literal notranslate"><span class="pre">/auth/session/refresh</span></code> API:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">http</span> <span class="n">POST</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">session</span><span class="o">/</span><span class="n">refresh</span> <span class="n">refresh_token</span><span class="o">=<</span><span class="n">refresh</span><span class="o">-</span><span class="n">token</span><span class="o">></span>
</pre></div>
</div>
</section>
<section id="whoami">
<h3>whoami<a class="headerlink" href="#whoami" title="Permalink to this heading">¶</a></h3>
<p>An access token or an API key may be used to obtain full information about the user, including
principal identities and open sessions by calling <code class="docutils literal notranslate"><span class="pre">/auth/whoami</span></code> API:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># 'whoami' using the access token</span>
<span class="n">http</span> <span class="n">GET</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">scopes</span> <span class="s1">'Authorization: Bearer <token>'</span>
<span class="c1"># 'whoami' using the API key</span>
<span class="n">http</span> <span class="n">GET</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">scopes</span> <span class="s1">'Authorization: ApiKey <api-key>'</span>
</pre></div>
</div>
</section>
<section id="revoking-sessions">
<h3>Revoking Sessions<a class="headerlink" href="#revoking-sessions" title="Permalink to this heading">¶</a></h3>
<p>Authenticated user may revoke any of the open sessions using session UUID. The list of sessions
is returned by <code class="docutils literal notranslate"><span class="pre">/auth/whoami</span></code> API. Revoking the session invalidates the respective refresh token.
Access tokens and API keys will continue working until expiration.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># Revoke session using access token</span>
<span class="n">http</span> <span class="n">DELETE</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">session</span><span class="o">/</span><span class="n">revoke</span><span class="o">/<</span><span class="n">full</span><span class="o">-</span><span class="n">session</span><span class="o">-</span><span class="n">uid</span><span class="o">></span> <span class="s1">'Authorization: Bearer <token>'</span>
<span class="c1"># Revoke session using API key</span>
<span class="n">http</span> <span class="n">DELETE</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">session</span><span class="o">/</span><span class="n">revoke</span><span class="o">/<</span><span class="n">full</span><span class="o">-</span><span class="n">session</span><span class="o">-</span><span class="n">uid</span><span class="o">></span> <span class="s1">'Authorization: ApiKey <api-key>'</span>
</pre></div>
</div>
</section>
<section id="passing-tokens-and-api-keys-in-api-requests">
<span id="passing-tokens-and-api-keys-with-api-requests"></span><h3>Passing Tokens and API Keys in API Requests<a class="headerlink" href="#passing-tokens-and-api-keys-in-api-requests" title="Permalink to this heading">¶</a></h3>
<p>Generated access tokens or API keys can be used for authorization in API requests.
<code class="docutils literal notranslate"><span class="pre">/status</span></code> API returns the status of RE Manager:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># Get scopes for the access token</span>
<span class="n">http</span> <span class="n">GET</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">status</span> <span class="s1">'Authorization: Bearer <token>'</span>
<span class="c1"># Get scopes for the API key</span>
<span class="n">http</span> <span class="n">GET</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">status</span> <span class="s1">'Authorization: ApiKey <api-key>'</span>
</pre></div>
</div>
</section>
<section id="logging-out-of-the-server">
<h3>Logging Out of the Server<a class="headerlink" href="#logging-out-of-the-server" title="Permalink to this heading">¶</a></h3>
<p>The API <code class="docutils literal notranslate"><span class="pre">/auth/logout</span></code> is not changing the state of the server and returns <code class="docutils literal notranslate"><span class="pre">{}</span></code> (empty
dictionary). The purpose of the API is to delete any tokens or API keys stored locally by
the browser. The API request does not require authentication:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">http</span> <span class="n">POST</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">logout</span>
</pre></div>
</div>
</section>
</section>
<section id="administrative-api">
<h2>Administrative API<a class="headerlink" href="#administrative-api" title="Permalink to this heading">¶</a></h2>
<p>Some API are available only to clients with administrative permissons
(scope <code class="docutils literal notranslate"><span class="pre">admin:read:principals</span></code> and/or <code class="docutils literal notranslate"><span class="pre">admin:apikeys</span></code>).</p>
<section id="getting-information-on-all-principals">
<h3>Getting Information on All Principals<a class="headerlink" href="#getting-information-on-all-principals" title="Permalink to this heading">¶</a></h3>
<p>Clients with <code class="docutils literal notranslate"><span class="pre">admin:read:principals</span></code> may get information on all active principals using
<code class="docutils literal notranslate"><span class="pre">/auth/principal</span></code> API. The API is similar to <code class="docutils literal notranslate"><span class="pre">/auth/whoami</span></code>, but instead of returning
a single item with information on authorized principal it returns the list of items
for all principal:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># Get information on all principals using token with admin privileges</span>
<span class="n">http</span> <span class="n">GET</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">principal</span> <span class="s1">'Authorization: Bearer <token>'</span>
<span class="c1"># Get information on all principals using API key with admin privileges</span>
<span class="n">http</span> <span class="n">GET</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">principal</span> <span class="s1">'Authorization: ApiKey <api-key>'</span>
</pre></div>
</div>
</section>
<section id="getting-information-on-a-selected-principal">
<h3>Getting Information on a Selected Principal<a class="headerlink" href="#getting-information-on-a-selected-principal" title="Permalink to this heading">¶</a></h3>
<p>Clients with <code class="docutils literal notranslate"><span class="pre">admin:read:principals</span></code> may get information on any principals
using <code class="docutils literal notranslate"><span class="pre">/auth/principal/<principal-UUID></span></code> API.
The principals are identified by UUID. The returned data is structured
identically as the data returned by <code class="docutils literal notranslate"><span class="pre">/auth/whoami</span></code>, but may represent any
user of the server, not only the authorized user:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># Get information on a selected principal using token with admin privileges</span>
<span class="n">http</span> <span class="n">GET</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">principal</span><span class="o">/<</span><span class="n">principal</span><span class="o">-</span><span class="n">UUID</span><span class="o">></span> <span class="s1">'Authorization: Bearer <token>'</span>
<span class="c1"># Get information on all principals using API key with admin privileges</span>
<span class="n">http</span> <span class="n">GET</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">principal</span><span class="o">/<</span><span class="n">principal</span><span class="o">-</span><span class="n">UUID</span><span class="o">></span> <span class="s1">'Authorization: ApiKey <api-key>'</span>
</pre></div>
</div>
</section>
<section id="generating-an-api-key-for-a-principal">
<h3>Generating an API Key for a Principal<a class="headerlink" href="#generating-an-api-key-for-a-principal" title="Permalink to this heading">¶</a></h3>
<p>Clients with <code class="docutils literal notranslate"><span class="pre">admin:apikeys</span></code> scope may generate API keys for any principal in the system
using <code class="docutils literal notranslate"><span class="pre">/auth/principal/<principal-UUID>/apikey</span></code> API.
The scopes for the generated API key are limited by permissions assigned to the principal
(not the client sending the request). The API works similarly to <code class="docutils literal notranslate"><span class="pre">/auth/apikey</span></code>
and accepts identical set of parameters: <code class="docutils literal notranslate"><span class="pre">expires_in</span></code> is a required parameter
representing API key expiration time in seconds, <code class="docutils literal notranslate"><span class="pre">scopes</span></code> and <code class="docutils literal notranslate"><span class="pre">note</span></code> are optional parameters.
The API call must be authorized using a token or an API key of the client with administrative
privileges.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># Generate API key for a given selected principal using token with admin privileges</span>
<span class="n">http</span> <span class="n">POST</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">principal</span><span class="o">/<</span><span class="n">principal</span><span class="o">-</span><span class="n">UUID</span><span class="o">>/</span><span class="n">apikey</span> <span class="n">expires_in</span><span class="o">:=</span><span class="mi">900</span> <span class="s1">'Authorization: Bearer <token>'</span>
<span class="c1"># Generate API key for a given selected principal using API key with admin privileges</span>
<span class="n">http</span> <span class="n">POST</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">localhost</span><span class="p">:</span><span class="mi">60610</span><span class="o">/</span><span class="n">api</span><span class="o">/</span><span class="n">auth</span><span class="o">/</span><span class="n">principal</span><span class="o">/<</span><span class="n">principal</span><span class="o">-</span><span class="n">UUID</span><span class="o">>/</span><span class="n">apikey</span> <span class="n">expires_in</span><span class="o">:=</span><span class="mi">900</span> <span class="s1">'Authorization: ApiKey <api-key>'</span>
</pre></div>
</div>
</section>
</section>
</section>
</div>
</div>
<footer>
<div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
<a href="control_re_manager.html" class="btn btn-neutral float-right" title="Controlling Run Engine Manager" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
<a href="introduction.html" class="btn btn-neutral float-left" title="Introduction" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
</div>
<hr/>
<div role="contentinfo">
<p>
© Copyright 2021, Brookhaven National Laboratory.
</p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script type="text/javascript">
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>