# pycarta Administrative Functions

This notebook demonstrates administrative tasks including user management, group management, and secrets management.

## Prerequisites

- Valid Carta authentication (see `01_authentication.ipynb`)
- Administrative privileges for user/group management

## Setup

In [3]:
import pycarta as pc

# Ensure you're authenticated
pc.login(interactive=True)  # Opens the interactive login; authenticate before running the user/group cells below

True

## User Management

Create, retrieve, and manage users:

In [4]:
from pycarta.admin.user import (
    create_user,
    get_current_user,
    get_user,
    list_users,
    reset_user_password,
)
from pycarta.admin.types import User

print("User management functions imported")

User management functions imported


In [6]:
# Get the current user
try:
    current_user = get_current_user()
    print(f"Current user: {current_user.name}")
    print(f"Email: {current_user.email}")
    print(f"Full name: {current_user.firstName} {current_user.lastName}")
except Exception as e:
    print(f"Error getting current user: {e}")
    print("Note: This requires valid authentication")

Current user: branden.kappes
Email: branden.kappes@contextualize.us.com
Full name: Branden Kappes


In [8]:
# List all users
try:
    user_list = list_users()
    print(f"Total users found: {len(user_list)}")
    if user_list:
        print("First few users:")
        for user in user_list[:3]:  # Show first 3 users
            print(f"  - {user.name} ({user.email})")
except Exception as e:
    print(f"Error listing users: {e}")
    print("Note: This requires admin privileges")

Total users found: 120
First few users:
  - Aimpf.admin (user.admin@contextualize.us.com)
  - GeorgiaTechSAML_acaputo7 (acaputo7@gatech.edu)
  - GeorgiaTechSAML_acoksaygili3 (acoksaygili3@gatech.edu)


In [9]:
# Create a new user (example - commented for safety)
try:
    new_user = User(
        name="test_user",
        email="test@example.com",
        lastName="Doe",
        firstName="Jane"
    )
    # create_user(new_user)  # Commented out - uncomment to actually create
    print("User creation example ready (uncomment to actually create)")
    print(f"Would create: {new_user.firstName} {new_user.lastName} ({new_user.email})")
except Exception as e:
    print(f"Error with user creation example: {e}")

User creation example ready (uncomment to actually create)
Would create: Jane Doe (test@example.com)


In [None]:
# Search for users by email, username, etc.
params = {
    "username": current_user.name,
    "email": current_user.email,
    "first_name": current_user.firstName,
    "last_name": current_user.lastName,
}

for key, query in params.items():
    try:
        # Search for users by various properties: username, email, first name, or last name.
        match = get_user(**{key: query})
        if not match:
            print(f"No user found with {key}={query}")
            continue
        # A single hit comes back as a User, several hits as a list of User.
        count = len(match) if isinstance(match, list) else 1
        print(f"Found {count} matching user{'s' if count != 1 else ''}:", str(match))
    except Exception as e:
        print(f"Error with user search: {e}")

Found 1 matching user: name='branden.kappes' email='branden.kappes@contextualize.us.com' organization='UTEP' id='f0713161-f0f9-4284-a29d-10c331fb703e' lastName='Kappes' firstName='Branden' groups=None
Found 1 matching user: name='branden.kappes' email='branden.kappes@contextualize.us.com' organization='UTEP' id='f0713161-f0f9-4284-a29d-10c331fb703e' lastName='Kappes' firstName='Branden' groups=None
Found 2 matching users: [User(name='GeorgiaTechSAML_bkappes6', email='bkappes6@gatech.edu', organization=None, id='e9945a7e-2273-4760-a294-90d9848dcf1e', lastName='Kappes', firstName='Branden', groups=None), User(name='branden.kappes', email='branden.kappes@contextualize.us.com', organization='UTEP', id='f0713161-f0f9-4284-a29d-10c331fb703e', lastName='Kappes', firstName='Branden', groups=None)]
Found 2 matching users: [User(name='GeorgiaTechSAML_bkappes6', email='bkappes6@gatech.edu', organization=None, id='e9945a7e-2273-4760-a294-90d9848dcf1e', lastName='Kappes', firstName='Branden', group
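
The first_name and last_name searches above return two accounts for one person: a local account and an IdP-provisioned one (the `GeorgiaTechSAML_` prefix). That is exactly what an access review has to catch, since both accounts carry credentials and both must be revoked at offboarding. The following is an added example, not pycarta code: an offline access-review pass over a constructed user list. `UserRecord` mirrors the fields the pycarta `User` objects above expose, the sample users and `ORG_DOMAINS` are made up, and the `SAML_` marker used to recognise federated accounts is an assumption about the naming scheme rather than a pycarta attribute. With pycarta the same report would be produced from `list_users()`.

```python
from collections import defaultdict
from dataclasses import dataclass
from pprint import pprint
from typing import Optional


@dataclass
class UserRecord:
    """Local stand-in with the same fields the pycarta User objects above expose."""
    name: str
    email: str
    organization: Optional[str]
    id: str
    lastName: str
    firstName: str
    groups: Optional[list] = None


# Constructed sample directory (not real accounts). The second entry is an
# IdP-provisioned account for the same person as the first, the pattern the
# first_name/last_name searches above turned up.
SAMPLE_USERS = [
    UserRecord(name="jdoe", email="jdoe@example.org", organization="ExampleOrg",
               id="0001", lastName="Doe", firstName="Jane", groups=["ExampleOrg:All"]),
    UserRecord(name="UniSAML_jdoe3", email="jdoe3@uni.example.edu", organization=None,
               id="0002", lastName="Doe", firstName="Jane", groups=None),
    UserRecord(name="rroe", email="rroe@mail.example", organization="ExampleOrg",
               id="0003", lastName="Roe", firstName="Richard", groups=None),
    UserRecord(name="svc.dashboards", email="svc@example.org", organization="ExampleOrg",
               id="0004", lastName="Account", firstName="Service", groups=["ExampleOrg:All"]),
]

# Assumed: the e-mail domains each organization owns.
ORG_DOMAINS = {"ExampleOrg": {"example.org"}}


def is_federated(user: UserRecord, marker: str = "SAML_") -> bool:
    """Federated accounts carry an IdP marker in the username (e.g. 'GeorgiaTechSAML_').
    The marker is an assumption about the naming scheme, not a pycarta attribute."""
    return marker in user.name


def find_duplicate_identities(users):
    """Accounts that share a (first, last) name: usually a local account plus a
    federated one for the same person, i.e. two credentials to revoke at offboarding."""
    by_person = defaultdict(list)
    for u in users:
        key = (u.firstName.strip().lower(), u.lastName.strip().lower())
        by_person[key].append(u.name)
    return {k: sorted(v) for k, v in by_person.items() if len(v) > 1}


def find_users_without_groups(users):
    """Accounts in no group get nothing from group-based authorization; they are
    either stale or being granted access per user, which is harder to audit."""
    return sorted(u.name for u in users if not u.groups)


def find_email_domain_mismatch(users, org_domains):
    """Accounts assigned to an organization but registered with an outside e-mail domain."""
    flagged = []
    for u in users:
        allowed = org_domains.get(u.organization or "", set())
        domain = u.email.rsplit("@", 1)[-1].lower()
        if allowed and domain not in allowed:
            flagged.append((u.name, domain))
    return sorted(flagged)


def access_review(users, org_domains):
    """One report a reviewer can walk through; every entry needs a decision."""
    return {
        "duplicate_identities": find_duplicate_identities(users),
        "no_groups": find_users_without_groups(users),
        "federated": sorted(u.name for u in users if is_federated(u)),
        "domain_mismatch": find_email_domain_mismatch(users, org_domains),
    }


if __name__ == "__main__":
    # With pycarta this would be access_review(list_users(), ORG_DOMAINS).
    pprint(access_review(SAMPLE_USERS, ORG_DOMAINS))
```

The report deliberately flags rather than acts: which of two accounts for one person is the intended one, and whether a group-less account is stale, are decisions for the administrator, and the point of a regular review is that each flagged entry gets one.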

In [13]:
# Reset user password (careful!)
try:
    # reset_user_password(current_user.name)  # Commented for safety; User exposes .name, not .username
    print("Password reset example ready (commented for safety)")
    print("This would reset the current user's password")
except Exception as e:
    print(f"Error with password reset: {e}")

Password reset example ready (commented for safety)
This would reset the current user's password


## Group Management

Create and manage groups for authorization:

In [14]:
from pycarta.admin.types import Group
from pycarta.admin.user import get_current_user
from pycarta.admin.group import (
    add_user_to_group,
    create_group,
    list_members as list_group_members,
)

print("Group management functions imported")

Group management functions imported


In [16]:
# Create a new group (example)
try:
    name = "DevelopersTeam"
    organization = "MyCompany"
    # Best practice: use namespaced group names to avoid conflicts
    group = Group(name=name, organization=organization)
    
    # create_group(group)  # Commented out - uncomment to actually create
    print(f"Group creation for '{name}' in organization '{organization}' example ready")
    print(f"Would create group: {group.organization}:{group.name}")
    print("Note: Group names must be unique across the Carta platform")
except Exception as e:
    print(f"Error with group creation: {e}")

Group creation for 'DevelopersTeam' in organization 'MyCompany' example ready
Would create group: MyCompany:DevelopersTeam
Note: Group names must be unique across the Carta platform


In [17]:
# Add user to group
try:
    # user = get_current_user()
    # add_user_to_group(user, group)  # Commented out
    print("Add user to group example ready")
    print("This would add the current user to the specified group")
except Exception as e:
    print(f"Error with adding user to group: {e}")

Add user to group example ready
This would add the current user to the specified group


In [None]:
# List group members
groups = get_current_user().groups  # Groups in which you are a member.

for group in groups or []:  # groups is None for a user who belongs to no group
    try:
        members = list_group_members(group)
        print(f"Group members in {group}: {[member.name for member in members]}")
    except Exception as e:
        print(f"Error listing group members: {e}")

Group members in Birdshot:All: ['kkaczmarek', 'jparamore', 'dlewis', 'nthomas', 'admin.contextualize', 'enorris', 'jsaini', 'attari.v', 'heoh', 'stephen.seruya', 'kxiao', 'user1.army', 'thomas.ralph', 'dsmula', 'shafiq', 'bbutler', 'samantha.kotze', 'user1.birdshot', 'wxu', 'gpharr', 'asrivastava', 'rmahat', 'htrevor', 'raymundo.arroyave', 'mrinalini', 'mskokan', 'justin.wilkerson', 'bvela', 'robert.robinson', 'jacob.hempel', 'lindsey.kuettner', 'nperson', 'htian', 'manish.vasoya', 'bpsahu', 'michelle.daya', 'michelle.prd', 'admin.birdshot', 'branden.kappes', 'melverud', 'hwang', 'dkhatamsaz', 'clinton.strosser', 'ahnafalvi', 'ikaramin']
Group members in Contextualize:All: ['admin.contextualize', 'lindsey.kuettner', 'william.silloway', 'michelle.daya', 'branden.kappes', 'chen.chen', 'kyle.pittman']
Group members in UTEP:All: ['avenzorna', 'admin.utep', 'david.espalin', 'dummy.utep.dashboards', 'hunter.taylor', 'lindsey.kuettner', 'blopez', 'dakota.morgan', 'jorge.mireles', 'ryan.wicker

## Secrets Management

Store and retrieve sensitive information securely:

In [37]:
from pycarta.admin.secret import put_secret, get_secret

print("Secrets management functions imported")
print("Note: Secrets are user-specific and cannot be shared between users")
print("Some consequences:")
print("  1. The same secret name retrieves a different value for each user.")
print("  2. Secrets cannot be listed, so keep track of the names you use.")
print("     Together these let an application store per-user details under one fixed name.")

Secrets management functions imported
Note: Secrets are user-specific and cannot be shared between users
Some consequences:
  1. The same secret name retrieves a different value for each user.
  2. Secrets cannot be listed, so keep track of the names you use.
     Together these let an application store per-user details under one fixed name.


In [38]:
# Store secrets (example)
try:
    # put_secret(name="db-username", value="joe")  # Commented for safety
    # put_secret(name="db-password", value="abc123def")  # Commented for safety
    
    print("Secret storage example ready")
    print("This would store database credentials securely")
    print("Uncomment and modify with real values when needed")
except Exception as e:
    print(f"Error storing secrets: {e}")

Secret storage example ready
This would store database credentials securely
Uncomment and modify with real values when needed


In [39]:
# Retrieve secrets
try:
    # username = get_secret("db-username")
    # password = get_secret("db-password")
    # print(f"Retrieved username: {username}")
    # print("Retrieved password: [redacted]")  # Print neither the value nor its length
    
    print("Secret retrieval example ready")
    print("This would retrieve stored credentials")
except Exception as e:
    print(f"Error retrieving secrets: {e}")

Secret retrieval example ready
This would retrieve stored credentials


## Practical Secrets Example

A more realistic example using getpass for secure input:

In [None]:
import getpass

def store_database_credentials():
    """Securely store database credentials."""
    try:
        # Prompt user for credentials
        username = input("Database username: ")
        password = getpass.getpass("Database password: ")
        
        # Store securely
        put_secret(name="db-username", value=username)
        put_secret(name="db-password", value=password)
        
        print("Database credentials stored securely")
        return True
    except Exception as e:
        print(f"Error storing credentials: {e}")
        return False

def get_database_credentials():
    """Retrieve stored database credentials."""
    try:
        username = get_secret("db-username")
        password = get_secret("db-password")
        return username, password
    except Exception as e:
        print(f"Error retrieving credentials: {e}")
        return None, None

print("Practical secrets management functions defined")
print("Call store_database_credentials() to securely store credentials")
print("Call get_database_credentials() to retrieve them")

## Group-based Authorization Example

Combining user/group management with authorization:

In [None]:
import pycarta

# Example: Function that requires group membership
@pycarta.authorize(groups=["MyCompany:DevelopersTeam"])
def developer_only_function():
    """Function only accessible to developers."""
    return {
        "message": "Access granted to developer function",
        "data": "Sensitive development information"
    }

@pycarta.authorize(groups=["MyCompany:Admins"], users=["jqpublic"])
def admin_function():
    """Function for admins or specific users."""
    return {
        "message": "Admin access granted",
        "admin_data": "Administrative information"
    }

print("Authorization functions defined")
print("These will check group membership before allowing access")
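
The decorators above leave the access rule implicit. The following is an added example, not pycarta's own code: a minimal stand-in for `@pycarta.authorize` that makes the rule explicit and testable offline. It assumes the semantics the two usages above imply (the caller is allowed if their username is listed in `users` or they belong to at least one group in `groups`; everyone else is denied), passes the caller identity in explicitly as a `Principal` instead of reading it from the Carta session, refuses un-namespaced group names, and records every decision in an audit log. `Principal`, `NotAuthorized`, `AUDIT_LOG` and the sample callers are all constructed for the example.

```python
import functools
from dataclasses import dataclass


class NotAuthorized(PermissionError):
    """Raised when the caller matches neither the users nor the groups allow-list."""


@dataclass(frozen=True)
class Principal:
    """The caller as the check sees it (assumed shape: username plus namespaced groups)."""
    name: str
    groups: frozenset = frozenset()


# Every allow/deny decision is recorded so administrative access can be reviewed later.
AUDIT_LOG = []


def _require_namespaced(group: str) -> str:
    """Groups are 'Organization:Group'. Refuse bare names so an allow-list entry
    like 'Admins' can never silently match another organization's group."""
    org, sep, name = group.partition(":")
    if not (sep and org and name):
        raise ValueError(f"group {group!r} must be written as 'Org:Group'")
    return group


def authorize(groups=(), users=()):
    """Stand-in for @pycarta.authorize: allow if the caller is a listed user OR
    belongs to at least one listed group; deny everything else."""
    allowed_groups = frozenset(_require_namespaced(g) for g in groups)
    allowed_users = frozenset(users)
    if not allowed_groups and not allowed_users:
        raise ValueError("an empty allow-list would lock everyone out; be explicit")

    def decorator(func):
        @functools.wraps(func)
        def wrapper(principal: Principal, *args, **kwargs):
            # The caller is passed explicitly here; in pycarta it comes from the session.
            if principal.name in allowed_users:
                reason = "user allow-list"
            elif principal.groups & allowed_groups:
                reason = "group " + ",".join(sorted(principal.groups & allowed_groups))
            else:
                AUDIT_LOG.append((principal.name, func.__name__, "DENY", "no matching user or group"))
                raise NotAuthorized(f"{principal.name} may not call {func.__name__}")
            AUDIT_LOG.append((principal.name, func.__name__, "ALLOW", reason))
            return func(*args, **kwargs)

        wrapper.allowed_groups = allowed_groups
        wrapper.allowed_users = allowed_users
        return wrapper

    return decorator


@authorize(groups=["MyCompany:DevelopersTeam"])
def developer_only_function():
    return {"message": "Access granted to developer function"}


@authorize(groups=["MyCompany:Admins"], users=["jqpublic"])
def admin_function():
    return {"message": "Admin access granted"}


def demo():
    """The cases that matter: group match, user match, and a caller whose groups
    look similar ('Admins', 'OtherOrg:Admins') but are not the namespaced one required."""
    AUDIT_LOG.clear()
    dev = Principal("alice", frozenset({"MyCompany:DevelopersTeam"}))
    jq = Principal("jqpublic")
    outsider = Principal("mallory", frozenset({"OtherOrg:Admins", "Admins"}))
    results = {
        "dev_calls_dev": developer_only_function(dev)["message"],
        "jq_calls_admin": admin_function(jq)["message"],
    }
    try:
        admin_function(outsider)
        results["outsider_calls_admin"] = "allowed"
    except NotAuthorized:
        results["outsider_calls_admin"] = "denied"
    try:
        authorize(groups=["Admins"])
        results["bare_group_name"] = "accepted"
    except ValueError:
        results["bare_group_name"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
    for entry in AUDIT_LOG:
        print(entry)
```

Two design choices carry the security weight: the default is deny (the wrapper only reaches the protected function after a positive match), and group names are matched whole, namespace included, so a decorator written with a bare group name fails at definition time rather than quietly granting access to the wrong organization's group.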

## Best Practices for Administration

Key recommendations:

1. Group naming
   - Use namespaced names: "MyOrg:MyGroup". Group names must be unique across the Carta platform, so the organization prefix is what keeps two teams' "Developers" groups from colliding.
   - Be descriptive: "Acme:DataScientists" rather than "DataTeam".

2. User management
   - Grant access through groups rather than per-user lists wherever possible.
   - Audit user access regularly. A person may hold both a local account and a federated (SAML) account; both need reviewing and both need revoking when they leave.
   - Apply the principle of least privilege.

3. Secrets management
   - Secrets are user-specific and cannot be shared; each user stores their own copy.
   - Use descriptive secret names and keep a record of them, because secrets cannot be listed.
   - Rotate sensitive credentials regularly.
   - Never hardcode secrets in code or notebooks, including in commented-out cells.

4. Authorization
   - Prefer group-based over user-based authorization.
   - Review and update permissions regularly.
   - Test authorization in a development environment before relying on it.

5. Security
   - Read passwords with getpass, never input(), so they are neither echoed nor saved in the notebook's output.
   - Log administrative actions.
   - Handle errors without leaking secret values into tracebacks or cell output.
   - Run regular security audits.


## Next Steps

After setting up users and groups:
1. Create services with authorization (see `03_services.ipynb`)
2. Set up MQTT messaging (see `04_mqtt.ipynb`) 
3. Use data management features (see `05_data_management.ipynb`)
4. Integrate with Seven Bridges (see `06_seven_bridges.ipynb`)