User Management
Our user model consists of 4 objects:
- Organization
- User
- Token
- Project
Organization and User are top level objects. A User can be a member of zero or more Organizations, though there isn't anything interesting to do until you are a member of at least one. Tokens are tied to a particular User. All other resources conceptually belong to an Organization, there is no cross Organization sharing.
When a User is added to an Organization, a default Project is created. This project is always used unless a specific Project is supplied as part of the request. In order to share resources, a new Project should be created and the Users should be added to it.
Additionally, if this is the user's only Organization, it is set as the default
Organization for that user. A request that targets the default Organization
does not need to name the Organization; a request that targets any other
Organization must specify it with the X-Organization-ID header.
Our RBAC system is only partially implemented: the only role we support is Admin,
and it is not fully rolled out. Until this changes, most user management
requires the admin API.
Initialization
If the database is empty on poc2 startup, it will be initialized with some
base objects required to use it. This involves:
- Creating an internal Organization.
- Creating an info@rockfish.ai user.
- Creating a token for this user in this organization.
- Writing this token to /tmp/.rockfish_init_auth.txt
This is convenient for development but is not meant for production. Instead, initialize the first Organization using poc2_admin.
Cluster Admin Tasks
A Cluster Admin is someone with access to the poc2_admin API. When a user is added to an Organization they can also be given roles within that Organization. Currently we have only an Admin role; a user with this role can add other users to the Organization and manage workers.
Currently, the Cluster Admin needs to create new Organizations and add at least the initial user to them.
Users can register themselves and generate their initial Token. Not all user operations are self-service, though; a Cluster Admin will still need to handle tasks such as duplicate emails and lost tokens.
Once a user has been created, they can be added to an Organization either by a Cluster Admin or someone in the Organization with the Admin role.
Future
In the future, using RBAC support we will move more functionality to the public API and allow users to manage their own Organizations.
Example
Create an Organization:
POST /organization HTTP/1.1
Content-Type: application/json
Host: localhost:8085
{
"name": "internal"
}
HTTP/1.1 201 Created
Content-Type: application/json
Location: http://localhost:8085/organization/3p0LSgObZv9pU9t6wu14hf
{
"id": "3p0LSgObZv9pU9t6wu14hf",
"name": "internal",
"self": "http://localhost:8085/organization/3p0LSgObZv9pU9t6wu14hf"
}
Create a User. When a new user is created, an initial Token is also created and returned. This can be done in the admin API with:
POST /user HTTP/1.1
Content-Type: application/json
Host: localhost:8085
{
"email": "info@rockfish.ai"
}
HTTP/1.1 201 Created
Content-Type: application/json
Location: http://localhost:8085/user/7gKMTR8C71L7QIdCOK5vev
{
"email": "info@rockfish.ai",
"id": "7gKMTR8C71L7QIdCOK5vev",
"self": "http://localhost:8085/user/7gKMTR8C71L7QIdCOK5vev",
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MTIwMDc3MjQsImlzcyI6ImFwaSIsIm5iZiI6MTcxMjAwNzcyNCwidG9rZW5faWQiOiIzalBuOG1oNFp4dnM1TU9ZYzFLOHh2IiwidXNlcl9pZCI6IjlXS0R1U0tFaUdIbnRLTnZTZUQ4aiJ9.u2VhE4mLyNrr0g2cYd9CzWrfgdC1M6JloiomPP8inDM"
}
Alternatively, anyone can create a User through the public API if they know the invite code, which is set in the configuration. This lets users obtain their initial token without it having to be passed along by an Admin:
POST /user?invite=aefah2Ef HTTP/1.1
Content-Type: application/json
Host: localhost:8080
{
"email": "howdy@rockfish.ai"
}
HTTP/1.1 201 Created
Content-Type: application/json
Location: http://localhost:8080/user/YAjOuJZLv52CjlY9D136b
{
"email": "howdy@rockfish.ai",
"id": "YAjOuJZLv52CjlY9D136b",
"self": "http://localhost:8080/user/YAjOuJZLv52CjlY9D136b",
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MTIwMDcxODMsImlzcyI6ImFwaSIsIm5iZiI6MTcxMjAwNzE4MywidG9rZW5faWQiOiIzMUo4elE2cnNDYklJdTd3akFaVGllIiwidXNlcl9pZCI6IllBak91SlpMdjUyQ2psWTlEMTM2YiJ9.6GSWk5AtXK-Kzcv74ihio1mUs1SWQGJeEQGPZXVVINY"
}
Add the User to the Organization:
PUT /organization/12EKySxEscyI3fk0zswGkN/user/7gKMTR8C71L7QIdCOK5vev HTTP/1.1
Content-Type: application/json
Host: localhost:8085
{
"roles": []
}
You can also add a User with the Admin role; these users can add additional users to the Organization and create Worker resources.
PUT /organization/12EKySxEscyI3fk0zswGkN/user/7gKMTR8C71L7QIdCOK5vev HTTP/1.1
Content-Type: application/json
Host: localhost:8085
{
"roles": ["Admin"]
}
HTTP/1.1 204 No Content
This has created a default Project:
GET /project HTTP/1.1
Host: localhost:8085
HTTP/1.1 200 OK
Content-Length: 245
Content-Type: application/json
[
{
"default": true,
"id": "1sBR2VHrMLTe8s2VlPwJVm",
"name": "Default Project",
"owner": "http://localhost:8085/user/7gKMTR8C71L7QIdCOK5vev",
"owner_id": "7gKMTR8C71L7QIdCOK5vev",
"self": "http://localhost:8085/project/1sBR2VHrMLTe8s2VlPwJVm"
}
]
You can create additional Tokens for the User:
POST /token HTTP/1.1
Host: localhost:8085
Content-Type: application/json
{
"user": "http://localhost:8085/user/7gKMTR8C71L7QIdCOK5vev"
}
HTTP/1.1 201 Created
Content-Type: application/json
Location: http://localhost:8085/token/nPR6eEmv7NfRGCOwQYTtc
{
"id": "nPR6eEmv7NfRGCOwQYTtc",
"organization": "http://localhost:8085/organization/12EKySxEscyI3fk0zswGkN",
"self": "http://localhost:8085/token/nPR6eEmv7NfRGCOwQYTtc",
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MDg3MTQxOTgsImlzcyI6ImFwaSIsIm5iZiI6MTcwODcxNDE5OCwib3JnX2lkIjoiMTJFS3lTeEVzY3lJM2ZrMHpzd0drTiIsInRva2VuX2lkIjoiblBSNmVFbXY3TmZSR0NPd1FZVHRjIiwidXNlcl9pZCI6IjdnS01UUjhDNzFMN1FJZENPSzV2ZXYifQ.opWZu9BfEEksuAPgYHPkA5UU7oW0WMUvnIToYqofeB8",
"user": "http://localhost:8085/user/7gKMTR8C71L7QIdCOK5vev"
}
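The two Tokens returned above (from POST /user on the public API and from POST /token on the admin API) differ in what they are bound to. The following script is an added example, not part of poc2 or its tooling: it decodes the claims of those two tokens without verifying the signature (the HS256 key is server-side) and applies the X-Organization-ID rule from the introduction. The claim names user_id, token_id and org_id are read from the tokens on this page; the org ids passed in the final call are the ones that appear in the responses above.

```python
"""Inspect poc2-issued JWTs and decide whether X-Organization-ID is needed."""
import base64
import json

# Tokens copied from the responses above: the first came back from
# POST /user (public API), the second from POST /token (admin API).
USER_CREATION_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MTIwMDcxODMsImlzcyI6ImFwaSIsIm5iZiI6MTcxMjAwNzE4MywidG9rZW5faWQiOiIzMUo4elE2cnNDYklJdTd3akFaVGllIiwidXNlcl9pZCI6IllBak91SlpMdjUyQ2psWTlEMTM2YiJ9.6GSWk5AtXK-Kzcv74ihio1mUs1SWQGJeEQGPZXVVINY"
ORG_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MDg3MTQxOTgsImlzcyI6ImFwaSIsIm5iZiI6MTcwODcxNDE5OCwib3JnX2lkIjoiMTJFS3lTeEVzY3lJM2ZrMHpzd0drTiIsInRva2VuX2lkIjoiblBSNmVFbXY3TmZSR0NPd1FZVHRjIiwidXNlcl9pZCI6IjdnS01UUjhDNzFMN1FJZENPSzV2ZXYifQ.opWZu9BfEEksuAPgYHPkA5UU7oW0WMUvnIToYqofeB8"


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment; JWTs strip the '=' padding."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_token(token: str) -> dict:
    """Return the binding claims of a token WITHOUT verifying its signature.

    The HS256 key lives only on the server, so this is for debugging and
    audit; nothing here proves the token is genuine or still valid.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    return {
        "alg": header.get("alg"),
        "user_id": claims.get("user_id"),
        "token_id": claims.get("token_id"),
        # org_id appears only on tokens minted via POST /token, not on the
        # initial token returned by POST /user.
        "org_id": claims.get("org_id"),
        "not_before": claims.get("nbf"),
    }


def org_headers(default_org_id: str, target_org_id: str) -> dict:
    """Rule from the introduction: a request against the user's default
    Organization needs no extra header; any other Organization must be
    named with X-Organization-ID."""
    if target_org_id == default_org_id:
        return {}
    return {"X-Organization-ID": target_org_id}


if __name__ == "__main__":
    for label, tok in (("POST /user", USER_CREATION_TOKEN), ("POST /token", ORG_TOKEN)):
        print(label, inspect_token(tok))
    print(org_headers("12EKySxEscyI3fk0zswGkN", "3p0LSgObZv9pU9t6wu14hf"))
```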