Creating capture agent user and roles
28 views
Skip to first unread message
Pedrotti, Maxime
Jun 23, 2022, 7:56:54 AM6/23/22
to us...@opencast.org
Hi,
We are faced with a question about tenant-specific user accounts for capture agents in Opencast. Specifically, I am wondering which roles such a user would need, since I cannot seem to find a hint in the docs. We have a multi-installation & multi-tenant environment and would like to keep CA credentials separated by tenants, so using the installation-wide `opencast_system_account` is not really an option for us.
According to the developer docs (https://docs.opencast.org/r/11.x/developer/#modules/capture-agent/capture-agent/#authentication), a CA user can be created using the web interface or configuration files. In our case we would prefer giving our tenant admins the option to create CA users themselves as needed, instead of having to come to us asking for a configuration change on the server. From my understanding, such a user could then be used for authentication from an Opencast compatible CA (e.g. Extron SMP, pyCA, Galicaster, etc.)
Creating a user via the admin UI is fairly straightforward, but for the authorization part one would need to add appropriate roles (or we would create a group role with all required permissions). Understandably, a plain user without any roles (besides the basic default set) does not get access to the relevant endpoints.
Could anyone point me in the right direction as to which roles are necessary for a fully working CA user?
Thanks
Maxime
We are faced with a question about tenant-specific user accounts for capture agents in Opencast. Specifically, I am wondering which roles such a user would need, since I cannot seem to find a hint in the docs. We have a multi-installation & multi-tenant environment and would like to keep CA credentials separated by tenants, so using the installation-wide `opencast_system_account` is not really an option for us.
According to the developer docs (https://docs.opencast.org/r/11.x/developer/#modules/capture-agent/capture-agent/#authentication), a CA user can be created using the web interface or configuration files. In our case we would prefer giving our tenant admins the option to create CA users themselves as needed, instead of having to come to us asking for a configuration change on the server. From my understanding, such a user could then be used for authentication from an Opencast compatible CA (e.g. Extron SMP, pyCA, Galicaster, etc.)
Creating a user via the admin UI is fairly straightforward, but for the authorization part one would need to add appropriate roles (or we would create a group role with all required permissions). Understandably, a plain user without any roles (besides the basic default set) does not get access to the relevant endpoints.
Could anyone point me in the right direction as to which roles are necessary for a fully working CA user?
Thanks
Maxime
Lars Kiesow
Jun 24, 2022, 11:17:45 AM6/24/22
to us...@opencast.org
Hi Maxime,
if I remember correctly, assigning ROLE_CAPTURE_AGENT should be enough.
PyCA implements all authentication mechanisms and you can set the type
of authentication in its configuration file. That means you can use
regular users with HTTP Basic authentication and system users with HTTP
Digest authentication. The latter are the ones you can create only via
configuration file.
I'm not sure if older hardware capture agents like the Extron SMPs can
do that. I think they only support HTTP Digest authentication. So,
using front-end users might not work if you want to support these
devices as well.
Best regards,
Lars
if I remember correctly, assigning ROLE_CAPTURE_AGENT should be enough.
PyCA implements all authentication mechanisms and you can set the type
of authentication in its configuration file. That means you can use
regular users with HTTP Basic authentication and system users with HTTP
Digest authentication. The latter are the ones you can create only via
configuration file.
I'm not sure if older hardware capture agents like the Extron SMPs can
do that. I think they only support HTTP Digest authentication. So,
using front-end users might not work if you want to support these
devices as well.
Best regards,
Lars
Reply all
Reply to author
Forward
0 new messages