How to add new apps to OZP?


Gang Yang

Dec 1, 2016, 4:36:25 PM
to ozoneplatform-users
Hi,

I've created an OZP VM with some help from this group. Now I'm trying to add one of our existing Java-based webapps to OZP. After logging in, I don't seem to be able to find any mechanism to allow me to add a new app. My questions are:

- Is there an admin user, like OWF, where I can add and configure a new app and assign accesses to users and groups?

- If not, how can I add a new app, to the Center I guess, so that I can bookmark it to the HUD and eventually run it in WebTop?

Thanks,
Gang

Ross Pokorny

Dec 2, 2016, 7:41:40 AM
to ozoneplat...@googlegroups.com
Gang

To add a new listing (app) to OZP, go to the drop down menu in the top right
corner (the one with the three horizontal lines as an icon). In that drop
down, click Submit a Listing. After you fill out the form and save the
listing, it must be approved. The approval is a two step process where the
listing must first be approved by a Content Steward and then by an admin.

Once the listing is saved, begin the approval workflow by clicking the Submit
button at the top of the listing form. Then as an admin, go into the Listing
Management page accessible from the upper-right corner drop down menu. On
that page go to Recent Activity and you should see the listing that was just
submitted at the top of the list. Click on it to open its modal view. On
that view, go to the Administration tab and click through both remaining steps
of the approval process. The listing is now approved and should be visible to
all users in the New Arrivals on the Center home page.

Ross Pokorny

Gang Yang

Dec 2, 2016, 1:22:16 PM
to ozoneplatform-users
Hi, Ross,

Thanks again. The instruction was precise and worked. I also found the user's guide. The only thing that was missing is a logout mechanism that would allow a user to log out and log in as a different user. I had to close the browser and log in as an admin user to complete the approval process. I remember OWF used to have a logout.

Gang

Ross Pokorny

Dec 2, 2016, 1:32:37 PM
to ozoneplat...@googlegroups.com
Gang

The reason that OZP doesn't have a concept of logging out is because the
server is stateless - it doesn't store sessions and therefore there is no
effect for a logout to have. Every HTTP request is authenticated separately,
which means that it is up to the browser to decide when to send or stop
sending your credentials. The default setup uses HTTP Basic authentication.
Most browsers will continue to re-send your username and password in the HTTP
WWW-Authenticate header until you close the browser or (on some browsers)
clear your browsing data.

When I need to login quickly as someone else I find it convenient to use an
incognito tab.

Ross Pokorny
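
The per-request authentication described above, as an added example that is not part of the original post and is not OZP code: a minimal WSGI app using only the Python standard library, with constructed accounts, that verifies the credentials the browser attaches in the `Authorization` request header on every call. It keeps no session and sets no cookie, so there is nothing on the server for a logout to clear.

```python
import base64, hashlib, hmac
from wsgiref.util import setup_testing_defaults

def _hash(password, salt=b"demo-salt"):  # fixed salt for the demo only
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed demo accounts (hypothetical); a real deployment uses its own user store.
USERS = {"alice": _hash("alice-pw"), "admin": _hash("admin-pw")}

def authenticate(environ):
    """Return the username proven by this request's Authorization header, else None."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    # Constant-time compare; unknown users are checked against a dummy digest.
    matches = hmac.compare_digest(_hash(password), expected or b"\0" * 32)
    return user if (sep and expected and matches) else None

def app(environ, start_response):
    user = authenticate(environ)
    if user is None:
        # Challenge that makes the browser prompt, then resend credentials each time.
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="demo"')])
        return [b""]
    # No Set-Cookie and no server-side state: the next request starts from scratch.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [user.encode()]

def request(credentials=None):
    """Drive the app once in-process; returns (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    if credentials:
        encoded = base64.b64encode(credentials.encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + encoded
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

Calling `request("alice:alice-pw")`, then `request("admin:admin-pw")`, then `request()` shows each call being decided only by the header it carries.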

Gang Yang

Dec 2, 2016, 4:37:37 PM
to ozoneplatform-users
OK. This is a major change from OWF. With OWF, the user logs in and a session is created and maintained. Apps are launched and presented inside the dashboard space and managed by OWF. We have security plugins to do the authentication (SSO) and logout (Single Logout). So after the user logs in to OWF, the user will not be prompted for credentials again when he/she launches any app that uses the same identity server, and when the user logs out from OWF, all such launched apps are automatically logged out. It looks like we are going to lose all that by migrating from OWF to OZP?

Gang

Ross Pokorny

Dec 5, 2016, 8:49:58 AM
to ozoneplat...@googlegroups.com
Gang

So far, OZP has only been used with sessionless login mechanisms such as HTTP
Basic and client PKI certificates. However, Django (the framework in which
the OZP backend is written) has a pluggable authentication system vaguely akin
to the Spring Security system that you are used to with OWF. Like Spring
Security, the Django auth system has a variety of examples and reusable
components available for it online which you should be able to use to help you
integrate with your authentication environment.

Although OZP does not currently need or use sessions, the technologies that it
is built on can certainly support them, and there are examples of integrating
various SSO systems into Django. It is true that OZP lacks a "logout" button
which would clear the session due to the fact that it has never used sessions
so far. If your project is going to use sessions and requires such a button,
then you can submit a ticket, or even a PR, on GitHub.

Ross Pokorny

Gang Yang

Dec 5, 2016, 11:29:50 AM
to ozoneplatform-users
Ross,

Thanks for the outline. I'll look into Django's auth framework. Just one more question: Does OZP impose any requirement or API/SPI on authentication and authorization? By this I mean if there are any OZP-specific variables, such as username and/or user's group/role/attributes or function calls, that need to be set and provided by the authentication module for OZP to function correctly? Does OZP simply use Django's auth module for authentication and authorization (permission in Django's terminology)?

Thanks,
Gang

Ross Pokorny

Dec 6, 2016, 8:24:45 AM
to ozoneplat...@googlegroups.com
Gang

Attempting to use OZP with a security plugin other than the one that it comes
with is, so far, an untested exercise. While OZP was built on a framework
that includes a generic authentication system, OZP itself was built with only
its current authentication mechanisms in mind. As a result, OZP likely makes
multiple undocumented assumptions about the authentication system that it is
connected to. Adding support for a new mechanism, as you would like to do,
will require some experimentation on your part and possibly some code changes
to OZP itself.

To get a better understanding of the existing authentication code within OZP,
I recommend that you look into the following files in the ozp-backend
codebase:

plugins/default_authorization/main.py
ozpcenter/auth/pkiauth.py
ozpcenter/permissions.py
ozpcenter/models.py (specifically the create_user method)

Ross Pokorny

Gang Yang

Dec 6, 2016, 11:07:20 AM
to ozoneplatform-users
Ross,

Thanks for the pointers. That's good enough for us to look into it.

Gang