Core ApiUsers

From Ocean Framework Documentation Wiki

These are the ApiUsers which are part of the Core functionality. They are set up and maintained by the Ocean system itself. You will be creating additional ApiUsers as part of your system development cycle.

The Core ApiUsers include an ApiUser for each Service (which Services use to authenticate and authorise themselves with other Ocean Services), plus a number of ApiUsers defined to perform specific tasks, such as running AsyncJobs that invoke other Ocean Services.

Each ApiUser can be assigned to any number of Groups (such as Superusers or Developers), thereby inheriting all the effective Roles and Rights of those Groups. In addition, Roles can be directly assigned to an ApiUser. We recommend that you structure your Roles and Groups in such a way that ApiUsers, in particular end-users, belong only to Groups. This will make user management much easier.

All ApiUsers below should be assigned long, randomised passwords, such as those generated by the following code:

> require "securerandom"
> SecureRandom.uuid
=> "327848cb-58e0-4c87-835b-1080afdac7ea"

or

> require "securerandom"
> SecureRandom.urlsafe_base64(32)
=> "z9LTO0Otor2byLJKdkCAH1Ubapn8UHK2y1DCLibQfBM"

WARNING: Do not commit your passwords to version control. Update them only on the Chef server or by means of the knife command-line tool.

admin_client

The ApiUser used by the admin_client web server instances when performing requests to other services in the Ocean system.

admin_client_testuser

The ApiUser used for continuous integration tests of the admin_client in TeamCity.

async_job_purger

The ApiUser performing the CronJob to remove expired AsyncJobs. It has only the minimal set of Rights required.

auth

The ApiUser used by the auth service when performing requests to other services in the Ocean system.

authentication_purger

The ApiUser performing the CronJob to remove expired Authentications. It has only the minimal set of Rights required.

cms

The ApiUser used by the cms service when performing requests to other services in the Ocean system.

dynamo_purger

The ApiUser performing the CronJob to remove expired DynamoDB tables used by the continuous integration pipeline. It has only the minimal set of Rights required.

god

The god user is the root user for the whole Ocean system. It holds all the wildcard Rights for each Resource. Because there is no single wildcard Right covering all Resources and/or Services, the god user is automatically assigned all wildcard Rights.

The god user is only used for setup. Nobody should routinely use the god user as a personal logon. All system tasks have dedicated ApiUsers with only the smallest set of Rights needed to perform their tasks.

instance_refresher

The ApiUser performing the CronJob to update the local database of AWS instances. It has only the minimal set of Rights required.

jobs

The ApiUser used by the jobs service when performing requests to other services in the Ocean system.

log

The ApiUser used by the log service when performing requests to other services in the Ocean system.

mail

The ApiUser used by the mail service when performing requests to other services in the Ocean system.

media

The ApiUser used by the media service when performing requests to other services in the Ocean system.

metrics

The ApiUser used by the metrics service when performing requests to other services in the Ocean system.