Initial commit for multi-tenant-configuration

lib/rest_requests/request.py

@@ -4,14 +4,14 @@
 import os
 
 import requests
-from requests.auth import HTTPDigestAuth
+from requests.auth import HTTPDigestAuth, HTTPBasicAuth
 from requests_toolbelt import MultipartEncoder
 
 from rest_requests.request_error import RequestError
 
 
-def get_request(url, digest_login, element_description, asset_type_description=None, asset_description=None,
-                stream=False):
+def get_request(url, login, element_description, asset_type_description=None, asset_description=None,
+                stream=False, headers=None, use_digest=True):
     """
     Make a get request to the given url with the given digest login. If the request fails with an error or a status
     code != 200, a Request Error with the error message /status code and the given descriptions is thrown.
@@ -28,13 +28,21 @@ def get_request(url, digest_login, element_description, asset_type_description=N
     :type asset_description: str
     :param stream: Whether to stream response
     :type stream: bool
+    :param headers: The headers to include in the request
+    :type headers: dict
     :return: response
     :raise RequestError:
     """
 
+    headers = headers if headers else {}
+    if use_digest:
+        auth = HTTPDigestAuth(login.user, login.password)
+        headers["X-Requested-Auth"] = "Digest"
+    else:
+        auth = HTTPBasicAuth(login['user'], login['password'])
+
     try:
-        response = requests.get(url, auth=HTTPDigestAuth(digest_login.user, digest_login.password),
-                                headers={"X-Requested-Auth": "Digest"}, stream=stream)
+        response = requests.get(url, auth=auth, headers=headers, stream=stream)
     except Exception as e:
         raise RequestError.with_error(url, str(e), element_description, asset_type_description, asset_description)
 
@@ -129,3 +137,41 @@ def big_post_request(url, digest_login, element_description, asset_type_descript
         raise RequestError.with_status_code(url, str(response.status_code), element_description, asset_type_description,
                                             asset_description)
     return response
+
+
+def put_request(url, digest_login, element_description, asset_type_description=None, asset_description=None,
+                data=None, files=None):
+    """
+    Make a put request to the given url with the given digest login. If the request fails with an error or a status
+    code != 200, a Request Error with the error message /status code and the given descriptions is thrown.
+
+    :param url: URL to make put request to
+    :type url: str
+    :param digest_login: The login credentials for digest authentication
+    :type digest_login: DigestLogin
+    :param element_description: Element description in case of errors, e.g. 'event', 'series', 'tenants'
+    :type element_description: str
+    :param asset_type_description: Asset type type description in case of errors, e.g. 'series', 'episode'
+    :type asset_type_description: str
+    :param asset_description: Asset description in case of errors, e.g. 'Dublin Core catalogs', 'ACL'
+    :type asset_description: str
+    :param data: Any data to attach to the request
+    :type data: dict
+    :param files: Any files to attach to the request
+    :type files: dict
+    :return: response
+    :raise RequestError:
+    """
+
+    auth = HTTPDigestAuth(digest_login.user, digest_login.password)
+    headers = {"X-Requested-Auth": "Digest"}
+
+    try:
+        response = requests.put(url, auth=auth, headers=headers, data=data, files=files)
+    except Exception as e:
+        raise RequestError.with_error(url, str(e), element_description, asset_type_description, asset_description)
+
+    if response.status_code < 200 or response.status_code > 299:
+        raise RequestError.with_status_code(url, str(response.status_code), element_description, asset_type_description,
+                                            asset_description)
+    return response

multi-tenant-configuration/README.md

@@ -0,0 +1,62 @@
+# Multi-tenants User configuration scripts for Opencast
+**ToDo**
+
+This script ... 
+
+Currently this script does not ... 
+
+## How to Use
+
+### Configuration
+
+The script is configured by editing the values in `config.py`:
+
+| Configuration Key | Description                               | Default/Example              |
+| :---------------- | :---------------------------------------- | :--------------------------- |
+| `url`             | The URL of the global admin node ?        | https://tenant1.opencast.com |
+| `tenant_url_pattern` | The URL pattern of the target tenants  | https://tenant2.opencast.com |
+| `tenant_urls`     | A dictioanry of server URLs of the target tenants       | https://tenant2.opencast.com |
+| `digest_user`     | The user name of the digest user          | `opencast_system_account`      |
+| `digest_pw`       | The password of the digest user           | `CHANGE_ME`                    |
+| `env_path`        | The id of the workflow to start on ingest | reimport-workflow            |
+
+**TODo**: check the below ...
+
+_The configured digest user needs to exist on both tenants and have the same password for both of them. This is because
+the script ingests the assets via URL, which is faster, but the user needs to be able to access the source tenant from
+the target tenant for this to work. Additionally the user currently needs to have ROLE_ADMIN to be able to use
+`/assets/{episodeid}`._
+
+_For the future, Basic Authentication and the use of an endpoint that doesn't require the Admin role (e.g.
+`api/events/{id}`) would be preferable, so you can simply add a frontend user with the necessary rights (ingest,
+access to the events/series) and the same password to both tenants._
+
+#### group config:
+The names in the group config file must be unique per Tenant!
+
+### Usage
+
+The script can be called with the following command (all parameters in brackets are optional):
+
+`python main.py -e ENVIRONMENT [-t TENANT_ID] [-c CHECK] [-v True]`
+
+| Param | Description |
+| :---: | :---------- |
+| `-e` / `--environment` | The environment where to find the configuration file (either `staging` or `production`) |
+| `-t` / `--tenantid` | The id of the target tenant to be configured |
+| `-c` / `--check` | checks to be performed (`users`, `groups`, `cast` or `capture`) (default: `all`) | 
+| `-v` / `--verbose` | enables logging to be prompted if set to `True` | 
+
+#### example:
+
+`python main.py -e staging -t tenant1 -c groups -v True`
+
+## Requirements
+
+This script was written for Python 3.8. You can install the necessary packages with
+
+**ToDo check the requirements file**
+
+`pip install -r requirements.txt`
+
+Additionally, this script uses modules contained in the _lib_ directory.

multi-tenant-configuration/config.py

@@ -0,0 +1,26 @@
+# Configuration
+
+# Set this to your global admin node
+base_url = "http://localhost:8080"
+
+# If you have multiple tenants, use an URL pattern.
+# example:
+# tenant_url_pattern = "https://{}.example.org"
+tenant_url_pattern = "http://{}:8080"
+
+# You can also define a dictionary of tenant URLs, which will be prioritized over the URL pattern:
+# # examples:
+# tenant_urls = {
+#     'tenant1': 'http://tenant1:8080',
+#     'tenant2': 'http://tenant2:8080'
+# }
+# tenant_urls = {'tenant1': 'https://develop.opencast.org'}
+
+# Digest User login
+digest_user = "opencast_system_account"
+digest_pw = "CHANGE_ME"
+
+# path to environment configuration file
+env_path = "environment/{}/opencast-organizations.yml"
+# path to group configuration file
+group_path = "configurations/group_configuration.yaml"

multi-tenant-configuration/configurations/group_configuration.json

@@ -0,0 +1,113 @@
+{
+  "groups" : [
+    {
+      "name": "System Administrators",
+      "description": "System Administrators",
+      "tenants": "all",
+      "type": "closed",
+      "members": [
+        {
+          "name": "Guy 1",
+          "email": "[email protected]",
+          "reason": "Operations partner",
+          "uid": "guy-1",
+          "tenants": "all"
+         },
+         {
+           "name": "Guy 2",
+           "email": "[email protected]",
+           "reason": "Operations partner",
+           "uid": "guy-2",
+           "tenants": "tenant1"
+         }
+      ],
+      "inactive_members": [ ],
+      "permissions": [
+        {
+          "tenants": "all",
+          "roles": ["ROLE_ADMIN", "ROLE_SUDO"]
+        }
+      ]
+    },
+    {
+      "name": "Organization Administrators",
+      "description": "Organization administrators have full access to all content of ${name}",
+      "tenants": "all",
+      "type": "open",
+      "members": [],
+      "inactive_members": [],
+      "permissions": [
+        {
+          "tenants": "all",
+          "roles": [
+            "ROLE_ADMIN_UI",
+            "ROLE_ORG_ADMIN"
+          ]
+        },
+        {
+          "tenants" : "tenant2",
+          "roles": {
+            "add": [
+              "ROLE_UI_EVENTS_DETAILS_ACL_VIEW",
+              "ROLE_UI_EVENTS_DETAILS_ACL_EDIT"
+            ],
+            "remove": []
+          }
+        }
+      ]
+    },
+    {
+      "name": "Producers",
+      "description": "Producers have limited access to content and functionality",
+      "tenants": "all",
+      "type": "open",
+      "members": [],
+      "inactive_members": [],
+      "permissions": [
+        {
+          "tenants": "all",
+          "roles": [
+            "ROLE_ADMIN_UI",
+	    "ROLE_UI_EVENTS_CREATE"
+          ]
+        },
+        {
+          "tenants" : "tenant1",
+          "roles": {
+            "add": [
+              "ROLE_UI_EVENTS_COUNTERS_VIEW"
+            ],
+            "remove": [
+              "ROLE_UI_EVENTS_CREATE"
+            ]
+          }
+	},
+        {
+          "tenants" : "tenant2",
+          "roles": {
+            "add": [
+              "ROLE_ORG_ADMIN"
+            ],
+            "remove": []
+          }
+        }
+      ]
+    },
+    {
+      "name": "Tenant2 Producers",
+      "description": "Tenant2 Producers have limited access to content and functionality",
+      "tenants": "tenant2",
+      "type": "open",
+      "members": [],
+      "inactive_members": [],
+      "permissions": [
+        {
+          "tenants": "all",
+          "roles": [
+            "ROLE_ADMIN_UI"
+          ]
+        }
+      ]
+    }
+  ]
+}

multi-tenant-configuration/configurations/group_configuration.yaml

@@ -0,0 +1,83 @@
+---
+
+groups:
+  - name: System Administrators
+    description: System Administrators
+    tenants: all
+    type: closed
+    members:
+      - name: Guy 1
+        email: [email protected]
+        reason: Operations partner
+        uid: guy1
+        tenants: all
+      - name: Guy 2
+        email: [email protected]
+        reason: Operations partner
+        uid: guy2
+        tenants: tenant1
+    inactive_members: []
+    permissions:
+      - tenants: all
+        roles:
+          - ROLE_ADMIN
+          - ROLE_SUDO
+  - name: Organization Administrators
+    description: Organization administrators have full access to all content of {tenant_id}
+    tenants: all
+    type: open
+    members: []
+    inactive_members: []
+    permissions:
+      - tenants: all
+        roles:
+          - ROLE_ADMIN_UI
+          - ROLE_ORG_ADMIN
+      - tenants: tenant2
+        roles:
+          add:
+            - ROLE_UI_EVENTS_DETAILS_ACL_VIEW
+            - ROLE_UI_EVENTS_DETAILS_ACL_EDIT
+          remove: []
+  - name: Producers
+    description: Producers have limited access to content and functionality
+    tenants: all
+    type: open
+    members: []
+    inactive_members: []
+    permissions:
+      - tenants: all
+        roles:
+          - ROLE_ADMIN_UI
+          - ROLE_UI_EVENTS_CREATE
+      - tenants: tenant1
+        roles:
+          add:
+            - ROLE_UI_EVENTS_COUNTERS_VIEW
+          remove:
+            - ROLE_UI_EVENTS_CREATE
+      - tenants: tenant2
+        roles:
+          add:
+            - ROLE_ORG_ADMIN
+          remove: []
+  - name: Tenant1 Producers
+    description: Tenant1 Producers have limited access to content and functionality
+    tenants: tenant1
+    type: open
+    members:
+      - name: Guy X
+        email: [email protected]
+        reason: Operations partner
+        uid: guyx
+        tenants: all
+      - name: Guy 2
+        email: [email protected]
+        reason: Operations partner
+        uid: guy2
+        tenants: tenant1
+    inactive_members: []
+    permissions:
+      - tenants: all
+        roles:
+          - ROLE_ADMIN_UI