
Add example for distributing data to students

Open danielballan opened this issue 1 year ago • 2 comments

  • Instructors can read and write data
  • Students can read data

(One can easily imagine a use case for students being able to write in certain areas, but let's start simple.)

We'll use ORCID auth for this example.

Go to https://orcid.org/developer-tools and register an application. Note client ID and client secret, which we will pass in later via environment variables.

mkdir config/
mkdir storage/

In config/, place config.yml. (The filename is arbitrary.)

(Expand to show contents.)

authentication:
  providers:
  - provider: orcid
    authenticator: tiled.authenticators:OIDCAuthenticator
    args:
      # These values come from https://orcid.org/developer-tools
      client_id: ${ORCID_CLIENT_ID}
      client_secret: ${ORCID_CLIENT_SECRET}
      # These values come from https://orcid.org/.well-known/openid-configuration
      # Obtain them directly from ORCID. They may change over time.
      token_uri: "https://orcid.org/oauth/token"
      authorization_endpoint: "https://orcid.org/oauth/authorize"
      public_keys:
        - kty: "RSA"
          e: "AQAB"
          use: "sig"
          kid: "production-orcid-org-7hdmdswarosg3gjujo8agwtazgkp1ojs"
          n: "jxTIntA7YvdfnYkLSN4wk__E2zf_wbb0SV_HLHFvh6a9ENVRD1_rHK0EijlBzikb-1rgDQihJETcgBLsMoZVQqGj8fDUUuxnVHsuGav_bf41PA7E_58HXKPrB2C0cON41f7K3o9TStKpVJOSXBrRWURmNQ64qnSSryn1nCxMzXpaw7VUo409ohybbvN6ngxVy4QR2NCC7Fr0QVdtapxD7zdlwx6lEwGemuqs_oG5oDtrRuRgeOHmRps2R6gG5oc-JqVMrVRv6F9h4ja3UgxCDBQjOVT1BFPWmMHnHCsVYLqbbXkZUfvP2sO1dJiYd_zrQhi-FtNth9qrLLv3gkgtwQ"
          alg: RS256
      confirmation_message: "You have logged in with ORCID as {id}."
trees:
  - path: /
    tree: catalog
    args:
      uri: "sqlite+aiosqlite:////storage/catalog.db"
      writable_storage: "/storage/data"
      init_if_not_exists: true
    access_control:
      access_policy: tiled.access_policies:SimpleAccessPolicy
      args:
        provider: orcid
        access_lists:
          0000-0002-5947-6017: tiled.access_policies:ALL_ACCESS  # Dan
        # TODO Enrich SimpleAccessPolicy to enable distinct scopes per principal and resource.

Run:

docker run \
  -p 8000:8000 \
  -e ORCID_CLIENT_ID=... \
  -e ORCID_CLIENT_SECRET=... \
  -v ./config:/deploy/config:ro \
  -v ./storage:/storage \
  ghcr.io/bluesky/tiled:latest

We currently ship SimpleAccessPolicy where all users have the same level of access (same scopes), but on different resources. For this use case, we need an access policy that supports users having different levels of access to a given resource. There are examples of this in custom integrations we have written with third-party authorization systems, but nothing built in and ready to use for this self-contained use case.

danielballan Oct 31 '23 19:10
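
A standalone model of the kind of policy the issue says is missing, where each principal gets its own scopes per resource. This is an added example, not tiled's code or API and not part of the issue. The class `ScopedAccessPolicy`, the role names, the scope strings and the student iD are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Scope names are illustrative assumptions, not taken from the issue.
READ = frozenset({"read:metadata", "read:data"})
WRITE = frozenset({"write:metadata", "write:data"})
ROLES = {"read_only": READ, "read_write": READ | WRITE}


@dataclass
class ScopedAccessPolicy:
    """Hypothetical policy: grants maps path prefix -> {principal id: role}."""

    grants: dict = field(default_factory=dict)

    def allowed_scopes(self, principal_id: str, path: str) -> frozenset:
        """Scopes held on `path`; the most specific matching prefix wins."""
        segments = [s for s in path.split("/") if s]
        # Walk from the full path up to "/", comparing whole segments so
        # that "/sandboxes" never matches a grant on "/sandbox".
        for depth in range(len(segments), -1, -1):
            prefix = "/" + "/".join(segments[:depth])
            role = self.grants.get(prefix, {}).get(principal_id)
            if role is not None:
                return ROLES.get(role, frozenset())  # unknown role: deny
        return frozenset()  # unknown principal: deny by default

    def check(self, principal_id: str, path: str, required) -> bool:
        """True only if every required scope is granted on `path`."""
        return set(required) <= self.allowed_scopes(principal_id, path)


# Constructed sample data: the instructor iD is the one in the config above,
# the student iD is a made-up placeholder.
INSTRUCTOR = "0000-0002-5947-6017"
STUDENT = "0000-0000-0000-0000"
policy = ScopedAccessPolicy({
    "/": {INSTRUCTOR: "read_write", STUDENT: "read_only"},
    "/sandbox": {STUDENT: "read_write"},  # students may write here only
})

if __name__ == "__main__":
    for who, path in [(INSTRUCTOR, "/lectures/week1"),
                      (STUDENT, "/lectures/week1"),
                      (STUDENT, "/sandbox/alice")]:
        print(who, path, sorted(policy.allowed_scopes(who, path)))
```

Because the most specific prefix wins, a grant on a subtree can narrow access as well as widen it, so subtree grants need the same review as the root grant.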

I like this idea. I'm also surprised to learn that I can add a collapsible section in markdown with standard HTML. :)

padraic-shafer Nov 01 '23 12:11

I put together a stand-alone repo with a docker-compose file: https://github.com/danielballan/tiled-for-teaching

danielballan Nov 02 '23 16:11