-rw-r--r-- .gitignore 1
-rw-r--r-- python-mongogrant.spec 547
-rw-r--r-- sources 1
3 files changed, 549 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index e69de29..aa38ced 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/mongogrant-0.3.3.tar.gz
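Review bot: The ignore pattern on the added line is pinned to one version, `/mongogrant-0.3.3.tar.gz`, so the next version bump leaves the new tarball untracked-but-visible and at risk of being committed by accident unless this file is edited in the same change. A version-independent pattern such as `/mongogrant-*.tar.gz` would keep every release tarball out of the repository without further maintenance.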
diff --git a/python-mongogrant.spec b/python-mongogrant.spec
new file mode 100644
index 0000000..f8d0137
--- /dev/null
+++ b/python-mongogrant.spec
@@ -0,0 +1,547 @@
+%global _empty_manifest_terminate_build 0
+Name: python-mongogrant
+Version: 0.3.3
+Release: 1
+Summary: Generate and grant credentials for MongoDB databases
+License: modified BSD
+URL: https://github.com/materialsproject/mongogrant/
+Source0: https://mirrors.nju.edu.cn/pypi/web/packages/86/ea/236c569243a19bfb7097fd6b2fd09aa68af57e3d76e3ff65ea69333c0760/mongogrant-0.3.3.tar.gz
+BuildArch: noarch
+
+Requires: python3-Click
+Requires: python3-pymongo
+Requires: python3-Flask
+Requires: python3-requests
+
+%description
+## Quickstart for users
+
+So, your friendly neighborhood mongogranter says you know have access to a
+database through your email address. What now? First, install mongogrant:
+```bash
+pip install mongogrant
+```
+Next, request a token link to be sent to your email:
+```
+mgrant init mcurie@espci.fr \
+ --endpoint https://grantmedb.materialsproject.org
+```
+Click the link in your email to prove you're you, copy the fetch token from the
+loaded page, and then run:
+```
+mgrant settoken wh054900d70k3ny35y0u423
+```
+Finally, get credentials for your database. Here, Marie is asking mongogrant to
+print out db.json and my_launchpad.yaml starter files for
+[FireWorks](https://materialsproject.github.io/fireworks/) and
+[atomate](https://atomate.org/):
+```
+mgrant db mongodb03.nersc.gov fw_mc_polonium \
+ --role readWrite \
+ --atomate-starters
+```
+## About mongogrant
+
+Mongogrant is a utility to grant username and password
+credentials for read and readWrite roles on various databases
+on various hosts to owners of email addresses.
+
+A server administrator has fine-grained control via
+allow/deny rules for granting tokens and credentials.
+People request an email that contains a one-time link. That
+link gives a user a fetch token. All tokens expire and
+expiration time is customizable. People then use the
+mongogrant client to make requests like
+
+```python
+from mongogrant.client import Client
+
+# config file on disk has tokens and host/db aliases
+# `Client()` with no args looks to
+# ~/.mongogrant.json for config
+client = Client()
+
+# No config yet? Set one up with at least one remote for fetching credentials
+# See below for how to obtain <FETCH_TOKEN> for a given <ENDPOINT>.
+client.set_remote("https://grantmedb.materialsproject.org", "<FETCH_TOKEN>")
+
+# Set some aliases if you'd like:
+client.set_alias("dev", "mongodb03.nersc.gov", "host")
+client.set_alias("prod", "mongodb04.nersc.gov", "host")
+client.set_alias("fireworks", "fw_dw_phonons", "db")
+
+# pymongo.database.Database with read role
+source_db = client.db("ro:dev/fireworks")
+# readWrite role: config stores "prod" host alias and "fireworks" db alias
+target_db = client.db("rw:prod/fireworks")
+
+# ...Do database stuff!
+```
+
+One can also go entirely through a running app's API:
+
+```bash
+> # Using the HTTPie command line HTTP client (https://httpie.org/)
+> # Install via `{brew,apt-get,pip,...} install httpie`
+> http GET https://grantmedb.materialsproject.org/gettoken/<YOUR_EMAIL>
+HTTP/1.1 200 OK
+Connection: keep-alive
+Content-Length: 59
+Content-Type: application/json
+Date: Thu, 17 May 2018 18:05:30 GMT
+Server: nginx/1.10.3
+
+{
+ "msg": "Sent link to <YOUR_EMAIL> to retrieve token."
+}
+
+> http GET https://grantmedb.materialsproject.org/verifytoken/<VERIFY_TOKEN>
+HTTP/1.1 200 OK
+Connection: keep-alive
+Content-Encoding: gzip
+Content-Type: text/html; charset=utf-8
+Date: Thu, 17 May 2018 18:06:17 GMT
+Server: nginx/1.10.3
+Transfer-Encoding: chunked
+
+Fetch token: <FETCH_TOKEN> (expires 2018-06-19 18:05:30.508000 UTC)
+
+> # end-of-line "\" below only necessary if command spans two lines.
+> http --form POST https://grantmedb.materialsproject.org/grant/<FETCH_TOKEN> \
+> role=readWrite host=mongodb03.nersc.gov db=dw_phonons
+HTTP/1.1 200 OK
+Connection: keep-alive
+Content-Length: 108
+Content-Type: application/json
+Date: Thu, 17 May 2018 18:11:22 GMT
+Server: nginx/1.10.3
+
+{
+ "password": "<PASSWORD>",
+ "username": "dwinston_lbl.gov_readWrite"
+}
+
+>
+```
+
+You can run a "server" on your laptop in a Jupyer notebook
+and manage allow/deny rules, grant / revoke grants of
+credentials, etc. A small Flask app
+is included as an example for deploying a server to which
+clients can connect to obtain tokens and credentials.
+
+## Set up a server
+
+```python
+from mongogrant.config import Config
+from mongogrant.server import Server, check, path, seed, Mailgun
+
+server = Server(Config(check=check, path=path, seed=seed()))
+server.set_mgdb("mongodb://mgserver:mgserverpass@my.host.com/mongogrant")
+server.set_mailer(Mailgun, dict(
+ api_key="YOUR_KEY",
+ base_url="https://api.mailgun.net/v3/YOUR_DOMAIN",
+ from_addr="mongogrant@YOUR_DOMAIN"))
+server.set_admin_client(
+ host="other1.host.com",
+ username="mongoadmin",
+ password="mongoadminpass")
+server.set_admin_client(
+ host="other2.host.com",
+ username="mongoadmin",
+ password="mongoadminpass")
+```
+
+### Appointing others to set allow/deny rules
+
+A mongogrant server admin can add "ruler" users who can set allow/deny rules for users via the `mgrant` CLI. An admin sets a ruler document in the `server.mgdb` collection, e.g.
+```python
+server.mgdb.rulers.replace_one(
+ {"email": "starlord@lbl.gov"},
+ {
+ "email": "starlord@lbl.gov",
+ "hosts": ["mongodb03.nersc.gov"],
+ "dbs": ["mp_", "fw_"],
+ "emails": ["@lbl.gov"],
+ "which": ["allow"]
+ },
+ upsert=True)
+```
+Allows user `starlord@lbl.gov` to set `allow` rules for any user with an "@lbl.gov" email address on the Mongo host "mongodb03.nersc.gov" for any database name prefixed with "mp_" or "fw_". Any field in a ruler document can be set to "all" rather than an array.
+
+
+
+
+
+%package -n python3-mongogrant
+Summary: Generate and grant credentials for MongoDB databases
+Provides: python-mongogrant
+BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+BuildRequires: python3-pip
+%description -n python3-mongogrant
+## Quickstart for users
+
+So, your friendly neighborhood mongogranter says you know have access to a
+database through your email address. What now? First, install mongogrant:
+```bash
+pip install mongogrant
+```
+Next, request a token link to be sent to your email:
+```
+mgrant init mcurie@espci.fr \
+ --endpoint https://grantmedb.materialsproject.org
+```
+Click the link in your email to prove you're you, copy the fetch token from the
+loaded page, and then run:
+```
+mgrant settoken wh054900d70k3ny35y0u423
+```
+Finally, get credentials for your database. Here, Marie is asking mongogrant to
+print out db.json and my_launchpad.yaml starter files for
+[FireWorks](https://materialsproject.github.io/fireworks/) and
+[atomate](https://atomate.org/):
+```
+mgrant db mongodb03.nersc.gov fw_mc_polonium \
+ --role readWrite \
+ --atomate-starters
+```
+## About mongogrant
+
+Mongogrant is a utility to grant username and password
+credentials for read and readWrite roles on various databases
+on various hosts to owners of email addresses.
+
+A server administrator has fine-grained control via
+allow/deny rules for granting tokens and credentials.
+People request an email that contains a one-time link. That
+link gives a user a fetch token. All tokens expire and
+expiration time is customizable. People then use the
+mongogrant client to make requests like
+
+```python
+from mongogrant.client import Client
+
+# config file on disk has tokens and host/db aliases
+# `Client()` with no args looks to
+# ~/.mongogrant.json for config
+client = Client()
+
+# No config yet? Set one up with at least one remote for fetching credentials
+# See below for how to obtain <FETCH_TOKEN> for a given <ENDPOINT>.
+client.set_remote("https://grantmedb.materialsproject.org", "<FETCH_TOKEN>")
+
+# Set some aliases if you'd like:
+client.set_alias("dev", "mongodb03.nersc.gov", "host")
+client.set_alias("prod", "mongodb04.nersc.gov", "host")
+client.set_alias("fireworks", "fw_dw_phonons", "db")
+
+# pymongo.database.Database with read role
+source_db = client.db("ro:dev/fireworks")
+# readWrite role: config stores "prod" host alias and "fireworks" db alias
+target_db = client.db("rw:prod/fireworks")
+
+# ...Do database stuff!
+```
+
+One can also go entirely through a running app's API:
+
+```bash
+> # Using the HTTPie command line HTTP client (https://httpie.org/)
+> # Install via `{brew,apt-get,pip,...} install httpie`
+> http GET https://grantmedb.materialsproject.org/gettoken/<YOUR_EMAIL>
+HTTP/1.1 200 OK
+Connection: keep-alive
+Content-Length: 59
+Content-Type: application/json
+Date: Thu, 17 May 2018 18:05:30 GMT
+Server: nginx/1.10.3
+
+{
+ "msg": "Sent link to <YOUR_EMAIL> to retrieve token."
+}
+
+> http GET https://grantmedb.materialsproject.org/verifytoken/<VERIFY_TOKEN>
+HTTP/1.1 200 OK
+Connection: keep-alive
+Content-Encoding: gzip
+Content-Type: text/html; charset=utf-8
+Date: Thu, 17 May 2018 18:06:17 GMT
+Server: nginx/1.10.3
+Transfer-Encoding: chunked
+
+Fetch token: <FETCH_TOKEN> (expires 2018-06-19 18:05:30.508000 UTC)
+
+> # end-of-line "\" below only necessary if command spans two lines.
+> http --form POST https://grantmedb.materialsproject.org/grant/<FETCH_TOKEN> \
+> role=readWrite host=mongodb03.nersc.gov db=dw_phonons
+HTTP/1.1 200 OK
+Connection: keep-alive
+Content-Length: 108
+Content-Type: application/json
+Date: Thu, 17 May 2018 18:11:22 GMT
+Server: nginx/1.10.3
+
+{
+ "password": "<PASSWORD>",
+ "username": "dwinston_lbl.gov_readWrite"
+}
+
+>
+```
+
+You can run a "server" on your laptop in a Jupyer notebook
+and manage allow/deny rules, grant / revoke grants of
+credentials, etc. A small Flask app
+is included as an example for deploying a server to which
+clients can connect to obtain tokens and credentials.
+
+## Set up a server
+
+```python
+from mongogrant.config import Config
+from mongogrant.server import Server, check, path, seed, Mailgun
+
+server = Server(Config(check=check, path=path, seed=seed()))
+server.set_mgdb("mongodb://mgserver:mgserverpass@my.host.com/mongogrant")
+server.set_mailer(Mailgun, dict(
+ api_key="YOUR_KEY",
+ base_url="https://api.mailgun.net/v3/YOUR_DOMAIN",
+ from_addr="mongogrant@YOUR_DOMAIN"))
+server.set_admin_client(
+ host="other1.host.com",
+ username="mongoadmin",
+ password="mongoadminpass")
+server.set_admin_client(
+ host="other2.host.com",
+ username="mongoadmin",
+ password="mongoadminpass")
+```
+
+### Appointing others to set allow/deny rules
+
+A mongogrant server admin can add "ruler" users who can set allow/deny rules for users via the `mgrant` CLI. An admin sets a ruler document in the `server.mgdb` collection, e.g.
+```python
+server.mgdb.rulers.replace_one(
+ {"email": "starlord@lbl.gov"},
+ {
+ "email": "starlord@lbl.gov",
+ "hosts": ["mongodb03.nersc.gov"],
+ "dbs": ["mp_", "fw_"],
+ "emails": ["@lbl.gov"],
+ "which": ["allow"]
+ },
+ upsert=True)
+```
+Allows user `starlord@lbl.gov` to set `allow` rules for any user with an "@lbl.gov" email address on the Mongo host "mongodb03.nersc.gov" for any database name prefixed with "mp_" or "fw_". Any field in a ruler document can be set to "all" rather than an array.
+
+
+
+
+
+%package help
+Summary: Development documents and examples for mongogrant
+Provides: python3-mongogrant-doc
+%description help
+## Quickstart for users
+
+So, your friendly neighborhood mongogranter says you know have access to a
+database through your email address. What now? First, install mongogrant:
+```bash
+pip install mongogrant
+```
+Next, request a token link to be sent to your email:
+```
+mgrant init mcurie@espci.fr \
+ --endpoint https://grantmedb.materialsproject.org
+```
+Click the link in your email to prove you're you, copy the fetch token from the
+loaded page, and then run:
+```
+mgrant settoken wh054900d70k3ny35y0u423
+```
+Finally, get credentials for your database. Here, Marie is asking mongogrant to
+print out db.json and my_launchpad.yaml starter files for
+[FireWorks](https://materialsproject.github.io/fireworks/) and
+[atomate](https://atomate.org/):
+```
+mgrant db mongodb03.nersc.gov fw_mc_polonium \
+ --role readWrite \
+ --atomate-starters
+```
+## About mongogrant
+
+Mongogrant is a utility to grant username and password
+credentials for read and readWrite roles on various databases
+on various hosts to owners of email addresses.
+
+A server administrator has fine-grained control via
+allow/deny rules for granting tokens and credentials.
+People request an email that contains a one-time link. That
+link gives a user a fetch token. All tokens expire and
+expiration time is customizable. People then use the
+mongogrant client to make requests like
+
+```python
+from mongogrant.client import Client
+
+# config file on disk has tokens and host/db aliases
+# `Client()` with no args looks to
+# ~/.mongogrant.json for config
+client = Client()
+
+# No config yet? Set one up with at least one remote for fetching credentials
+# See below for how to obtain <FETCH_TOKEN> for a given <ENDPOINT>.
+client.set_remote("https://grantmedb.materialsproject.org", "<FETCH_TOKEN>")
+
+# Set some aliases if you'd like:
+client.set_alias("dev", "mongodb03.nersc.gov", "host")
+client.set_alias("prod", "mongodb04.nersc.gov", "host")
+client.set_alias("fireworks", "fw_dw_phonons", "db")
+
+# pymongo.database.Database with read role
+source_db = client.db("ro:dev/fireworks")
+# readWrite role: config stores "prod" host alias and "fireworks" db alias
+target_db = client.db("rw:prod/fireworks")
+
+# ...Do database stuff!
+```
+
+One can also go entirely through a running app's API:
+
+```bash
+> # Using the HTTPie command line HTTP client (https://httpie.org/)
+> # Install via `{brew,apt-get,pip,...} install httpie`
+> http GET https://grantmedb.materialsproject.org/gettoken/<YOUR_EMAIL>
+HTTP/1.1 200 OK
+Connection: keep-alive
+Content-Length: 59
+Content-Type: application/json
+Date: Thu, 17 May 2018 18:05:30 GMT
+Server: nginx/1.10.3
+
+{
+ "msg": "Sent link to <YOUR_EMAIL> to retrieve token."
+}
+
+> http GET https://grantmedb.materialsproject.org/verifytoken/<VERIFY_TOKEN>
+HTTP/1.1 200 OK
+Connection: keep-alive
+Content-Encoding: gzip
+Content-Type: text/html; charset=utf-8
+Date: Thu, 17 May 2018 18:06:17 GMT
+Server: nginx/1.10.3
+Transfer-Encoding: chunked
+
+Fetch token: <FETCH_TOKEN> (expires 2018-06-19 18:05:30.508000 UTC)
+
+> # end-of-line "\" below only necessary if command spans two lines.
+> http --form POST https://grantmedb.materialsproject.org/grant/<FETCH_TOKEN> \
+> role=readWrite host=mongodb03.nersc.gov db=dw_phonons
+HTTP/1.1 200 OK
+Connection: keep-alive
+Content-Length: 108
+Content-Type: application/json
+Date: Thu, 17 May 2018 18:11:22 GMT
+Server: nginx/1.10.3
+
+{
+ "password": "<PASSWORD>",
+ "username": "dwinston_lbl.gov_readWrite"
+}
+
+>
+```
+
+You can run a "server" on your laptop in a Jupyer notebook
+and manage allow/deny rules, grant / revoke grants of
+credentials, etc. A small Flask app
+is included as an example for deploying a server to which
+clients can connect to obtain tokens and credentials.
+
+## Set up a server
+
+```python
+from mongogrant.config import Config
+from mongogrant.server import Server, check, path, seed, Mailgun
+
+server = Server(Config(check=check, path=path, seed=seed()))
+server.set_mgdb("mongodb://mgserver:mgserverpass@my.host.com/mongogrant")
+server.set_mailer(Mailgun, dict(
+ api_key="YOUR_KEY",
+ base_url="https://api.mailgun.net/v3/YOUR_DOMAIN",
+ from_addr="mongogrant@YOUR_DOMAIN"))
+server.set_admin_client(
+ host="other1.host.com",
+ username="mongoadmin",
+ password="mongoadminpass")
+server.set_admin_client(
+ host="other2.host.com",
+ username="mongoadmin",
+ password="mongoadminpass")
+```
+
+### Appointing others to set allow/deny rules
+
+A mongogrant server admin can add "ruler" users who can set allow/deny rules for users via the `mgrant` CLI. An admin sets a ruler document in the `server.mgdb` collection, e.g.
+```python
+server.mgdb.rulers.replace_one(
+ {"email": "starlord@lbl.gov"},
+ {
+ "email": "starlord@lbl.gov",
+ "hosts": ["mongodb03.nersc.gov"],
+ "dbs": ["mp_", "fw_"],
+ "emails": ["@lbl.gov"],
+ "which": ["allow"]
+ },
+ upsert=True)
+```
+Allows user `starlord@lbl.gov` to set `allow` rules for any user with an "@lbl.gov" email address on the Mongo host "mongodb03.nersc.gov" for any database name prefixed with "mp_" or "fw_". Any field in a ruler document can be set to "all" rather than an array.
+
+
+
+
+
+%prep
+%autosetup -n mongogrant-0.3.3
+
+%build
+%py3_build
+
+%install
+%py3_install
+install -d -m755 %{buildroot}/%{_pkgdocdir}
+if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
+if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
+if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
+if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
+pushd %{buildroot}
+if [ -d usr/lib ]; then
+ find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/lib64 ]; then
+ find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/bin ]; then
+ find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/sbin ]; then
+ find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+touch doclist.lst
+if [ -d usr/share/man ]; then
+ find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst
+fi
+popd
+mv %{buildroot}/filelist.lst .
+mv %{buildroot}/doclist.lst .
+
+%files -n python3-mongogrant -f filelist.lst
+%dir %{python3_sitelib}/*
+
+%files help -f doclist.lst
+%{_docdir}/*
+
+%changelog
+* Mon May 15 2023 Python_Bot <Python_Bot@openeuler.org> - 0.3.3-1
+- Package Spec generated
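Review bot: `Source0` fetches the tarball from a third-party PyPI mirror (`mirrors.nju.edu.cn/pypi/...`) while `URL` names the GitHub project, so the package is built from whatever that mirror serves; point `Source0` at the upstream release location, or record why the mirror is needed. Two further points in the same hunk: `%global _empty_manifest_terminate_build 0` on the first line turns off the build failure for an empty file manifest, and since `filelist.lst` is produced by `find` over `usr/lib`, `usr/bin` and so on, an install step that places nothing would still yield a package, so drop the override or add a `%check` section that at least imports the module. The three `%description` bodies each carry the whole upstream README, including Markdown fences and sample connection strings, which renders poorly in package metadata; a two or three line plain-text description per subpackage would be enough. `License: modified BSD` should also be replaced by the identifier that matches the upstream licence file.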
diff --git a/sources b/sources
new file mode 100644
index 0000000..c498fb1
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+c0fa7c60b5aef06465440da93b096c9e mongogrant-0.3.3.tar.gz
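Review bot: The only integrity pin for `mongogrant-0.3.3.tar.gz` is the 32-hex-digit digest on this line, which is the size of an MD5 hash and too weak to rely on for detecting a deliberately substituted tarball, which matters more here because `Source0` in the spec points at a mirror rather than upstream. If the tooling that consumes `sources` accepts it, record a SHA-256 or SHA-512 digest instead, and check it against the hash published for this release on PyPI before merging.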