Authentication

Robot Raconteur provides a built-in authentication system. During connection, a client can specify a “username” of type string, and “credentials” of type varvalue{string}. Normally the credentials contains a simple string entry for the password, but some authentication methods may require more complex credentials like a token/password pair. A connection example:

credentials={"password", RR.VarValue("mypassword","string")}
obj=RRN.ConnectService( "rr+tcp://localhost:2354?service=Create","myusername",credentials)

Of course the current example service does not have authentication enabled. The first step is to create a UserAuthenticator. The UserAuthenticator will receive the authentication requests and compare the username and credentials. If they are correct, the user is authenticated. The only authenticator currently available is the PasswordFileUserAuthenticator. This authenticator uses a plain-text string that contains the user definitions, one per line. There are three entries separated by spaces: the username, the MD5 hash of the password, and a comma separated list of credentials (no spaces between). The two credentials of interest are “objectlock” and “objectlockoverride”. The meaning of these is discussed in Section [objectlocks]. Example [passwordfile] shows the contents of a simple password file. The MD5 hash for the password can be generated using “RobotRaconteurGen”.

RobotRaconteurGen –md5passwordhash mypassword``

myusername 34819d7beeabb9260a5c854bc85b3e44 objectlock
anotherusername 1910ea24600608b01b5efd7d4ea6a840 objectlock
superuser f1bc69265be1165f64296bcb7ca180d5 objectlock,objectlockoverride``

The PasswordFileUserAuthenticator can now be initialized:

with open('passwords.txt') as content_file:
  content=content_file.read()
  p=RR.PasswordFileUserAuthenticator(content)

The next step is to create a ServiceSecurityPolicy that describes the security requirements. The policy contains the authenticator and a dictionary of policies. Currently only “requirevaliduser” and “allowobjectlock” are valid, and both should be set to “true”.

policies={"requirevaliduser" : "true", "allowobjectlock" : "true"}
s=RR.ServiceSecurityPolicy(p,policies)

Finally, the service can be registered using the policy.

RRN.RegisterService("Create","experimental.create.Create",obj)

When the service is running, it may be useful to determine if there is a currently authenticated user. This is accomplished through the ServerEndpoint class static method. The current

AuthenticatedUser can be retrieved:

user=RR.ServerEndpoint.GetCurrentAuthenticatedUser()

Note that this call will raise an exception if no user is currently authenticated. The

AuthenticatedUser contains the fields Username, LoginTime, LastAccessTime, and Privileges fields to help determine the user currently accessing the service. This function will work during all transactional calls to the service.

The authenticated user will be logged out when the client connection is closed or after a timeout of typically 15 minutes.