Users

Zoe has a flexible user management system. All users that need access to Zoe need to have an entry created in the Zoe user database through the command-line utility (zoe-admin.py) or the web interface.

The administrator can choose an authentication source for each user. Currently the following sources are available:

  • internal : the password is stored in Zoe
  • LDAP(+SASL) : authentication is performed by contacting an external LDAP server
  • textfile : the password is stored in a CSV file
  • pam : authentication is performed by using the PAM subsystem of the operating system where the zoe-api process is running

More backends can be developed; the authentication system is designed to be pluggable.

Each user has an associated Role and Quota.

By default Zoe has an admin user (with password “admin”), created during the first startup. While deploying Zoe, this user must be disabled or its password changed. The default password is a security risk.

Experimental OAuth2 support

This version of Zoe includes an experimental OAuth2 client implementation that points to a GitLab instance in Eurecom’s infrastructure. To use it with your own OAuth2 provider, you need to modify the source code under zoe_api/auth/requests_oauth2/services.py, zoe_api/rest_api/user.py and zoe_api/web/start.py.

Users that log in with OAuth2 can access only the web interface (no OAuth2 authentication has been implemented for the API). The user entry in the Zoe database is created automatically, and a workspace is also created when the first execution is launched.

The following options are available in the Zoe configuration:

  • oauth-client-id: OAuth2 client ID as generated by your identity provider
  • oauth-client-secret: OAuth2 client secret as generated by your identity provider
  • oauth-redirect-uri: Full URL of the Zoe API OAuth callback as visible from clients (e.g. in front of a reverse proxy)
  • oauth-role: Role to assign to new users authenticated via OAuth2
  • oauth-quota: Quota to assign to new users authenticated via OAuth2
  • oauth-create-workspace-script: Full path to a script that creates the user workspace; Zoe calls it using sudo and passes the username and fs_id as arguments

The user Zoe runs as must be able to run the workspace creation script via sudo.
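
Because this script runs as root with a username that originates from the OAuth2 provider, it should validate both arguments before touching the filesystem. The following is an added example, not Zoe's own script; it assumes fs_id is a numeric UID, and WORKSPACE_BASE, MIN_FS_ID and the username policy are hypothetical choices.

```shell
#!/bin/sh
# Added example (not part of Zoe): a script for oauth-create-workspace-script.
# Zoe calls it through sudo as: <script> <username> <fs_id>
# Assumptions: fs_id is a numeric UID; paths and limits below are hypothetical.
LC_ALL=C; export LC_ALL                 # make the a-z ranges byte-exact
WORKSPACE_BASE="/mnt/zoe-workspaces"    # hypothetical; must be writable by root only
MIN_FS_ID=1000                          # assumed floor: never chown to root/system UIDs

valid_username() {
    # First character a lowercase letter, then letters, digits, '_' or '-'.
    # This rejects '/', '..', whitespace and a leading '-' (option injection).
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

valid_fs_id() {
    # Digits only, short enough not to overflow, and not below the floor.
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 9 ] && [ "$1" -ge "$MIN_FS_ID" ]
}

create_workspace() {
    [ "$#" -eq 2 ] || { echo "usage: $0 <username> <fs_id>" >&2; return 2; }
    valid_username "$1" || { echo "rejected username" >&2; return 3; }
    valid_fs_id "$2" || { echo "rejected fs_id" >&2; return 4; }
    ws="$WORKSPACE_BASE/$1"
    # Do not follow a symlink planted where the workspace should be.
    [ ! -L "$ws" ] || { echo "refusing symlink: $ws" >&2; return 5; }
    mkdir -p -- "$ws" && chmod 0700 -- "$ws" && chown -- "$2" "$ws"
}

# Run only when called with arguments, as Zoe does through sudo.
[ "$#" -eq 0 ] || create_workspace "$@"
```

The sudo rule for the Zoe user should allow this one script path only, not general sudo access.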