Insert users from Keycloak into collections rights

Prerequisites

Modules

Checkout branches

git checkout origin/osp-scripts-configuration .
git checkout origin/osp-collections-configuration .

Description

This tutorial shows how to use a JS script to fetch the list of OnSphere users (the accounts Keycloak exposes to the platform) and create an entry for each of them inside the users rights collection. At the same time, it creates a profile (collections rights level 2) for each user group, so that a user's group memberships in Keycloak map to profiles in the collections rights.

Note

The complete configuration for this example is available on the branch example-scripts-init-users-collections-rights.

git checkout origin/example-scripts-init-users-collections-rights .

Steps

1. Setup collections rights

First, enable the users and profiles levels of collections rights. Then define one collection for each of these two levels (in this example they are named users-rights and profiles-rights). If that step is not clear to you, follow this example before continuing.

2. Create a detached script

In this example, we create a detached script that is executed every 15 seconds. This is only a simple way to trigger the actual script; you can schedule or trigger it in whatever way suits your case. Whatever the trigger, keep in mind that the script runs repeatedly, so it must be idempotent: it has to check for an existing entry before inserting one, otherwise every run would add duplicate rights entries.

root/scripts/detached.scripts

{
    "moduleId": "modules.scripts.scripts-1",
    "accessedValues": [],
    "scheduledExecutions": ["0/15 * * ? * * *"],
    "sourceFile": "root/scripts/users_retriever.js"
}

3. Get all the users and create rights entries for them

In this script, we will use:

  • users.list(): returns the list of users. For each of them, we check whether an entry already exists inside the users rights collection. If not, we create one from the user information.

  • collections.getWithCustomFilter(): queries one entry of a collection with a custom MongoDB filter. Here, the filter is built from the username and tells us whether the user already has rights. Note that the username (and, later, the group name) is interpolated into the filter string: a value containing a quote or backslash would break or alter the query, so only treat this as acceptable when the values come from a trusted source such as Keycloak accounts you administer, and validate or reject values that could break the filter.

  • collections.insert(): creates a new entry for each user (and, when needed, for each profile).

First, we fetch all the users. Then, for each of them, we verify that the user does not already have collections rights. If the user has none, we look at the user's groups and, for each group that has no profiles rights entry yet, create one named after the group. Finally, we insert the user into the users rights collection with the ids of these profiles.

root/scripts/users_retriever.js

// Returns true only when the lookup succeeded and no users-rights document
// matched this username. A failed call returns false, so an error never
// triggers an insert; the user is simply retried on the next scheduled run.
const isUserMissingFromRights = (username) => {
    const getResult = collections.getWithCustomFilter("root.collections.users-rights", `{username: '${username}'}`);
    return getResult.success && getResult.content && Object.keys(getResult.content).length === 0;
}

// Usernames and group names are interpolated into the filter string, so a
// quote or backslash in a value would break or alter the query. Such values
// are skipped rather than queried.
const isSafeFilterValue = (value) => typeof value === "string" && !/['\\]/.test(value);

const getProfilesRightsFromGroup = (group) => {
    return collections.getWithCustomFilter("root.collections.profiles-rights", `{profile: '${group}'}`);
}

// An empty content object means the lookup succeeded but matched nothing.
const isProfilesMissingFromRights = (getResult) => {
    return getResult.success && getResult.content && Object.keys(getResult.content).length === 0;
}

// Returns the profiles-rights document ids for the user's groups, creating a
// profile for each group that has none yet. Returns null if any lookup or
// insert failed, so the caller does not insert the user with an incomplete
// profile list (which a later run would never repair, since the user would
// then already exist).
const getProfilesBasedFromUserGroups = (user) => {
    let profiles = [];

    if (user.hasOwnProperty("groups")) {
        for (const grp of user.groups) {
            if (!isSafeFilterValue(grp)) {
                return null;
            }

            const getProfileResult = getProfilesRightsFromGroup(grp);
            if (isProfilesMissingFromRights(getProfileResult)) {
                const newProfileRights = {
                    profile: grp,
                    forms: [],
                    collections: []
                };

                const insertResult = collections.insert("root.collections.profiles-rights", newProfileRights);

                if (!insertResult.success) {
                    return null;
                }
                profiles.push(insertResult.content.documentId);
            } else if (getProfileResult.success && getProfileResult.content && getProfileResult.content._id) {
                profiles.push(getProfileResult.content._id);
            } else {
                // Lookup failed: do not guess, retry this user on the next run.
                return null;
            }
        }
    }

    return profiles;
}

function main() {
    const keycloakUsers = users.list();
    keycloakUsers.forEach(element => {
        if (!element.hasOwnProperty("username") || !isSafeFilterValue(element.username)) {
            return;
        }

        if (isUserMissingFromRights(element.username)) {
            const profiles = getProfilesBasedFromUserGroups(element);
            if (profiles === null) {
                return;
            }

            const newUserRights = {
                username: element.username,
                profiles: profiles,
                forms: [],
                collections: []
            };

            collections.insert("root.collections.users-rights", newUserRights);
        }
    });
}

main()

Once this script has run, the users rights and profiles rights collections should be populated. Because the script checks for an existing entry before inserting, running it on a schedule does not create duplicate entries; a user whose lookup failed is left untouched and picked up on a later run.
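The following is an added example, not code from the OnSphere page or project: the reconciliation logic of users_retriever.js rewritten against an injected, in-memory stand-in for the users list and the two rights collections, so the idempotency and failure behaviour can be exercised offline. It also contrasts the page's spliced filter string with one built by JSON.stringify. The stand-in store only mirrors what the script relies on (getWithCustomFilter returning {success, content} with an empty object for "no match", insert returning {success, content: {documentId}}); the FakeStore class, the sample users, and the assumption that the real filter parser accepts JSON-quoted keys are all assumptions of this example. It goes slightly beyond the page by skipping a user whenever one of its group lookups fails, instead of inserting it with a partial profile list.

```javascript
// Naive filter as written on the page: the value is spliced into the text,
// so a quote in the value changes the structure of the query.
const naiveFilter = (field, value) => `{${field}: '${value}'}`;

// Hardened filter: JSON.stringify quotes and escapes the value, so the
// result is always exactly one field/value pair. Assumes (for this example)
// that the custom filter parser accepts JSON-quoted keys.
const safeFilter = (field, value) => JSON.stringify({ [field]: value });

// In-memory stand-in for the two rights collections (constructed for this
// example). Filters are parsed as JSON and matched on field equality.
class FakeStore {
  constructor() {
    this.docs = { "root.collections.users-rights": [], "root.collections.profiles-rights": [] };
    this.failOn = null;   // name of a collection whose lookups should fail
    this.nextId = 1;
  }
  getWithCustomFilter(collection, filter) {
    if (collection === this.failOn) return { success: false, content: null };
    const [field, value] = Object.entries(JSON.parse(filter))[0];
    const hit = this.docs[collection].find(d => d[field] === value);
    return { success: true, content: hit ? hit : {} };   // {} means no match
  }
  insert(collection, doc) {
    const _id = `id-${this.nextId++}`;
    this.docs[collection].push({ _id, ...doc });
    return { success: true, content: { documentId: _id } };
  }
}

// One reconciliation pass over the user list; returns how many users-rights
// entries were created. Safe to run repeatedly: existing users are skipped,
// and a user whose lookups failed is left for a later pass.
function syncUsersRights(keycloakUsers, store) {
  let created = 0;
  for (const user of keycloakUsers) {
    if (typeof user.username !== "string") continue;
    const lookup = store.getWithCustomFilter("root.collections.users-rights",
                                             safeFilter("username", user.username));
    const missing = lookup.success && lookup.content && Object.keys(lookup.content).length === 0;
    if (!missing) continue;                      // present, or lookup failed

    const profiles = [];
    let incomplete = false;
    for (const grp of user.groups || []) {
      const res = store.getWithCustomFilter("root.collections.profiles-rights",
                                            safeFilter("profile", grp));
      if (res.success && res.content && Object.keys(res.content).length === 0) {
        const ins = store.insert("root.collections.profiles-rights",
                                 { profile: grp, forms: [], collections: [] });
        if (!ins.success) { incomplete = true; break; }
        profiles.push(ins.content.documentId);
      } else if (res.success && res.content && res.content._id) {
        profiles.push(res.content._id);
      } else {
        incomplete = true; break;                // lookup failed: retry next pass
      }
    }
    if (incomplete) continue;

    store.insert("root.collections.users-rights",
                 { username: user.username, profiles, forms: [], collections: [] });
    created++;
  }
  return created;
}

// Constructed sample input standing in for users.list(); one username
// carries a quote to show why the filter must not be built by splicing.
const SAMPLE_USERS = [
  { username: "alice", groups: ["ops", "dev"] },
  { username: "bob", groups: ["dev"] },
  { username: "o'hara", groups: [] },
  { email: "no-username@example.test" },       // no username: skipped
];

// Two passes over the same input: the second one must create nothing.
function demo() {
  const store = new FakeStore();
  const first = syncUsersRights(SAMPLE_USERS, store);
  const second = syncUsersRights(SAMPLE_USERS, store);
  return { first, second,
           users: store.docs["root.collections.users-rights"].length,
           profiles: store.docs["root.collections.profiles-rights"].length };
}
```

Running demo() creates three users-rights entries and two profiles (ops and dev, with bob reusing the dev profile alice's pass created) on the first pass and nothing on the second. With the store told to fail profile lookups, only the user without groups is inserted; the others are left for a later pass rather than being created with an empty profile list.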