Accounting¶
Accounts¶
Luna-API supports a data separation by accounts. An account is needed to delimit the visibility areas of objects for a particular user. Each created account has its own unique “account_id”. All data created by this account is stored in the Accounts database under this identifier.
When creating the account, you need to specify the following data: login (email), password and account type. The account type determines what data is available to the user. There are three types of accounts:
user - user who can create objects and use only the data of his account.
advanced_user - user who has rights same to user and also has access to the data of all accounts. Access to other accounts data means being able to get data (GET requests), check for its existence (HEAD requests) and perform matching requests by data of other accounts.
admin - administrator who has rights same to advanced_user and also has access to the Admin service. Administrator account creation is impossible using Luna-API. To create administrator account use Luna-Admin service.
By default, there is the account in the system with the admin type and default login and password root@visionlabs.ai/root.
Restrictions on performed requests for all types of accounts are hard-coded in the system and cannot be changed. If you require restrictions other than the standard ones, you should create the “user” account and then create a token and configure the restrictions as required.
Tokens¶
The token is linked to the existing account and enables you to impose extended restrictions on performed requests. For example, when creating the token, you can give the user permission to only create and modify lists and faces, or you can prohibit the use of certain handlers by specifying their ID.
Note
See token coverage table for specific resources in the Token permissions section.
The token is created for a certain period of time (the token expiration time can be infinite).
Using the token, you can also control the visibility area of other accounts data using the “visibility_area” parameter (all - data of all accounts, account - data of this account only). For the user account type, you cannot set “visibility_area” = “all”.
Token permissions¶
The following table describes token permissions for Luna-API resources
route |
method |
token permissions |
---|---|---|
/6/accounts |
get |
account - view |
/6/account |
get |
account - view |
/6/tokens |
post |
token - creation |
get |
token - view |
|
/6/tokens/{token_id} |
put |
token - modification |
get |
token - view |
|
delete |
token - deletion |
|
/6/sdk |
post |
resources - sdk |
/6/iso |
post |
resources - iso |
/6/samples/faces |
post |
face_sample - creation |
/6/detector |
post |
face_sample - creation |
/6/samples/faces/{sample_id} |
get |
face_sample - view |
head |
face_sample - view |
|
delete |
face_sample - deletion |
|
/6/samples/bodies |
post |
body_sample - creation |
/6/samples/bodies/{sample_id} |
get |
body_sample - view |
head |
body_sample - view |
|
delete |
body_sample - deletion |
|
/5/samples/{sample_id} |
get |
face_sample - view |
head |
face_sample - view |
|
delete |
face_sample - deletion |
|
/6/samples/{sample_id} |
get |
face_sample - view |
head |
face_sample - view |
|
delete |
face_sample - deletion |
|
/6/extractor |
post |
attribute - creation |
/6/attributes |
post |
attribute - creation |
get |
attribute - view |
|
/6/attributes/{attribute_id} |
get |
attribute - view |
head |
attribute - view |
|
delete |
attribute - deletion |
|
/6/attributes/{attribute_id}/samples |
get |
attribute - view |
/6/faces |
post |
face - creation & list - modification *1 |
get |
face - view |
|
delete |
face - deletion |
|
/6/faces/count |
get |
face - view |
/6/faces/attributes/count |
get |
attribute - view |
/6/faces/{face_id} |
get |
face - view |
patch |
face - modification |
|
delete |
face - deletion |
|
head |
face - view |
|
/6/faces/{face_id}/attributes |
put |
face - modification |
get |
face - view |
|
delete |
face - deletion |
|
/6/faces/{face_id}/attributes/samples |
get |
face_sample - view |
/6/lists |
post |
list - creation *2 |
get |
list - view |
|
delete |
list - deletion *2 |
|
/6/lists/count |
get |
list - view |
/6/lists/{list_id} |
get |
list - view |
head |
list - view |
|
patch |
list - modification |
|
delete |
list - deletion |
|
/6/lists/{list_id}/faces |
patch |
list - modification |
/6/matcher/faces |
post |
face/event/attribute - matching *3 |
/6/matcher/bodies |
post |
event - matching *4 |
/6/handlers |
post |
handler - creation |
get |
handler - view |
|
/6/handlers/count |
get |
handler - view |
/6/handlers/{handler_id} |
get |
handler - view |
put |
handler - modification |
|
head |
handler - view |
|
delete |
handler - deletion |
|
/6/handlers/{handler_id}/events |
post |
event - emit_events *5 |
/6/handlers/{handler_id}/stream_events |
post |
event - emit_events *5 |
/6/handlers/{handler_id}/events/raw |
post |
event - creation |
/6/events/statistic |
post |
event - view |
/6/events |
get |
event - view |
/6/events/{event_id} |
get |
event - view |
head |
event - view |
|
/6/general/events/statistic |
post |
event - view |
/6/general/events |
get |
event - view |
/6/general/events/{event_id} |
get |
event - view |
head |
event - view |
|
/6/ws |
get |
event - view |
/6/general/ws |
get |
event - view |
/6/tasks/clustering |
post |
task - creation |
/6/tasks/reporter |
post |
task - creation |
/6/tasks/exporter |
post |
task - creation |
/6/tasks/linker |
post |
task - creation |
/6/tasks/gc |
post |
task - creation |
/6/tasks/cross_match |
post |
task - creation |
/6/tasks/roc |
post |
task - creation |
/6/tasks/estimator |
post |
task - creation |
/6/tasks |
get |
task - view |
/6/tasks/count |
get |
task - view |
/6/tasks/{task_id} |
get |
task - view |
patch |
task - modification |
|
delete |
task - deletion |
|
/6/tasks/{task_id}/result |
get |
task - view |
/6/tasks/{task_id}/subtasks |
get |
task - view |
/6/tasks/{task_id}/notification_policy |
get |
task - view |
put |
task - modification |
|
/6/tasks/{task_id}/errors |
get |
task - view |
/6/tasks/errors |
get |
task - view |
/6/tasks/errors/count |
get |
task - view |
/6/tasks/errors/{error_id} |
get |
task - view |
/6/tasks/schedules |
post |
task - creation |
get |
task - view |
|
/6/tasks/schedules/{schedule_id} |
get |
task - view |
put |
task - modification |
|
patch |
task - modification |
|
delete |
task - deletion |
|
/6/verifiers |
post |
verifier - creation |
get |
verifier - view |
|
/6/verifiers/count |
get |
verifier - view |
/6/verifiers/{verifier_id} |
get |
verifier - view |
put |
verifier - modification |
|
head |
verifier - view |
|
delete |
verifier - deletion |
|
/6/verifiers/{verifier_id}/raw |
post |
verifier - verify *6 |
/6/verifiers/{verifier_id}/verifications |
post |
verifier - verify *6 |
/6/liveness |
post |
resources - liveness |
/6/images |
post |
image - creation |
/6/images/{image_id} |
get |
image - view |
head |
image - view |
|
delete |
image - deletion |
|
/6/objects |
post |
object - creation |
/6/objects/{object_id} |
get |
object - view |
head |
object - view |
|
delete |
object - deletion |
|
/6/lambdas |
post |
lambdas - creation |
get |
lambdas - view |
|
/6/lambdas/{lambda_id} |
put |
lambdas - modification |
get |
lambdas - view |
|
patch |
lambdas - modification |
|
head |
lambdas - view |
|
delete |
lambdas - deletion |
|
/6/lambdas/{lambda_id}/update |
post |
lambdas - creation |
/6/lambdas/{lambda_id}/status |
get |
lambdas - view |
/6/lambdas/{lambda_id}/logs |
get |
lambdas - view |
/6/lambdas/{lambda_id}/image/status |
get |
lambdas - view |
/6/lambdas/{lambda_id}/image/logs |
get |
lambdas - view |
/6/lambdas/{lambda_id}/proxy |
post |
lambdas - view |
/6/streams |
post |
video_stream - creation |
get |
video_stream - view |
|
delete |
video_stream - deletion |
|
/6/streams/count |
get |
video_stream - view |
/6/streams/{stream_id} |
put |
video_stream - modification |
get |
video_stream - view |
|
patch |
video_stream - modification |
|
head |
video_stream - view |
|
delete |
video_stream - deletion |
|
/6/streams/{stream_id}/ws |
get |
video_stream - view |
/6/groups |
post |
video_group - creation |
get |
video_group - view |
|
/6/groups/count |
get |
video_group - view |
/6/groups/{group_id} |
get |
video_group - view |
patch |
video_group - modification |
|
delete |
video_group - deletion |
|
/6/groups/count |
get |
video_group - view |
/6/linker |
patch |
video_group - modification |
/6/analytics |
get |
video_analytic - view |
/6/analytics/{analytic_id} |
get |
video_analytic - view |
/6/analytics/{analytic_id}/docs |
get |
video_analytic - view |
*1 - face creation request requires list modification permission if one or more lists specified in request body
*2 - list/lists deletion requests requires face deletion permissions if with_faces parameter specified
*3 - face matching request requires face/event/attribute matching permissions if face/event/attribute candidates/references specified in request body
*4 - body matching request requires event matching permissions if event candidates/references specified in request body
- *5 - The “emit_events” permission enables you to specify whether requests can be made to
the generate events resource, as well as blacklisting or whitelisting handler IDs. If handler IDs are blacklisted, then only their use will be prohibited. If handler IDs are present in the white list, then only their use will be allowed. When using the “emit_events” permission, the user must not have the “creation” and “modification” rights to use the handler.
- *6 - The “verify” permission enables you to specify whether requests can be made to
raw verification and perform verification resources, as well as blacklisting or whitelisting verifier IDs. If verifier IDs are blacklisted, then only their use will be prohibited. If verifier IDs are present in the white list, then only their use will be allowed.
Authorization modules¶
Module .. attribute:: LunaAccountIdWhiteLists
storage with white lists for authorization with Luna-Account-Id header
- luna_api.app.auth.white_resources_list.WhiteLists[source]¶
storage with white lists for authorization with basic/bearer authorization header
- class luna_api.app.auth.white_resources_list.AuthIgnoreList[source]¶
White lists for ui authorization
- class luna_api.app.auth.white_resources_list.LunaAccountIdWhiteLists[source]¶
White lists for authorization with Luna-Account-Id header .. warning:: Authorization with Luna-Account-Id header is deprecated
- class luna_api.app.auth.white_resources_list.WhiteLists[source]¶
White lists for authorization with basic/bearer authorization header
Authorization middleware
- async luna_api.app.auth.auth_middleware.authMiddleware(request)[source]¶
Authorization middleware, check a request account id
- Parameters:
request – request
- luna_api.app.auth.auth_middleware.checkCredentialsRights(verificationRequestKwargs, requestCredentials, request)[source]¶
Verify request credentials rights :param verificationRequestKwargs: verification request kwargs (authorization data from headers) :param requestCredentials: credentials for request :param request: api request
- Raises:
VLException(Error.AccountTokenPermissionError, 403, False) if specified token supposed access to any data, but – account type is user (does not imply access to other accoounts data)
VLException(Error.AccountQueryPermissionError, 403, False) if account type is user but specified query – parameter account_id (imply as data filter in other luna-* services) does not match the account id from authorization/Luna-Account-Id header
- luna_api.app.auth.auth_middleware.checkVerificationKwargs(request, verificationRequestKwargs)[source]¶
- Return type:
None
Check verification kwargs according due to request path, method and system configuration :param request: api request :param verificationRequestKwargs: verification kwargs
- Raises:
VLException(Error.BadHeaderAuth, 401, False) if no verification kwargs specified, service allows to use – Luna-Account-Id header and request required credentials
VLException(Error.BadHeaderAuth, 401, False) if no verification kwargs specified, service not allows use – Luna-Account-Id header and request required credentialst
VLException(Error.PermissionByTokenDenied, 403, False) if token kwargs specified, but request path and/or – method not allows access using token
VLException(Error.AccountIdAuthDisabled, 403, False) if Luna-Account-Id header if specified, but service – not allows use Luna-Account-Id header
- luna_api.app.auth.auth_middleware.getAuthenticationHeader(sendBasicAuthInfo=True, setCookieHeader=False)[source]¶
- Return type:
dict
[str
,str
]
Get authentication header for 401 response :param sendBasicAuthInfo: whether to send basic auth info, otherwise bearer :param setCookieHeader: cookie header flag
- Returns:
dict with headers
- async luna_api.app.auth.auth_middleware.getRequestCredentials(verificationKwargs, request, ignoreAuthError=False)[source]¶
- Return type:
RequestCredentials
Verify and get request credentials :param verificationKwargs: keyword arguments for credentials verification request :param request: api request :param ignoreAuthError: whether to ignore authorization credentials verification error
- Returns:
verified request credentials
- Raises:
VLException(Error.CorruptedToken, 400, False) if failed to decode jwt token –
- luna_api.app.auth.auth_middleware.getVerificationRequestKwargs(request)[source]¶
- Return type:
VerificationRequestKwargs
Get kwargs for credentials verification from request :param request: api request
- Returns:
kwargs for credentials verification
- Raises:
VLException(Error.BadAccountId, 400, isCriticalError=False) if specified Luna-Account-Id header content – does not match expected
VLException(Error.AccountIdAuthDisabled, 403, False) if Luna-Account-Id specified, but disabled by config –
- luna_api.app.auth.auth_middleware.ignoreAuthError(request)[source]¶
Ignore auth error
- Return type:
bool
- Parameters:
request – request
- Returns:
ignoreAuthError flag
- luna_api.app.auth.auth_middleware.logWhoIsRequestBelong(logger, verificationKwargs)[source]¶
- Return type:
None
Log auth info who is request belong :param logger: logger :param verificationKwargs: verification kwargs
- luna_api.app.auth.auth_middleware.morphRequest(request, requestCredentials, verificationRequestKwargs)[source]¶
- Return type:
None
Morph request query/json/headers according to request method and request credentials :param request: api request :param requestCredentials: verified request credentials :param verificationRequestKwargs: verification request kwargs
- async luna_api.app.auth.auth_middleware.verifyCredentials(accountsClient, verificationKwargs)[source]¶
- Return type:
dict
Verify credentials :param accountsClient: account client :param verificationKwargs: authorization credentials
- Returns:
dictionary with account-type and permissions (for token validation only)