All CRUD operations need an authenticated user in order to be executed. Some
ls operations will not require a authenticated user, but might return a subset of available resources compared to that of a logged in user.
The user is loaded from the environment where
okdata is executed.
The CLI comes out of Oslo municipality, and any employee in Oslo will be able to use the CLI out of the box. The
OKDATA_USERNAME maps to your Oslo user.
# Your Oslo user export OKDATA_USERNAME=my-user # Password for OKDATA_USERNAME export OKDATA_PASSWORD=my-password
For machine to machine communication and datasets related to large projects an Okdata client can be generated for you. Please contact us at firstname.lastname@example.org for setup.
# Okdata client export OKDATA_CLIENT_ID=my-machine-client # Secret for OKDATA_CLIENT_ID export OKDATA_CLIENT_SECRET=some-generated-secure-string
Note: a client user should not be used as a shared user for convenience’s sake!
Order of loading user¶
The strategy of determining which user to choose is based on the following order:
OKDATA_CLIENT_ID are in your
OKDATA_USERNAME will be loaded and used for authentication.
If you have exported
OKDATA_USERNAME, and then later
env you will still use
OKDATA_USERNAME for authentication (and you think that you are using
OKDATA_CLIENT_ID), please check this before reporting on any authentication problems.
-d at the end of your command and see the authentication strategy that has been chosen in the output.
The following output is shown when no user is found in
INFO:root:Could not resolve value for OKDATA_CLIENT_ID INFO:root:Could not resolve value for OKDATA_CLIENT_SECRET INFO:root:Could not resolve value for OKDATA_USERNAME INFO:root:Could not resolve value for OKDATA_PASSWORD INFO:root:Initializing auth object INFO:root:No valid auth strategies available
OKDATA_USERNAME is used:
INFO:root:Initializing auth object INFO:root:Found credentials for TokenServiceProvider
OKDATA_CLIENT_ID is used:
INFO:root:Initializing auth object INFO:root:Found credentials for ClientCredentialsProvider
Okdata is currently only supporting the two authentication mechanisms as described above, but we will support other authentication strategies like token-based authentication for the CLI in the future. Follow this document for changes.
We are also planning for a configuration-file (in
~/.okdata/credentials) based authentication strategy with the possibility to choose between users and pass this as a parameter to the program:
okdata datasets ls --profile=my-dev-profile or
export okdata_default_profile=my-dev-profile && okdata datasets ls.
okdata can be run in either
prod, depending on where you have your user and what you are doing.
When determining in which environment to run a command, the application loads the environment in the following order, and chooses the first it encounters:
--env=prod|devoption for every command
OKDATA_ENVIRONMENTfrom the current environment