Embedding Authenticated Arcadia Data Visuals into Your Application

Published on December 5, 2017

Introduction
Anatomy of a Trusted Authentication Request
Server Setup
Walking through an Example Implementation

  1. Add the new server configuration
  2. Set up three new user accounts: two standard users and a ticket granter user
  3. Create a new data segment and assign it to users
  4. Create a Django application
  5. Putting it all together

Introduction

Arcadia Data provides many ready-to-use and compelling ways to present data. Many customers not only want to use these visuals internally, but also want to offer them to their own customers through custom applications. The basic link-embedding feature works fine for cases where the app is public, or the user identity does not matter. However, if the app requires authenticated access to secure data or the information is user-specific, we will need to pass the accessing user’s credential to the embedded app.

In this tutorial, we will cover how to configure the server for trusted authentication with an example app. We’ll show you how to embed and configure the application so that different users can see either data for a single region or worldwide, depending on their role. You’ll also learn that when this app is embedded in a separate application server, it will need to map the application’s user to an Arcadia Data user, and then retrieve the user’s identity before requesting access to the information. If this sounds a bit complicated, don’t worry! We will break each step down in detail.

Anatomy of a Trusted Authentication Request

A trusted authentication request involves three different components:

  1. User browser – where the end user sees the application and where the Arcadia Data visualizations are embedded.
  2. Application server – where the application runs.
  3. Arcadia Enterprise Visualization Server – where dashboards/visuals are generated.

The request is initiated from the user’s browser and sent to the application server. The application server authenticates against the Arcadia Enterprise Visualization Server and retrieves a ticket that the browser can use to request a visual. Lastly, the browser uses this ticket to make a request to the visualization server.

Figure 1. Flow for a trusted authentication request

Here are the details for each step as outlined in Figure 1:

  1. The user requests a web page from the app server that includes an embedded Arcadia Enterprise visualization within an iframe.
  2. The app server requests a ticket via a POST request to the visualization server (refer to Ticket Requesting URL example below). This POST contains the username of the Arcadia Enterprise user that will be used for authenticating the iframe. The ticket request can be authenticated via two methods:
    1. Ticket-granting user. The ticket request includes the Arcadia Enterprise username and password for the trusted ticket granter. As a best practice, the ticket-granting user account should not be an admin or superuser account.
    2. Trusted IP. The app server is included as part of a list of trusted IPs. In this case, the POST request would only include the Arcadia Enterprise username, as the ticket-granting user is not required.

By default, the ticket can only be used once, but for debugging, the server can be configured to use a ticket multiple times. The ticket will only be valid for a configurable period.

  1. The visualization server validates the ticket request. If the request is valid and authorized, the visualization server creates a ticket and returns it as a response to the POST request. If there is an error, the return value will be -1.
  2. The app server uses the ticket to generate a unique URL containing the ticket for the embedded visualization. It uses that URL for the visual’s iframe code in the HTML that it returns to the client (refer to the Embedding URL example below).
  3. The end user browser uses the iframe URL given in step 4 to request the visual from the visualization server.
  4. The visualization server authenticates the iframe request based on the ticket which is part of the request URL. If it is a valid ticket, it automatically logs in the username specified in the POST in step 2. The visual is then sent to the client. The login session will expire at the end of the browser session.

Server Setup

To enable trusted authentication on the Arcadia Enterprise Visualization Server, we will need to add additional settings in the configuration file, settings_local.py. If you are using a cluster setup, this configuration file will need to be for the primary instance.

  1. Add the following to enable the trusted authentication module:

INSTALLED_APPS = INSTALLED_APPS + (‘trustedauth’,)

AUTHENTICATION_BACKENDS = (
‘django.contrib.auth.backends.ModelBackend’,
‘trustedauth.backends.TrustedAuthBackend’
)

  1. Add a TRUSTED_AUTH section with the following configuration parameters:
  • trusted_ips (IP list). A list of trusted IPs from which ticket requests are allowed. Typically, this is the application server on which your web application resides.
  • trusted_users (usernames list). A list of trusted ticket-granting usernames. For security reasons, this should not include any admin accounts.
  • timeout (numeric). The number of seconds for which a ticket will remain valid.
  • single_use (boolean). Specifies whether the ticket is allowed to be used once or multiple times.
  • session_expiry (numeric). The number of seconds to limit the user session, or 0 to expire the session when the browser is closed. Note that once the user is authenticated, the user is essentially logged into Arcadia Enterprise and can request other URLs in the system that he/she has access to.
  • allow_superuser (boolean). Allow an admin user to be authenticated with a ticket. Set the value to False to disable.

Here is a sample configuration section:

TRUSTED_AUTH = {
‘trusted_ips’ : [‘127.0.0.1’],
‘trusted_users’ : [‘tadmin’],
‘timeout’ : 120,
‘single_use’ : True,
‘ session_expiry’ : 0,
‘allow_superuser’ : False
}

Once you finish the configuration, you can test it using the cURL command-line utility. In the examples below, replace 127.0.0.1:8000 with the IP address and port number of the visualization server, and use your environment’s username and password where specified.

To get a ticket using the IP-based method:

curl –data “username=tguser” http://127.0.0.1:8000/arc/trustedauth/getticket

To get a ticket using the ticket granter method:

curl –data “username=arcuser&trustedusername=ticket_granter&trustedpassword=password” \

Sample: http://127.0.0.1:8000/arc/trustedauth/getticket

If the command is successful, you should get the ticket such as “cYvxerRSHSWOOWNCOeve1vA” from the server.

Now that you have a ticket, you can embed it as part of the requesting URL to retrieve the app. If you use an iframe to display the app, you can set the URL to a pattern similar to the following:

Sample: http://127.0.0.1:8000/arc/trustedauth/trusted/cYvxerRSHSWOOWNCOeve1vA/app/123

That’s it! In the next section, let’s look at an example implementation to put it all together.

Walking through an Example Implementation

For this example, we are going to use the ticket granter method to get a ticket from the visualization server. You can follow along in your own environment. We will add another Django application to display the World Life Expectancy dashboard. In a more typical installation as we outlined in Figure 1, the visualization and the Django web application would be on two separate hosts.

Let’s go through an implementation from start to finish. Follow these steps:

  1. Add the new server configuration.
  2. Set up three users: two standard users and a ticket granter user.
  3. Create a new segment in Arcadia Enterprise to restrict the view of one of the standard users to the World Life Expectancy dashboard.
  4. Create a Django application that allows the two users to log in and see the World Life Expectancy dashboard.

Now let’s get started!

1. Add the new server configuration.

Find the settings_local.py file on the visualization server and add the following to the file:

INSTALLED_APPS = INSTALLED_APPS + (‘trustedauth’,)

AUTHENTICATION_BACKENDS = (
‘django.contrib.auth.backends.ModelBackend’,
‘trustedauth.backends.TrustedAuthBackend’,
)

TRUSTED_AUTH = {
‘trusted_ips’ : [‘127.0.0.1’],
‘trusted_users’ : [‘arc_embed_ticket_granter’],
‘timeout’ : 120,
‘single_use’ : True,
‘session_expiry’ : 0,
‘allow_superuser’ : True
}

 

2. Set up three new user accounts: two standard users and a ticket granter user.

Log into Arcadia Enterprise and create the following three users:

  • arc_embed
  • arc_embed2
  • arc_embed_ticket_granter

The first two users are normal users for which we will assign data segments. The last user is the user that we will use for granting tickets. Make a note of the password assigned, as we will use that later.

3. Create a new data segment and assign it to users.

Next, we create a new data segment in our World Life Expectancy data via the following steps:

  1. Click on the DATA menu item and then select the samples connection in the left panel.
  2. Click on the World Life Expectancy dataset and then click on Segments in the left side menu.
  3. Click on NEW SEGMENT and input the following:
    1. Segment Name: gdp-africa-segment
    2. Segment Group: gdp-africa
    3. Filters: [un_region] in (‘Africa’)

Click on SAVE when completed.

  1. Go to Users & Groups in the settings menu item in the upper right corner of your screen and edit the user profile for arc_embed2 by clicking on the pencil icon to the right.
  2. In the Group Membership, select gdp-africa and click on ADD.
  3. Click on SAVE to save the new group setting.
Figure 2. Segment created for viewing Africa-only dataset

Now we have restricted the user arc_embed2 to only see the Africa subset of the data.

4. Create a Django application.

For this tutorial, we will assume a general knowledge of the Django web framework and will add only a basic module handling homepage visits via a simple View and Template. This is to simulate the application server.

The flow of the application is as follows:

  1. Using the Django admin, we create two users with the same usernames that we had prepared on the Arcadia Enterprise side (passwords could be different if needed):
    1. arc_embed
    2. arc_embed2
  2. The user goes to the root URL (homepage) and gets routed to the custom view function that determines if the user has been logged in or not.  See Figure 3 on how simple the page is.
code for index.html
Figure 3. Code for index.html


If the user is not logged in, the index function in view.py (Figure 4) will show the index page template and ask the user to log in first without displaying the Arcadia Enterprise dashboard.Figure 3. Code for index.html

    1. If the user clicks on the login link, the user is redirected to a default Django login screen to sign in via the “arc_embed” or “arc_embed2” account.
    2. After successfully logging in, the user is redirected back to the homepage and the next set of checks will apply.
  1. After the user is logged in, the index function will send a POST request to the visualization server API asking for a trusted auth, using the trusted username and password as “granter” and passing the current session username as the target user.
  2. The Arcadia trusted authentication API would match the “granter” username and password with its settings. If all information is correct, it creates a new authentication token for the provided username.
  3. Our index function will pass the token returned from POST to the Django template-rendering homepage.
  4. The index.html template will check for the presence of the token in the rendering context. If the token is available, it renders the iframe with our Arcadia dashboard using a special URL path for trusted app forwarding: <arcadia_server>/arc/trustedauth/trusted/<auth_token>/app/<app_id>?embed=true

    Note that the “embed=true” at the end of the URL will hide the standard menu bar in Arcadia Data applications, allowing a cleaner interface for your embedded application.
  5. The visualization server creates a session for the user matching the current Django session username and renders the dashboard visualizations accordingly.
View.py's code for retrieving the ticket from the Arcadia Server
Figure 4. View.py’s code for retrieving the ticket from the Arcadia Server
  1. After logging out from the Django app, the user will not see the dashboard iframe anymore, but he/she could log in with a different account to try the segmentation access feature.
Figure 5. Sample application flow for the Django example

The complete source is available here.

5. Putting it all together.

You can try out the app deployed at: http://demo.arcadiadata.com:8081/

The password is “Ex1mple0” for both arc_embed and arc_embed2 users. Try logging in as both users and you can see the difference in the data, even though both are using the same dashboard.


Arcadia Instant, Release 4.2.1
Copyright © 2018, Arcadia Data Inc. All rights reserved.
Category: How To