{"id":19578565,"url":"https://github.com/materialsproject/mongogrant","last_synced_at":"2025-09-10T14:34:31.579Z","repository":{"id":49228968,"uuid":"131356160","full_name":"materialsproject/mongogrant","owner":"materialsproject","description":"grant username and password credentials for roles on mongo databases via email verification","archived":false,"fork":false,"pushed_at":"2023-05-22T22:28:18.000Z","size":71,"stargazers_count":7,"open_issues_count":4,"forks_count":3,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-06-21T17:07:27.544Z","etag":null,"topics":["authentication","authorization","database-management","mongodb","pymongo","python"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/materialsproject.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-04-28T00:21:43.000Z","updated_at":"2023-06-15T23:22:14.000Z","dependencies_parsed_at":"2024-06-21T15:45:36.269Z","dependency_job_id":"23821d0b-a56d-4064-8a82-c760083e4243","html_url":"https://github.com/materialsproject/mongogrant","commit_stats":{"total_commits":54,"total_committers":7,"mean_commits":7.714285714285714,"dds":"0.18518518518518523","last_synced_commit":"711c2f7d70821ffc5b063fc32de00caf23847485"},"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/materialsproject%2Fmongogrant","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/materialsproject%2Fmongogrant
/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/materialsproject%2Fmongogrant/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/materialsproject%2Fmongogrant/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/materialsproject","download_url":"https://codeload.github.com/materialsproject/mongogrant/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224062742,"owners_count":17249291,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authorization","database-management","mongodb","pymongo","python"],"created_at":"2024-11-11T07:12:00.511Z","updated_at":"2024-11-11T07:12:01.523Z","avatar_url":"https://github.com/materialsproject.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Quickstart for users\n\nSo, your friendly neighborhood mongogranter says you now have access to a\ndatabase through your email address. What now? First, install mongogrant:\n```bash\npip install mongogrant\n```\nNext, request a token link to be sent to your email:\n```\nmgrant init mcurie@espci.fr \\\n  --endpoint https://grantmedb.materialsproject.org\n```\nClick the link in your email to prove you're you, copy the fetch token from the\nloaded page, and then run:\n```\nmgrant settoken wh054900d70k3ny35y0u423\n```\nFinally, get credentials for your database. 
Here, Marie is asking mongogrant to\nprint out db.json and my_launchpad.yaml starter files for\n[FireWorks](https://materialsproject.github.io/fireworks/) and\n[atomate](https://atomate.org/):\n```\nmgrant db mongodb03.nersc.gov fw_mc_polonium \\\n  --role readWrite \\\n  --atomate-starters\n```\n## About mongogrant\n\nMongogrant is a utility to grant username and password\ncredentials for read and readWrite roles on various databases\non various hosts to owners of email addresses.\n\nA server administrator has fine-grained control via\nallow/deny rules for granting tokens and credentials.\nPeople request an email that contains a one-time link. That\nlink gives a user a fetch token. All tokens expire and\nexpiration time is customizable. People then use the\nmongogrant client to make requests like\n\n```python\nfrom mongogrant.client import Client\n\n# config file on disk has tokens and host/db aliases\n# `Client()` with no args looks to\n# ~/.mongogrant.json for config\nclient = Client()\n\n# No config yet? 
Set one up with at least one remote for fetching credentials\n# See below for how to obtain \u003cFETCH_TOKEN\u003e for a given \u003cENDPOINT\u003e.\nclient.set_remote(\"https://grantmedb.materialsproject.org\", \"\u003cFETCH_TOKEN\u003e\")\n\n# Set some aliases if you'd like:\nclient.set_alias(\"dev\", \"mongodb03.nersc.gov\", \"host\")\nclient.set_alias(\"prod\", \"mongodb04.nersc.gov\", \"host\")\nclient.set_alias(\"fireworks\", \"fw_dw_phonons\", \"db\")\n\n# pymongo.database.Database with read role\nsource_db = client.db(\"ro:dev/fireworks\")\n# readWrite role: config stores \"prod\" host alias and \"fireworks\" db alias\ntarget_db = client.db(\"rw:prod/fireworks\")\n\n# ...Do database stuff!\n```\n\nOne can also go entirely through a running app's API:\n\n```bash\n\u003e # Using the HTTPie command line HTTP client (https://httpie.org/)\n\u003e # Install via `{brew,apt-get,pip,...} install httpie`\n\u003e http GET https://grantmedb.materialsproject.org/gettoken/\u003cYOUR_EMAIL\u003e\nHTTP/1.1 200 OK\nConnection: keep-alive\nContent-Length: 59\nContent-Type: application/json\nDate: Thu, 17 May 2018 18:05:30 GMT\nServer: nginx/1.10.3\n\n{\n    \"msg\": \"Sent link to \u003cYOUR_EMAIL\u003e to retrieve token.\"\n}\n\n\u003e http GET https://grantmedb.materialsproject.org/verifytoken/\u003cVERIFY_TOKEN\u003e\nHTTP/1.1 200 OK\nConnection: keep-alive\nContent-Encoding: gzip\nContent-Type: text/html; charset=utf-8\nDate: Thu, 17 May 2018 18:06:17 GMT\nServer: nginx/1.10.3\nTransfer-Encoding: chunked\n\nFetch token: \u003cFETCH_TOKEN\u003e (expires 2018-06-19 18:05:30.508000 UTC)\n\n\u003e # end-of-line \"\\\" below only necessary if command spans two lines.\n\u003e http --form POST https://grantmedb.materialsproject.org/grant/\u003cFETCH_TOKEN\u003e \\\n\u003e   role=readWrite host=mongodb03.nersc.gov db=dw_phonons\nHTTP/1.1 200 OK\nConnection: keep-alive\nContent-Length: 108\nContent-Type: application/json\nDate: Thu, 17 May 2018 18:11:22 GMT\nServer: 
nginx/1.10.3\n\n{\n    \"password\": \"\u003cPASSWORD\u003e\",\n    \"username\": \"dwinston_lbl.gov_readWrite\"\n}\n\n\u003e\n```\n\nYou can run a \"server\" on your laptop in a Jupyter notebook\nand manage allow/deny rules, grant / revoke grants of\ncredentials, etc. A small Flask app\nis included as an example for deploying a server to which\nclients can connect to obtain tokens and credentials. \n\n## Set up a server\n\n```python\nfrom mongogrant.config import Config\nfrom mongogrant.server import Server, check, path, seed, Mailgun\n\nserver = Server(Config(check=check, path=path, seed=seed()))\nserver.set_mgdb(\"mongodb://mgserver:mgserverpass@my.host.com/mongogrant\")\nserver.set_mailer(Mailgun, dict(\n    api_key=\"YOUR_KEY\",\n    base_url=\"https://api.mailgun.net/v3/YOUR_DOMAIN\",\n    from_addr=\"mongogrant@YOUR_DOMAIN\"))\nserver.set_admin_client(\n    host=\"other1.host.com\",\n    username=\"mongoadmin\",\n    password=\"mongoadminpass\")\nserver.set_admin_client(\n    host=\"other2.host.com\",\n    username=\"mongoadmin\",\n    password=\"mongoadminpass\")\n```\n\n### Appointing others to set allow/deny rules\n\nA mongogrant server admin can add \"ruler\" users who can set allow/deny rules for users via the `mgrant` CLI. An admin sets a ruler document in the `server.mgdb` collection, e.g.\n```python\nserver.mgdb.rulers.replace_one(\n    {\"email\": \"starlord@lbl.gov\"},\n    {\n        \"email\": \"starlord@lbl.gov\",\n        \"hosts\": [\"mongodb03.nersc.gov\"],\n        \"dbs\": [\"mp_\", \"fw_\"],\n        \"emails\": [\"@lbl.gov\"],\n        \"which\": [\"allow\"]\n    },\n    upsert=True)\n```\nThis allows user `starlord@lbl.gov` to set `allow` rules for any user with an \"@lbl.gov\" email address on the Mongo host \"mongodb03.nersc.gov\" for any database name prefixed with \"mp_\" or \"fw_\". 
Any field in a ruler document can be set to \"all\" rather than an array.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmaterialsproject%2Fmongogrant","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmaterialsproject%2Fmongogrant","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmaterialsproject%2Fmongogrant/lists"}