
Trying out the open-source MBaaS "Apache Usergrid" (1): from installation to login


As with BaasBox, I tried the steps needed to start up Apache Usergrid, an open-source mBaaS, and log in.
Since this one uses a GUI launcher, it seems better to try it in an ordinary VM rather than in a quick CLI-only Vagrant environment.

Download & start

Proceed as described at http://usergrid.incubator.apache.org/docs/getting-up-and-running-locally/.

The prerequisites say JDK 1.7 and Maven are required; I had already installed the JDK for another project, so I skipped that.
Since this is Ubuntu, I installed Maven like this for now.

$ sudo apt-get install maven
$ mvn -v
Apache Maven 3.0.4
Maven home: /usr/share/maven
Java version: 1.7.0_51, vendor: Oracle Corporation
Java home: /usr/lib/jvm/java-7-oracle/jre
Default locale: ja_JP, platform encoding: UTF-8
OS name: "linux", version: "3.11.0-12-generic", arch: "i386", family: "unix"

Next, download usergrid and get it running.

# Fetch the latest code
$ wget https://github.com/usergrid/usergrid/archive/master.zip
$ unzip master.zip

# Build
$ cd usergrid-master/stack
$ mvn clean install -DskipTests=true
# This takes quite a while...

# Start
$ cd launcher
$ java -jar target/usergrid-launcher-*.jar

A GUI launcher came up; pressing what looks like a play button starts the REST API at http://localhost:8080.
If you want to run it as a webapp, the docs say to deploy ROOT.war to Tomcat, but I skipped that and simply followed the instructions as written.

Creating an Organization and an Admin user

Create an Organization and an Admin via the API.
Applications are created under the Organization.

$ curl -X POST  \
-d 'organization=testorg&username=admin&name=Admin&email=admin@example.com&password=admin' \
http://localhost:8080/management/organizations
{
  "action" : "new organization",
  "status" : "ok",
  "data" : {
    "owner" : {
      "applicationId" : "00000000-0000-0000-0000-000000000001",
      "username" : "admin",
      "name" : "Admin",
      "email" : "admin@example.com",
      "activated" : true,
      "confirmed" : true,
      "disabled" : false,
      "properties" : { },
      "adminUser" : true,
      "displayEmailAddress" : "Admin <admin@example.com>",
      "htmldisplayEmailAddress" : "Admin &lt;<a href=\"mailto:admin@example.com\">admin@example.com</a>&gt;",
      "uuid" : "fa944bda-86a7-11e3-b5f4-af1ee48f50ce"
    },
    "organization" : {
      "name" : "testorg",
      "properties" : null,
      "uuid" : "fb88e500-86a7-11e3-b60e-6965ad32d83e",
      "passwordHistorySize" : 0
    }
  },
  "timestamp" : 1390754177185,
  "duration" : 3221
}

Creating an Application and a user

First, log in as admin. This uses the OAuth 2.0 Resource Owner Password Credentials grant.
The documented example puts the password in the query string, which I think is insane. It also works if you put it in the request body.

# Log in as admin
$ curl 'http://localhost:8080/management/token' -d 'grant_type=password&username=admin&password=admin'
{"passwordChanged":1390754177668,"access_token":"YWMtjauhmIaoEeOA86PtyEYB2gAAAUPzeOkHDrLU8wKxfWtPftRQSGea_LuEMDs","expires_in":604800,"user":{"organizations":{"testorg":{"users":{"admin":{"applicationId":"00000000-0000-0000-0000-000000000001","username":"admin","name":"Admin","email":"admin@example.com","activated":true,"confirmed":true,"disabled":false,"properties":{},"adminUser":true,"displayEmailAddress":"Admin <admin@example.com>","htmldisplayEmailAddress":"Admin &lt;<a href=\"mailto:admin@example.com\">admin@example.com</a>&gt;","uuid":"fa944bda-86a7-11e3-b5f4-af1ee48f50ce"}},"name":"testorg","applications":{"testorg/sandbox":"fc15bbb0-86a7-11e3-800c-cd0d1c5cbaaf"},"properties":{},"uuid":"fb88e500-86a7-11e3-b60e-6965ad32d83e"}},"applicationId":"00000000-0000-0000-0000-000000000001","properties":{},"htmldisplayEmailAddress":"Admin &lt;<a href=\"mailto:admin@example.com\">admin@example.com</a>&gt;","username":"admin","confirmed":true,"email":"admin@example.com","adminUser":true,"name":"Admin","activated":true,"uuid":"fa944bda-86a7-11e3-b5f4-af1ee48f50ce","displayEmailAddress":"Admin <admin@example.com>","disabled":false}}

Using the access token, first create an Application.

$ curl -H "Authorization: Bearer YWMtjauhmIaoEeOA86PtyEYB2gAAAUPzeOkHDrLU8wKxfWtPftRQSGea_LuEMDs" \
-H "Content-Type: application/json" \
-X POST -d '{ "name":"myapp" }' \
http://localhost:8080/management/orgs/testorg/apps
{
  "action" : "new application for organization",
  "uri" : "http://localhost:8080/null/null",
  "entities" : [ {
    "uuid" : "776e28f0-86a9-11e3-ab5c-bd3289ab11e6",
    "type" : "application",
    "name" : "testorg/myapp",
    "created" : 1390754816300,
    "modified" : 1390754816300,
    "accesstokenttl" : null,
    "applicationName" : "myapp",
    "organizationName" : "testorg",
    "metadata" : {
      "collections" : {
        "assets" : {
          "title" : "Assets",
          "count" : 0,
          "name" : "assets",
          "type" : "asset"
        },
        "users" : {
          "title" : "Users",
          "count" : 0,
          "name" : "users",
          "type" : "user"
        },
        "events" : {
          "title" : "Events",
          "count" : 0,
          "name" : "events",
          "type" : "event"
        },
        "roles" : {
          "title" : "Roles",
          "count" : 3,
          "name" : "roles",
          "type" : "role"
        },
        "folders" : {
          "title" : "Folders",
          "count" : 0,
          "name" : "folders",
          "type" : "folder"
        },
        "activities" : {
          "title" : "Activities",
          "count" : 0,
          "name" : "activities",
          "type" : "activity"
        },
        "devices" : {
          "title" : "Devices",
          "count" : 0,
          "name" : "devices",
          "type" : "device"
        },
        "groups" : {
          "title" : "Groups",
          "count" : 0,
          "name" : "groups",
          "type" : "group"
        }
      }
    }
  } ],
  "data" : {
    "testorg/myapp" : "776e28f0-86a9-11e3-ab5c-bd3289ab11e6"
  },
  "timestamp" : 1390754816241,
  "duration" : 1386
}

Looks like it was created. Now create a user for the Application.

$ curl -H "Authorization: Bearer YWMtjauhmIaoEeOA86PtyEYB2gAAAUPzeOkHDrLU8wKxfWtPftRQSGea_LuEMDs" \
-X POST "http://localhost:8080/testorg/myapp/users" \
-d '{ "username":"myuser", "password":"mypassword", "email":"user@example.com" }'
{
  "action" : "post",
  "application" : "776e28f0-86a9-11e3-ab5c-bd3289ab11e6",
  "params" : { },
  "path" : "/users",
  "uri" : "http://localhost:8080/testorg/myapp/users",
  "entities" : [ {
    "uuid" : "268aa6ba-86aa-11e3-92f4-d1ddaabbd7a3",
    "type" : "user",
    "created" : 1390755110043,
    "modified" : 1390755110043,
    "username" : "myuser",
    "email" : "user@example.com",
    "activated" : true,
    "picture" : "http://www.gravatar.com/avatar/b58996c504c5638798eb6b511e6f49af",
    "metadata" : {
      "path" : "/users/268aa6ba-86aa-11e3-92f4-d1ddaabbd7a3",
      "sets" : {
        "rolenames" : "/users/268aa6ba-86aa-11e3-92f4-d1ddaabbd7a3/roles",
        "permissions" : "/users/268aa6ba-86aa-11e3-92f4-d1ddaabbd7a3/permissions"
      },
      "collections" : {
        "activities" : "/users/268aa6ba-86aa-11e3-92f4-d1ddaabbd7a3/activities",
        "devices" : "/users/268aa6ba-86aa-11e3-92f4-d1ddaabbd7a3/devices",
        "feed" : "/users/268aa6ba-86aa-11e3-92f4-d1ddaabbd7a3/feed",
        "groups" : "/users/268aa6ba-86aa-11e3-92f4-d1ddaabbd7a3/groups",
        "roles" : "/users/268aa6ba-86aa-11e3-92f4-d1ddaabbd7a3/roles",
        "following" : "/users/268aa6ba-86aa-11e3-92f4-d1ddaabbd7a3/following",
        "followers" : "/users/268aa6ba-86aa-11e3-92f4-d1ddaabbd7a3/followers"
      }
    }
  } ],
  "timestamp" : 1390755109954,
  "duration" : 604,
  "organization" : "testorg",
  "applicationName" : "myapp"
}

User login and social login

User login to the application also uses the OAuth 2.0 Resource Owner Password Credentials grant.
Here too I thought putting the password in the query string was gross, but it worked with the password in the request body instead.

$ curl 'http://localhost:8080/testorg/myapp/token' -d 'grant_type=password&username=myuser&password=mypassword'
{"access_token":"YWMtygCpAoaqEeO25HW4o7Qe-AAAAUPzh4_d87d7xp-gy5OJDS7FjGeKYRT0cuM","expires_in":604800,"user":{"uuid":"268aa6ba-86aa-11e3-92f4-d1ddaabbd7a3","type":"user","created":1390755110043,"modified":1390755110043,"username":"myuser","email":"user@example.com","activated":true,"picture":"http://www.gravatar.com/avatar/b58996c504c5638798eb6b511e6f49af"}}
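The whole sequence above (create the organization, obtain the admin token, create the application and its user, then obtain the user's token) as an added example script; this is not code from the article or from the Usergrid project. It assumes the launcher's default http://localhost:8080 from the article, sends every credential in the request body rather than the query string, and ships with a constructed offline stand-in for the server whose canned responses only mimic the shape of the article's output.

```python
import io, json, urllib.parse, urllib.request

BASE = "http://localhost:8080"  # launcher default used in the article

def request(method, path, body, token=None, opener=urllib.request.urlopen):
    """Send one request: a dict body goes as JSON, a list of pairs as form data.
    The assert refuses to build a URL that would leak a password into access or
    proxy logs via the query string; credentials only ever travel in the body."""
    if isinstance(body, dict):
        data, ctype = json.dumps(body).encode(), "application/json"
    else:
        data, ctype = urllib.parse.urlencode(body).encode(), "application/x-www-form-urlencoded"
    req = urllib.request.Request(BASE + path, data=data, method=method,
                                 headers={"Content-Type": ctype})
    if token:  # admin-scoped calls carry the OAuth bearer token, as in the article
        req.add_header("Authorization", "Bearer " + token)
    assert "password" not in urllib.parse.urlparse(req.full_url).query
    return json.loads(opener(req).read().decode())

def bootstrap(org, admin, admin_pw, app, user, user_pw, opener=urllib.request.urlopen):
    """Organization -> admin token -> application -> app user -> user token."""
    request("POST", "/management/organizations",
            [("organization", org), ("username", admin), ("name", "Admin"),
             ("email", admin + "@example.com"), ("password", admin_pw)], opener=opener)
    admin_tok = request("POST", "/management/token", [("grant_type", "password"),
                        ("username", admin), ("password", admin_pw)], opener=opener)["access_token"]
    request("POST", f"/management/orgs/{org}/apps", {"name": app}, token=admin_tok, opener=opener)
    request("POST", f"/{org}/{app}/users", {"username": user, "password": user_pw,
            "email": user + "@example.com"}, token=admin_tok, opener=opener)
    user_tok = request("POST", f"/{org}/{app}/token", [("grant_type", "password"),
                       ("username", user), ("password", user_pw)], opener=opener)["access_token"]
    return {"admin_token": admin_tok, "user_token": user_tok}

# Constructed offline stand-in for the server; the token strings are made up, not real Usergrid output.
CANNED = {
    "/management/organizations": {"status": "ok"},
    "/management/token": {"access_token": "ADMIN-TOKEN"},
    "/management/orgs/testorg/apps": {"data": {"testorg/myapp": "uuid-1"}},
    "/testorg/myapp/users": {"entities": [{"username": "myuser"}]},
    "/testorg/myapp/token": {"access_token": "USER-TOKEN"},
}

def fake_opener(req):
    """Rejects admin-scoped calls without a bearer token, then answers with canned JSON."""
    path = urllib.parse.urlparse(req.full_url).path
    if path.endswith(("/apps", "/users")) and not req.get_header("Authorization", "").startswith("Bearer "):
        raise PermissionError("bearer token required for " + path)
    return io.BytesIO(json.dumps(CANNED[path]).encode())
```

Calling bootstrap() with the default opener talks to the real launcher; passing opener=fake_opener exercises the same flow offline.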

For social login, I tried linking with a Facebook account.
I read the Node.js client library to figure out the request.
Here too, putting access_token in the query string is... (you get the idea); it worked with it in the request body instead.

$ curl -X POST "http://localhost:8080/testorg/myapp/auth/facebook" -d "fb_access_token=(Facebook access token)"

With this, login and new-user creation work. I haven't checked how linking to an existing user is handled.
At first glance it looks fine, but as I expected, usergrid decides whether the user is already registered based *only* on the user ID returned when it calls Facebook's API, so it is weak against a certain attack.
A fix at that level might be something I could contribute if I put in the effort.

Next time, I'll write about collections once I've played with them.
