Move allowed_roles to admin app + Add bind example for private key

.dockerignore

@@ -145,3 +145,5 @@ cython_debug/
 
 # The app config
 /config.yaml
+/private_key.pem
+/public_key.pem

deploy/docker-compose.yml

@@ -29,6 +29,11 @@ services:
     - type: bind
       source: ../public_key.pem
       target: /app/src/public_key.pem
+    # If you want to generate a token for testing purposes with the `bartender generate-token` command
+    # also mount private key by uncommenting the following lines
+    # - type: bind
+    #   source: ../private_key.pem
+    #   target: /app/src/private_key.pem
     - type: volume
       source: bartender-jobs
       target: /tmp/jobs

docs/configuration.md

@@ -42,7 +42,7 @@ openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:204
 openssl rsa -pubout -in private_key.pem -out public_key.pem
 ```
 
-The private key of the RSA key pair is used to generate a token in
+The private key of the RSA key pair is used to sign a token in
 an another web application or with the `bartender generate-token` command.
 
 The public key of the RSA key pair is used to verify that the token comes
@@ -55,7 +55,7 @@ The token payload should contain the following claims:
 * `sub`: The user id. Used to identifiy who submitted a job.
 * `exp`: The expiration time of the token.
 * `iss`: The issuer of the token. Used to track from where jobs are submitted.
-* `roles`: The roles of the user.
+* `roles`: Optionally. The roles of the user.
   See [Applications](#applications) how roles are used.
 
 ## Configuration file
@@ -87,8 +87,11 @@ applications:
   haddock3:
     command: haddock3 $config
     config: workflow.cfg
+  adminapp:
+    command: some-admin-application $config
+    config: config.yaml
     allowed_roles:
-      - easy
+      - admin  # Only users with admin role can submit jobs for this application
 ```
 
 * The key is the name of the application
@@ -97,8 +100,9 @@ applications:
 * The `command` key is the command executed in the directory of the unpacked
   archive that the consumer uploaded. The `$config` in command string will be
   replaced with value of the config key.
-* The `allowed_roles` key holds an array of role names, one of which a submitter
-  should have. When key is not set or list is empty then any authorized user
+* Optionally, the `allowed_roles` key holds an array of role names,
+  one of which a submitter should have.
+  When key is not set or list is empty then any authorized user
   is allowed. See [Authentication](#authentication) how to set roles on users.
 * The application command should not overwrite files uploaded during submission
   as these might not be downloaded from location where application is run.

docs/deploy.md

@@ -14,8 +14,9 @@ docker compose -f deploy/docker-compose.yml up
 
 Web service will running on <http://0.0.0.0:8000>.
 
-To login to web service you need to generate token with
-the private counterpart of the public key.
+To login to web service you need to generate token and sign it with
+the private counterpart of the public key.g
+If you want to generate a token with the
+`docker compose -f deploy/docker-compose.yml exec api bartender generate-token` command
+you should uncomment the private key volume bind in `deploy/docker-compose.yml`.
 See [configuration.md#authentication](configuration.md#authentication).
-To use `bartender generate-token` command inside container you need make
-the private key available in the container.