From 5a7eeb93af61a43a40e94d2b08b9be72ae704811 Mon Sep 17 00:00:00 2001 From: David Moreau Simard Date: Mon, 21 Jan 2019 17:23:24 -0500 Subject: [PATCH] First iteration of authentication and security docs This is a first iteration on basic security and authentication documentation. It documents the security settings users might want to pay attention to and explains how to configure them. We're bumping the version of sphinx in order to enable the "autosectionlabel" extension so we don't need to create explicit labels for sections. Change-Id: I694eb1a2aa03193335f11cbda40ed6962357c428 --- doc/source/_static/admin_panel_auth.png | Bin 0 -> 4405 bytes doc/source/_static/admin_panel_login.png | Bin 0 -> 8068 bytes doc/source/_static/admin_panel_users.png | Bin 0 -> 27950 bytes doc/source/conf.py | 1 + doc/source/configuring.rst | 40 ++++++++ doc/source/index.rst | 1 + doc/source/security.rst | 112 +++++++++++++++++++++++ test-requirements.txt | 2 +- 8 files changed, 155 insertions(+), 1 deletion(-) create mode 100644 doc/source/_static/admin_panel_auth.png create mode 100644 doc/source/_static/admin_panel_login.png create mode 100644 doc/source/_static/admin_panel_users.png create mode 100644 doc/source/security.rst diff --git a/doc/source/_static/admin_panel_auth.png b/doc/source/_static/admin_panel_auth.png new file mode 100644 index 0000000000000000000000000000000000000000..5bccc182bbf15ca82acf175a9a00c22b471760b4 GIT binary patch literal 4405 zcmb_gcT^MWw#NesDo96=-r*o%p@$*@0@6Hy6s4#EL@@~^5GesgkRs(sD1lIvBGP*& zfb<>_siB7+LZk*Hz#Z;;@4vIwTX(Jd{W0Ind~5I7{kQi-JTTQ~x^(Rl4Gj&Gp@FVB z4b2~5;NFDc0&rd50k=jHLU&dp8g~(smRI{pH)*7YE|^CD6?D&6Ulw^;zb5J2B&u$DDPX3 zmrq!Ecq)w9gvfly$iey4{+%ZBjym}^PIZTXobl~iq#PZGpDp43dx$%_y1I+Q#!rob zz5UK5un4d&m~*qUva;U%+xu&)U}GsF^GFzYyB$%z|3yzHk=TnqBYw-#36SVAX5Wwi z4xb5y-ULWkX{DngfJ1JBe`eVFPo$rOgD{@gn<@eXauf$PRHj%g(>cH^M>3jy%%{~! zfv5UQvyNM~4l_Z)&K1MSi5&EACUl<&!h*DzPqB2|2TZw+P}$tN26=bt^armz=$aE^ zM0#|lQtB)8jU%jN4z3TIJFu2<8@Km<`F+dRf?cQj6jl)V`sA2ksp#{h=20zlhH-nC zed{;XQc-o>(j!hFNqG@Hg|MALPezue)D^p5I9xMCn@GecsJ(u1da?eu`dg)YYBd#o zclRLI_mB!Rfqr%l_uU?k`+efdI0eI6r6w5_wXUT3gz(io*r8=mO?;k#8YU22!SwQp z*261X=hxMDW_0m|Q}sfUt5f|FuX8frE5}}l^;N;0V`aT4zrxY^#WYf46q+R@>ia#+ zU#fZ9`^GQIB!+9N0P;;RKZ|p{R%XTNffb%@S6C^1ANFT`I730`>4dpy^DM3^)OM;` zC~UUbTgtWhbEi`wWZF(0C4~v?s19@8-DSy_sS_E9<( zOl#v?eXoRv8yu+S-cV8&jVPbw>V5fGs@p)*5vf*E%~vS?d|OQJegrRqKhNVY_dWd8Y7Uwm@JO%=asK)m?T zO81o&mx^Qez1ZPKyW%;JRRO%NBnahT-X_x4e727)yfTNY%8 z3@=4*9sJhWL}+%3wZ7yjmyN~ghbXFmVwa}w4cBZ%CG-*6TzJ%m&D!~RUIa$@T*v)< zs)%vjfR{fdclYI?2${9;QOi-%SH4Qw)Ri~k;UT#mVP&oT9A6|mw%gp6X<0a*ii<17 zCH^%ve0!TT^GyJWJpII5sXwV1Pcc>S*ox}8o}R4qK2d97e~+10Wza_s%;wq$g4dSW zUa!Tz)B2?E56vRsZMu4)ylN^@IRmjE#~pAb*!N4!DuWE=de2hi6eD1L{&EfW(s~t) z{li?>&1(Sy^Xl}vx?<|lpeRl!u`;N>xGANjW-zfo^{%$dEj%-m-TBq^ojLl2tPK@E zdm11q7epZNzzqS+<1W>&J{m8sO8oJ6=hsgKmarr0N!P=fdeuL=p~6k~#Xr zC;>l#|w8X8~AuE3c*&%iL7 zf~3@mC)}|m8Ev`zc8}3|QPcOcA#+145Dhs%fE5zmy@Ht`9X+HBkLc8_Lh6-V3@uYp zq1+&l`J%lpPnV|FENkEwg2!C}i6{N-`P4@Si!OT_M3$jgIKP>6OzhUG^J$W}$LgZ1 zU|Bo`KgSK4YTda6Q(xxhx&1og$sdS73leyYVoL;xH>|bUGevCDlX}iFPph4v{=aE) zZ7c!syHkuJf-YgC+8f0UkyMnsRT{7})dUXsEc5~9sK|`EnEzPqkbn<+PZi=Vf!S-w zukN8>0@?LBZrw;_!LQ;$Aq4`W69<8cV>rw=idFw*x`+z087~PP)wx3!B-FR^Oa;swY-9898tEv}9P~?amf2z4P1o@Zh&0Q9n(x}}dCV90--jpj zvoA=zFaFQL?VoUQ@s9~x3P)@bGBnNGjAxp&O@;aRa$3XoFK?1^z06aiGwfXa;}Acj zud*&R57QT{6WW`tfr|1{EMt7}x*lUCUEZGj$Aj1EXYCb>?~IO;oDOx&9tV4m&ANSYp=D_O>|kT}urQ@6H_pV`i57Vm001%7ccm4lIps z_UySgvv_T@HImLIkx1D&8k+?V;FR4-W`Q^)QE9vL1k65aon;%nc}MCvP|F3?vkC>Q zY|H?}Hi@%q)w5p3a<)G;$}+1#!3E1nSs+fv)dc>aqthE|`_b1|TRsh?suO z$8Z}2TE1}7baTbgCefGj_Yq0M?p?<#mlrdP)d>&Jhn9&l$x;_O>{ET<6;7sHawP~$ zyu^=WA(xom*5Rs%ncg4~zfD-Fg#A6;&a`(Fgzsyp*?Fx7H%?Ux)H$0}P#W&)lDYXq zUIs8(uwdnFu0vKXt|K8-HGq&}bR&6A*8&vVMCE$OBrDc=Z)>DLetElYqS6~=yR*X- zKz?uJyF73VS39Z=*fehP7+|9@RRSFxUIyhsUxDWfU+7Livc=myD4ZRsQ1U{OJhq3v z$|PH|V~0dca`^rr;M*pTjK)k0%)viwEiWQ~Sf5kry|>-Qgz@l4Rw6)$V_HqUdHbf& z$B)8?m*(elYZg}5F7q`PHAXh}_W(wXwn+j|vDV$MVbHf()>*$+0d^s2<#`2mo7=%r z>qcoj<(Ff1oR&tkR=|!D*Fd@{Dhsq&9l^oTo}zTV7Yk{4&-jd{O7_a{qvJ&r44dUi zv|FP4Y1p@mpN578O32u^RfwX6svn|_j~`xciOoQ!1s5tPX}T*rKC)`ZrO%q`ll6Tw zi|{=t%4{pFsX7G^K`Jl5jU0CR+J*PFgk<@AgQJtPhg<`*74z=M815ZW8I{hBt2m{K zTX765=$paXcIJ=Vh3!gjj1oL)S$Lj0TlrmzJt6F=`;eIcVDPaN=vv!%CyIwodDyZl zU+>KtTl!3G&uiI|`QYU{mnefqeN=m94>YgyBGR|sC8N0LPSQvl+u7Yw!m)_m-7V-t z*`y`M_ST7EccAw3717Q;fru8_V*~cqKNyBbIN6@)85Mi9}PN)?QKCTSDUU zK+7wokJkistX_&prc9~~{k&&VA$r5%gNqq>|L0p7clwvt@?LoSN+{q0^jzu;J*-4f zJgIPEZI?v6hnz(qcQEx^PGGZE>0X@b?b_oXzKwR<=U@Wr+Mad_6g$<7HR+3~K8)1Z zxt=0%^|~rC_W(C*=Aj;1RM*QxDajbie}{q%+DG*AFqE-T)BnZxNv2ka`bl(TR=eJW zbbm_Z#H)pcRO9Ld>oOID+CZ9ySi3G8xQ0m$nhjz9T(jUX#T3+;0$)Q1b2Hkxo^$sN z5T>2rQTo7B^Zbc-A+=rF;dO4@po8@j|K_080voFeo|-XzujkA@n9%I;ui8fn-i&sC zH6Avfa9GYvj)3x;qPuEaZSES2-T6Ldd~|%$LJUDm#VA+ba(j7+*z5(8#PCzM$qk1c z9~z_w2Zh8nFT7DSx?Fc%3-q9C(eS3FBBN=#=!l}Yu#b8!&~vf*RL5HlEx|qdM2UcK zjR$YjHI=vi^6{Ha7j7O``cWM*2f>?Ao#|Jl?b)SxO;~8riE(cLodJ*QO{~4$cEs*- zxl}~R%gS8aA16dZ3Xz*kqce4J=T(yrejgW7hfu=!s1N0Y?F09E4P8At`tkS!ZV`x; zL%^@}i@bdvvKB59W|=}V(QSJJ>eOAUbflXWbMdS((oNE6+36z-d(V(X5%pkV%$Bk) zaE;#{P4i(QWZK2qHc;uKk_^Tu_JR3Bqn;tP^vNdX0_Rm-b@Q{p&7d2JhVX%=d(Fsp zJ+S7cl-WR}qS;K)WuJo3H2VA=jM8~bN9*zr(UumbBPJ4UpNA*}!*D!v#ZFRC^2;jE zlU;2_p-CuV88@(0W&-orfb$BJ#A5YdPE5C!XKKEbmT@WTJNOQY$ifT`YeaFA1NkLe{iNti9nIA$R7(Ek`wTS%x2l*30U9Tf)n*9(8@ZW>RP|sAi`0kV7e*p)9oB{v< literal 0 HcmV?d00001 diff --git a/doc/source/_static/admin_panel_login.png b/doc/source/_static/admin_panel_login.png new file mode 100644 index 0000000000000000000000000000000000000000..6c9105ee441180373bc8efe516681f304997ac1b GIT binary patch literal 8068 zcmchc2T+q+*Y6*SRDol|BS<*{(gZvz(wj;NNDVbK6;L2j1VV3$ihzPf5tWX#gc5p- z6bm3AAT_j5M5IY*2_+D?JKp=w-1lDReDi*D=Vm68$>w<;*4}%q|NpmkVoZ#5xj6VZ zAPC}u>0L2{Acm*lEyux5-}vye1N#T>V2;=4AO`g?wW~fPD(6vzMt- z7cTVI7r$5gBd-sG!f%AspM@eLY^#xtDMq)VP+W}J4Gn2-(vYTzOX2_)hx00l&ntl- z9kxH9$U}_G(6##z1N7%#n*Z5QBiGZ?%ZJI|UtRAUoY=Buab5VF=`h-zEE~Bq+ zD4aT4)&Fo-5T4Mrq^8y%l!IrS`7AmtH(UE{z#Ynrez?U|M%OLxQ^paPy@MO*t!pk-LSCJhZ)K zAy@C^^b0%t&zPXl)^BZHA+0ELQ=11Hv&WE*4$lrx=%#G{hma?_-LK9U{W^eZzbu90Lx{6{S;_GE2T*YZH?R zT|V#f<0NWXWA7zHEQeR7_Hx*1Sg_BRvrDRhS7h!L@r{T(T>tAm2OHa0X=G!66|Hu5 z%ot7L8`2G!2z`rqSZ$J6Z@Cz-)VIjrfc|KcH@`WS^?k8UAHBEdcti}AAR7$N5tpWb zvyM4ZyFy=$4!(E z3{_s{H>{P>R>S)}6?GAi>^Bg)-5c;Ahve}lm>ZhBt;#1Xa=5s!b#y}?tv;TXGerx& z$nkVTMnrx#6JIe&uXu1<3eY5l>wS%lT@s9 zM0b7}gm2JG7F*Us2RFCOZSss^qSGP_X9hNW2Lm=c6&4&FUEEtbmi5u!MydzjMe8D| z=xS6=&CkM}$NCLgB8P()2)JFiw#$sWz=_-wP7fC~Ncsco%Y}qp3x4NH=J{!*K5|@b z$Bg%&{LudRU+joR-*iE}2n&jAlBgs`HzhnMBsP41lPA&MB<%^AE9Vye8wgxCCe$vj~miln>_kbOu|Hg@~CeX z&!dN~auzUKE*3b(ciW?c`0717qFTg&|J+8w_>36^gOG8=YwxVZ@=;!+YD{b!JMYLv zJbPWV%wdo?GK&bv*XvCiV_Z`7z9Ly)mtNhn+k1pMw-fn1J0)ux(TGep+p!Dj3Ns5v z5j50CbF<2PV7;rc?zB5I2;v`v`FBpKrlDD8US4DK+&r*Y&l8vjNOicsR*WcS&?avN zS)E@bV<#|rMIJLDl&tLY$kJmZhoZ8H0g=^r_;lqy`HefUlbH+thoAjQ8z6!6&`9A6^!!o7TIyOcyd~OKcZV@@WjN)cCQK&tq4z{ z*yKKLm%?ZXAi{+s+IRvzT~_%fNYH@0phDX;CG9!ONrsLpzO>gb=|)ay|jMYlQFYHC<{ zMyg}`+pv5VgDLL)H*u)^ig)@;wj<^?eTs@*HD8q=sO>Vt;o(zPU~1o9^otam+5%mo zOF&^6;w}S28Os68;5_-tiF08;7DIQ21&q}8yMiA)V3uATk>&IGXiT0+;-@p^;Z)D7p&h-oaXsKpzhY-VcOiF z&hz`x4_(dIxa#&B9eYaGun(WGq<_;EZ$EZy{L)nBdu$ouqAO=5qW_}QSlB)bB>O;@ zboZd~9Hu)!NEJES^5r(yPEQg?fKWSOa$Li$BDJyWeIxZd6Bp?(J+qr#ru6BZ`A(+R z)ddgW?aEl}1NkH*&T4|v+qpwLUmW9^vlYL@SBTVawAeth=g94OUNn~WlI=lxr;*xQG&vP%dUdVI?-StpMS|5jOw&i=2~Kr5Pvf3%NV1@uyMp$0^UwJ_-8g67l*$VF*D#V zAf=ict#j~&yoBESm%=&Zh2qve&z>ptbQv>k1(%PZ$p$a`5>;x_ACCWli;V1pTSkTK zU)jt%?LPIUy9+M|U9c!;{k#&cR_SKE5mY@~Gn?^nb5Ro3E~%V5EUn%v=Vjaz(zxS@ z*!aYJ-~h|QOu|Kl0JqL>#>?T@%MWsbr;?n=8+|;;VR9cueP?8ctID?G$9cnAHSL1E z?xQGI7ZtDc#{C`Eg&s`m`0MQw%iSLl?oFsWRN~@(@6@+4ot=w06F`pMtoGumLJIb{ z>hy4HFAZ9W&S}cvzC#_g(722tG6upENokdGa&m;Q_3;%KH3-t6{CGa?TuxijC=TCI z4gfYU@*mpvKl!~IIqrT>PftT3D>Rv>udlzQeF>y&E^O)VC(1 zbQX0J1dE#Ej)%NuhBVJlbNmZsR+FK&wzeLT1l6n;FOEJrsbnT?RqR)7VPWC+xJp@v?2kr)}O(>hHfz3oMJw5QsNFx>8545t(>YGqj>u+}6IgwRd#*Zd#d} zXN#wYnqe>)KK0O=-oCyWKV`AD`hAVPRUTr*K8;V&JL9zBo9x})(9SpV29lDJb+c(9 zWD3F2u|yrl_xFwa4k1hOa;e(TieMxA(-Y@!N}M}qhHIc=>35OIejdYR+GujL#;(@z z@G#i6fy}@D)2A1FIwhRocK~%W@1=BY&veeOec>3zA$?=;%hf3W?tBOXdJPO`Nu_9-? zQtS5jc8DHc^^})BzP`r<1;e|j4|#-&cS!i|=Xu;vXp0=9=-IO-3F_2*upyOqrggaZ zF6e!H$OXT0<^Dy_F$vfkWfV4Kr>;)fK7vLexx~%vMjztk&5e!a*z~!6J(E|~E}you zS&*BnW0VJn!CW*-ufNDv;n>lm zuH)~5Vjn;5uemc_5xVVD=`m_qV1=`^vr7?e^Q@MZmF=Q+zn;g$(Ra7KUElEaIqj*b zDRlM`aic$lY<&r=P!cDO`SYikBa|Lpq4}I7hhDJ2^yM;4SGQLSCVvH~?p!`ho{AQ7 z-`m}8@9G-NHB2@)G0CW@QACl(Y%WK0{|a3|#a}{N+CZ*hD{HXW9%*g>_Lh-}sWNE& zX5!12?!#p+BXy{P)l&QX28D@G`0LlNTWCy?jcfXmW5J6>Z!{tr8n(W18m1_k`p$M) z`1q9Z$~l~gYt8~oB4b^mSzB8hyz-t^9yxf17_wZiZ(#7;kBY$vss+z!?5}H3RzC6| zyVKO_Hb#(7+}$P`>ggqtXM;nqPxLGEA@%Kks~0-;D&n<7ipLO*N?6zAF;s@g$lGQ?w~!ZawTwzYLNFjDa(H||R_17uW=D8d#MQMMFS9~}5U zgZ|w-CYbdm8p0|)iOP;i43O)o#_iax4!OocPh#D6-9bq6$hKjm=;_ncI(h@Uk}O#W z6rvtfA=;?%{bpvgpc%MZ{>CRZ+IsrFpI5;5&xh223fHZ+@XNdROSm{YZ(*IG8Z3B9 z%9Nk7yj!nmb89QIFV`@5WB3-OA8zb6TIJ!Rc=C;EP+6Vde3o3}t{Kp=gj}Q4g~X(X z3=rQM9vW^4!^fXg%9`)XlU7x=1DRCriC?-{WLIl8TJ2@!?_ZT`oL*c~a@O$GS*@I$ z9O}lXSD5`p$PTspL-6y70|ySc_vJphbonxIQ5m(64U%?luIH^!t=$t+($V9`L-1F@ z-fi1Qe){xjZm84=T=U}6rAwl)?d|Q@m>5%#(;q&3c=7C6W|L+kK9Di8Aa){*V{>`J zF;yAW%PIFRV`0IauGT_fQWz!UzO0rY4KFWyVi8 zN?qrBbAXccHr-{C_x*9T^YwY%n3xz2ZtlU}90SULl_PKqn265fuRvyNW4IypNd>sI zY?1*30|Po+*1m2IT%xw<59C4Z7C+P!5-KQMSy`zJM8YUVF%wx_+d`Oupf{gq;nqUo zTbaGRy%#*k6e;t4t^aG>N;rUsN+Q)Q%F?&JMo+zwkpZ$x`%U)`ns&T!#Pw!4-g94v^oC1}W zMi(y(Ts$G+__gX$`&+!gLyrjv5PwF2%$@oEJs*qJN1;%i;~J1AFcULp=WKetlwR21 z{A8f75432k!(sb$-GIAAXy`kIhm24lyYY2~e=gGB z%+4C1!J?6YXG+P-TYQY>u?h~ZOEJm|*-1$`skZi6gia`*pNUlZ%(Qb>b*5`LYV2=! z6G!W58>7HSP@8zvqNUjB)7X*{6STRF4d(UvTkfBq{zdngpTp%Y)uUoC;AkMr5S8wU z^n?f?*}=?!<>g*|O(!C{2D5UXboEZ5=N%GPKUg@+4ej3TX8iso+TYKwLUjK1tu(r* z(pN#r_lGOcB}D0s2O&GZMVFa(9!x9;zXD&eu(6SZjnv!$EP@3^^cQTT{8j?k-GR)@ ztgzk`CEpi`i8%*2c_q};>}{((2X?pD`TJ@A8{UY)%5Qd>!C)~zy3=v6=cnf<_V)s! zmc#)jh100=>%&aY#Cp3Sd4D42h&XvxW8a2|53t%K5y6eWWs3|dHF#!b#%*_Nl@tal z{phh{sPQUbZ9pj`&!300v$F%}NPfsIfPKQRfQ{JSYya}4Kazn-6b7z9RC}iK${@b) zHAU>Mw*JyEVCEd0oXT?pZG4gK7Gi=p9_);rtCG!r7)HOgaBYG#-hNoZmDXtB5?JF+QyI*J?MPXx1z9U zZUM9?aGDN#-{tXo3oENUkm8h|!*H~7>8^J>kk)U4(~pI!nVJ&6AmP?-Zf^9AwJfyG z1S~UGNpOJE(E^i|bqNSJ96XIY9fbH8FAV#g(a#BS6gQD)s5pmFZtnD=G<&Dryccxq1z!K7(6@XUQ_{Dj@ zNM{!px7K(8P%5SXC=VY#Or|d402w)uq!Wwn@%rcu5^+&501yMm!Gq>Wvi4oUSO5O| zZ*=y%cdDDpNgXIm9tR}L8NO;re)a0l11v1=>pwaHmJO7-bX0))3cz>X?28r(&);63 zl~z%)1y*dPrFB>3ao50U7{M{3KD)2a@K*6f79PRE&SV9A-si6Vv$u!N(l-v!D?O)p z&sb-ezST)x?}(=-DF}s<)VQk+maM(4&CPq-QJL2K;memVKUD3Z$>Y1HG)JnvaG=2E z=#cj6ZzppLi=3Xfx&?)WSJ6iW1&ir*qo82LqrR1Kv-3?3fFvuheX}0VvokV;fgUX6 zCVQHBdzWPQF_>9d%{HutwRlDB*xCd65B^!&O8#`jI3MJ9@V6N8F58_#n{vOk@31F) z^7_Uav!t${P9G!Su+O*Qg|UR6e%PvDe30T`9ZE2w46yo zziG|>edyiVf;C8akbV}Hme}IrF8<4mO%~!35_;f38z9kod-8iV^?SfGEG=Ks!GCDT z8eoty4?AQf25$WJ?Zy%jZ&e>m@!7X~m=_qzAuT6oyfj*E1@@ht2U-y>7{D5(Dq}!J zaE%`(Nec2j1#DmG*4OgOs0g`+{E10PA)zM|SRZ|ynzW)qO>u>m1@1_snmYG?$59?R z)@NfYD$Idj!1eSV={){36BOo1{SY^Fycrz)ckP1W`RVQnFbCP|j}KV(r!0*U1^~!g z0g14?{P5tNW4ye*q#S?9>Sb>DhQnhpM?%8+k6yVY4uMk-Sa3pJ9UXmu3*0u%R3N)E zpjUjWn{W|fWn!Xif5PhrYimB* zy1ELBk#ySH-=ihJ3j;oIhSwnKl-s6*N~HA1=J1V++CZUiUrY`e#tBX*`n{JH9#I?R zh74yEHtD%>{NEGd{{v~vt|m$9=kZ91i|c|eA6rm>+}LA)%z(_E5)nDZ&o3R9v+anQ zd!8hTD6#}p8sa1YMJBBr<^3)3|06m4Q>*Zs8y__j4oogsUJsZfrcTVStm<13l*8=f zbsrqC?ax8o@1>&P&iMlX)sh}d|FL!T$y=j1_0In42jazBD^If*5P1zUs+rp9Hyw_( z#z_k?Fs5%46qKZ@3DmlSIO%G_LKLyKL6)h;nVBv0W<(FnF=_I=)q3f4yH;e=Eh%HA zQ2Tq`cAc&9(yae?WAmG6|1~swc84U2N~i*TL6g@Z;hNiOVY(3%($I(#O>Sbhh{MP- zq%dOAr*-)*H0xdR>bM}|?B&SG*#2{8uDFHau?ER(i3G)p>yByX;!i#ot&F>!*+au) zqGYb_#2L-KD0grf$g5D7#%T$aFB|oi8QMrm;d>S?K3N7_lrJzq6 zM`=GqQ1VbGs2xRmGSuu9y@NeXmraDDAS6RyX(Vh_&bx z)E7M%(XRU18WNw69mIrbi@%7-!op~zHVxS%qkUm>Q|(ISp%1Dd!jb7Bn%>PZ?uWA4 z;oM4#_9PUT4SnXOGWTZk3mU&qOy}bQ+75qC=PCBwJun&TTlV9{sY``r%q%s8N)FDR zm<2c%Q}i7C1o2*LH;>0oYA@EixlPS7vupv*7fzE0N6%QKZE|pcdyz-2m~wEL{)~Jj zpFd6B{W@1KN&tcNE%0_sI%xMYkb^U+GF`m6gYxleqP~=S#Wk7&qG8@Phq8#x^E5W8 zC1zTvG{Q-x9I#$~Tb?;mxIGGPry(GrjzM$a6R@nZUUZG8&4QDj|Jff$6?}#-ds0yB z=xj%#Pn7>j*`C~}2Mz+8JZ>-t0iGK3U(IuPpbC?faLs~UpVXzhcNvr|-K;iUlSf8B z_~lo8Ah<9j2{1BSrG7Rk@LVD`hdG4}#4r0*#3ZaSZZR<2E9e@(cWy~WVjXp&$tB^x z_#smL$e|k`8g*ZJA(i5jAjfkso^ASWyNaq`4!r zi{~N@biiM3XIdK4+`Q}wnK>Ws;dYZw-9KRKXCM9Y4Yh9^Eae(XsYwjKw(mYgICZ%w z_}Vod&>uBHR{wAm@UQatk9!flD2N?kNLW}s&Yc0;!T=~ez;f~357!dVVgX>UM;wKk z_J^1JZO*)8S>$8Zb9K!JDh9MnEU9B=;2Q+(w6viEGyR2* xut!jnh3v0im2*r3^=5(MLbCV&eQm$*GjLgp9Az%l@qxe#rfqbk_|mm|{{z?t1c?9u literal 0 HcmV?d00001 diff --git a/doc/source/_static/admin_panel_users.png b/doc/source/_static/admin_panel_users.png new file mode 100644 index 0000000000000000000000000000000000000000..103977d5c5983c4caf3871a3eac4a224d0eb5716 GIT binary patch literal 27950 zcmce8c{G=8)b3A;RFYDJh>B9mlra>dqEeYM6*7bjAu^XK2}y~}q>?%FT!c!6%w(2% zo@eKJdf)F`=a26@>zwtib^KH6H$2aM-+S+CU)QxCZ^cV;)LR(0kVquz^XFu)l1SvN zBof*8%@p{TjDX$L_+z7$)On@N_;K8P>k)q6YkgMD`kJ|cwXM!weUhP>`5k?3E4{n= z`es%}=GNon#S$dae$siFGfH-0BW<>tn)*eO6ICC1cuK1s%-Nnk4Q@Zgdq#oR@=$qi zd4vtOgN@eknswvwP`yokp#k@Bn{P9Njozy(buzV2IG#Oy9KC7tjtd*2Z5eJ3jr)&; zRc_h`TbP;g=}ciJusqzMJEuN5s#-(#Kx6zkf4* z_?42D_-Wo4Nb~n)AE-E3Wr&|!yL25WPyhX!iLbBk;S(q1^z{$5w6;bo9*$B;7~R+K zh;5G#Tj1CIFDq$x?tJ*@(Pldb2O9f)_Dh-a#M>Hu%FAV6$Hhgzc~jmV{Y3Q4nKQwX zE)tH8juZvd|9pu+-x0bkVd4&Z=uc>8*dC76c62;t@Z;5{cqL;St$$zg1}|YgWw*n| z#%6B2{`ZOL>C#_u^7!7w_Z4LQ#1{z|+|E>YTwk46IOVCPrM0hUea*orQ$1nG_fhWw ze*Rr2iWXuDOQXnytp|3rJI!l3c%8w!ZvFD!#i^*Jb!VKX{Poa~ahRyhxA&qdRrlg* z2PbMTOLl$s-u3SN`-dtC9>v9y22~Nhy}h>{m4%)5Ay#fAB`uA1adB~OyPiVjj~{0> zHN(o>s*}FaS&Qyln|E2K$K{?ofBwv^TL+n$nH5!3JnQO|ZW$W(#J`PrD8s&2aiVmz zUiHS=t5|15!@9@XBJ9OF50?imQHQ&~_2jZYH)B+L4vrsFUiT8 zxqMOfW@ct;#m?ec<{f@>bN6&|mAJ|Z=i7by`V2^}SK~j2@Ecmp4%JIE?wy{UEqiuI zKGk8~Os9EavWIr>UTRa@(j zR6A%bY&*t$L0&#d)OppZ=#aO}Wz}TOPgwkAZbRiMwt#chO-)AkR$reF>>L|2OI1ix z(OX|z6}~@p@KtDN*WjRcbGo74pKmW#{b=cOYOt25UW!bNxcODw(nx;oaDPygb@3y#L|rZjR!UyAwP zR{p7p85wjA^J8c4-xm>Jq<;ADVXF1uRlKKus7C~6$=Jjs&2jPW2;Sl0;gPdC*P3?g z>oe`N8C%T@aXXji$1AWx)pd0ng@l9@LItT4RFWPhB$!0@w?CV1x#r*?R%W7?I_9jl-ty`z#mDo?6Vm@-@$h+iZ+4JYA z#`4D{5}av>pvj{aSY!|~V}5?&P`NLY*Z1!VZZ?d*vga5J3JcS8%eFYqx7iMij0of> zr#Kj1`>f0R?Af!4GWr`)nVGwzqodXGtdHPev>&C=6K}k4XSe^*p-sDY?^cXgQYquv zp|7tm9qIV})yb{q1(Otfe0)55y0NrQ6i_ZIL%yHSX_*L|9(sU zy-_IyFN^&ETl(^cjN}V(C9USgzMY*nPp!_>PE1Uk#x~p=`|XWb{q3^8+LWq8E@;}s zb4>5Rw{PE4Eqi1WucuScoSGnEub&16y7^14F$_1RRD_9GB}&jEg*6r2=kNO-;x)(A&Yk;s?Xvi$Tur}UzpgsY zH5=yG&vK0w&TG3dsH>}|>R0YLrk=6cq#^ME&g$Cg@?>N2+U}I1rS}sznZhr56|b+3 zV-XjAm^+i-xN$>CMWx&4M3HNLe*T%5lffp>5T3IBSy@?R^-S12#1QZOsb1}`a+h&~ zUyz8Tq&EBv7c;!4rLO);d70j)Y=^hZz|hbJizNM?nZepZiG|V2^732r^71J6PtewyHjHzaHM zASIO6*6w=n-~n+;dhd!juPquz|HeOejg9#^jO9`~J3BwU5Em?L$v#%R?i?m;xnYY( z$$rn@zcmvzvbXaae0TNoq9h_-rA)7*U9W*;jn>mwOXnUVmwYu);an4Jt$`-(*n%<_NCn$Rqv|Qd{R_Ygix0;F)@i;_VMv4eXpG0o)Tey z+~3D%*h(xY!aQL)_Gl9Cb&loRbX!^9+qzVCaF0Vl8re2EIn&K7!eInpmEXiqvfrSut&z>or+ zaDKz>y1KgVkx3%-NKA!4<1#OW2|tLFe@WcW&D?VbOK?dOh~S%Tc{YXJHR*i?<>lpb zOX81Z*guz-Glqqp59A0bu!xO~jjkO;3cOX#sArbnQ|`;paC&aKN>Z;O@p@t2v)r7V zPERH?9wTGs?ZIG<*-5gswPlucW;V{W|7f|*i_FHt*2=2%+l!-VcmG^aQc~(f zNomTlJU~?P{IR^Petv${gVyifz5AG~l|QlAA35J5tEx)RaXG^D?s8B={h&1wxKh&6 z7tQ){r_5ivuIo>Bm)TAK5SsLNSt0lK_I~8+>mkGbK!*K{g#{0((qHa!N4QZ`UVi=+ z4GkZJMc{C3OiYv#7k)LV4trxbdjI6hkHl%}6S10>91f-TjeL6BY{f%?gWu>-F1~H& zu3Z;{MsM>p9z-qoJ$^Mlql!iJ&F9abKYsc|W@%|@VPWBVA#R9&abjjhMqb`Wd02@{ zIfce6JS@zeM!xO$@6Ms2$H_z{=9d!N9FSm zANbrN9kwS8+#f0bgMeQb9jM79k~&I=S<#}wO4a%b&DCqy(hPnu9)58FV2X(FiP_mq zu5OH?QQA)GWFS+iG|ap8xcKXw0oZZ578gwdnNkGELgyC?OwmdtgcZ6|RU9SsfNp8fGEYfT&> z9tslab&ZYlT;qTKcmTjK3tN1AZw6FGr0VYOei|N5-Koz03?YI1x&>Lw!qV~q@SJQc@A89`BNs1TM1gbHJU-69 zXk=t`T3Xs|B0aY^Rx;?PpT6>x<x za?%WGZgcnX+3IRS?yGQU2mU`iJX}gd@6x49rFXSySS6l}7cFnM{cTA(mfO$bc3h>; zfF<2MFfj1!>b5(p4*LNUm#MaHO&=0r70=fk9L(1q45V?&=ICr$t*eQZ^EhJhBZ>b_ z?Vv^HN3vsTsibs+9~(%T1$MM$Wo4vfY86SFA-bUBT3aY7DY3N#a;`QKDAXmnzIw&T zEOzgEFK=dcc4=j0<*g}!I%GR;E+DZqr{#M{xwEe%l&dN#+2^bCuw)`dCNRRCYI)U(cR-O zDSP+sRMgM1)52n6rBziladB}R6(^nt1xW#u?%)6M)@qk<3J@D$SeYj^6VIKN4DDeG z;+6Qg)u8m*@dpGN=R9_78&GjZ&dOv@g#)*kRo|0|y!7;4tj-J3U-O)j_|Hm`$BVo? zt~K;x^YxvjLEIYKf<{}jtGa_{(9tXx&${i$2%H>yW|bOXL^E8qJ) zRES1$ZQ%go+Tq3Mc%ZTT@J}RPN#MtnV7e`vB-U4~+-`j;D~qc#;4J*|<=pd^FXtbp zrKhJiJ~v@?oOtk+;|M)HJ>rNh84z>ZePi}=2dk3vW9hXP5gZT|FMP9UR z2ve0uFB8bmhix!br22x4ZZT9BuU+xJ#z;{~=~k+#u*+ZccGu3{{?)$X3w@)_>6BQU zlLO8Tk=50TKKWYLUpW50-ycq7HUdB;CLR+I5|WNqi~^d~$TIzeyGnIlwU1swdDyXI zhwFU11I^15H$2soWcBn8Y{%(S)xKZWOC6PI6Zq^|RE^QZSI)?&q9PWq7h4V;I%J3A z!mIy{&h7GAX=$kk<=EcK!!6fjWH#cUOwJdt@53P&7#KKx<_wv{LZ_RyTMiCx8ae~u zFpAO9(SflsS>pe&e8)6%6oUtE^7O|@zVSOMBC_{xE;AO4jEjp49VU@P0nRrgOw|hQ zZ6aGU`U=#g5PGN>AA#2`7pL?yva@3g3Yc57|E9K2r;nQaz;5AVLIv-X)F-H-9D6@| zwzB~DSV)mZ)BpFh$nII4ZuoK+VW+IDtU}!oDQ25orhiuSsN~&-c^xsdBk$k8$9;E> zj{2gG=`?@PFO+C*kknrWfHE>O^HkzOzsGD=IIGe{A&3UkVQ%D;NlKxCjn>DB^S`%v zY#<{eBcKh^IrSS6lRJ0HaNvllrVzpxS4H{F#@hO3W3m>?*TYM1rInQER8q8kS5_R6 z)tF9ot(16d6}IRkC2JRMd2wNri;D}9M1aUcZkT%+R}cN4|P8Qmf9Wu`5I zUPJHKKmxD%RBD7f?(pSUU#O7m93J*LY0}UnMu+6|fjmjY$7y-)x`4#<#9hGDFOI6J z&(7EkN7P;tcnkzYMKi#LR(Cki&5ay6F^DbvQ(*GN1*=N#Y_%75B-6zx-fpy!7B)6# z&z;+h;&DYw%h$YUkpi7r@p9XEqO%?P~NOZ>@=vq<=nF@%Bkl$j?;_74k=xnX|G#{Yd(*FnZEbC(dkF?8pbV=#`k|xaZA4b3 zv$w2U;DY|A*XqN{caB(Iw`rv*x`nS=_T1}S>2!t{Ovp&{KYZM-CVl#u zUM3a(`x^!G&jg-#(~8|PGK+a3ZH*d~{AoI83cjwct`2O{ylp(bJ5Yr(!}{KV;S1z` zy{e~UYpF+0dw>6DuY19-I7&Hqy^Oexm(kB@^P~1F%H$Ox5w9t z-Q(or9>~7s&()HjYfNg0n(d%EZ}oO(bX;aIL+_7XH&5n@zuOo<_Cj_mr(8S7uj(G< zv&21ba1lCUAhXc5^1|N1OG6N>w3wd8S8VN9>8H|aI1wB#T-nE0aX1|E2Xi0rN(T!VJq$a0n zC#l4ukp`AfV0eep#GYEy@NDimf7%Td01(-NN(sl zM^okQBegLB3{38kPbl8+qHYLYtbC1nqp7(KP)kNumO%aOYzVmh@k(5E4Gl5x-fd1x zOWVV_-#C-;?Af!Mw``Fj;xsI5|4whx=>@ZuJWi|1I~NTNUe!ia&ZgLi?o;C0&B(;$ zFsN~)YP z_df}eAs-NHkEkpxD5yqLmyr5}LNo01#B&iQ$Lpd@FXHoby^3~OWXc{rCGBo>*f%7I z=Ea4wK7IBW-fvj0_m)f`QwCz{)8k4thrJFZvCSETSu`o|l!S;JEne)|F;-uLlnvJdJI?LHh1I?voU_Q+|z`iIYXV zc)0kuX3ovYMMmHMD$dLME^Y#0DQq{ff6JCFirU(KXxVXc2~sCHIXP>)*P} zAaW;8h6C{$LAek5%7?*4aD{TPBHb!ng zYddMK360H-dFqcUs4k7i-eKNKt98RP$T3XJ_R_giV7}5!oB0-&mSRxQDQQ?_oSei3 z&D*z0N=o7*nz)X!vorQQ3EbAh%L+V*LeQFZr?kD$p{Bap6)nf9rGeOB{;50O8GOXUl_s5jAU7)eGVI$p`u!OI{AKf6=yO2ro!%(a+o zrlIiyDU)@l)pR$yd0!oI^K#!C^O}It1aCtSeZ`AE%v0}A8+?zHWW6l0c#w~upZZ(# zP^GX$kKWMH$(uW+WDbN}eCGeRn%@ZZ?dtMk9m{M-loGFYHEBy78X7XC-9vo3Q`>i@ z6fso#v4ZJKz(PBCd3o*7Rr5N`nL19E(H~%6Oq~&K8h!joRy6bwD~U&^WMjJ9x7C%E z{efRer_U(?`BIer3Uy3Vdyh`DV)buuj;nUF|7#j3tX?BykuV26J47@Bs`>mm_ zt`lvp9N18mM70OLOhQsgD&#p0zQ*kZ_ZNl|Qc^)b6oADfxq{(c>7sG@*j?t6W?av; zG99@taE=kMY~srS|C>Y?JX0fQ37Fu#YX=95jKHtSPYj?GIretAhcc;cC)u{y(6`(5 zPy_Q4q)sr8&W69t z_Eg{~)i5vgux-Cj>9SaP!``NJXz>-K4qt1*^AZN%gCBq&?d|UeKT&#XSPsM@-D4A) zG%6aJ?6YdP5zj&EJc(U?5&A00np9wK9dWzF&d~1KP6FI?y}6p zp%6?WsTJ7qIxlol9=rZw4sIZ_wETcq}(_$vi^XQ<)g1q`{qvd z1X+7~(RP=0r>^VFASofO#GP5ZKix-0BCsI0MpiI0`LF5BNwpp9F#+WqU*!O>9i5y! z_9hVosoTcar~{!w<`e{enYxcEEnrkG)VU;68s@Q;Ubm~nFwNR8U%VhA zmHV@rKQ%>?jm}r8(zCF&l`}C(XznfjZA)C3L0dA5^MX#n+S2fsFJHjW=JK>EJ3C8k zXF2sn1%eXe)u49QqjX#7=;`&kKYJrHV-r7ZJyGEL<_(AA+G2k&ubyXWQt{es3K-rU zL!x40v2k&mh=XiaFe$q-c-aM%`B80`RT}{Tfzt`~QVI22CTAR}Ki({~{QX9qZ;8u9 z)627hRaGI=cC$?Es~>M#!g1P&ivnH)pgwT&HBqn`9-ql`1P_^m7)>ex`sBUf zl5TE%`d-za+1Xiw&kP6;zoS^**hmjlgr(WMbt^duV3qCEDb0l~n>U{ZxrkCD;?6$$RJY%9b?))w$L{)GG_2)FNXucl-+uF2REyC1?h%xia5d3-FKG7r z(evkY3c);Q7V>az|ARmxxkA2qO0^k9=t5Pf)vC$0O2i2d;=f?BoJrVz<}iej$W&FNd5M%HBN#dQ4Y?{o zHAOJ@()zZi85shO;Kd25RK)5Hcj*BvTgmUY>*5v812>ANz8!5UbPy7})8g*wNwJZF zqC2gErF7~~r3ceue}u#K@#1v}=k?_dX&kp-ug@dQAEu<7aGnnBATrV?To93664f)e zh=_<#c)MBBC;WX|!Swcs`+a+J^73>?TQb$sbUk?bq$3p=D%u-et*+@KmG2DrSyHS> zpx1pqH&F=A$;+4GBaeLN`W1;P_#MY8_`m^nc89NDzU(mY9J*{~Mu=RqaZU0QF(xtXc8C$ zGt@_;)Wt{IHYF4ve2D)LVC2OcVtBu5%0IA7s5oan$zx!=BX4pzfKiOLCiuJruoPNg zwmtqK(m1Lv*W#5d?%w^7Q-F+B-9i=|(RIQ6b*3G|@X>$)lfI+gGJJ`aI7FX=bFYE* zlt$^?Ku$ioZwvk{4QByN+I3Cs<1b@DiR|?Le2cF}HKD@D=;T1ktaQAR6xWLu(PQi} z&doDyZlyTvdY70;*LRMSJ*MVj+|}rqm<_-ODo#0cbad|EijgSXD986o?k*^P z>+YX%Lf-ETz$YRXB5&zJC>uLtFzsTP|ASvf0^lKBrJ`MBW7BMfk*3apcSWO0Ksq-! zo5+{(^~Ord%F(#63vqXY*_p5ZCul8q6uKqR?`G7S*6Sql<{2SR=SiSLV!Ti6P>7i- zU;#ex1F@3CPbfp{J}GZPA9>oS?LeKGnMq3ay*&lJ7-fv;SH4#e5S z=UtbBHDv`D{)PL8d3kBipFgjdP=EOF;g3*J2wei|3R`OhbQ%!h59n_=)^v-4%o7HK z2Jy)ij7xf@C%@-|y675@zfyVt_4&A~5W>kxE32!PT_u|!`qJE<;@v?_O^xhXQ5PRp zQ(^ZXUVv-M#P|E1C|;SW45I6;%OvjTYLf|9*Qa(G$X=H>Z`<}6ov?>KA_THfu!NJS z#M*)$!5OLLSVX6;{SfMq(a~W;4mU_m0)J=PmbW|7WlaQKZr8v7R%5ei^M_4@@+v1s zIXB+nZ`o7+siJ}stjfYjdR3}P<8fwjdpi93$j8SG>4Q*vL7R~wxSEPxB)fZh(p=Wp zv?~!Rp4=4IY@nt@I4|7>Pw=UugOy|fmellj4z2vli(AH?O`Uz+~ikPm^-zk2`t z(JA$$Cb?cuH|Xk*bdkMyk$S_14Mgq#_U*zkjjTk~HWWKBeIz316G9$}J&4pUh)y1n zk*ps+e3(E9+guxIhI|HD>GG+`jiREW1Sj>evT`f-OD)}i8W;C8BEpYe+m7t`@#8pL zgPEqndOXS%&nV?Web^)wz|DO~ zPY(zSdx9(iN|GpA6s<&^Oi8IA_%b@WgQwK4BK@-meEj;A3Kzr|qVUeD!)YD_;MsE< zv0PWw)wguEkaLykrk&Y$txm|p$wQ_!3SZMH^@OkWPE%;PWe|x z1UB=MVgHnIyOvNdVK%_Y(fjuN2m+t4$rGAOQg-`eafi81@I!=f_2yFe78oV&6=Uz3 z@@-FW9X%SY#1)MjqNf+?>|sdaed;tR^0$E(?1e7yPgk{{i)#y%UDl!D;eg0U8WI5v zu_9N)#8Lu}5<0uK!{|xGXvnby#lsT>!>6sS{TE$AbA=4$P+h_I zoA;4S44dzR5&wUJVBcUqBdAT%X^>lhEdaAOP%}eJ_kw5N(a-@c+iq#_Eg{AQa$bJ* zTMmsHNx{@cI4nnXXPw=)(|hC3pFcs-(*@nmY$2;SJy-FUR{7$I*VZ&O5mGH$ zVqH`@5c_AWtuqu2ASxa{cI-2F)6Ri`CKD!fFND8zU%wuLV(UWAa1-_Gdh{u0JLw6N&~|)@G$IH+=p@V`*O|$E zPlXx3B(hC-&8d1bU>-jf@yD@p{@uTGtt{@{D{r&y@csDlbaWW7D4Zr1h}hDKinopT zKI`%lf;)nAFVW_pfWrae|N8Yow6SP^y7A4z_eL0Y?%cTp@+ov=H%glBrZhdA>NDuF zjg5^{QU6H<965fY=m|8^t;@WBk9%?t>=5XMApdj&B}?7DeS|g(F<$yw=0Cv-Tp&7sa&2Q|{`R~6OO8ULkzJ%nlmjMb)!G8Xj69SXk^88w+6WGSe5 z!a;+Jt@`X%&g}O$${E>k?9y)6av&eD9Xaw9#00enNN9rL&>C-|4*zmW-u^<`pZ^QH z(f^cUN-HEM3IQXxx`u`Wx0S7Jw)8=n*j*ZbEiL~~EL+Xy$pj%9wv@!^Mw6Jde=Je~ zzIVi)`**n5{chLU(aijBAYV1f5DvZJ`$~4xh2*RzF=qBq-M=*AE$QoJHc;z6KFJ}4 z6t33P?B*Q6_sG6aXeLDkw{6qbH2vG6ZDe`iN*FWZKD+d#@wW+b`BXi$gnn^zi*^eA7#D{hhRwz-p|S?l?BU60~nffgA_J$!qLskn#L zrju&Ihd%$L-AOHZFP|u>A0Etvaeel*XJ`9G**w zrF#bW04+PnQm9CC+r7$#QEI@Hf;f^omX#cRC0?l;GAx)>&{CyzUDZ#|9en!r7T~p; z4EtYDQ2GX8+Q7qU2hpM zCvYar7Op@J+aLuI5b}0X4pRU}v;g3k(Xk9as+znXa3~@o0-Z~t*_`jL z2VE=MKG`k5(WU)|WCETgyi%rV1Rp(cPwNotojZ3RbEVlbScelPAvDd^EiJ~D;aORN z5c`>aFN7|caZ&9x<tkvZRYk#M&l zmPa!kVy=9$Tk(jWWatZ`nRVv&HGGXNoZC(aZEJTOo zSu#@4i5ovZb;vmJ6oq7Gcu3#41RiF%A!z}^bItGHPmm13MX0S5oorWi(Mq9st;8W*hp~nwFL=moHz&{~4T4o2_eUd5mU`5pvGB z>rnrnKj_Vv@8r@*fKI}xb^0{nbmM;S0=!2Eu5e=&HY91~?@>+BK5K8Er_4+J zvY_A;V4=nff+Y4miL3kb=MORjQ6bSiZhPhrSWUPklaseYzk-2H4#}Qi6rMkSP9nsh z$AoVMJ%9P*-A8x8aESx;kGqlr(L)Fwx_Wx>W~Sb06(j^Bpj6_{6%@9?vqU0MwC?}l zwNLC`XMh~bV5Vd3n~Sjatwv?tdH?6rFUl=kbX!K+3z^_4BH$+5PH&4+YN1ZTtcc8? zr3G|A_<3?Hx;CJkTLSKM1!y7+5Grly}E`+^jqrK7u5UqsgVJ%qoc;|*F-b_odrI}JbbtT4mmX2z;G6MAer?Vdg5$r`t8 zmo~;4Zs4QyrsT;9Nq}7w&KDpt!)iXu+KWPDIdetV66)>X2jjIJ(_Dc?R0tVsqGam{ z0{ja7wvdiYo0HXyo6&=fd(C zp7xf5W_w(_;1O~CFr^W~A%QM%I967st00`7gt2H6*zy1$->>~YLAwO%lRAM>2-plL za&Nrd7n=2NyB=SH3j#a!2!WbDdzPIR*xNlQs?cFx-ANO5<3NZq`Oo~kJc~cycFV}g z9YE-Dy|`fa%F@Q>BzO^Cz4C33%5-7>(FF)Y6Xj%<{^kt@(qZsPlRfBXi8BjR3_8fo z`Y|yvkP6^d*#Z}ZfS}-poCX{Db?-sN3&`lOJWafK`BI1@sCEK}R2=-m#+w5>X*ye| z3sn+MilpZE-%V0!P0+Np6(ViEEax(uluh`a4#@{~+7>VG14#l94~@^`#@f_Ng1g|= zqu9f(?hZ*Zq)qh(FLh(oG};eHc>txK{;}4mh;z3yqj==Nl0-Ov6B0_nyKD!w3Nj=H z?P+{`d{eq1O`Wk#3Z=}eqgJy+%3b5n)Q*)8)hBepN@vp1H>9epOjW_P$ESG+TB4qx zGB+#K5tKVZtT=a2%E;(2LLKq{0B#Y&2XvW|d+)*cl*Z{U7kF*4{({%raXAopUZo~w z*^X(Kn=5N%$B> zI_-h-EoEuRi$#FfuItaAO|Z&Eo87#*|E`r)biMJ#@>^f6^Bah!!cNjefbg;;WbrCO zWg#qSL>mCToUmlWG)jkrQR0NP~_iLma^K7P1Prr{dMC50U1iIRc65NJ#pC7!O%pR%l`9 z5+b4KM4?EaKQHm!P6%bEkH730X-+3PIcz!FPZS818K!Hnfq%NG9Fz9C|Dw~4Bo=Y= zh1p8DEeXzzAkXbUzY-=!q!L(#0i8EMSD~V!LU;60j@8M1dAyhvzI+*U2H^62B`BY2 z@J;-_ih~*~?jTsS*vCX_%u|z0F?^%zFrq9Jor#VVNS4 z0y!@3ED!ksJ1|lhxy7g^qrdX>+??R`^43-+r20}AI5&|V`TKjlealJOFDST2&Yz_W z)W#Foe*IXl&SA$IDsB-ynx)`ZhD)2Bo137S0A|6<MwRZ0Y>^`=H-H8g=;WIyYG#hq4Jot?P)B} zQ0E3qJ&DFKIxmkA?gc`gTAlBpQB_qXHLe8|V$;4jfX;PIVGgT84TO&z}YC4N+bJK@znK2?IP#E}yXmJFu!FBc@>I zX}(%LdF1){5bLY!VUABWDM%Rcn1(x|sUu50HJED6sBLn+bqR{k?xLzkM&B79_r~H9 z<@}f*z{bXLDeMu|E{@HWG%Tkc*$g*;3E712AoMw08&Z%*TfVIx2w-e5y#Zx!x|`9# zw1bNb)w_Or8!Ze{hH3CMX%;8GeZX;G)rp1od0R3%PC1x&L4LvIxD{4D_dnP;lB-t! zy}i%J;n@T1hNZ?cER5L^N)g!9^E-%B~ z#?Hw}34I(zImdc%r>n_Vf8!m0mbxU}NBwHX2tndY#-}nrHeW)kFR->2SrRjiOCWkM0podR9c3njFwwxYi2;@^ zNYMXcO1QBIdIggMgzt**KEe%qQK;>+A$iR^D=lha)r9(g;T(jvn-i|AF>9D5_%!sn z6iF3i=Rfx7n6k#OtMM}MW1kWiN0=#GdTTP)-&NfaWrf>7Vuw_SunQnKZ3F5uSF4z` z$LU%jQCH)MnHO-qIxbg50|2Tpb%MgDWAhKtPR2xJp9Ve1{7Sx*Ni-2M6GGqHKY}6_dFj zFmudo(a6}C@ux7L?4x6SfBxu?@1W3MTUlIyhPq?-ZvE;d!XO7AL5!B@rZIqdC)}@B zuF!&D9bw?DsYZbTFShrmaAHG!J>G5E#~W=yIGFa!Jq!2*YELIcFUk2#~9T$wLXxD|5R?B>*#@?aE{Wl*F43Z5v&3w zxKN^Nv9ZZa{SIcBVBTETPSqKo1ZQ>ymV%}xH8I%>0@nYyotnL0zNCk3;o!%N~B|ZTjn*hKBtX6}r3q78#a>`@kf954aF_uh|?7kJg;L z0OMc2;QwS*QdcUFG(cRj-q|&OYH{ZUXnMz@okfnlLUo{5_~JQ5Q_$dcS|J# zxNCge|4-#hy_JPYsc?AVdr+pxNh2M_tZ05qkERr`pIV$m^VXDY&Wc%`r(t2+NK#rD zzkq5%i%6uXAV!IxX#F(Rgv{Q_6J8d;4JRQ0BcIwHR#yMBK6`Xfj8V?)X6scwrtgpa z79mtbj3d~A!Sx`TY-wX-E?9>j<3h;)Hl^9^_FK{9yPaa z5gCAXR5}vr`t|D^**eUPv&Rn|I(v>M?&=ZbBr+0gr9fk!(VLKI%J(VMME1k5>BjW- z!GMVdusT*l7D$cQgSU~+E!{ToRS*+O#MIjg^kxBv5dw}u)gshm_}cdop5`pGw#VyB zDeF=gCTO-neRLBY3rOr2xr_EdqkMt6v9U2!{08Wj6X4>AHW?a07Y3G2l0G&zW;bSC z##jhk3sge&`oSlsBHkJplMn)_{k1*K@M2t*sIC5TGz&L9eT; z+iU}1GdI@e-eliqr?PgpgF==7#^Nv%6bYF&kngl0Lqfn43ci`@!M2I%uvz zT#c_Ue0>|W9VgGe#vBuX&7LG;7;DdQ%|{q)XzGm2pG+GLY{j4oF}eYWd;k7@(we!f z=(XYU4-x%e(Bgq3Df|{JT7g}49h~01bLR#U_zTqT9THt9%TR&QZrY8cRoEvDkH1Rm zWfYW<)mXpCV~dqFCsy`L?!b7{lN6Ixi6<{1vx!Cq zqj!6W@*=|?@KnJOMhB@y&ImgxyQF$!;0TP=Yy%uwSXkIBBmg;$5dF~8IgIiP3DE<_ z;cVHB7tTKo4K;b{sPIaF3dfe1Y`t`8JJd47s7L5+@t&OTPV7eJaPAPM1ybjmP&3A? zjkl)zev}NODOIr(hhv-|a*|XIfUN<+1$akjLEo@R(r;^Zz^E)#-dKB>n3zb$$r@xP z4}A>-2>bnt8U|CcedtfXgGhxvgDfp@e*`HKSh51PkrQx_ZHLE(I38fFz$h5sYg22O zW?mgqEq<7tZJWaP=4YA$2h+1@8@P*aj<*-WH8GNzTx?SQ%%o|7A<}8?dRHlx#^0s& zX<*peZ@#}jrugrXJs&uEch!rbbhlTg=TP4Mn412)%M!qiERGXrh;fR&d-oC?(4}zE zzf6Nv2$CDsk49W3JlB*r?WT#GQu5=+#d8v<$vohFh@r~DrPRLO-u(v;Zp3&hQL?d; z$k*<($eXZdZ%2C?00EH6Ea%g$U0Ifz2LdD}A^nnEAues#*zm!A)|jAMbLObBijVv?z%C#_Cm|t09A6ccJ;>OiQNo^gHNEjDkaBsQ2nEl<{-dD7x9&Oi zcgPlODO2Kq9#8nxee{^N^!e$$OU_QSSfjXmd`V2OXE-l0@q6!7mtX0g{)dmsJ$cu+ zHwq=;>$g^72GM=30F@BoDTRcC?1zyZU(991zJ4upc)Y*gaB5d7Q7~{bnC|!t{Os{5 z-X8W!Sm#Rs65RDcFC9L56kg9#m(@lWs!9jJD`Fxd$bDpJ0SOP(2mMNn!937j7NT!F zrxRvJ!T=SH=I5%a%L4}0f#7f8X182fumteeMgAt(YL8h=6CFNs1a32ahT&_fs)jb( z8ce~=#l*)`!AzBI)CSTA@y&@wczd8-9&)7eLKnLKKT(n^$=h2>?YW8+_ilOwdUWgqV1 zyu@&j#U2AA1nmmlTJ-gD0={M~ZSQ=41Uw8xnR0b?)n0!(+eXD=*GYzP7O7~(&Qcml z83ThiUqe*w$K==p7_4oFO*EEd(m=oh;=)%7UJ;cyx%yQ@qbT7Fg~k+HvmY%s5-Nx` z4u7qd%p(p<9VA0hGK{2*}yq zzCOl-dy(Ubfe$|Y$EdGYwgFEZa6s!`kAt%(Fv(lv`XCj6gW{diOW0r(;97Y<=C z`x9&vVA6L7ZGz4M-_xzB8Y@X$2StzkQcKX90UP)Uz(sJDCD@K9pupjjoX@{hg^5~V zd@Qt7wpfqeI%Wj_b}oci{p;7SPH4|!;|14pB$n0XJp1i1H6v|bM6f3_GuF|SVTT&G zRnMPHG#nCT*j_$P2Is;Y!?VCZEHO75+o$(dI)iD={M)U*dSRaTfd8q7gwCUpZRP>O z4s$dZ;`~Ndc3MWy>)hMg!DC07V9Bnb=x|=XqqAqL3Fglk6u4VnMqJDl5DaxpBW z+Ceuho^QD;fbCj(IwR8*XIP4Q<^_h=x2bV}A?X;uD4{@{@b?Xb|kal_@%FiE|$gPGLn2ynDd zYlEx&%@56{f^zg^BvSQW9CYEljZvj{ZEcHhGI>HU{`*!h;xC<3r|_r*(R(Ao2fsEq zUq=&~H~1!0zRw_VWa8o>4^n1D)+J>4m)u{ z?A}NEU-W=h-7f62J-kxj!{?pIsn3)sd#KDl8*TjQ_htvFU2|bDR!37L#OH>)w z-&YLlfrqE(d)x8$xjW!yL=iC*+ZdwI%M4=NsrnJ^fsy4K&Wrk^9mO|LIDRZa=u991c-qv&J&XD}g5d>VS#Ja}R2>*`*ktSSL4s%IDlfCGIK92~4t)u^6C z?~n|rCD`VM8Nh+zlwy@Tcal_+)Z+jaX9sGeG1aJEV3&r1{hpdh@LgV>I=%;JT(qAT z<@}}19aSd!ms=$pJHJwrNUm-uTE>7h_V6YjIu8-a4G&0&$8;~|V&8rEa22)n!sW~6 zmLm^0ZKd0}GX{#$5S*myA8vVLDg?xI{TnOu_JZr^`mSO6mAE@ROJopJ_0JA+Yvm~c z0KWpWiQ(^P!lJun+cqWe1qW|~0R@#22Jx%aI(fRDk)Gc6dcWw6VwibUuu9OBlJHe6 z()C`f&W8iPzTV4k@GdJ$1tqB{&vrcdN~~=7G=ops-Rq5>L7VXy2oi;Qx`8hQWzNta z90~RBwF~W!u(L}&12M^ot{B@d2M~MZ(j`AM?)BN`9R^NKrh>{!N=Ch30+8dcsi_5P zYHGshQr{S#hsjo4hP-XFv~5I zP#BS_q{&t>!NUvAh9@Mg=H=#ot*=++2#jwQzu) z!AZR{mY=C^Wo30@Q8Q`QK>~+m2_8NrP0d7Dp{^&Xl$DofEvmP~dM51aA}5hPo(96) zLPeG4;*9&4Nw~2J!Q(!zL+QeW$C#~11fnF4vj3^6FCxo(PZ~eRg*?X z&MW(w0n3_`;rkNSOFQ{&hLjc;7BY;c^*90tAFf8GH28?CYAjQ4-D*-Z2L|?)ka+}r zO9BA{+WM`970TZK-Z z%pB+$Sv(m3?%la(b+K|Z4z0CsFAHrw|0|dCHwe^B`=SP8aj~?br2f2MhY3CC3(8tr z;lvCluJqiq?*>*0{W)PKVye_R8_b1^pLepIhYMCcP4}z=m=02PbX|RY{QLJ8Q2w}% zA8#O%SXWmx0=T`M1ARIWfvT=DSoVy$rv>`DIjnd>5?PxJVt?)FJAP;5J3_^#mV96iVDr2nO(mX zvfxd>H_;n-`NA{p`+s&z`{h6V)x&vmaW-zt+zm_a)}=0{pNGD- zwGjp|M$9m$E5AoSGdopz!UXsOsJT&OS=4&qDKY+w$HjcDt-XeOY(S`TAWuM)<<>4x zgOOeZ5sk>o#AHq(CUZWhC)uML7Oe3OBf{psy}7axBf zvRomKRSIyDIG$NRWX4eL)z+59<4VJ25eZ52oj9lVXv37RUX2;7eLD;dpcaZc7_S?H zP;3|lO@qO=AlctsXR%M#JKo=tENI9%mHnpD%RkVDT0O(eYvokiY;lEa}eti8RAfIg=Yh59DitCTjk0hArFYnJnFj_d8Cm+5`t+Yf=h)_K?x! zG0|^4_ly(LE~*5v7R2fhMX0Ib$%c<*hXwmhuGLVssOSAEx}!J{&RAphp~NY8+3uu? zsi~5VPBd{oz@#KhHCkEU8I`~wOuUG43UBdh`k3<|`EnL`J?q$RD=0tE%>IY<> zz*hJw!eLCLzOk`&9@5&-;M>RsJX6IQZb%bMsmyuX;(;>p_VZ(H$Lv-VktI*sP25b< z$R2yRdZ#J%49EvKDFP2-;En6hp)zOF>(@i@fUr2E0pGp+vIvRHlp|(oYDio$5MzyC z*JTv7e&;;tbK_l3jv6s5EP!VOwK>hVwPfAVNS{N?P7Gk21VFhMDtHmI>ivc0No`)N zV$Lf$5%xnzi1kG42#0P_;T@CtW!)6=fuXD*=l31v#c!`q2&X&!SvOy=JM$v?0NTq2 z&<+@njz&cj$zzUcvss*&)Vp|5@W{|4xHm(vd1j_N zB_lRU?fjL-FO8)a<%`>6^+TGsCo|Lcz@?$8tsSv8;U#G__B(e8O#g@;|Diz-dTqrs zXC44crx3&q)b+ZSOp`Wo)B^Vs*_V8Oc$|OmW$9pG36g{(3gQ%3MY?#C8tN!6J~)U+pIyV4mc;T1KOSFn z^uPh>XVyT7M1G!|4o{Ih|LUYk5P`oW*Czd23LUbYoCB>5y1VdXfHxqgO{$~LF!J4c z1aQXPdd? z>vMnV;V3DJe|XAD!g-`RjqChX-QE!TVqvk6y73mp)%+M)FF)mkg1+zeRULbR28vXR z*Ei)AylGg_wLA}ib?7`Ox4ApOeS!7H^}zF^@@FpNL1;xC#+mQUJBqltxs@@43=DQF zO>G9ydI08`AQY(Y2I)?_cc9~1e$@f1b^qvPQGSJCB&s?@&MbyTkFv9uv?pg|D47?p zW??=d1rCYp$M#UOoLVSo>>D3XF>A|fmRw$1x*(d)*O;r)N#G?sPD$zN)n6kyS#_&0 zYwvsZ+F-m(B>#gNxP#Zz9pe&COPX~yB(3JGbynm06B8WD^)KGNp8L)hDdgTBzuX=1 z^57luysNDjR9hs;PpjUo_wY}57Je}7WtE$F(Xc#q{dJYih0AMeaT3RWsRc#!(nAkr&o(K?p!FY`?7JnMIWZXuv zuZ0<#%iP>teEK{8`*-hh224a6D`Q{tpGX$f7+=g#$*%cni~YLmYn$j?GtOOq{nEgw z77f>Lp`R=QYeAB&Eaym3NAreChxW|=d0^QV|Q&urr9Gu^cYYN z?PlZT3{1QzSl=Kd`sSu)M*8sU@wR+bHwx-!)&?=zcnn8!;heg|4mcysCo`h5vKl0= zfP+(qduEO|8#oF>ZmILObH3?@%fhNI&#Wgp&k$VzPS`I1on**VT!Mls*haq4ANIWg za=oLY+~@n5S!~jrg>_Czu7A&>=nR=y9d_+?KJ9;tmN}VT1{Kq&d!${rMfFS4ZR9 z-X_IG8Y>P6UzFEAe3@SIyy3%&EY^!sl&;Br@0Uefj7Bo^1mA_;+e0@zS?riR=%OBf z;7`R#9#PH06e=a-$a7k|I^Vj<9i6STT~9WAnOtABma62k$a!?qdJj}&MsfQLSUwWq z6u1o(wgeAnl-O8~G&-@N=JdCO9lmgBD4`|S>MiVd0+0O!Y&LC(IqNeL_)BBB${>9Z!whw>2%Lm8>dP#0m3X|QsbDAu z&G9IT*RU`WeFFFRjnKl{~`9DF@3%9kGfS_uvu`_+Q0cdpy+n-XAO3G@8WnQs#+J=xG^`{OT`G&t12gY~1_8pihoceTJ)h$iOh`_50~6|IqQz z$JVT5*!r9bvHYfsKW-=xrg8=8JFl9!Z+Jai_@qcB*yzPxiK!`n|IrB2V|GuD_5hG| z%wWZnKU#*0K`6(!nG2}IvLnVekf8Ao=35C#EwOQ-$i<}wo#57OXK#a?6DYREcHm`*xY zXIEDMe9X*^<6bC#QIC%=Tp!%KUSiIip$(X@j_f13ZQUc zX4<14yZ?aMYI>PB#m}pG0YK8?V zYxcYzYD?CYtcwgG z{JZlE=491E0Gt58;i#95no0@^ zyG^>G2xi@*3|^6uqFxToH3(iMa-A!CLf0SHTSr&xZ%Rfr_<8T!veMiaE6e; zs;a7jZ@K9$CA8;OOiOX-o$zW3Pk+pK6zgs|++9B^g~kRi+8@!m-2n8KGN{bxkH+d+ zif$*O^DaTJUcK69s$u%K+v)!#B+VgolM=sFMCK_nU%kcOD4w4ahHNVN>x=u`iZ?bs zNhad%5+Yvesm5#R;15jow)s#JmJ=;XxnWmud*yXIwqs8F0S!G|_O*($6t+e_<9=f! zU3|CMX}0T=p>T@XJo0{IPG{NYiQPDQdj7(^l1QH``aP=d^F5U_EA@+cyjoTS9#Xyo zu#)P2OT#d%$hJp9DeBM@Q}YDj$QqAlT2nPr8h7RxRXTrn~@6_Vg=12K2 zCz+1p-~1B3E=y5Osi64m{9BSd6+8w{c=gMy9*v?Bqmp}%ep*5gFbHO==LD2C+|S|r z3<=*d^IoRY?DpHGSgRJ4QufmA(wi^&EevU!e82A07MTN~$LrYlj_t#9iF^C1 zIr7i-E2{OFiN!9KdhyDJbMtb7W`bZ?iKnt6yZP>XX*?_#%NQQ*%7)l4t}RAeeBi(v z>B`4M`=LOsP&9gL4)9}KZEe#4^YuLID3VTd zmG612Sp*;OAwO<95I+A+dmsySge7*uuxDYek)55*g-lfln1qU74c-AJsX<3)ZH3-c zfZb_Uh>Q|;2uSH*Z=Vk%-;OMFt$q7MdV3CyO_@WX(B^H(eQj+Vi#C-1Tf(i zb#Qhrz=8t}b@eSQAf0loWgu??1N*44U7+ZY7uBJXO^kHw;3^W{6*W0ph=mTcw*m1< z-An5enSbp*3=^hdSJ@Ck6`f=>nod*(fRPADN=+c>8~T~)(3o%)mra!|w@7xty0)`t zX`|1@DDhk(5TQRpbFk7_v7!kUCW{I02rsN7QOq~WDZ`lr7O0g4H z_-33Bwcldr+)%oz{%DaNz!5>kMBqgBpNp^yM1f*xN?tSaFdTpIy$2Rr0MQ~@Yaz-{ zGup3`ib@eeP(a4LRoTtH^maH^*%f>)*B)<>eEaAw$hQ{28^A(?EAri+(WDcP17XV3 z1N7a7i*e<0jALBvFKtT$RK;8@QRE1n8h&)62H~sMXv-3CxmoD8+?Zv&Ln+Pdt z+X{PutqL^O@UXBp(8ca2MplqS0SPvLtBh2^3L+pA5&>^-)Y>Y(rOxXq3#)QFp*4{o zv6u*YC@oyLm6rbA0|E==2!vIM0)Tr8Vd;}6PNd;w$d!Orm-A($9avh}Lmzzg% zsGzW%4xO*fOn&19n2yd6sURXfB$g=AVp!|3X*33mr>UVK73uo9vMLv_j=*9kN`9SB zSa^8*P+LA}@#IaT*4oB1_};3;zigH>Rx9*s2oT5mBql)8^ucW&SIAE=G#E!&-#AV=*D^02p0$BJ3*ix;8byQBuq zy#JfYa~K*(14=r|l;`RvrnJ1zRmE{$PT#)06Kqf(q)abbNZi+~W?v0W&HI=YM(M&u zeh4`Dx!TbD?_Lq7WG(hBp~|cT26WvHPQ06ar#9KP?ZDT z1xuzIG##@CV`C-2^1g>}2kGDM>+74R@!421X$*rDsDcQSfT30Fm4>x}{*OYZk#r{y z^VwA6Ll_a62=}~bI<=JaVS_E`nVozOlPN!hLQXB-=z{AkeET#7O3B5gW(jKt#N87< z^4;I>@1H&reDLK*ThYJ!ZBy2M0#|(cp#1i$ZmRD1T&8|ufb|xc6s9vgs)a#j1flpZ zhlNc3EkLH`GyHuPu>8>{{s`9j?N@KzX_LS+x~(Sa7sjr(v7U{N7IQdD`Z4=VB&wr2 z>DWX|yaBD%tDD;{a-?k>k30viIZOVJfLToB4{WRgRUSnMQwkN{jq{<+Y}O61Y{^>X6ij@S!cOtTIGa7;Z~qg%N2PdaXa!H;%$Sr9Z_i6XJYf$M7Yu{7B40v`7JQA|OP4P74`afJL#Fw0 zZgntKg9LS)U>c8Sr=+Az3zDQgbi%ye>!1vUas*}^@N)H)+S-;#o4M2;x`wfcQR~0N z4&lX+=<7f*MVsITzZKu*M(FF+zhfSqQ}$BZO&*i57wr1CXwJZ^qrkM;zlarfp13j8ybFLG2;!5&B`JQwF<#0C; zMI9DYCQcy{bP=(PHUdze9`TrI$KGw&W+@A%k;EYg*du0wjkQGu=yS&t6S=tIOx`tG ztJ84?gou^C#?EnVfPNyD#_;HXW;oWD0YSBaNc*cJI&e2AQmG|KWllxn&zAsJN3bkE z$jKttIEHAK$aU>OTLyS+hoYP_|@5SBa_7R#xBY~&pToVuCK%sc%-xuqp*7NX_ z-i87%hN<7f3@^r)gdF`J)O+Rv=qQ-tLJ`=LR#YMsq&U}DVJSr-jk_FGw7 zr;ro)%rfSp+s?+<>crgFa(0$(-&FpU-Pr5Bk4caBn)TfOPK&G0TNel|Bn!{C<&BPO ztGX}nR2DhgU)AY6oFAixrnIh%jBxlACod^wMk~Yss`eAf_XIDUw7@Em>B2&d;8=bgyH^yw?FoU2AIlj!s=^RCrHQ&cQjpO1-erw?iOZE?FOU2Pn^yKj`y?R9 zr_A|G@PmeiR?rGn2PMx{q6;O43AE?v?y!1$tI$6Rp&X+0hI;zMhaGHOLOvdrF0xUS z0i{W?#t0q!n@n^99iTco3xE{DH8ur28yVpOWFZ8-g$02-FSxI=5qJ&~6HL;|adDdT zIZ=04r_o%1$I(%2Vdi1zkDZzdK_Vca9nbq5PXZS~3y(o68T>aL%nbYI_}J;#52uId zpt!S#2DxIoi$yrVbk=6;K!av~_nj7c4!s>>FQLw`OR%KB01Ouelf)9#5u%}E7Ze;> zVvB%~Q6m@CX?Tgg#>4+6e-mBC@4>2l)@40=_Ii4WBCZQwcL?TkdZTwhS1ke@phm<| z#OEP40cpZu#FLturhav$I=IMk*x=v{xZKpz0uj#^zyiEmJ?Bqq_9N@a*{w;v}h%ep{$y*8(5|z9D9tnlaL1n@hmcB z-4t;k1%}mFA`{=jIe-59HVq0jLv$F|5*6)V9>$LxvET6OCt#(_6+l32Krig6M8~;- z4R8TLK};LR_^{a<8UYmtNGbXEDXRa#pWBhqA&!4=U zZaDbAq&Uq9I}vFF`*FpNFBXmfBz>r^7o14*|~B>(^b literal 0 HcmV?d00001 diff --git a/doc/source/conf.py b/doc/source/conf.py index b044934..90f0767 100644 --- a/doc/source/conf.py +++ b/doc/source/conf.py @@ -29,6 +29,7 @@ sys.path.insert(0, os.path.abspath('../..')) # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom ones. extensions = [ 'sphinx.ext.autodoc', + 'sphinx.ext.autosectionlabel' ] # autodoc generation is a bit aggressive and a nuisance when doing heavy diff --git a/doc/source/configuring.rst b/doc/source/configuring.rst index c81d6cd..0761ffd 100644 --- a/doc/source/configuring.rst +++ b/doc/source/configuring.rst @@ -28,6 +28,12 @@ For more details, click on the configuration parameters. +--------------------------------+------------------------------------------------------+------------------------------------------+ | ARA_ENV_ | Environment to load configuration for | ``default`` | +--------------------------------+------------------------------------------------------+------------------------------------------+ +| ARA_READ_LOGIN_REQUIRED_ | Whether authentication is required for reading data | ``False`` | ++--------------------------------+------------------------------------------------------+------------------------------------------+ +| ARA_WRITE_LOGIN_REQUIRED_ | Whether authentication is required for writing data | ``False`` | ++--------------------------------+------------------------------------------------------+------------------------------------------+ +| ARA_ENV_ | Environment to load configuration for | ``default`` | ++--------------------------------+------------------------------------------------------+------------------------------------------+ | ARA_LOG_LEVEL_ | Log level of the different components | ``INFO`` | +--------------------------------+------------------------------------------------------+------------------------------------------+ | ARA_LOGGING_ | Logging configuration | See ARA_LOGGING_ | @@ -139,6 +145,40 @@ In order to use the settings from the "dev" environment, you would set Another approach to environment-specific configuration is to use ``ARA_SETTINGS`` and keep your settings in different files instead. +ARA_READ_LOGIN_REQUIRED +~~~~~~~~~~~~~~~~~~~~~~~ + +- **Environment variable**: ``ARA_READ_LOGIN_REQUIRED`` +- **Configuration file variable**: ``READ_LOGIN_REQUIRED`` +- **Type**: ``bool`` +- **Default**: ``False`` +- **Provided by**: `django-rest-framework permissions `_ + +Determines if authentication is required before being authorized to query all +API endpoints exposed by the server. + +There is no concept of granularity: users either have access to query +everything or they don't. + +Enabling this feature first requires setting up :ref:`users `. + +ARA_WRITE_LOGIN_REQUIRED +~~~~~~~~~~~~~~~~~~~~~~~~ + +- **Environment variable**: ``ARA_WRITE_LOGIN_REQUIRED`` +- **Configuration file variable**: ``WRITE_LOGIN_REQUIRED`` +- **Type**: ``bool`` +- **Default**: ``False`` +- **Provided by**: `django-rest-framework permissions `_ + +Determines if authentication is required before being authorized to post data to +all API endpoints exposed by the server. + +There is no concept of granularity: users either have access to query +everything or they don't. + +Enabling this feature first requires setting up :ref:`users `. + ARA_LOG_LEVEL ~~~~~~~~~~~~~ diff --git a/doc/source/index.rst b/doc/source/index.rst index 50fae4d..39824a8 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst @@ -10,5 +10,6 @@ Table of Contents Installing ara-server Configuration settings and preferences + Authentication and security Using API clients with ara-server Architecture and workflows diff --git a/doc/source/security.rst b/doc/source/security.rst new file mode 100644 index 0000000..d61a66d --- /dev/null +++ b/doc/source/security.rst @@ -0,0 +1,112 @@ +.. security: + +Authentication and security +=========================== + +ara-server ships with a default configuration that privileges simplicity and +lets users get started quickly. + +By default: + +- A random SECRET_KEY will be generated once if none are supplied +- No users are created +- API authentication and permissions are not enabled +- ALLOWED_HOSTS and CORS_ORIGIN_WHITELIST are configured for use on localhost + +These default settings can be configured according to the requirements of your +deployments. + +Setting a custom secret key +--------------------------- + +By default, ara-server randomly generates a token for the :ref:`ARA_SECRET_KEY` +setting if none have been supplied by the user. +This value is persisted in the server configuration file in order to prevent +the key from changing on every instanciation of the server. + +The default location for the server configuration file is +``~/.ara/server/settings.yaml``. + +You can provide a custom secret key by supplying the ``ARA_SECRET_KEY`` +environment variable or by specifying the ``SECRET_KEY`` setting in your server +configuration file. + +User management +--------------- + +ara-server leverages Django's `user management `_ +but doesn't create any user by default. + +.. note:: + Creating users does not enable authentication on the API. + In order to make authentication required for using the API, see `Enabling authentication for read or write access`_. + +In order to create users, you'll need to create a superuser account before +running the API server:: + + $ ara-manage createsuperuser --username=joe --email=joe@example.com + Password: + Password (again): + Superuser created successfully. + +.. tip:: + If you ever need to reset the password of a superuser account, this can be + done with the "changepassword" command:: + + $ ara-manage changepassword joe + Changing password for user 'joe' + Password: + Password (again): + Password changed successfully for user 'joe' + +Once the superuser has been created, make sure the API server is started and +then login to the Django web administrative interface using the credentials +you just set up. + +By default, you can start the API server with ``ara-manage runserver`` and +access the admin interface at ``http://127.0.0.1:8000/admin/``. + +Log in to the admin interface: + +.. image:: _static/admin_panel_login.png + +Access the authentication and authorization configuration: + +.. image:: _static/admin_panel_auth.png + +And from here, you can manage existing users or create new ones: + +.. image:: _static/admin_panel_users.png + +Enabling authentication for read or write access +------------------------------------------------ + +Once you have created your users, you can enable authentication against the API +for read (ex: GET) and write (ex: DELETE, POST, PATCH) requests. + +This is done with the two following configuration options: + +- :ref:`ARA_READ_LOGIN_REQUIRED` for read access +- :ref:`ARA_WRITE_LOGIN_REQUIRED` for write access + +These settings are global and are effective for all API endpoints. + +Managing hosts allowed to serve the API +--------------------------------------- + +By default, :ref:`ARA_ALLOWED_HOSTS` authorizes ``localhost``, ``::1`` and +``127.0.0.1`` to serve requests for the API server. + +In order to host an instance of ara-server on another domain, the domain must +be part of this list or the application server will deny any requests sent to +it. + +Managing CORS (cross-origin resource sharing) +--------------------------------------------- + +The :ref:`ARA_CORS_ORIGIN_WHITELIST` default is designed to allow a local development +instance of an `ara-web `_ dashboard to +communicate with a local development instance of ara-server. + +The whitelist must contain the domain names where you plan on hosting instances +of ara-web. diff --git a/test-requirements.txt b/test-requirements.txt index 996d1f6..5186483 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -2,7 +2,7 @@ factory-boy bandit>=1.1.0 # Apache-2.0 coverage flake8 -sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2 +sphinx>=1.4 sphinx-rtd-theme black==18.9b0 ; python_version >= '3.6' # Exact version for prerelease isort