Hi @bryce_nordgren,
The relationship between partners [publishers] and users is a bit complex, I will explain how it works.
Before I do, one important note: Publisher and Partner are the same thing, in the Admin Console UI the term “publisher” is used but in the code and DB, the entity/object/table is called “partner”, I realise that’s a bit confusing, it’s for historical reasons and as we all know, escaping history is difficult:)
The Kaltura Server is an API driven system, all actions done by the management web I/Fs [Admin Console, KMC, KMS, etc] are accomplished by making API requests, same is true for batch operations [transcoding, email sending, asset deletion, etc].
Seeing how this is the case, I feel no explanation can be complete without going into the basics of how an API session is established. If this is more technical an explanation than you desire, you can try to skip ahead.
When making requests to the Kaltura API, the first step is to generate a Kaltura Session [KS]. That is done by calling the ‘session’ service with the ‘start’ action or by calling the ‘user’ service with the ‘loginByLoginId’ action. A session is specific to a given partner ID and two types are supported: USER and ADMIN. The Kaltura API follows the general principles of REST and is stateless, meaning that each and every call to privileged services must include a KS which will be used to determine whether the request should be allowed or not.
And so, when logging into Admin Console or KMC, a Kaltura Session is generated for the relevant partner ID.
There are internal/system partner IDs [for Admin Console, the template partner, the batch partner, etc] and there are “external” partners meant to be used by actual human beings, interacting with the system.
The internal partners are:
mysql> select id,partner_name from partner where id < 100;
+----+----------------------+
| id | partner_name |
+----+----------------------+
| -6 | Play-Server |
| -5 | Media |
| -4 | Monitor |
| -3 | Hosted Pages |
| -2 | Admin Console |
| -1 | Batch |
| 0 | Global |
| 99 | Template KMC account |
+----+----------------------+
Each partner can have many users associated with it. When you are prompted by the install script to input an email address and password, a user is created according to your input and is associated with the -2 partner ID, the one used for Admin Console operations.
When you login to Admin Console, a request is made to the user service’s loginByLoginId() action; if the inputs are correct, a KS is returned from that call and you are logged into the Admin Console web I/F.
While the same request in KMC will work, it will result in an empty view since the Admin Console partner [ID -2] is not meant to be used for creating and managing media content. I realise this is confusing and agree that an informative message in that case would certainly be in order. We’re currently working on a new KMC, one that does not require Flash and is built on top of Angular 2, we’ll give it more thought there.
When you submit the form from Admin Console->Users->Add Users, additional users for accessing Admin Console will be created. These users can have different roles, limiting the actions they will be allowed to do within the Admin Console application.
For the purpose of managing media content [upload media, play it, add metadata to it, etc, etc], additional non-system partners should be created. This is done by going to Admin Console->Publishers->Add New Publisher.
If the email address you input in that form does not exist, a new record in the kaltura.user_login_data table will be created.
Next, a new record in the kaltura.partner table will be created. Lastly, a new record in the kaltura.kuser table will be created.
Let’s illustrate with actual sample records from my own local DB:
When prompted by the postinst script with:
“Kaltura Admin user (email address)”
I inputted jess.portnoy@kaltura.com, which resulted in the following records being created:
mysql> select login_email, first_name , last_name, config_partner_id from user_login_data where login_email='jess.portnoy@kaltura.com';
+--------------------------+------------+---------------+-------------------+
| login_email | first_name | last_name | config_partner_id |
+--------------------------+------------+---------------+-------------------+
| jess.portnoy@kaltura.com | Kaltura | Administrator | -2 |
+--------------------------+------------+---------------+-------------------+
mysql> select screen_name, first_name, last_name, email, partner_id from kuser where email='jess.portnoy@kaltura.com';
+--------------------------+------------+---------------+--------------------------+------------+
| screen_name | first_name | last_name | email | partner_id |
+--------------------------+------------+---------------+--------------------------+------------+
| jess.portnoy@kaltura.com | Kaltura | Administrator | jess.portnoy@kaltura.com | -2 |
+--------------------------+------------+---------------+--------------------------+------------+
mysql> select id,partner_name, description from partner where id=-2;
+----+---------------+------------------------+
| id | partner_name | description |
+----+---------------+------------------------+
| -2 | Admin Console | Administration Console |
+----+---------------+------------------------+
So, when trying to login with jess.portnoy@kaltura.com, my passwd will be checked against the sha1_password and salt stored in user_login_data and my privileges in relation to the partner in question [-2 in the Admin Console’s case] will be checked against the record in the kuser table.
Now, let’s say I created a new partner by submitting the form in Admin Console->Publishers->Add New Publisher [which will make a API request to partner->register() once submitted] with the email jess@kaltura.com.
A new partner record was created:
mysql> select id,partner_name, description from partner where id=101;
+-----+--------------+---------------+
| id | partner_name | description |
+-----+--------------+---------------+
| 101 | Jess Portnoy | My Partner |
+-----+--------------+---------------+
A new user_login_data record was created:
mysql> select login_email, first_name , last_name, config_partner_id from user_login_data where login_email='jess@kaltura.com';
+------------------+------------+-----------+-------------------+
| login_email | first_name | last_name | config_partner_id |
+------------------+------------+-----------+-------------------+
| jess@kaltura.com | Jess | Portnoy | 101 |
+------------------+------------+-----------+-------------------+
A new kuser record was created where partner ID is set to 101:
+------------------+------------+-----------+------------------+------------+
| screen_name | first_name | last_name | email | partner_id |
+------------------+------------+-----------+------------------+------------+
| jess@kaltura.com | Jess | Portnoy | jess@kaltura.com | 101 |
+------------------+------------+-----------+------------------+------------+
So, when I log into KMC with jess@kaltura.com, a Kaltura session for partner 101 with my user [jess@kaltura.com] will be generated.
If I submit the form in Admin Console->Publishers->Add New Publisher again, with the same email [jess@kaltura.com], an additional record in partner will be created, a new kuser record will also be created. In the upper navigation bar in KMC, the “Change Account” option will appear, allowing me to switch between the various partners my user has access to.
So, one user can be associated with multiple partners and each partner can have multiple users associated with it.
It is important to understand that while multiple kuser records can have the same email but different IDs in the partner_id column, the password for the user shall be the same and its sha1 hash and salt are stored in user_login_data.
To create additional users and grant them privileges on a certain partner, go to KMC->Administration.
Hope this helps clarify things, if you have additional questions, feel free to ask:)
