HumanCellAtlas / dcp

Data Coordination Platform manifest and integration tests.

User AuthN #73

Closed rhiananthony closed 5 years ago

rhiananthony commented 6 years ago

As the Data Coordination Platform, we want to be protected, to protect each of our services from each other, and to protect the human subjects data we have. This requires authn and authz on our endpoints and on any access routes.

All components in a secure and federally compliant system need to have four main features: authentication, authorization (#101, #99), audit trails (#103), and encryption (#102). Even if hosting public data, a system containing Federal Government data still needs to have these features for all of the administrative and operational components to maintain integrity. This has the added benefit of enabling reuse of components in more settings than the HCA. Even though the first use of the DCP Blue Box (HCA) is an open data store, we need to add authentication to components of the DCP. Some of these will be operations-facing; those that are user-facing will be configurable so that they can be turned off during HCA DCP deployment.

AC: Integrate components with centralized auth hub

rhiananthony commented 6 years ago

Kylie - June 5, 2018 - 11:43AM Ingest will be securing endpoints and putting HTTPS on them. Green will need to authenticate to use ingest. Likely the sprint after next. Think about securing RapidMQ as well

Bruce - Apr 3 2018 - 6:16PM @andreykislyuk - sorry, that was terrible wording on my part. I meant inter-component, controlled-access API, eg, ingest sending data to blue box, ingest interacting with upload service, etc.

Andrey - Apr 3, 2018 - 11:35AM @brucemartin22 "- internal controlled API, eg, pushing data to blue box?" - do you mean service-to-service authentication?

Kylee - Apr 3, 2018 - 11:13AM On pause because of preview, collections and release API. Then will resume and work with ingest team to update the ingest UI, working with the orange box, and finalizing the shared auth infrastructure

Bruce - Mar 27, 2018 - 11:11PM besides the list above, what about:

Sam - Mar 13, 2018 - 11:27AM Andrey is working on a PR for the Ingest UI

davidbernick commented 6 years ago

Please separate out the HTTPS discussion from here. It's a prereq for any Authn work anyhow. @rhiananthony you have a separate ticket for that. Can you reference that here?

kbergin commented 6 years ago

Thanks @davidbernick, it's linked in the ticket description now; it's #102. Also added it as a dependency.

kbergin commented 6 years ago

@Bento007 I hear you're looking into where everything is at with Auth, could you update this ticket with your findings?

rhiananthony commented 5 years ago

This is the document which came from the discussion between Tony, Rolando, Rodrey, Alegria, Norman, Parth, Trent

https://docs.google.com/document/d/19qWii-cL0mlzvZo_mqXjiJM7xXX8-gTojTleZHyudws/edit#

This was a great doc, but when we discussed this in the SecOps meeting, we decided that we need a little more in terms of implementation details.

brianraymor commented 5 years ago

Per the discussion on dcp-security with @kislyuk, closing.