Closed jraddaoui closed 6 days ago
Attention: Patch coverage is 85.71429% with 15 lines in your changes missing coverage. Please review. Project coverage is 53.06%. Comparing base (07ac6f6) to head (673c572).
@djjuhasz @mcantelon @sevein @sbreker
While this is still a work in progress and I'm working on a document explaining the existing OIDC implementation, I think there is enough information in this PR description and in the code for you to see where this is going and provide some initial feedback.
I'd appreciate it if you can take a look when you have some time. It will be better if you review each commit individually; they have a detailed message (the same as in the PR description). Also check the TODO section. Thanks!
Thanks @djjuhasz! I addressed most of your feedback, I'll ping you for another review after adding all the scopes we discussed yesterday and some of the dashboard TODOs.
This looks amazing @jraddaoui! :star_struck: I do not have anything to add beyond the others' comments. Thanks for your efforts with this!
I agree that follow-on work might work best as a second PR after this is merged...
Thanks @sevein and @sbreker!
I think I have addressed all feedback and added a few more commits. I'll leave it disabled for now until we add the dashboard side and the documentation, which as you said will happen in another PR.
@jraddaoui I tried testing the authentication out locally, but I'm getting an "NS_ERROR_UNKNOWN_HOST" error from keycloak when I click the Enduro Dashboard "Sign In" button. The only config change I made was to set `api.auth.oidc.abac.enabled = true` in "enduro.toml".
@jraddaoui nevermind, I forgot to add keycloak to my `/etc/hosts`. RTFM moment. :facepalm:
After updating my `/etc/hosts` I logged into the Enduro Dashboard fine with the "readonly" account, and I navigated around the read pages without any issues. I also logged into the Temporal UI and MinIO without any issues.
When I tried to process a SIP, I got an error in the upload activity though:
```json
{
  "message": "[storage create]: invalid value expected *storage.CreatePayload, got &{79dc514f-d42e-40b4-a17b-2c2cc325f88f ZippedBag.zip <nil>}",
  "source": "GoSDK",
  "applicationFailureInfo": {
    "type": "ClientError"
  }
}
```
It's possible the error is unrelated to your changes, but I've never seen it before.
Thanks @djjuhasz! That's totally related to these changes, I fixed that issue in the tests, but I thought the service was created differently in the main functions. Will fix!
No, it doesn't. That was just a cosmetic commit:

Re-order API design methods in storage service
- Keep locations and packages methods together.
- Move `submit` to indicate `update` is related to that method and not to `create`.

Refs #957.
Use Keycloak instead of Dex in dev env
Dex allowed us to implement OIDC authentication in front of an OpenLDAP instance in the development environment. However, it does not provide the IAM tools to manage access control in Enduro.
- 7470 to avoid collisions.
- `enduro` realm with:
- `keycloak` instead of `dex` in `/etc/hosts`.
- `offline_access` from the requested scopes (a following commit/PR will make scopes configurable).

Add optional access control to API
Optionally enable Attribute Based Access Control (ABAC) in the API. When enabled, the API will look for a custom claim in the access token and extract the attributes relevant to Enduro. If a custom scope needs to be requested to get that claim, it has to be configured in the dashboard.
- `package:read` will only provide access to that action(s).
- `package:*` will provide access to all package related actions.
- `*` will provide full access to all actions.

Re-order API design methods in storage service
- Move `submit` to indicate `update` is related to that method and not to `create`.

TODO
Follow-up work that may or may not happen in this pull request.
Note: moving to a BFF auth. flow could simplify some of these changes and documentation, but that won't happen in this PR.
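The attribute matching described in the PR description (exact `resource:action`, `resource:*`, or `*`), as an added example that is not Enduro's own code: the claim name "enduro" and the claims map shape are assumptions, and the sample claims are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Attributes holds the Enduro attributes found in the access token's custom
// claim, e.g. "package:read", "package:*" or "*".
type Attributes []string

// ClaimAttributes extracts the attribute list from decoded token claims. The
// claim name is configurable per deployment; "enduro" below is an assumption.
func ClaimAttributes(claims map[string]interface{}, claimName string) (Attributes, error) {
	list, ok := claims[claimName].([]interface{})
	if !ok {
		return nil, fmt.Errorf("claim %q missing or not an array", claimName)
	}
	attrs := make(Attributes, 0, len(list))
	for _, v := range list {
		s, ok := v.(string)
		if !ok || s == "" {
			return nil, fmt.Errorf("claim %q holds a non-string or empty attribute", claimName)
		}
		attrs = append(attrs, s)
	}
	return attrs, nil
}

// Allows reports whether the attributes grant action ("resource:action"): an
// exact match, "resource:*" for every action on that resource, or "*" for all.
// A malformed action name is always denied.
func (a Attributes) Allows(action string) bool {
	i := strings.IndexByte(action, ':')
	if i <= 0 || i == len(action)-1 {
		return false
	}
	for _, attr := range a {
		if attr == "*" || attr == action || attr == action[:i]+":*" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed claims, as seen after the token has been verified and decoded.
	attrs, _ := ClaimAttributes(map[string]interface{}{"enduro": []interface{}{"package:read"}}, "enduro")
	fmt.Println(attrs.Allows("package:read"), attrs.Allows("package:create")) // true false
}
```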