Closed boal closed 1 year ago
@boal What about passing the presigned URLs to the integration services instead of an S3 path? Each S3 Service would need an async interface... Also, async could cause difficulties when the URLs expire. But I think we should discuss this anyway.
@dominikhorn93
Yes, this is a third valid solution and maybe in terms of simplicity and security the best one.
One drawback is the possible expiration of the presigned URL.
In case of an expiration, a response should be sent to the caller to signal the expiration of the presigned URL.
1. Project-specific S3 service requires asynchronous interfaces analogous to the synchronous interface (own project-specific S3 topic) -> basic modules, element templates
https://github.com/it-at-m/digiwf-s3-integration/issues/73
https://github.com/it-at-m/digiwf-s3-integration/issues/72
https://github.com/it-at-m/digiwf-cosys-integration/issues/5
https://github.com/it-at-m/digiwf-email-integration/issues/20
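The expiry case raised in the comments above, as an added example (not code from the DigiWF repositories): a consumer step that reads the lifetime from a presigned URL and returns an expiry response to the caller instead of attempting the download. It assumes the storage issues SigV4 query-signed URLs (`X-Amz-Date`, `X-Amz-Expires`); `handle_file_request`, the status names and the sample URL are hypothetical.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: signed 2024-01-01 12:00:00 UTC, valid for 900 seconds.
SAMPLE_URL = (
    "https://s3.example.internal/project-bucket/files/report.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240101T120000Z"
    "&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=constructed"
)


def presigned_expiry(url):
    """Return the UTC instant at which a SigV4 presigned URL stops being valid."""
    query = parse_qs(urlsplit(url).query)
    try:
        signed_at = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        lifetime = int(query["X-Amz-Expires"][0])
    except (KeyError, ValueError) as exc:
        raise ValueError("URL carries no SigV4 expiry parameters") from exc
    return signed_at.replace(tzinfo=timezone.utc) + timedelta(seconds=lifetime)


def handle_file_request(url, now=None, margin_seconds=30):
    """Hypothetical consumer step: decide whether to fetch or to report expiry.

    The margin covers the time the transfer itself needs. The check is
    advisory; the storage remains authoritative and can still answer 403.
    """
    now = now or datetime.now(timezone.utc)
    remaining = int((presigned_expiry(url) - now).total_seconds())
    # Report only the object path: the query string holds the signature,
    # which works as a bearer credential and must not reach logs or replies.
    obj = urlsplit(url).path
    if remaining < margin_seconds:
        return {"status": "PRESIGNED_URL_EXPIRED", "object": obj,
                "expired_for_seconds": max(0, -remaining)}
    return {"status": "OK", "object": obj, "remaining_seconds": remaining}


if __name__ == "__main__":
    late = datetime(2024, 1, 1, 12, 20, tzinfo=timezone.utc)
    print(handle_file_request(SAMPLE_URL, now=late))
```

With asynchronous delivery, `now` is the time the message is consumed, not the time it was produced, so a message that waited in a topic longer than the URL lifetime is answered with the expiry status.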
@dominikhorn93
Which services are still affected?
Topics claimed: https://git.muenchen.de/openshift/kafka/-/issues/83
Todo: We need Topics for prod before we can release the new feature
Pull Request: https://git.muenchen.de/digitalisierung/digiwf-engine/-/merge_requests/77
Pull Request: https://github.com/it-at-m/digiwf-s3-integration/pull/77
Pull Request: https://github.com/it-at-m/digiwf-email-integration/pull/25
Handling
Handling of files over S3 storages is currently restricted to the DigiWF specific storage. It's not possible to handle files in project specific storages.
Within a project specific process, it should be possible to handle files with project specific S3 storages.
Authentication/authorization
All project specific S3 storages expose REST endpoints which will be secured with project specific ROLEs/RIGHTs using OAuth2.
I.e. the call to project specific S3 storages in the Cosys/Mail integration will be handled by OAuth2 client credentials flow. For each call to a project-specific S3 storage, the corresponding ClientID and the corresponding ClientSecret are then required in the Cosys/Mail integration.
Currently, this cannot be handled in the Cosys and Mail services. As a result, the current images cannot be used for this purpose.
Concept
Todos
DigiWF Engine
S3 Service
Mail Service
Cosys Service