Open mwinokan opened 3 months ago
The current Fragalysis contains modules in the api
package (app) that handles communication with the MySQL/ISPyB database to collect the Target Access Strings (TAS) (Proposals/Visits) that a user has been granted access to - validating the user's access to a given Proposal/Visit.
The basic architecture is illustrated in this diagram: -
This has drawbacks: -
We 'extract' the validation logic into a new 'separate' kubernetes deployment (a new Pod, and Service and Ingress): -
This validation logic architecture minimises MySQL connections and makes the security mechanism pluggable because: -
The security Pod would offer authorisation via a simple pre-shared key mechanism (passed in the request header). This is a common and safe approach and also avoids the security Pod from having to understand tokens or the authentication meachanism. Stacks are configured with some new ENV variables: -
SECURITY_ENDPOINT
(an https address)SECURITY_PROVIDER
(a string used to provide a name of the service i.e. "ISPyB")SECURITY_KEY
(a key required in the header of any security request)They then send a request to the security Pod with a username
(and key
) and get back a list of TAS
strings.
@alanbchristie please document/investigate the work required to separate the security module for authentication in non-Diamond deployments.
It is not a priority for the current releases so please spend up to 1 hour documenting this for now.