unity-sds / unity-cs

Unity Common Services
Apache License 2.0

R0.2 - Integrate WPS-T endpoint with Unity Authentication #67

Open galenatjpl opened 2 years ago

galenatjpl commented 2 years ago
  1. CRITICAL WPS-T endpoint (multiple REST APIs that exist) is accessible to logged in members of the Unity System. Unity SSO, in other words. Only authentication is needed here, to prove WPS-T access, not authorization in R0.2. Acceptance Criteria: At least one working example of locking down a REST API.

  2. CRITICAL Sounder SIPS + U-SPS Team (Luca, Dustin, Namrata, Drew) + UI Team (Anil Natha, Rob Tapella) + U-CS Team members have been on-boarded into the appropriate Authentication Realm.

    • (Cognito User Pool).
    • Acceptance Criteria: At least two Sounder SIPS members in the user pool, and able to use authentication via Cognito A&A.

  3. CRITICAL Jupyter Notebook Users can access WPS-T endpoint by API (e.g. command line or machine to machine (app2app), non-interactive authentication)

    • Use Case for app2app would be Jupyter Notebooks. The Sounder SIPS operator will use the JNB to execute a job. They would authenticate beforehand?
    • Question: Can we use the same token for multiple calls? Can the token be intercepted, and made available to the JNB environment?
    • Comment from M20 experience: token should be re-used as much as possible.
    • For JNB use cases, it's preferable to use an actual User's account, rather than a service account scenario, for purposes of auditing, etc.
    • Question: do JNBs have access to get a user/browser token, and turn around and use it in a call? Is this even needed? Jupyter Hub accesses Jupyter Lab.
    • @ramesh-maddegoda to investigate possible options for passing / storing tokens. Acceptance Criteria: A working example of using JNB to authenticate, and use subsequent calls that leverage a User's auth token to interact with another service / endpoint.

  4. Users who are not authenticated are redirected to login mechanism (or an HTTP 403).

    • Initial login to get to JupyterHub first
    • ALSO (and most likely) another need for JupyterHub user to authenticate again (e.g. credss) in the Jupyter terminal.

  5. Users can access WPS-T endpoint by Browser (Human based, interactive Auth)

  6. Command-line app/tool to get credentials

NOTE: machine to machine is the most probable/important use case here.
NOTE: for R0.2 we only need authentication support (authorization would be extra credit here)

NOTE: M20’s design for token management is in these docs https://github.jpl.nasa.gov/pages/M2020-CS3/CSSO_DOCS/csso/docs/quick_start_guide.html

NOTE: integration point repo is https://github.com/unity-sds/ades_wpst

NOTE: command-line tool to get credentials, as well as libraries to interact.
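The non-interactive Jupyter/CLI flow sketched in item 3 (log in once with the operator's own Cognito user, then reuse that token across many WPS-T calls), as an added example that is not the project's or the ades_wpst code. The Cognito InitiateAuth endpoint with the USER_PASSWORD_AUTH flow, the Bearer-header convention assumed on the WPS-T side, and the constructed test token are assumptions, not something this issue specifies.

```python
import base64
import json
import time
from typing import Callable, Dict, Optional

def jwt_exp(token: str) -> int:
    """Read the 'exp' claim of a JWT without verifying it (a client only needs it to know when to refresh)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

class TokenCache:
    """Holds one Cognito access token for the notebook/CLI session and reuses it until shortly before expiry."""
    def __init__(self, fetch: Callable[[], str], skew: int = 60, now: Callable[[], float] = time.time):
        self._fetch, self._skew, self._now = fetch, skew, now
        self._token: Optional[str] = None
        self._exp = 0
        self.fetches = 0  # how many times we went back to Cognito (should stay low)

    def token(self) -> str:
        if self._token is None or self._now() >= self._exp - self._skew:
            self._token = self._fetch()
            self._exp = jwt_exp(self._token)
            self.fetches += 1
        return self._token

    def auth_header(self) -> Dict[str, str]:
        """Header to send on every WPS-T call; the same token serves many calls."""
        return {"Authorization": f"Bearer {self.token()}"}

def cognito_password_auth(region: str, client_id: str, username: str, password: str) -> str:
    """Non-interactive (app2app) login with the user's own account via Cognito's InitiateAuth API.
    Assumes the Cognito app client has the USER_PASSWORD_AUTH flow enabled (hypothetical for this project)."""
    import urllib.request
    body = json.dumps({"AuthFlow": "USER_PASSWORD_AUTH", "ClientId": client_id,
                       "AuthParameters": {"USERNAME": username, "PASSWORD": password}}).encode()
    req = urllib.request.Request(f"https://cognito-idp.{region}.amazonaws.com/", data=body, headers={
        "Content-Type": "application/x-amz-json-1.1",
        "X-Amz-Target": "AWSCognitoIdentityProviderService.InitiateAuth"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["AuthenticationResult"]["AccessToken"]

def make_test_jwt(exp: int, sub: str = "sips-operator") -> str:
    """Constructed, unsigned JWT for offline demonstration only; never accept such a token server-side."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'sub': sub, 'exp': exp})}."
```

Pass `cognito_password_auth` wrapped in a lambda as `fetch`; the cache calls it only when there is no usable token, so a session of many job submissions normally costs one login.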

ramesh-maddegoda commented 2 years ago

Moving this to "Done". All sub tasks are completed.

Additional details related to this can be found in slide deck: "Unity Security Model - Authentication and Authorization – Part 2" https://docs.google.com/presentation/d/1wNppS59cjFRivjkim6OdFNoTO-n0E2hGG66lvBw_EC8/edit?usp=sharing