Closed tomkralidis closed 2 years ago
Notes from 2022-03-09 discussion:
Authentication: verification of identity Authorization: verification of access
In:
Out:
adding #140 as a pre-requisite for this.
I just wanted to point out... in Sarracenia, we implemented bearer_token support to work with NOAA sites ( https://omisips1.omisips.eosdis.nasa.gov ) the above example implements an "access_token" I'm not sure what standards apply to this stuff or if everyone uses their own stuff and every client is supposed to use custom javascript... it's odd
https://swagger.io/docs/specification/authentication/bearer-authentication/
I'm not sure if the two things are describing the same mechanism or not ... the implementation of bearer token support was quite simple:
headers = {'user-agent': 'Sarracenia ' + sarracenia.__version__}
if self.bearer_token:
logger.debug('bearer_token: %s' % self.bearer_token)
headers['Authorization'] = 'Bearer ' + self.bearer_token
....
urllib.request.Request(self.urlstr, headers=headers)
One just includes there Authorization header when opening the request. I get the feeling OAUTH2 is huge and has many options, and so one can have completely different implementations of "OAUTH2" that don't work with each other because they implement different options or parts of it. The spec is open to many different use cases.
might want to clarify what, beyond just OAUTH2, needs to be implemented.
Found a link about the different token varieties:
perhaps good to target bearer_token as first pass, likely sufficient for needs. the access token stuff seems to include continuous replacement of tokens, and looks a lot more complicated for the client to deal with.
We should use "static" tokens to alleviate users from refreshing tokens based on expiry/etc.
Needs to be shared across nginx and API.
@tomkralidis and I have been iterating a bit over the last couple of days. Going to collate some of the considerations we have discussed thus far. @petersilva interested to hear your thoughts!
authz
=====
username,dataset
tomkralidis,data.recommended.foo
benwebb,data.recommended.foo
Restricted
/data/restricted/data/recommended/1/2/3/4/foo
Open /data/public/data/core/5/6/7/8/bar /data/public/data/recommended/11/22/33/44/baz
I think we should constrain things to be at least entire folders aka topics... not allow some files under the same topic to have some restricted items and other public ones. I don´t think we can restrict more than that...
@petersilva agree, for WAF access control is on directories, for the API, this equates to dataset collections.
I think we are all in agreement on this point
Updates:
We should also cover cases for embedded data. In this case, a possible option would be to have the entire channel to be authenticated. We should be able to advertise various data for various channels.
Initial capability now in main branch.
User story
As an operator, I want to add access control to some data so that sensitive resources require authentication and authorization.
Acceptance criteria
Definition of done