From d96e81eaf4874c0e8454920149923010b1225882 Mon Sep 17 00:00:00 2001 From: Richard Conway Date: Tue, 17 Dec 2024 10:40:35 +0000 Subject: [PATCH 1/3] Add IAM to overview --- docs/building-blocks/overview.md | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/docs/building-blocks/overview.md b/docs/building-blocks/overview.md index f6bd315c..60ac8541 100644 --- a/docs/building-blocks/overview.md +++ b/docs/building-blocks/overview.md 
@@ -18,55 +18,61 @@ To simplify and standardise the deployment process, each Building Block comes wi Below is a list of the EOEPCA+ Building Blocks available for deployment: -### 1. Resource Catalogue +### 1. Identity & Access Management (IAM) + +The Identity and Access Management (IAM) Building Block provides authentication and authorisation services within the EOEPCA+ ecosystem. It ensures users can access resources and services safely across the platform by managing identities, roles and permissions. + +[Deploy IAM »](iam.md) + +### 2. Resource Catalogue The Resource Catalogue BB provides search and discovery of all types of resources available within the EOEPCA+ ecosystem - including datasets, processing workflows, ML models, applications, services, and more. It provides metadata management and search capabilities. [Deploy Resource Catalogue »](resource-catalogue.md) -### 2. Processing +### 3. Processing The Processing BB provides deployment and execution of user-defined processing workflows within the EOEPCA+ platform - with support for OGC API Processes, OGC Application Packages and openEO. [Deploy Processing »](processing.md) -### 3. Data Access +### 4. Data Access The Data Access BB provides efficient access to Earth Observation data. It provides data visualisation and retrieval services, enabling users and applications to interact with large datasets. [Deploy Data Access »](data-access.md) -### 4. Resource Registration +### 5. Resource Registration Resource Registration BB allows for the addition of new resources to the EOEPCA+ ecosystem. This includes harvesting data from other (external) data sources - and associated population of Catalogue and Data Access services. [Deploy Resource Registration »](resource-registration.md) -### 5. Workspace +### 6. Workspace The Workspace BB provides collorative work environments for users and teams (projects). 
It offers workspace-scoped storage allowing projects to manage their own resources within the platform - with associated workspace services that support project work within the platform - such as catalogue, data access and processing. [Deploy Workspace »](workspace.md) -### 6. MLOps (Machine Learning Operations) +### 7. MLOps (Machine Learning Operations) The MLOps BB faciliates the machine learning model development lifecycle - including model training, model version management and management of training data - and supports discovery of published models and training datasets. [Deploy MLOps »](mlops.md) -### 7. Resource Health +### 8. Resource Health The Resource Health BB provides a flexible framework that allows platform users and operators to monitor the health and status of resources offered through the platform. This includes core platform services, as well as resources (datasets, workflows, etc.) offered through those platform services. [Deploy Resource Health »](resource-health.md) -### 8. Application Hub +### 9. Application Hub The Application Hub serves as a platform where users can discover, access, and launch Earth Observation (EO) applications. This includes a JupyterLab environment for interactive analysis with notebooks. It provides a user-friendly interface for managing application lifecycles and facilitates collaboration among users. [Deploy Application Hub »](application-hub.md) -### 9. Application Quality +### 10. Application Quality The Application Quality BB assesses and ensures the quality and compliance of EO applications before they are made available to users. It performs validation checks and enforces best practice for open reproducible science. From b9e7c9247f5850b9c04c23a4263db97e79956c5a Mon Sep 17 00:00:00 2001 
From: Richard Conway Date: Tue, 17 Dec 2024 11:31:18 +0000 Subject: [PATCH 2/3] [oapip-engine] add openid-connect apisix plugin in bearer_only mode --- scripts/processing/oapip/ingress-template.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/scripts/processing/oapip/ingress-template.yaml b/scripts/processing/oapip/ingress-template.yaml index 7f893230..452feef5 100644 --- a/scripts/processing/oapip/ingress-template.yaml +++ b/scripts/processing/oapip/ingress-template.yaml @@ -19,6 +19,14 @@ spec: - serviceName: zoo-project-dru-service servicePort: 80 plugins: + # Authenticate - expect JWT in `Authorization: Bearer` header + - name: openid-connect + enable: true + config: + realm: eoepca + bearer_only: true + discovery: "https://auth-apx.$INGRESS_HOST/realms/eoepca/.well-known/openid-configuration" + secretRef: oapip-engine-client # Require authorization for access to API - name: authz-keycloak enable: true From 86efe49bed561800be337cf095320ddbf89886db Mon Sep 17 00:00:00 2001 From: Richard Conway Date: Tue, 17 Dec 2024 11:40:16 +0000 Subject: [PATCH 3/3] Create `eoepca` test user --- docs/building-blocks/iam.md | 24 +++++++++++++++--------- docs/building-blocks/oapip-engine.md | 2 ++ 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/docs/building-blocks/iam.md b/docs/building-blocks/iam.md index 3548a9fa..7b89f50e 100644 --- a/docs/building-blocks/iam.md +++ b/docs/building-blocks/iam.md 
@@ -121,11 +121,15 @@ Replace `your.registry`, `eoepca/keycloak-with-opa-plugin`, and `your-tag` with --- -### 5. Keycloak Post-Deployment Configuration +### 5. Create `eoepca` Keycloak realm -After deploying Keycloak, you need to perform some post-deployment configurations. +Keycloak establishes an initial `master` realm which should be reserved for global adminsitration only. It is best practice to create a dedicated realm for platform identity and protection of BB resources. -#### a. Obtain an Access Token for Administration +Thus, we create a dedicated `eoepca` realm. + +**Obtain an Access Token for Administration** + +Retrieve an access token using the admin credentials. ```bash source ~/.eoepca/state @@ -142,9 +146,9 @@ ACCESS_TOKEN=$( \ ) ``` -This retrieves an access token using the admin credentials. +**Create the `eoepca` Realm** -#### b. Create the `eoepca` Realm +Creates a new realm named `eoepca`. ```bash curl --silent --show-error \ @@ -160,9 +164,11 @@ curl --silent --show-error \ EOF ``` -This creates a new realm named `eoepca`. +--- + +### 6. Create `eoepca` user for testing -#### c. (Optional) Create a Dedicated `eoepca` User +For convenience we create an `eoepca` (test) user to support usage examples in this guide where a user must be assumed. ```bash curl --silent --show-error \ @@ -187,7 +193,7 @@ Replace `"changeme"` with a secure password of your choice. --- -### 6. Integrate GitHub as External Identity Provider +### 7. Integrate GitHub as External Identity Provider This involves two main steps: @@ -266,7 +272,7 @@ On the **Sign-in** page, select **GitHub**, and follow the flow to authorize Key --- -### 7. Deploy Open Policy Agent (OPA) +### 8. Deploy Open Policy Agent (OPA) #### a. Create Keycloak Client for OPA diff --git a/docs/building-blocks/oapip-engine.md b/docs/building-blocks/oapip-engine.md index 827fd7f6..e3995e1c 100644 --- a/docs/building-blocks/oapip-engine.md +++ b/docs/building-blocks/oapip-engine.md 
@@ -200,6 +200,8 @@ This section provides an example resource protection using Keycloak groups and p The example assumes protection for the `/eoepca` context within `zoo` - protected via the group `team-eoepca` that represents a team/project with common access. +The user `eoepca` is added to the `team-eoepca` group - assuming that the user was created as described in section [Create `eoepca` user for testing](iam.md#6-create-eoepca-user-for-testing) + ### Obtain an Access Token for Administration ```bash
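Review bot: In the overview.md hunk (`@@ -18,55 +18,61 @@`), the IAM entry is inserted at position 1 without saying why it now comes first; since the ingress template later in this series makes the Processing BB depend on the `eoepca` realm, a sentence stating that IAM should be deployed before the other Building Blocks would help readers. Two typos in the unchanged context lines of the same hunk, `collorative` and `faciliates`, could be fixed while the file is being touched.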
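Review bot: In the ingress-template.yaml hunk (`@@ -19,6 +19,14 @@`), `secretRef: oapip-engine-client` refers to a Kubernetes secret that is not created anywhere in this series; either add the creation step (with the keys the openid-connect plugin expects) to the deployment docs or state where it comes from. The comment `# Authenticate - expect JWT in `Authorization: Bearer` header` could also say what `bearer_only: true` means for unauthenticated clients (a 401 rather than a redirect to a login page) and that the `authz-keycloak` plugin that follows consumes the same token, since that layering (authenticate, then authorise) is the point of adding this plugin in front of the API.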
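Review bot: Typo in the added line of the iam.md hunk (`@@ -121,11 +121,15 @@`): `adminsitration` should be `administration`. Replacing the `#### a.` sub-heading with bold text also removes its anchor; if any page links to it, keep it as a heading.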
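Review bot: In the iam.md hunk (`@@ -142,9 +146,9 @@`), the added line `Creates a new realm named `eoepca`.` is a sentence fragment and does not match the imperative `Retrieve an access token using the admin credentials.` introduced in the previous hunk; `Create a new realm named `eoepca`.` keeps the two consistent.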
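Review bot: In the iam.md hunk (`@@ -160,9 +164,11 @@`), the new section 6 creates the `eoepca` test user but only says it exists for convenience; the section should also tell operators to disable or delete this account on deployments that are not test installations, since the following hunk's context line shows it is created with a default `"changeme"` password that the reader is merely asked to replace.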
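Review bot: In the oapip-engine.md hunk (`@@ -200,6 +200,8 @@`), the link `iam.md#6-create-eoepca-user-for-testing` embeds the section number that this same series has just renumbered, so it will silently break the next time a section is inserted in iam.md; consider a stable anchor, or at least verify it in the rendered docs. The added sentence also lacks a final full stop.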