-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IAM <-> Workspace integration for scoped Workspace-API access #37
Comments
As discussed in meeting 3 Dec 2024, a similar approach needs to be applied to the STAC API Admin component (see EOEPCA/resource-discovery#101). In this case, coarse-grained authorization decisions will need to handle different HTTP methods rather than distinct routes - but should still be doable based on Keycloak policies. Other important topics for future discussion:
|
For the workspace API, what are the general rules for access protection? |
correct, if a user is associated to group the HTTP method specific protection we need (at the moment) for the eoAPI STAC API Transaction tool i.e. this coarse authorization checks (route-based here and HTTP method based there) are IMO the goal for this quarter, more granular (regardless if either external gateway resp. OPA or in app code) we need to discuss and plan for next quarter hope @rconway can help and step in here regarding delegation as I was also not directly involved in past - my understanding is that the services (=ProcessingBB) themselves could access anything on the workspace-api and just used the passed JWT to extract the user=group=team and called the I know that openEO (another new part of ProcessingBB) uses Device Token flow together with Refresh Tokens to mitigate that but personally I'm not sure about storing a Refresh Token on a service ... |
We are currently considering using offline tokens in the context of the Resource Health BB, for which they seem to be an appropriate solution. They would also work well for the processing and similar scenarios, but I am not yet sure if they are really the most appropriate choice there. |
The case of the Processing BB is that a processing job is invoked by a user (passing a JWT). During the execution of the job the Processing BB needs to call other BBs (acting as the originating user) - for example the Workspace BB for storage, or Resource Registration to publish outputs. This needs to take account of the fact, mentioned by @fabricebrito, that processing can take a (very) long time. @w-scho Do you think the offline token approach would help with this case? |
I have no real-world experience with OIDC offline tokens and am therefore still a bit unsure about the details. I am quite sure, though, that they are an appropriate solution for the Resource Health case where jobs are run repeatedly on behalf of a user. This case is a bit simpler than the processing case, because it does not involve delegated authentication. I'd like to first evaluate the use of offline tokens in the Resource Health scenario to get a bit more familiar with them and then see if they really fit into the Processing scenario or would just be a partially disarmed variant of refresh tokens there. |
So what is the typical solution for delegated access - ignoring the 'token lifetime' problem? |
We initially considered UMA 2 for this case. However, UMA 2 does also not fit perfectly, because it focuses mainly on party-to-party (usually in the sense of person-to-person) authorization from the resource owner's perspective, is quite complex and does not address the token lifetime problem. A typical use case for UMA 2 would be granting another person (or maybe an app) access to one's bank account. Granting the Processing BB access to some workspace or data collection is similar to this, but does not exactly match the purpose of UMA 2. |
For evaluation and demonstration, I created two additional ingresses/ routes for the Workspace API. Both routes use a newly created client named "workspace-api". A Keycloak-based one at https://ws-api-test.apx.develop.eoepca.org/ An OPA-based one at https://ws-api-opa.apx.develop.eoepca.org/ |
@w-scho |
@rconway |
So each workspace has an associated client - each client has an associated |
we are mixing up topics here: regarding #37 here: regarding #34: |
path based routes setup of OPA policy by IAM team: policy https://github.com/EOEPCA/iam-policies/blob/main/policies/eoepca/workspace/wsapi.rego authorization enabled via OPA plugin here: https://github.com/EOEPCA/eoepca-plus/blob/deploy-develop/argocd/eoepca/workspace/parts/ingress-workspace-api.yaml |
Builds on top of #34 introducing user<->group(=team) associaction!
The Workspace-API is a lightweight layer built on top of Kubernetes that exposes workspace-related information, such as credentials, via HTTP routes.
There is a single central deployment of the Workspace-API within the cluster, which is accessed by operators, (potentially) platform users , and services like ProcessingBB or MLOpsBB. These services use the API to retrieve credentials, for example, to stage data.
The API routes follow the pattern
<workspace-api>/workspaces/<teamname>/...
, ensuring that only authenticated users associated with a specific team can access the corresponding workspace resources.Sign-Off Checklist:
Keycloak orOPA policies, ensuring that platform users, such as userA associated with teamB, can access resources via HTTP GET requests like<workspace-api>/workspaces/teamB
The text was updated successfully, but these errors were encountered: