Integrating rmf-web as a microservice

[rmj1405]

Hi!

I have a project with a microservices architecture and RMF is one of the microservices involved. Instead of using the RMF Dashboard, I have my own frontend and server that I would like to use to communicate to RMF using the rmf API server and client. Essentially, I would like to swap out the dashboard with my own UI to control and receive real-time updates on the robot.

I have looked through the repository and I understand there is socket.io being used as well as the main openapi but I'm unsure of how they are working together. The dashboard accesses the api through rmf-ingress.ts file to set the app context but sometimes I see components importing directly from 'api-client' as well.

I'm quite confused about how the different modules(server, client and dashboard) link together and how I can begin on this task of integrating rmf with my own system through rmf-web(which packages do I truly need?). Any guidance or an outline/steps would be much appreciated! Thank you!

Currently:

1. Working with ROS2 Humble, Ubuntu 22.04
2. I have created the fleet adapter and can move my robot with CLI and rmf dashboard

[aaronchongth]

Hey there @rmj1405! Thanks for the background information,

Let me give a quick summary of the packages and how they work together,

• api-server is the main server working with a database, and communicates directly with the fleet adapters, infrastructure adapters and RMF core libraries, through a combination of ROS 2 and websockets. The server sets up REST routes for any frontend to use
• api-client is the typescript library generated using openapi on the routes that are provided by api-server. This library is used by dashboard to actively work with the api-server
• dashboard is the frontend appplication which is built with the api-client and react-components

For your use-case, I would say you would just require an api-server instance, you can see all the routes at localhost:8000/docs, and integrate with your application accordingly

[rmj1405]

Thank you for breaking it down @aaronchongth! I also have some further questions on https://github.com/open-rmf/rmf-web/tree/main/packages/api-server#authentication-and-authorization. I understand that in a custom integration used in production, it is critical to secure access to the api server to prevent misuse and information leakage, thus I would like to implement it. My questions:

1. how do I get started with setting up the authentication and create my JWT public key? (unfortunately it's not very clear from the readme)
2. From the readme it says:

rmf-server does not manage user identities and access levels by itself, it uses an OpenID Connect compatible identity provider to perform authentication. Authorization however, is performed in-app by rmf-server.

and

rmf-server maintains its own database of users, roles and permissions.

Do you mind elaborating on the flow of information between OpenID Connect and the rmf-server's internal database and how they interact together to authenticate and authorize the users? I'm unable to visualize it at this moment.

3. As rmf is using a default in-memory sqlite instance as its database, are there any mechanisms in place to authorize the use of this data source as an additional layer of safety or is recommended we switch to our own database if we are concerned abt this?

Hope my questions are clear and thank you so much for taking the time to do this!!

[aaronchongth]

auth related questions

https://github.com/open-rmf/rmf_deployment_template is a good place to start for auth related questions. We've currently been using Keycloak extensively, so I can't say much about integration with other auth providers. But just in case I butcher the answers, I'm gonna tag @koonpeng to make sure I am on track.

For setting up authentication, we have mostly been using Keycloak, and the cloud_infra branch of the deployment template, https://github.com/open-rmf/rmf_deployment_template/tree/cloud_infra, has some steps on how everything works together

As rmf is using a default in-memory sqlite instance as its database, are there any mechanisms in place to authorize the use of this data source as an additional layer of safety or is recommended we switch to our own database if we are concerned abt this?

Yup, that default database is mostly for quick testing with simulation and demos in mind. Since we are using Tortoise ORM, https://tortoise.github.io/, users can technically support all the databases that it supports upstream, https://tortoise.github.io/#pluggable-database-backends.

As for authorized use of the database, we have so far kept it simple and give the API server full access to the DB, and use the API layer to handle authorization where needed. We have not fleshed all that out fully, but will intend to do so once we reach a stable release.

[koonpeng]

Authentication is done through oidc, the dashboard uses keycloak client to get an access token, currently it only supports keycloak.

However, for your use case, the api-server can work with any auth provider that uses jwt access tokens. It is pretty barebones at the moment, it doesn't support oidc discovery and jwks but you can configure it with the public key of the auth provider directly

rmf-web/packages/api-server/api_server/default_config.py

Line 18 in e3d2b1c

"jwt_public_key": None,

[rmj1405]

I understand now! Thank you so much for the detailed responses!