Ticket: https://hysds-core.atlassian.net/browse/HC-259

Background information required to understanding the thought process and planning behind integrating A&A to HySDS

...

def authenticate_and_get_token(username: str, password: str, 
                               user_pool_id: str, app_client_id: str) -> None:
    client = boto3.client('cognito-idp')

    resp = client.admin_initiate_auth(
        UserPoolId=user_pool_id,
        ClientId=app_client_id,
        AuthFlow='ADMIN_NO_SRP_AUTH',
        AuthParameters={
            "USERNAME": username,
            "PASSWORD": password
        }
    )

    print("Log in success")
    print("Access token:", resp['AuthenticationResult']['AccessToken'])
    print("ID token:", resp['AuthenticationResult']['IdToken'])

ElasticSearch

Authenticating ElasticSearch directly would require a major update in the HySDS core (hysds_commons, hysds) to fetch an access_token for every background process & celery worker

• Configure ElasticSearch for OpenID Connect authentication

An alternative is to authenticate at the proxy (apache or nginx) level:

• This is a work in progress as a lot of research still needs to be done

• only authenticate for ElasticSearch requests coming from outside the server (hysds_ui, etc)

• internal processes can hit ES directly without having to fetch an access_token beforehand

• Apache’s OpenID Connect library

• NGINX OpenID Connect Implementation

  • uses OpenResty so it’ll require additional setup

  • NGINX Plus supports OpenID but it’s not free

• current research documented in repo:https://github.com/DustinKLo/nginx-openid-demo