Ticket: https://hysds-core.atlassian.net/browse/HC-259
Background information required to understand the thought process and planning behind integrating A&A into HySDS
...
Example (with Keycloak), refreshing an access token against the realm's OpenID Connect token endpoint:

```bash
curl -s -X POST \
  -d client_id=<client_id> \
  -d client_secret=<client_secret> \
  -d grant_type=refresh_token \
  -d refresh_token=<refresh_token> \
  "http://localhost:8080/auth/realms/<realm>/protocol/openid-connect/token" | python -m json.tool
```
...
Requires a SQL database (MySQL, PostgreSQL, etc.)
Keycloak guide from Red Hat on how to set up realms, client apps and client roles: it uses Java's Spring Boot framework for the REST API integration, but the steps can still be followed.
OCIO advised against using Keycloak, instead suggesting AWS Cognito.
...
```python
import boto3


def authenticate_and_get_token(username: str, password: str,
                               user_pool_id: str, app_client_id: str) -> dict:
    """Authenticate a user against a Cognito user pool and return its tokens.

    ADMIN_NO_SRP_AUTH sends the password to Cognito server-side, so the
    caller needs AWS credentials allowed to call AdminInitiateAuth and the
    app client must have the admin user/password flow enabled.
    """
    client = boto3.client('cognito-idp')
    resp = client.admin_initiate_auth(
        UserPoolId=user_pool_id,
        ClientId=app_client_id,
        AuthFlow='ADMIN_NO_SRP_AUTH',
        AuthParameters={
            "USERNAME": username,
            "PASSWORD": password
        }
    )
    result = resp['AuthenticationResult']
    print("Log in success")
    print("Access token:", result['AccessToken'])
    print("ID token:", result['IdToken'])
    return result
```
ElasticSearch
Authenticating ElasticSearch directly would require a major update to the HySDS core (hysds_commons, hysds) to fetch an access_token for every background process and celery worker.
An alternative is to authenticate at the proxy (apache or nginx) level:
This is a work in progress, as a lot of research still needs to be done.
Only authenticate ElasticSearch requests coming from outside the server (hysds_ui, etc.); internal processes can hit ES directly without having to fetch an access_token beforehand.
The NGINX OpenID Connect implementation uses OpenResty, so it will require additional setup.
Current research is documented in this repo: https://github.com/DustinKLo/nginx-openid-demo
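The proxy-level approach sketched above, as an added example that is not taken from the nginx-openid-demo repo or from HySDS: an OpenResty server block using lua-resty-openidc in front of ES, where same-host callers (hysds_commons, celery workers) bypass authentication, API clients present a bearer access_token, and browser users (hysds_ui) go through an OIDC login. The issuer, client and host values are placeholders, and the "internal caller" check assumes nothing else proxies in front of this server.

```nginx
# Assumed setup: OpenResty + lua-resty-openidc installed; Elasticsearch on 127.0.0.1:9200.
lua_shared_dict discovery 1m;
lua_shared_dict jwks 1m;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # for HTTPS discovery/JWKS

server {
    listen 443 ssl;
    # ssl_certificate / ssl_certificate_key omitted

    location / {
        access_by_lua_block {
            -- 1. Requests from this host (HySDS background processes, celery workers)
            --    skip authentication. Only valid when no other proxy sits in front,
            --    otherwise remote_addr is the upstream proxy, not the caller.
            if ngx.var.remote_addr == "127.0.0.1" then
                return
            end

            local openidc = require("resty.openidc")
            local opts = {
                discovery = "https://<issuer>/.well-known/openid-configuration",
                client_id = "<client_id>",
                client_secret = "<client_secret>",
                redirect_uri = "https://<es-proxy-host>/redirect_uri",
                token_signing_alg_values_expected = { "RS256" },
            }

            -- 2. API clients sending "Authorization: Bearer <access_token>"
            --    (e.g. a token obtained with the refresh_token call above):
            --    verify the signature against the provider's JWKS and the expiry.
            if ngx.var.http_authorization then
                local claims, err = openidc.bearer_jwt_verify(opts)
                if err then
                    ngx.status = 401
                    ngx.say("invalid token: " .. err)
                    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
                end
                return
            end

            -- 3. Browser sessions (hysds_ui): authorization-code login backed by a
            --    server-side session cookie; unauthenticated users are redirected.
            local res, err = openidc.authenticate(opts)
            if err then
                ngx.status = 500
                ngx.say(err)
                return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end
        }
        proxy_pass http://127.0.0.1:9200;
    }
}
```

With this split, no HySDS core change is needed for internal callers, while every external ES request is checked before it reaches port 9200.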