Ticket: https://hysds-core.atlassian.net/browse/HC-259
Background information required to understanding the thought process and planning behind integrating A&A to HySDS
...
ex (with Keycloak):
| Code Block | ||||
|---|---|---|---|---|
| ||||
curl -s -X POST \ -d client_id=<client_id> \ -d client_secret=<client_secret> \ -d grant_type=refresh_token \ -d refresh_token=<refresh_token> \ "http://localhost:8080/auth/realms/<realm>/protocol/openid-connect/token" | python -m json.tool |
...
Requires a SQL database (MySQL, PostgreSQL, etc.)
Keycloak guide from Red Hat on how to set up realms, client apps and client roles
uses Java’s
springbootframework in the rest API integration but can be followed
OCIO advised against using Keycloak, instead suggesting AWS Cognito
...
| Code Block | ||
|---|---|---|
| ||
def authenticate_and_get_token(username: str, password: str,
user_pool_id: str, app_client_id: str) -> None:
client = boto3.client('cognito-idp')
resp = client.admin_initiate_auth(
UserPoolId=user_pool_id,
ClientId=app_client_id,
AuthFlow='ADMIN_NO_SRP_AUTH',
AuthParameters={
"USERNAME": username,
"PASSWORD": password
}
)
print("Log in success")
print("Access token:", resp['AuthenticationResult']['AccessToken'])
print("ID token:", resp['AuthenticationResult']['IdToken']) |
ElasticSearch
Authenticating ElasticSearch directly would require a major update in the HySDS core (hysds_commons, hysds) to fetch an access_token for every background process & celery worker
An alternative is to authenticate at the proxy (apache or nginx) level:
This is a work in progress as a lot of research still needs to be done
only authenticate for ElasticSearch requests coming from outside the server (
hysds_ui, etc)internal processes can hit ES directly without having to fetch an
access_tokenbeforehandNGINX OpenID Connect Implementation
uses
OpenRestyso it’ll require additional setup
current research documented in repo:https://github.com/DustinKLo/nginx-openid-demo