-
Notifications
You must be signed in to change notification settings - Fork 59
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
- Loading branch information
1 parent
2b12a68
commit b267cf9
Showing
5 changed files
with
17 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,6 @@ | |
|
|
||
| In enterprise settings not only do we want to identify who is using a service but also what they are entitled to use. This is where authentication and authorization comes in. In contrast, API tokens provide full access by virtue of possession as long as they are valid/not expired. With that aside, we first provide the solution on AuthN and AuthZ in OPEA using Istio and JWT tokens. Another option is to leverage the oauth2-proxy with various OIDC providers for authentication and authorization. Using oauth2-proxy with Istio ensures secure, scalable access control, centralizes user management, and provides seamless single sign-on capabilities, improving overall security and user experience in complex microservices environments. | ||
|
|
||
|
|
||
| Currently we provide three kinds of setups for authentication and authorization: via fake JWT token, via JWT token generated by OIDC providers and via oauth2-proxy and OIDC providers. And here we use the chatQnA pipeline as an example. | ||
|
|
||
| ## Prerequisite | ||
|
|
@@ -40,7 +39,7 @@ Authentication and authorization are essential for securing microservices archit | |
|
|
||
| ### Perform authentication and authorization via fake JWT tokens | ||
|
|
||
| Here provides the case of authentication and authorization using fake JWT tokens. Fake JWT tokens are generated through a sample script provided by Istio community. | ||
| Here provides the case of authentication and authorization using fake JWT tokens. Fake JWT tokens are generated through a sample script provided by Istio community. | ||
|
|
||
| In this example, we setup rules that only users with JWT token issued by "[email protected]" and with claim "groups" equal to "group1" can access the chatQnA workload. | ||
|
|
||
|
|
@@ -197,6 +196,7 @@ export HOST_IP=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster | |
| export KEYCLOAK_PORT=$(kubectl get svc keycloak -o jsonpath='{.spec.ports[0].nodePort}') | ||
| export KEYCLOAK_ADDR=${HOST_IP}:${KEYCLOAK_PORT} | ||
| ``` | ||
|
|
||
| **Note:** Double check if the host ip captured is the correct ip. | ||
|
|
||
| Access the Keycloak admin console through the `KEYCLOAK_ADDR` to configure the users as well as roles. Use the username and password specified in the yaml file to login. | ||
|
|
@@ -284,9 +284,10 @@ envsubst < $(pwd)/config/authN-authZ/chatQnA_authZ_oauth.yaml | kubectl -n chatq | |
| **Validate authentication and authorization with UI service** | ||
|
|
||
| Add both host names for ChatQnA UI and backend service into /etc/hosts | ||
|
|
||
| ```bash | ||
| sudo sed -i '1i\127.0.0.1 chatqna-service.com' /etc/hosts | ||
| sudo sed -i '1i\127.0.0.1 chatqna-ui.com' /etc/hosts | ||
| ``` | ||
|
|
||
| Open browser with address "chatqna-ui.com:${INGRESS_PORT}". Login with user `bob` and its credentials shall return a 403 error. Login with user `mary` and its credentials shall able to access the ChatQnA service. | ||
| Open browser with address "chatqna-ui.com:${INGRESS_PORT}". Login with user `bob` and its credentials shall return a 403 error. Login with user `mary` and its credentials shall able to access the ChatQnA service. | ||
3 changes: 3 additions & 0 deletions
3
microservices-connector/config/authN-authZ/chatQnA_authN_oauth.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
3 changes: 3 additions & 0 deletions
3
microservices-connector/config/authN-authZ/chatQnA_istio_external_auth.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,6 @@ | ||
| # Copyright (C) 2024 Intel Corporation | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| apiVersion: v1 | ||
| data: | ||
| mesh: |- | ||
|
|
||
3 changes: 3 additions & 0 deletions
3
microservices-connector/config/authN-authZ/oauth2_install.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,7 @@ | ||
|
|
||
| # Copyright (C) 2024 Intel Corporation | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| --- | ||
| apiVersion: v1 | ||
| data: | ||
|
|
||