diff --git a/microservices-connector/config/authN-authZ/README.md b/microservices-connector/config/authN-authZ/README.md index 887489a2..1f7c506f 100644 --- a/microservices-connector/config/authN-authZ/README.md +++ b/microservices-connector/config/authN-authZ/README.md @@ -2,7 +2,6 @@ In enterprise settings not only do we want to identify who is using a service but also what they are entitled to use. This is where authentication and authorization comes in. In contrast, API tokens provide full access by virtue of possession as long as they are valid/not expired. With that aside, we first provide the solution on AuthN and AuthZ in OPEA using Istio and JWT tokens. Another option is to leverage the oauth2-proxy with various OIDC providers for authentication and authorization. Using oauth2-proxy with Istio ensures secure, scalable access control, centralizes user management, and provides seamless single sign-on capabilities, improving overall security and user experience in complex microservices environments. - Currently we provide three kinds of setups for authentication and authorization: via fake JWT token, via JWT token generated by OIDC providers and via oauth2-proxy and OIDC providers. And here we use the chatQnA pipeline as an example. ## Prerequisite @@ -40,7 +39,7 @@ Authentication and authorization are essential for securing microservices archit ### Perform authentication and authorization via fake JWT tokens -Here provides the case of authentication and authorization using fake JWT tokens. Fake JWT tokens are generated through a sample script provided by Istio community. +Here provides the case of authentication and authorization using fake JWT tokens. Fake JWT tokens are generated through a sample script provided by Istio community. In this example, we setup rules that only users with JWT token issued by "testing@secure.istio.io" and with claim "groups" equal to "group1" can access the chatQnA workload. 
@@ -197,6 +196,7 @@ export HOST_IP=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster export KEYCLOAK_PORT=$(kubectl get svc keycloak -o jsonpath='{.spec.ports[0].nodePort}') export KEYCLOAK_ADDR=${HOST_IP}:${KEYCLOAK_PORT} ``` + **Note:** Double check if the host ip captured is the correct ip. Access the Keycloak admin console through the `KEYCLOAK_ADDR` to configure the users as well as roles. Use the username and password specified in the yaml file to login. @@ -284,9 +284,10 @@ envsubst < $(pwd)/config/authN-authZ/chatQnA_authZ_oauth.yaml | kubectl -n chatq **Validate authentication and authorization with UI service** Add both host names for ChatQnA UI and backend service into /etc/hosts + ```bash sudo sed -i '1i\127.0.0.1 chatqna-service.com' /etc/hosts sudo sed -i '1i\127.0.0.1 chatqna-ui.com' /etc/hosts ``` -Open browser with address "chatqna-ui.com:${INGRESS_PORT}". Login with user `bob` and its credentials shall return a 403 error. Login with user `mary` and its credentials shall able to access the ChatQnA service. \ No newline at end of file +Open browser with address "chatqna-ui.com:${INGRESS_PORT}". Login with user `bob` and its credentials shall return a 403 error. Login with user `mary` and its credentials shall able to access the ChatQnA service. diff --git a/microservices-connector/config/authN-authZ/chatQnA_authN_oauth.yaml b/microservices-connector/config/authN-authZ/chatQnA_authN_oauth.yaml index b2a525e4..fa67f81c 100644 --- a/microservices-connector/config/authN-authZ/chatQnA_authN_oauth.yaml +++ b/microservices-connector/config/authN-authZ/chatQnA_authN_oauth.yaml @@ -1,3 +1,6 @@ +# Copyright (C) 2024 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + apiVersion: security.istio.io/v1 kind: RequestAuthentication metadata: diff --git a/microservices-connector/config/authN-authZ/chatQnA_authZ_oauth.yaml b/microservices-connector/config/authN-authZ/chatQnA_authZ_oauth.yaml index 515400aa..ad0a9fd7 100644 
--- a/microservices-connector/config/authN-authZ/chatQnA_authZ_oauth.yaml +++ b/microservices-connector/config/authN-authZ/chatQnA_authZ_oauth.yaml @@ -1,3 +1,6 @@ +# Copyright (C) 2024 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: @@ -14,4 +17,4 @@ spec: - /realms/* selector: matchLabels: - istio: ingressgateway \ No newline at end of file + istio: ingressgateway diff --git a/microservices-connector/config/authN-authZ/chatQnA_istio_external_auth.yaml b/microservices-connector/config/authN-authZ/chatQnA_istio_external_auth.yaml index 572e77b5..6f0c47bd 100644 --- a/microservices-connector/config/authN-authZ/chatQnA_istio_external_auth.yaml +++ b/microservices-connector/config/authN-authZ/chatQnA_istio_external_auth.yaml @@ -1,3 +1,6 @@ +# Copyright (C) 2024 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + apiVersion: v1 data: mesh: |- diff --git a/microservices-connector/config/authN-authZ/oauth2_install.yaml b/microservices-connector/config/authN-authZ/oauth2_install.yaml index 39bd90af..f5ca3732 100644 --- a/microservices-connector/config/authN-authZ/oauth2_install.yaml +++ b/microservices-connector/config/authN-authZ/oauth2_install.yaml @@ -1,4 +1,7 @@ +# Copyright (C) 2024 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + --- apiVersion: v1 data:
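Review bot: In the first README hunk, deleting the blank line in front of "Currently we provide three kinds of setups for authentication and authorization" merges that sentence into the preceding oauth2-proxy paragraph when the Markdown is rendered; if the goal was only to trim stray whitespace, keep one blank line so the two paragraphs stay separate. While that hunk is open, the added sentence should read "we set up rules" (verb, not the noun "setup"), and "only users with a JWT token issued by "testing@secure.istio.io" and with the claim "groups" equal to "group1"" is clearer; the unchanged lead-in "Here provides the case of authentication and authorization using fake JWT tokens" could become "This section covers authentication and authorization using fake JWT tokens."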
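Review bot: The new "**Note:** Double check if the host ip captured is the correct ip." in the Keycloak hunk does not tell the reader what "correct" means or how to check it. Since `HOST_IP` is taken from the cluster server address in the kubeconfig, suggest stating that it must be an address the browser can reach when opening the Keycloak admin console at `KEYCLOAK_ADDR` (the node's reachable IP, not a loopback or internal-only address), and writing "IP" in capitals.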
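Review bot: In the last README hunk the added blank line before the `bash` fence and the trailing-newline fix are both correct, but the rewritten final line keeps two grammar slips that should go while the line is being touched: "Login with user `bob` and its credentials shall return a 403 error" reads better as "Logging in as user `bob` with its credentials should return a 403 error", and "shall able to access" must be "should be able to access". "Open browser with address" would also read better as "Open a browser at".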