This repository was archived by the owner on Jan 2, 2025. It is now read-only.
[#16] Implementing security for api-server #23
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gaohoward
force-pushed
the
e_security_model
branch
4 times, most recently
from
0429085 to
0a629f7
Compare
gaohoward
force-pushed
the
e_security_model
branch
5 times, most recently
from
6ad299d to
e3daffd
Compare
gaohoward
force-pushed
the
e_security_model
branch
from
e3daffd to
391781c
Compare
gaohoward
force-pushed
the
e_security_model
branch
from
391781c to
f319505
Compare
lavocatt
suggested changes
Nov 27, 2024
gaohoward
force-pushed
the
e_security_model
branch
from
f319505 to
7a3de16
Compare
I updated the commit and description. Thanks! |
Thanks for doing so, much appreciated. |
lavocatt
reviewed
Nov 27, 2024
There was a problem hiding this comment.
I think this PR is a very good step in the right direction as it brings a support for having a JWT token & a jolokia endpoint passed in onto every requests being made 👍 .
As of for now, I'm not sure that for an OpenShift-centric usecase we might need to have to populate the user database, but that's a good feature to have in in any case to add more flexibility in the possible applications of the JAPIServer.
One thing we want to consider though in a future addition is to add the support for having a JWT Token issued from another 3rd party entity (a Oauth server for instance). For that usecase, the user wouldn't login to the JAPIServer, since the login part would be already done elsewhere, but upon every requests, using that token we would recover the roles of user and asseses that it has rights to talk the JAPIServer. After them checks, the token would be send to the jolokia endpoint where the broker would perform verification on his own.
I do have some questions below, feel free to ping me if you need more details about them.
gaohoward
force-pushed
the
e_security_model
branch
from
7a3de16 to
32f2d30
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
gaohoward
force-pushed
the
e_security_model
branch
3 times, most recently
from
d5ab9b4 to
6bc5bf6
Compare
The API Server provides a security model that provides authentication
and authorization of incoming clients.
The security can be enabled/disabled (i.e. via `API_SERVER_SECURITY_ENABLED` env var)
Currently the api server support `jwt` token authentication.
The login api is defined in openapi.yml
/server/login
A client logs in to an api server by sending a POST request to the login path.
The request body contains login information (i.e. username and password for jwt authentication type)
Please refer to [api.md](api.md) for details of the login api.
Currently the security manager uses local file to store user's info.
The default users file name is `.users.json`
The users file name can be configured using `USERS_FILE_URL` env var.
See `.test.users.json` for sample values.
Currently the api server doesn't perform authorization on logged in users.
The server keeps a list of jolokia endpoints for clients to access.
The endpoints are loaded from a local file named
`.endpoints.json`. Each top level entry represents a jolokia endpoint.
An entry has a unique name and details to access the jolokia api.
See `.test.endpoints.json` for sample values.
When an authenticated client sends a request to the api-server, it
should present its token in the request header
'Authorization: Bearer `token`'
It also need to give the `targetEndpoint` in the query part of the request
if the request is to access an jolokia endpoint.
For example `/execBrokerOperation?targetEndpoint=broker1`.
Direct Proxy means a client can pass a broker's endpoint info to the
api-server in order to access it via the api-server.
For example the [self-provisioning plugin]
(https://github.com/artemiscloud/activemq-artemis-self-provisioning-plugin)
uses this api to access the jolokia of a broker's jolokia endpoint.
gaohoward
force-pushed
the
e_security_model
branch
from
6bc5bf6 to
e67fbb9
Compare
|
@lavocatt Hi Thomas, the PR has been updated. Please take a look. Thanks! |
lavocatt
added a commit
to lavocatt/activemq-artemis-jolokia-api-server
that referenced
this pull request
Dec 12, 2024
PoC to test the jolokia api server in a mode where it doesn't perform any login verification and just forward the Bearer token to the broker. The user needs to provide a targetEndpoint and a Bearer token on every request except api-info. Based on Howard's work there: artemiscloud#23 This PoC is a simple stripped down version of Howard's work. It's a draft for now, but it still demonstrate the capability, a bunch of work is going to be needed to make it to a final version.
lavocatt
added a commit
to lavocatt/activemq-artemis-jolokia-api-server
that referenced
this pull request
Dec 12, 2024
PoC to test the jolokia api server in a mode where it doesn't perform any login verification and just forward the Bearer token to the broker. The user needs to provide a targetEndpoint and a Bearer token on every request except api-info. Based on Howard's work there: artemiscloud#23 This PoC is a simple stripped down version of Howard's work. It's a draft for now, but it still demonstrate the capability, a bunch of work is going to be needed to make it to a final version.
lavocatt
added a commit
to lavocatt/activemq-artemis-jolokia-api-server
that referenced
this pull request
Dec 16, 2024
PoC to test the jolokia api server in a mode where it doesn't perform any login verification and just forward the Bearer token to the broker. The user needs to provide a targetEndpoint and a Bearer token on every request except api-info. Based on Howard's work there: artemiscloud#23 This PoC is a simple stripped down version of Howard's work. It's a draft for now, but it still demonstrate the capability, a bunch of work is going to be needed to make it to a final version.
lavocatt
added a commit
to lavocatt/activemq-artemis-jolokia-api-server
that referenced
this pull request
Dec 16, 2024
PoC to test the jolokia api server in a mode where it doesn't perform any login verification and just forward the Bearer token to the broker. The user needs to provide a targetEndpoint and a Bearer token on every request except api-info. Based on Howard's work there: artemiscloud#23 This PoC is a simple stripped down version of Howard's work. It's a draft for now, but it still demonstrate the capability, a bunch of work is going to be needed to make it to a final version.
lavocatt
added a commit
to lavocatt/activemq-artemis-jolokia-api-server
that referenced
this pull request
Dec 18, 2024
The jolokia api server is now in a mode where it doesn't perform any login verification and just forward the Bearer token to the broker. The user needs to provide a targetEndpoint and a Bearer token on every request except api-info. Based on @gaohoward's work there: artemiscloud#23
lavocatt
added a commit
to lavocatt/activemq-artemis-jolokia-api-server
that referenced
this pull request
Dec 18, 2024
The jolokia api server is now in a mode where it doesn't perform any login verification and just forward the Bearer token to the broker. The user needs to provide a targetEndpoint and a Bearer token on every request except api-info. Based on @gaohoward's work there: artemiscloud#23
lavocatt
added a commit
to lavocatt/activemq-artemis-jolokia-api-server
that referenced
this pull request
Dec 18, 2024
The jolokia api server is now in a mode where it doesn't perform any login verification and just forward the Bearer token to the broker. The user needs to provide a targetEndpoint and a Bearer token on every request except api-info. Based on @gaohoward's work there: artemiscloud#23
lavocatt
added a commit
to lavocatt/activemq-artemis-jolokia-api-server
that referenced
this pull request
Dec 18, 2024
The jolokia api server is now in a mode where it doesn't perform any login verification and just forward the Bearer token to the broker. The user needs to provide a targetEndpoint and a Bearer token on every request except api-info. Based on @gaohoward's work there: artemiscloud#23
lavocatt
added a commit
to lavocatt/activemq-artemis-jolokia-api-server
that referenced
this pull request
Dec 19, 2024
The jolokia api server is now in a mode where it doesn't perform any login verification and just forward the Bearer token to the broker. The user needs to provide a targetEndpoint and a Bearer token on every request except api-info. Based on @gaohoward's work there: artemiscloud#23
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Security Model of the API Server
The API Server provides a security model that provides authentication and authorization of incoming clients.
The security can be enabled/disabled (i.e. via
API_SERVER_SECURITY_ENABLEDenv var)Authentication
Currently the api server support
jwttoken authentication.The login api
The login api is defined in openapi.yml
/server/loginA client logs in to an api server by sending a POST request to the login path. The request body contains login information (i.e. username and password for jwt authentication type)
Please refer to api.md for details of the log api.
Currently the security manager uses local file to store user's info. The default users file name is
.users.jsonThe users file name can be configured using
USERS_FILE_URLenv var. See.test.users.jsonfor sample values.Authorization
Currently the api server doesn't perform authorization on logged in users.
Endpoints Management
The server keeps a list of jolokia endpoints for clients to access. The endpoints are loaded from a local file named
.endpoints.json. Each top level entry represents a jolokia endpoint. An entry has a unique name and details to access the jolokia api. See.test.endpoints.jsonfor sample values.Accessing a jolokia endpoint
When an authenticated client sends a request to the api-server, it should present its token in the request header
It also need to give the
targetEndpointin the query part of the request if the request is to access an jolokia endpoint.For example
/execBrokerOperation?targetEndpoint=broker1.Direct Proxy
Direct Proxy means a client can pass a broker's endpoint info to the api-server in order to access it via the api-server.
For example the self-provisioning plugin uses this api to access the jolokia of a broker's jolokia endpoint.