bug #6248

allow machine clients to access /manage/* OAuth2 protected web services

Added by Andreas Kohlbecker about 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Highest
Category: cdmlib-remote
Target version:
Start date: 12/06/2016
Due date:
% Done: 50%
Severity: blocker
Found in Version:
Tags:

Description

The creation of the Lucene indexes cannot be triggered from Jenkins jobs or from the dataportal settings pages, since the /manage/ web services require authentication.

The best solution to this problem is to allow the definition of global management user accounts which apply to any cdm-remote instance started by a system user.
These users' credentials must therefore not be stored in the cdm databases. To store them independently from the cdm instances, a configuration file located in $HOME/.cdmLibrary is the preferred storage solution.


Old issue description:

The authorization problem in the dataportal will be solved as soon as the OAuth2 client capabilities are implemented into the data portal module: #6332. In the case of Jenkins it is not possible to provide proper cdm user credentials for each of the instances to be indexed. In this case another grant type is needed.
For this service endpoint it must be possible to authorize via the OAuth2 grant type 'client' (https://tools.ietf.org/html/rfc6749#section-4.4).

TODO:

  • enable grant type 'client' for /manage/
  • check for valid clients based on a key. The allowed keys are stored in $USER_HOME/cdm-remote-client-keys, each on a separate line. A key must conform to an MD5 hash (or UUID?).
  • provide script for jenkins to authenticate --> subticket
  • implement client authentication into the dataportal. This should be doable by making use of the OAuth2 plugin available for Drupal7, see #6118 --> subticket
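
One way to implement the key check from the TODO list above, as an added example that is not part of the ticket or of cdmlib. The class name `ClientKeyStore`, the owner-only permission check (POSIX file systems) and the constant-time comparison are assumptions; the sample keys are constructed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.MessageDigest;
import java.util.*;
import java.util.regex.Pattern;
/** Hypothetical loader for the cdm-remote-client-keys file; not cdmlib code. */
public class ClientKeyStore {
    // Accepted shapes: 32 hex digits (MD5-sized) or a canonical UUID.
    private static final Pattern KEY_FORMAT = Pattern.compile(
        "[0-9a-f]{32}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}");
    private final List<byte[]> keys = new ArrayList<>();

    public ClientKeyStore(Path keyFile) throws IOException {
        // Assumption: POSIX file system. Reject any permission beyond owner
        // read/write, so other local accounts can neither read nor add keys.
        for (PosixFilePermission p : Files.getPosixFilePermissions(keyFile)) {
            if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE)
                throw new IOException(keyFile + " must be owner-only, found " + p);
        }
        for (String line : Files.readAllLines(keyFile, StandardCharsets.UTF_8)) {
            String key = line.trim().toLowerCase(Locale.ROOT);
            if (key.isEmpty()) continue;
            // Fail closed on a malformed entry; never echo the key itself.
            if (!KEY_FORMAT.matcher(key).matches())
                throw new IOException("malformed key entry in " + keyFile);
            keys.add(key.getBytes(StandardCharsets.US_ASCII));
        }
    }

    public boolean isAllowed(String presented) {
        if (presented == null) return false;
        String key = presented.trim().toLowerCase(Locale.ROOT);
        if (!KEY_FORMAT.matcher(key).matches()) return false;
        byte[] candidate = key.getBytes(StandardCharsets.US_ASCII);
        boolean match = false;
        for (byte[] k : keys)   // constant-time compare, no early exit on a hit
            match |= MessageDigest.isEqual(k, candidate);
        return match;
    }
    public static void main(String[] args) throws IOException {
        Path f = Files.createTempFile("cdm-remote-client-keys", ".tmp"); // owner-only on POSIX
        Files.write(f, Arrays.asList("0123456789abcdef0123456789abcdef", // constructed keys
                                     "123e4567-e89b-12d3-a456-426614174000"));
        ClientKeyStore store = new ClientKeyStore(f);
        System.out.println(store.isAllowed("0123456789ABCDEF0123456789ABCDEF")
                + " " + store.isAllowed("not-a-key"));
        Files.delete(f);
    }
}
```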

Related issues

Related to Edit - task #6118: evaluate spring-security-auth2 and spring-cloud-security as a framework for OAuth2 Closed 10/11/2016
Related to Edit - bug #7087: description/accumulateDistributions webservice can not be triggered New 11/23/2017
Precedes (10 days) Edit - bug #6382: option to supply user credentials in the admin setting for the freetext index triggers Closed 01/27/2017
Copied from Edit - feature request #6351: jenkins cdmserver-index-job.groovy supports http basic authentication Closed 01/19/2017

Associated revisions

Revision d7c9d360 (diff)
Added by Andreas Kohlbecker about 2 years ago

ref #6248 disabling authorization restriction on /manage/ as temp workaround

Revision c05f3fc5 (diff)
Added by Andreas Kohlbecker almost 2 years ago

fix #6248 implementing global management users for machine clients

Revision 1b7ce0af (diff)
Added by Andreas Kohlbecker almost 2 years ago

ref #6248 also protecting /**description/accumulateDistributions

History

#1 Updated by Andreas Kohlbecker about 2 years ago

  • Related to task #6118: evaluate spring-security-auth2 and spring-cloud-security as a framework for OAuth2 added

#2 Updated by Andreas Kohlbecker almost 2 years ago

  • Priority changed from New to Highest

#3 Updated by Andreas Kohlbecker almost 2 years ago

  • Description updated (diff)

#4 Updated by Andreas Kohlbecker almost 2 years ago

  • Subject changed from allow OAuth2 grant type 'client' for /manage/ web services to allow machine clients to access /manage/* OAuth2 protected web services
  • Description updated (diff)

OAuth2 with grant type 'client' is not really needed. It would require that the client can authenticate with username and login in order to get a token from the OAuth2 token service. But the ability to log in alone would be sufficient to solve the initial issue of this ticket.

I am changing the ticket subject and description accordingly.

#5 Updated by Andreas Kohlbecker almost 2 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 50

#6 Updated by Andreas Kohlbecker almost 2 years ago

  • Copied from feature request #6351: jenkins cdmserver-index-job.groovy supports http basic authentication added

#7 Updated by Andreas Kohlbecker almost 2 years ago

  • Status changed from Resolved to Closed

This works perfectly; the managing-users.properties are all edited so that they have a corresponding user.

#8 Updated by Andreas Müller almost 2 years ago

  • Tracker changed from bug to feature request

#9 Updated by Andreas Kohlbecker almost 2 years ago

  • Tracker changed from feature request to bug

#10 Updated by Andreas Kohlbecker almost 2 years ago

  • Precedes bug #6382: option to supply user credentials in the admin setting for the freetext index triggers added

#11 Updated by Andreas Kohlbecker about 1 year ago

  • Related to bug #7087: description/accumulateDistributions webservice can not be triggered added
