feat: access control and user management with Keycloak #136

Merged
merged 42 commits into from
Oct 5, 2020

@MyleneSimon MyleneSimon commented May 20, 2020

What does this PR do?

Introduction of users in WIPP, access control and integration with Keycloak

Roadmap:

  • Integration with Keycloak, global security configuration
  • Supported roles: anonymous (read-only access to public resources), user and admin
  • Secure Data Repositories (GET)
  • Secure Data Repositories Event Handlers (POST, PUT, PATCH, DELETE)
  • Secure Custom Controllers
  • JUnit tests (WIP)
    • Data Repositories methods tests
  • ACL/auth documentation
  • Dev and Kubernetes configuration
    • Development instructions available in readme with sample realm
    • Single node testing Kubernetes deployment available in WIPP repo
  • Implement temporary download links for data download
  • Run WIPP and workflows as 1000:1000 instead of root
    • Bump Argo version to 2.4.3

Special considerations:

  • WorkflowExitController is not secured for now to allow for Argo to post workflow status without bearer token. Two solutions considered for next iteration:
  • WDZT is not handling auth tokens for now (Fixed in [email protected])

MyleneSimon and others added 9 commits November 20, 2019 11:55
* fix for windows

* disable CORS for development purposes

* add dependencies and quick test configuration

* new security config. linked back-end and keycloak

* WIP commit for fix

* add security on CsvCollection

* update security on ImagesCollection. Add security for Image and MetadataFile

* add security on Pyramid and PyramidTimeSlice

* add security on StitchingVector and StitchingVectorTimeSlice

* add security on TensorboardLogs

* add security on TensorflowModel

* add security on Visualization

* update helper classes for security

* add security on Job

* add security on Workflow

* add helper classes for Security Core

* add security on Argo workflows

* update Keycloak configuration

* code cleanup & add dependency

* fix dependencies for merge

* restore workflow converter for merge

* windev not active by default

* remove useless annotation

* add boolean editMode

* final cleanup
@MyleneSimon MyleneSimon added the feature New feature or request label May 20, 2020
@MyleneSimon MyleneSimon added this to the 3.0.0-RC1 milestone May 20, 2020
csvCollectionRepository.save(csvCollection);
@Override
public void importData(Job job, String outputName) throws JobExecutionException {
CsvCollection csvCollection = new CsvCollection(job, outputName);

indentation

csvCollection.setOwner(job.getOwner());
// Set collection to private
csvCollection.setPubliclyShared(false);
csvCollectionRepository.save(csvCollection);
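
Review bot: `csvCollection.setOwner(job.getOwner())` copies the job's owner without checking that one is set. If `job.getOwner()` returns null, the collection is still saved with `setPubliclyShared(false)`, leaving a private collection with no owner. Depending on how the access rules treat a missing owner, no regular user may be able to read it. Since `importData` already declares `JobExecutionException`, consider rejecting the import (or at least logging it) when the job has no owner, before the call to `csvCollectionRepository.save(csvCollection)`.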

indentation

@MyleneSimon MyleneSimon changed the title [WIP] feat: access control and user management with Keycloak feat: access control and user management with Keycloak Oct 5, 2020
@MyleneSimon MyleneSimon merged commit c6522d0 into develop Oct 5, 2020