Augment authentication behaviour to support Cognito credential set #36
Comments
@alexdunnjpl can consider realizing this ticket #15 for the current task.
Status: Blocked pending provision of
@alexdunnjpl is working on that.
@alexdunnjpl continuing to work on this.
Ongoing. Aid from @nutjob4life.
Back and forth w/@nutjob4life and on hold today due to provenance issues
@nutjob4life is taking that on his shoulders
@nutjob4life can you pause on that development? We have just discussed during the breakout that the multitenant deployment might use a serverless version of the AWS managed opensearch which does not support Cognito as an authentication system. If we go for that, we would implement the cognito authentication in API proxies in front of opensearch. That would change/simplify the authentication for harvest/registry-mgr. Maybe we would have one API end-point for each opensearch role... That is to say, you should not spend more time on this ticket until we know better what we are going to do. We are waiting for expert feedback on the opensearch solution chosen before we move on. We'll let you know.
@tloubrieu-jpl I pressed the ⏸️ button on this ticket. However, this is my only ticket! I need something else to work on.
Blocked until we decide on the AWS OpenSearch service we eventually use.
Regarding the signed URL management there is some new doc: https://code.dblock.org/2022/07/11/making-sigv4-authenticated-requests-to-managed-opensearch.html
@nutjob4life @alexdunnjpl @jordanpadams @tloubrieu-jpl I need to make some pretty sweeping changes for cognito: see NASA-PDS/harvest#146 if you like gore. Point is, it looks like y'all may have done some of it already. Maybe you had a different plan of attack. I want to make a bunch of the classes polymorphic so that we do not have CollectionWriterHTTPS and CollectionWriterCognito sprinkled heavily throughout the code. Do y'all have a branch with changes on it that you could push/PR so that I can see where it is at and maybe where it was going before the great pause? PS: Tried looking at slack convo and had screen that said did not have permissions to read it.
@al-niessner I've added you to that slack convo, and mailed over snips from another DM between Sean and I which may have some useful gotchas/thoughts. No code to show apart from that toy sandbox I sent over a while back
To be tested with harvest and registry-common before we merge.
@al-niessner is working with the lambda now and experiencing issues with it. @sjoshi-jpl is investigating these issues.
There are issues when using the opensearch java sdk with the api gateway proxy. To be discussed at the breakout.
@al-niessner is progressing on using and expanding the OpenSearch AWS SDK to work with Cognito authentication.
@al-niessner was able to get the credential from the lambda developed by @sjoshi-jpl. Now he's getting a 404 error when trying to reach the OpenSearch server.
The new SDK requires some more updates.
Status: PR created to fix bug introduced with initial refactoring.
💡 Description
Currently, auth.cfg contains a user/pass set which is passed to OpenSearch as a Basic header. It is now necessary to support Cognito alongside Basic auth (Basic may be deprecated later).
This will require shoehorning additional functionality into gov.nasa.pds.registry.common.es.client.EsRestClientBld (probably).
See Slack convo for more details
May be smart to depend this issue on #15 if still applicable (it appears so - registry-commons is still using an ElasticSearch client)