docs: ADR for AuthN/AuthZ in multi-tenancy #537
Conversation
- Possible increased latency due to JWT verification at both the APISIX and application layers.
- Repudiation threat minimised by the short OIDC access token lifetime, but not fully mitigated as no digital signature is implemented.

## Pros and Cons of the Options
What alternatives to IAM were considered?
I didn't include any other alternatives when writing. The reason for this is that I'm not aware of any other open source FAPI-grade IAM components that can run self-hosted and in the cloud. If you know of any, I would love to do a quick comparison. My research in the past shows that there are many libraries for use on the application layer but very few full solutions that aren't proprietary cloud vendors [like Okta, AD etc.].
Yuriy has suggested we compare it to the HashiCorp Vault access management capabilities, so I plan to do that.
Another one I did hear mentioned was https://goauthentik.io/, so I can include this as well.
I'm exploring HashiCorp Vault, and it can also be configured as an authentication service with different auth methods.
I would consider using it, with AppRole for the Prism Agent authentication and the JWT/OIDC method for web/mobile application authentication (when we switch to multi-tenancy).
I think we need a PoC to test how it works and whether it fits our needs.
... the Vault also includes identity management functionality
... and the integration between the Vault and APISIX can be configured using the jwt-auth plugin
@yshyn-iohk I've read through everything again, but I fear that the links you've provided cover authenticating to Vault only - it can't act as an IdP or PAP/PDP etc.
We propose to defer this topic for a couple of weeks - merge this ADR and sanitise the decision before implementation on Keycloak begins.
In order not to block progress, we can start building in the application layer assuming that a tenant string is available at the point a request is processed - we can later adapt this abstraction to work with the IAM tool.
The ADR is suitable but covers the integration with Keycloak only.
I propose keeping it and discovering whether the Vault can provide the same functionality.
The main motivations for using Vault:
- same service for secret management, authentication, and authorization, IAM
- fewer components to integrate and lower cost of support
Currently, it's hard to say which solution should be adopted. We need a PoC to test the capability of the Vault.
…epo subject to the Developer Certificate of Origin (DCO), Version 1.1.

- 40a0578 fix: consumer variable nesting correction (#606)
- d0372f1 fix: include helm Chart.yaml in git commit for release process (#604)
- 63f38d4 feat: add helm-chart for agent (#603)
- ab9d2b8 docs: ADR for AuthN/AuthZ in multi-tenancy (#537)
- 7d603f0 feat: restore JVM metrics endpoint capability (#527)
- 9b1558f feat: migrate issue endpoint to tapir (#516)
- 4ee0943 feat: Allow override of network name (#295)
- 6d3e5a0 feat(prism-agent): add JVM metrics endpoint, add health/version endpoint (#390)
- 2f60f22 Fix/e2e test fixes (#381)
- 198643e feat(prism-agent): set OAS version to 0.41.0 (#386)
- 3b348ac fix(infra): set local PRISM_AGENT_VERSION to 0.40.0 (#379)
- 32787ad ci(shared): added manual feedback for linting and changed linting config (#303)
- dcb6b51 ci(shared): enable megalinter checks on pullrequests (#300)
- 405f367 fix(prism-agent): didcomm endpoint now exposed in docker file and with correct path (#241)
- 2dcf5e3 fix(infra): change didcomm endpoint - remove suffix (#240)
- 32e33f1 feat(infra): switch to single instance of postgres for running locally (#203)
- e3a1aa6 feat(infra): switch to APISIX for local running instead of HAProxy (#196)
- df24ad9 feat(infra): improved scripts for running locally or developing locally (#153)
- dc641b1 chore(shared): move api folder into runnable and reset build settings for dockerRepository and version.sbt (#152)
- 775880a feat(shared): set OAS servers to `k8s-dev.atalaprism.io` and add API Key auth method - also update local docker-compose implementation (#126)
- 67bd340 feat(prism-agent): implement Flyway migrations from castor and pollux library and call on agent startup (#117)
- cd11493 feat(shared): add Flyway Migrations and expose in ZIO Layer to be used in consuming service (#115)
- a5b583f feat(shared): Add environment configuration for Iris DB and bump scala version in other components to enable build (#96)
- 6e388b3 [ATL-1869] docs: Bootstrap ADR decision log using log4brains, RFC-0016 (#34)

Signed-off-by: David Poltorak <[email protected]>
Overview
Adds an architectural decision record - ready for review - for the research conducted in ATL-4362