forked from uc-cdis/fence
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge remote-tracking branch 'upstream/master' into feat/s3-delete-files
- Loading branch information
Showing
43 changed files
with
1,502 additions
and
768 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
|
|
||
| ## Access Control / Authz | ||
|
|
||
| Currently fence works with another Gen3 service named | ||
| [arborist](https://github.com/uc-cdis/arborist) to implement attribute-based access | ||
| control for commons users. The YAML file of access control information (see | ||
| [#create-user-access-file](setup.md#create-user-access-file)) contains a section `authz` which are data sent to | ||
| arborist in order to set up the access control model. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| ## Accessing Data | ||
|
|
||
| Fence has multiple options that provide a mechanism to access data. The access | ||
| to data can be moderated through authorization information in a User Access File. | ||
|
|
||
| Users can be provided specific `privilege`'s on `projects` in the User Access | ||
| File. A `project` is identified by a unique authorization identifier AKA `auth_id`. | ||
|
|
||
| A `project` can be associated with various storage backends that store | ||
| object data for that given `project`. You can assign `read-storage` and `write-storage` | ||
| privileges to users who should have access to that stored object data. `read` and | ||
| `write` allow access to the data stored in a graph database. | ||
|
|
||
| Depending on the backend, Fence can be configured to provide users access to | ||
| the data in different ways. | ||
|
|
||
|
|
||
| ### Signed URLS | ||
|
|
||
| Temporary signed URLs are supported in all major commercial clouds. Signed URLs are the most 'cloud agnostic' way to allow users to access data located in different platforms. | ||
|
|
||
| Fence has the ability to request a specific file by its GUID (globally unique identifier) and retrieve a temporary signed URL for object data in AWS or GCP that will provide direct access to that object. |
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| ## Default Expiration Times in Fence | ||
|
|
||
| Table contains various artifacts in fence that have temporary lifetimes and their default values. | ||
|
|
||
| > NOTE: "SA" in the below table stands for Service Account | ||
| | Name | Lifetime | Extendable? | Maximum Lifetime | Details | | ||
| |-------------------------------------|--------------|-------------|-----------------------|-----------------------------------------------------------------------------------------------------------------------------| | ||
| | Access Token | 20 minutes | TRUE | Life of Refresh Token | | | ||
| | Refresh Token | 30 days | FALSE | N/A | | | ||
| | User's SA Account Access | 7 days | TRUE | N/A | Access to data (e.g. length it stays in the proxy group). Can optionally provide an expiration less than 7 days | | ||
| | User's Google Account Access | 1 day | TRUE | N/A | After AuthN, how long we associate a Google email with the given user. Can optionally provide an expiration less than 1 day | | ||
| | User's Google Account Linkage | Indefinite | N/A | N/A | Can optionally provide an expiration less than 1 hour | | ||
| | Google Signed URL | Up to 1 hour | FALSE | N/A | Can optionally provide an expiration less than 1 hour | | ||
| | AWS Signed URL | Up to 1 hour | FALSE | N/A | Obtained by an oauth client through /credentials/google | | ||
| | Client SA (for User) Key | 10 days | FALSE | N/A | Obtained by the user themselves for temp access. Can optionally provide an expiration less than 10 days | | ||
| | User Primary SA Key | 10 days | FALSE | N/A | Used for Google URL signing | | ||
| | User Primary SA Key for URL Signing | 30 days | FALSE | N/A | | | ||
| | Sliding Session Window | 15 minutes | TRUE | 8 hours | access_token cookies get generated automatically when expired if session is still active | |
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,126 @@ | ||
| ## fence-create: Automating common tasks with a command line interface | ||
|
|
||
| fence-create is a command line utility that is bundled with fence and allows you to automate some commons tasks within fence. For the latest and greatest run the command `fence-create --help`. | ||
|
|
||
| WARNING: fence-create directly modifies the database in some cases and may circumvent security checks (most of these utilities are used for testing). BE CAREFUL when you're running these commands and make sure you know what they're doing. | ||
|
|
||
|
|
||
| ### Register Internal Oauth Client | ||
|
|
||
| As a Gen3 commons administrator, if you want to create an oauth client that skips user consent step, use the following command: | ||
|
|
||
| ```bash | ||
| fence-create client-create --client CLIENT_NAME --urls OAUTH_REDIRECT_URL --username USERNAME --auto-approve (--expires-in 30) | ||
| ``` | ||
|
|
||
| The optional `--expires-in` parameter allows specifying the number of days until this client expires. | ||
|
|
||
| ### Register an Implicit Oauth Client | ||
|
|
||
| As a Gen3 commons administrator, if you want to create an implicit oauth client for a webapp: | ||
|
|
||
| ```bash | ||
| fence-create client-create --client fancywebappname --urls 'https://betawebapp.example/fence | ||
| https://webapp.example/fence' --public --username fancyapp --grant-types authorization_code refresh_token implicit | ||
| ``` | ||
|
|
||
| If there are more than one URL to add, use space to delimit them like this: | ||
|
|
||
| ```bash | ||
| fence-create client-create --urls 'https://url1/' 'https://url2/' --client ... | ||
| ``` | ||
|
|
||
| To specify allowed scopes, use the `allowed-scopes` argument: | ||
| ```bash | ||
| fence-create client-create ... --allowed-scopes openid user data | ||
| ``` | ||
|
|
||
| ### Register an Oauth Client for a Client Credentials flow | ||
|
|
||
| The OAuth2 Client Credentials flow is used for machine-to-machine communication and scenarios in which typical authentication schemes like username + password do not make sense. The system authenticates and authorizes the app rather than a user. See the [OAuth2 specification](https://www.rfc-editor.org/rfc/rfc6749#section-4.4) for more details. | ||
|
|
||
| As a Gen3 commons administrator, if you want to create an OAuth client for a client credentials flow: | ||
|
|
||
| ```bash | ||
| fence-create client-create --client CLIENT_NAME --grant-types client_credentials (--expires-in 30) | ||
| ``` | ||
|
|
||
| This command will return a client ID and client secret, which you can then use to obtain an access token: | ||
|
|
||
| ```bash | ||
| curl --request POST https://FENCE_URL/oauth2/token?grant_type=client_credentials -d scope="openid user" --user CLIENT_ID:CLIENT_SECRET | ||
| ``` | ||
|
|
||
| The optional `--expires-in` parameter allows specifying the number of *days* until this client expires. The recommendation is to rotate credentials with the `client_credentials` grant at least once a year (see [Rotate client credentials](#rotate-client-credentials) section). | ||
|
|
||
| NOTE: In Gen3, you can grant specific access to a client the same way you would to a user. See the [user.yaml guide](https://github.com/uc-cdis/fence/blob/master/docs/user.yaml_guide.md) for more details. | ||
|
|
||
| NOTE: Client credentials tokens are not linked to a user (the claims contain no `sub` or `context.user.name` like other tokens). Some Gen3 endpoints that assume the token is linked to a user, or whose logic require there being a user, do not support them. For an example of how to adapt an endpoint to support client credentials tokens, see [here](https://github.com/uc-cdis/requestor/commit/a5078fae27fa258ac78045cf2bb89cb2104f53cf). For an example of how to explicitly reject client credentials tokens, see [here](https://github.com/uc-cdis/requestor/commit/0f4974c25343d2185c7cdb48dcdeb58f97800672). | ||
|
|
||
| ### Modify OAuth Client | ||
|
|
||
| ```bash | ||
| fence-create client-modify --client CLIENT_NAME --urls http://localhost/api/v0/oauth2/authorize | ||
| ``` | ||
|
|
||
| That command should output any modifications to the client. Similarly, multiple URLs are | ||
| allowed here too. | ||
|
|
||
| Add `--append` argument to add new callback urls or allowed scopes to existing client (instead of replacing them) using `--append --urls` or `--append --allowed-scopes` | ||
| ```bash | ||
| fence-create client-modify --client CLIENT_NAME --urls http://localhost/api/v0/new/oauth2/authorize --append (--expires-in 30) | ||
| ``` | ||
|
|
||
| ### Rotate client credentials | ||
|
|
||
| Use the `client-rotate` command to receive a new set of credentials (client ID and secret) for a client. The old credentials are NOT deactivated and must be deleted or expired separately (see [Delete Expired OAuth Clients](#delete-expired-oauth-clients) section). This allows for a rotation without downtime. | ||
|
|
||
| ```bash | ||
| fence-create client-rotate --client CLIENT_NAME (--expires-in 30) | ||
| ``` | ||
|
|
||
| Note that the `usersync` job must be run after rotating the credentials so that the new client ID is granted the same access as the old one. | ||
|
|
||
| ### Delete OAuth Client | ||
|
|
||
| ```bash | ||
| fence-create client-delete --client CLIENT_NAME | ||
| ``` | ||
| That command should output the result of the deletion attempt. | ||
|
|
||
| ### Delete Expired OAuth Clients | ||
|
|
||
| ```bash | ||
| fence-create client-delete-expired | ||
| ``` | ||
|
|
||
| To post a warning in Slack about any clients that expired or are about to expire: | ||
|
|
||
| ```bash | ||
| fence-create client-delete-expired --slack-webhook <url> --warning-days <default 7: only post about clients expiring in under 7 days> | ||
| ``` | ||
|
|
||
|
|
||
| ### List OAuth Clients | ||
|
|
||
| ```bash | ||
| fence-create client-list | ||
| ``` | ||
| That command should output the full records for any registered OAuth clients. | ||
|
|
||
| ### Set up for External Buckets on Google | ||
|
|
||
| ```bash | ||
| fence-create link-external-bucket --bucket-name demo-bucket | ||
| fence-create link-bucket-to-project --bucket_id demo-bucket --bucket_provider google --project_auth_id test-project | ||
| ``` | ||
|
|
||
| The link-external-bucket returns an email for a Google group which needs to be added to access to the bucket `demo-bucket`. | ||
|
|
||
| ### Notify users who are blocking service account registration | ||
|
|
||
| ```bash | ||
| fence-create notify-problem-users --emails ex1@gmail.com ex2@gmail.com --auth_ids test --google_project_id test-google | ||
| ``` | ||
|
|
||
| `notify-problem-users` emails users in the provided list (can be fence user email or linked google email) who do not have access to any of the auth_ids provided. Also accepts a `check_linking` flag to check that each user has linked their google account. |
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.