R0.2 - Integrate WPS-T endpoint with Unity Authentication #67

@galenatjpl

Description

  1. CRITICAL WPS-T endpoint (multiple REST APIs that exist) is accessible to logged-in members of the Unity System. Unity SSO, in other words. Only authentication is needed here, to prove WPS-T access, not authorization in R0.2.
    Acceptance Criteria: At least one working example of locking down a REST API.

  2. CRITICAL Sounder SIPS + U-SPS Team (Luca, Dustin, Namrata, Drew) + UI Team (Anil Natha, Rob Tapella) + U-CS Team members have been on-boarded into the appropriate Authentication Realm (Cognito User Pool).
    Acceptance Criteria: At least two Sounder SIPS members in the user pool, and able to use authentication via Cognito A&A.

  3. CRITICAL Jupyter Notebook Users can access WPS-T endpoint by API (e.g. command line or machine to machine (app2app), non-interactive authentication)
    • Use Case for app2app would be Jupyter Notebooks. The Sounder SIPS operator will use the JNB to execute a job. They would authenticate beforehand?
    • Question: Can we use the same token for multiple calls? Can the token be intercepted, and made available to the JNB environment?
    • Comment from M20 experience: token should be re-used as much as possible.
    • For JNB use cases, it's preferable to use an actual User's account, rather than a service account scenario, for purposes of auditing, etc.
    • Question: do JNBs have access to get a user/browser token, and turn around and use it in a call? Is this even needed? Jupyter Hub accesses Jupyter Lab.
    • @ramesh-maddegoda to investigate possible options for passing / storing tokens.
    Acceptance Criteria: A working example of using JNB to authenticate, and use subsequent calls that leverage a User's auth token to interact with another service / endpoint.

  4. Users who are not authenticated are redirected to login mechanism (or an HTTP 403).
    • Initial login to get to JupyterHub first
    • ALSO (and most likely) another need for JupyterHub user to authenticate again (e.g. credss) in the Jupyter terminal.

  5. Users can access WPS-T endpoint by Browser (Human based, interactive Auth)

  6. Command-line app/tool to get credentials


NOTE: machine to machine is the most probable/important use case here.
NOTE: for R0.2 we only need authentication support (authorization would be extra credit here)

NOTE: M20's design for token management is in these docs: https://github.jpl.nasa.gov/pages/M2020-CS3/CSSO_DOCS/csso/docs/quick_start_guide.html

NOTE: integration point repo is https://github.com/unity-sds/ades_wpst


NOTE: command-line tool to get credentials, as well as libraries to interact.

Labels

Epic (container for issues)
