Fabric Credential Manager API
Project description
CredentialManager
Overview
Fabric uses CILogon 2.0 and COmanage for identity authentication and authorization management. The Fabric Credential Manager generates and refreshes credentials for Fabric users. This package includes:
- a Swagger-generated REST server exposing APIs to create, refresh and revoke tokens;
- authentication against CILogon using Vouch-Proxy (behind Nginx).
The Credential Manager can obtain role assignments either directly from COmanage via LDAP queries or via the Project Registry. This is a configurable option; the current default is LDAP queries.
Requirements
- Python 3.7+
API
The API documentation can be found here.
Versions
The Credmgr API version is based on the release version found in GitHub.
API version
| Resource | Action | Input | Output |
|---|---|---|---|
| /version | GET: current API version | NA | Version format |
Example: Version format
```json
{
  "size": 1,
  "status": 200,
  "type": "string",
  "data": [
    {
      "reference": "https://github.com/fabric-testbed/CredentialManager",
      "version": "1.3"
    }
  ]
}
```
Certs
API certs
| Resource | Action | Input | Output |
|---|---|---|---|
| /certs | GET: public keys used to verify token signatures | NA | Key format |
Example: Key format
```json
{
  "keys": [
    {
      "kty": "Key Type",
      "e": "Exponent Parameter",
      "n": "Modulus Parameter",
      "use": "Public Key Use Parameter",
      "alg": "Algorithm Parameter",
      "kid": "Key Id Header Parameter"
    }
  ]
}
```
Example output: https://dev-2.fabric-testbed.net/certs
```json
{
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "kid": "b415167211191e2e05b22b54b1d3b7667e764a747722185e722e52e146fe43aa",
      "kty": "RSA",
      "n": "wSvi-VG4z_Yxr0I6b0vYaKq1lyEb8c71efhsQ3mwO4WsV7f9gwbcEbCF9CihJSFUJ2z25-nk_oM11DAzQolSgZDO9y2SR7YlqZJm0Q4v-m0CwWjVpJg4Ce_Emxu4P-X82wt7UO4VgXXEmVBfYF-q28FM8apF0RFSoFtH_pwg4G6hXIwSVmBa-i5YS6rx2h_TyavwQ8k2IOOLDMvBLRz6lOr0XxPJmFpkqXnKGeUqJnu_nvdfeDKtDjtH4097rrPBn0H8XuzMvCHfH6ZRcMWrHzFZf9JCu4gs7q_Rq1mEPIjiQMuMM9DlDQcwgt8ZL8AVsatVq5JqvJV6AWA3YBI8Fw",
      "use": "sig"
    }
  ]
}
```
Tokens
Fabric tokens can be created, refreshed or revoked through the APIs below. These tokens serve as the entry point to the CF APIs; they carry the information the various components need to make authorization decisions about the user in the PDP.
API /tokens
| Resource | Action | Input | Output |
|---|---|---|---|
| /create | POST: create tokens for the user | projectId query parameter, scope query parameter | Token format |
| /refresh | POST: refresh tokens for the user | projectId query parameter, scope query parameter, refresh_token body | Token format |
| /revoke | POST: revoke tokens for the user | refresh_token body | |
Example: Token format
```json
{
  "id_token": "id_token",
  "refresh_token": "refresh_token",
  "created_at": "timestamp at which tokens were created"
}
```
Swagger server
The Swagger server is generated by the swagger-codegen project. Using the OpenAPI-Spec from a remote server, you can easily generate a server stub.
Credmgr uses the Connexion library on top of Flask.
Generating a new server stub
In a browser, visit the Swagger definition.
From the Generate Code icon (down arrow), select Download API > JSON Resolved.
A file named kthare10-credmgr-1.0.2-resolved.json should be downloaded. Rename it to openapi.json and copy it to CredentialManager/fabric/credmgr. Run the following commands to generate the Flask-based server.
```sh
$ cd fabric/credmgr/
$ cp kthare10-credmgr-1.0.2-resolved.json openapi.json
$ ./update_swagger_stub.sh
```
After confirming that all changes are as expected, delete the existing swagger_server directory and move my_server/swagger_server to swagger_server.
Usage
Configuration
Nginx configuration
No changes are needed for a development deployment. For production, if you have certificates, enable the password (the commented-out ssl_password_file directive).
```nginx
server {
    listen 443 ssl http2;
    server_name $host;
    #ssl_password_file /etc/keys/fifo;
    ssl_certificate /etc/ssl/public.pem;
    ssl_certificate_key /etc/ssl/private.pem;
    # ... remaining directives of the server block omitted ...
}
```
CILogon client registration
- To get started, register your client at https://cilogon.org/oauth2/register and wait for the approval notification. Take care to register your callback URLs on that page: your client can use only those callback URLs unless you later contact help@cilogon.org and request a change to your registration.
- Once done, the user obtains a CILOGON_CLIENT_ID and CILOGON_CLIENT_SECRET. Note: the callback URL must match the URL specified in the Vouch Proxy configuration.
Vouch configuration
Copy vouch/config_template to vouch/config and adjust the settings to your deployment environment:
- jwt.secret: must be changed; when used in production it may need to be the same across all other services, e.g. the Project Registry
- cookie.domain: your domain name (default: 127.0.0.1)
- cookie.name: your cookie name (default: fabric-service)
- oauth.client_id: CILogon client ID (default: CILOGON_CLIENT_ID)
- oauth.client_secret: CILogon client secret (default: CILOGON_CLIENT_SECRET)
- oauth.callback_url: OIDC callback URL (default: https://127.0.0.1:8443/auth)
```yaml
vouch:
    # ... other vouch settings omitted ...
    jwt:
        # secret - VOUCH_JWT_SECRET
        # a random string used to cryptographically sign the jwt
        # Vouch Proxy complains if the string is less than 44 characters (256 bits as 32 base64 bytes)
        # if the secret is not set here then Vouch Proxy will..
        # - look for the secret in `./config/secret`
        # - if `./config/secret` doesn't exist then randomly generate a secret and store it there
        # in order to run multiple instances of vouch on multiple servers (perhaps purely for validating the jwt),
        # you'll want them all to have the same secret
        secret: kmDDgMLGThapDV1QnhWPJd0oARzjLa5Zy3bQ8WfOIYk=
    cookie:
        # allow the jwt/cookie to be set into http://yourdomain.com (defaults to true, requiring https://yourdomain.com)
        secure: false
        # vouch.cookie.domain must be set when enabling allowAllUsers
        domain: 127.0.0.1
        name: fabric-service
oauth:
    # Generic OpenID Connect
    # including okta
    provider: oidc
    client_id: CILOGON_CLIENT_ID
    client_secret: CILOGON_CLIENT_SECRET
    auth_url: https://cilogon.org/authorize
    token_url: https://cilogon.org/oauth2/token
    user_info_url: https://cilogon.org/oauth2/userinfo
    scopes:
        - openid
        - email
        - profile
    callback_url: https://127.0.0.1:8443/auth
```
Credmgr configuration
Copy the config_template file to config and adjust the settings to your deployment environment:
```ini
[oauth]
oauth-client-id =
oauth-client-secret =
[vouch]
secret =
cookie-name = fabric-service
cookie-domain-name = cookie_domain
[core-api]
core-api-url = https://core-api.fabric-testbed.net/
```
Deployment
Once the configuration files have been updated, bring up the containers. By default, the self-signed certificates kept in the ssl directory and referenced in docker-compose.yml are used. For production, signed certificates must be used.
```sh
# bring up via docker-compose
docker-compose up -d
```
Validating tokens issued by the Credential Manager
FABRIC applications that use Fabric tokens issued by the Credential Manager can validate those tokens against the Credential Manager's JSON Web Keys. Below is an example Python snippet for validating a token.
```python
from datetime import datetime, timedelta

import jwt
from fss_utils.jwt_validate import JWTValidator, ValidateCode

# Credential Manager JWKS URL
CREDMGR_CERTS = "https://dev-2.fabric-testbed.net/certs"

# Key refresh interval, HH:MM:SS (less than 24 hours)
CREDMGR_KEY_REFRESH = "00:10:00"
t = datetime.strptime(CREDMGR_KEY_REFRESH, "%H:%M:%S")
jwt_validator = JWTValidator(CREDMGR_CERTS, timedelta(hours=t.hour, minutes=t.minute, seconds=t.second))

# Assumes the encoded_token variable holds the Fabric token (compact JWT string)
code, e = jwt_validator.validate_jwt(encoded_token)
if code is not ValidateCode.VALID:
    print(f"Unable to validate provided token: {code}/{e}")
    raise e

# The signature was verified above; decode the claims without re-verifying
decoded_token = jwt.decode(encoded_token, options={"verify_signature": False})
```
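The same validation done by hand against the /certs JWKS, as an added example (standard library only; not code from the Credential Manager or fss_utils): it pins the algorithm, selects the key by kid, verifies the RS256 signature, and then applies the claim checks a PDP would make (issuer, expiry, membership in the requested project). The JWKS is the dev-2 /certs output quoted above; in production a maintained JWT library such as the one used in the snippet above is the better choice.

```python
import base64, hashlib, hmac, json

# JWKS as served by the Credential Manager (copied from the /certs example above).
CREDMGR_JWKS = {"keys": [{
    "alg": "RS256", "kty": "RSA", "use": "sig", "e": "AQAB",
    "kid": "b415167211191e2e05b22b54b1d3b7667e764a747722185e722e52e146fe43aa",
    "n": "wSvi-VG4z_Yxr0I6b0vYaKq1lyEb8c71efhsQ3mwO4WsV7f9gwbcEbCF9CihJSFUJ2z25-nk_oM11DAzQolSgZDO9y2SR7YlqZJm0Q4v-m0CwWjVpJg4Ce_Emxu4P-X82wt7UO4VgXXEmVBfYF-q28FM8apF0RFSoFtH_pwg4G6hXIwSVmBa-i5YS6rx2h_TyavwQ8k2IOOLDMvBLRz6lOr0XxPJmFpkqXnKGeUqJnu_nvdfeDKtDjtH4097rrPBn0H8XuzMvCHfH6ZRcMWrHzFZf9JCu4gs7q_Rq1mEPIjiQMuMM9DlDQcwgt8ZL8AVsatVq5JqvJV6AWA3YBI8Fw"}]}
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 sec. 9.2, note 1

def b64u_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def load_rsa_key(jwk):
    """Return the RSA public key (n, e) as integers from one /certs JWK entry."""
    return tuple(int.from_bytes(b64u_decode(jwk[f]), "big") for f in ("n", "e"))

def rs256_verify(n, e, signed_input, signature):
    """RSASSA-PKCS1-v1_5 check: s^e mod n must equal 00 01 FF..FF 00 || DigestInfo || SHA-256(input)."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGEST_INFO + hashlib.sha256(signed_input).digest()
    return hmac.compare_digest(em, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t)

def verify_fabric_token(token, jwks, now, project_id):
    """Return ("VALID", claims) or ("INVALID", reason), in the (code, e) shape used by validate_jwt."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64u_decode(h64)), json.loads(b64u_decode(p64))
        alg, kid, exp, sig = header["alg"], header.get("kid"), int(claims.get("exp", 0)), b64u_decode(s64)
    except (ValueError, TypeError, KeyError, AttributeError):
        return "INVALID", "malformed token"
    if alg != "RS256":  # pin the algorithm before selecting a key: never accept 'none' or HMAC algs
        return "INVALID", "unexpected alg %r" % alg
    key = next((k for k in jwks["keys"] if k.get("kid") == kid
                and k.get("kty") == "RSA" and k.get("use") == "sig"), None)
    if key is None:
        return "INVALID", "no signing key for kid %r" % kid
    n, e = load_rsa_key(key)
    if not rs256_verify(n, e, (h64 + "." + p64).encode(), sig):
        return "INVALID", "bad signature"
    # Claim checks a PDP makes after the signature: issuer, expiry, membership in the requested project.
    if claims.get("iss") != "https://cilogon.org" or now >= exp:
        return "INVALID", "wrong issuer or expired"
    if project_id not in claims.get("projects", {}):
        return "INVALID", "not issued for project %r" % project_id
    return "VALID", claims
```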
Logging
Credential Manager logs can be shipped to ELK with Filebeat and Logstash, either directly or via Kafka.
Filebeat configuration
For the Credential Manager, the Filebeat input should be configured as follows. Update the path to the location of the logs on the system running the Credential Manager.
```yaml
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
  # Change to true to enable this input configuration.
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /opt/CredentialManager/log/credmgr/*.log
```
Filebeat output to Logstash
```yaml
output.logstash:
  # The Logstash hosts
  hosts: ["logstash:5044"]
  username: "<username>"
  password: "<password>"
  ssl.certificate_authorities: ["/etc/pki/root/ca.crt"]
```
Filebeat output to Kafka
```yaml
output.kafka:
  hosts: ["kafka:9092"]
  topic: "credmgr"
  codec.json:
    pretty: false
```
Logstash filter
The following filter must be configured in Logstash for the Credential Manager.
```
filter {
  grok {
    pattern_definitions => {
      "GREEDYMULTILINE" => "(.|\n)*"
      "SYSTIME" => "%{SYSLOGTIMESTAMP}%{SPACE}%{YEAR}"
    }
    match => {
      "message" => [
        "%{TIMESTAMP_ISO8601:credmgr_log_timestamp}%{SPACE}-%{SPACE}%{NOTSPACE:credmgr_component}%{SPACE}-%{SPACE}%{NOTSPACE:credmgr_location}%{SPACE}-%{SPACE}%{NOTSPACE:credmgr_log_level}%{SPACE}-%{SPACE}%{GREEDYMULTILINE:credmgr_log_message}"
      ]
    }
  }
}
```
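A Python equivalent of the grok pattern above, as an added example (not part of the project): it extracts the same five fields from Credential Manager log records, folds continuation lines such as tracebacks into the preceding record's message the way GREEDYMULTILINE does, and counts records by level. The log lines are constructed for this example, not real output.

```python
import re
from collections import Counter

# Same fields as the grok pattern: ISO-8601 timestamp, component, location, level, message.
RECORD_START = re.compile(
    r"^(?P<credmgr_log_timestamp>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?)\s+-\s+"
    r"(?P<credmgr_component>\S+)\s+-\s+(?P<credmgr_location>\S+)\s+-\s+"
    r"(?P<credmgr_log_level>\S+)\s+-\s+(?P<credmgr_log_message>.*)$")

def parse_credmgr_log(text):
    """Split raw log text into records. A line that does not start a record is a
    continuation line (e.g. part of a traceback) and is appended to the previous message."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append(m.groupdict())
        elif records:
            records[-1]["credmgr_log_message"] += "\n" + line
        # A continuation line before any record has nothing to attach to and is dropped.
    return records

def count_by_level(records):
    """Number of records per log level, e.g. to alert on a burst of ERROR records."""
    return Counter(r["credmgr_log_level"] for r in records)

# Constructed sample in the Credential Manager's log format (not real log output).
SAMPLE_LOG = """\
2021-01-13 21:07:45,004 - credmgr - credmgr.token_handler:52 - INFO - Token created for project RENCI-TEST with scope mf
2021-01-13 21:07:46,310 - credmgr - credmgr.token_handler:61 - ERROR - Token creation failed: project not found - RENCI-UNKNOWN
Traceback (most recent call last):
  File "token_handler.py", line 58, in create_token
ValueError: unknown project
2021-01-13 21:08:01,917 - credmgr - credmgr.cert_handler:20 - INFO - Served JWKS
"""

if __name__ == "__main__":
    for rec in parse_credmgr_log(SAMPLE_LOG):
        print(rec["credmgr_log_level"], rec["credmgr_location"], rec["credmgr_log_message"].splitlines()[0])
    print(dict(count_by_level(parse_credmgr_log(SAMPLE_LOG))))
```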
Logstash input
```
input {
  beats {
    port => 5000
  }
  kafka {
    bootstrap_servers => "kafka:9092"
    topics => ["credmgr"]
    codec => json
  }
}
```
Metrics
The Credential Manager is instrumented with the following metrics, collected by Prometheus. Once the container is running, the metrics can be viewed at https://127.0.0.1:8443/metrics.
- Requests_Received: HTTP requests received
- Requests_Success: HTTP requests processed successfully
- Requests_Failed: HTTP requests that failed
Example output from the MVP deployment: https://dev-2.fabric-testbed.net/metrics
Example output
```
# HELP Requests_Received_total HTTP Requests
# TYPE Requests_Received_total counter
Requests_Received_total{endpoint="/certs",method="get"} 1.0
Requests_Received_total{endpoint="/tokens/create",method="post"} 4.0
# HELP Requests_Received_created HTTP Requests
# TYPE Requests_Received_created gauge
Requests_Received_created{endpoint="/certs",method="get"} 1.6105784650048048e+09
Requests_Received_created{endpoint="/tokens/create",method="post"} 1.6105784819597633e+09
# HELP Requests_Success_total HTTP Success
# TYPE Requests_Success_total counter
Requests_Success_total{endpoint="/certs",method="get"} 1.0
# HELP Requests_Success_created HTTP Success
# TYPE Requests_Success_created gauge
Requests_Success_created{endpoint="/certs",method="get"} 1.6105784650058455e+09
# HELP Requests_Failed_total HTTP Failures
# TYPE Requests_Failed_total counter
Requests_Failed_total{endpoint="/tokens/create",method="post"} 2.0
# HELP Requests_Failed_created HTTP Failures
# TYPE Requests_Failed_created gauge
Requests_Failed_created{endpoint="/tokens/create",method="post"} 1.6105784821310477e+09
```
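Turning that exposition output into a per-endpoint failure rate, as an added example (not part of the project): a spike in failed /tokens/create requests is the kind of signal worth alerting on. The input is the counter lines from the sample output above; the alert threshold is a constructed value.

```python
import re

# One Prometheus exposition sample: name{label="v",...} value (comment and blank lines are skipped).
SAMPLE_RE = re.compile(r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)$')
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_exposition(text):
    """Return {(metric_name, ((label, value), ...)): float} for every sample line."""
    samples = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            raise ValueError("unparseable sample line: %r" % line)
        labels = tuple(sorted(LABEL_RE.findall(m.group("labels") or "")))
        samples[(m.group("name"), labels)] = float(m.group("value"))
    return samples

def failure_rates(samples):
    """Requests_Failed_total / Requests_Received_total per (endpoint, method); a missing Failed counter is 0."""
    rates = {}
    for (name, labels), received in samples.items():
        if name != "Requests_Received_total":
            continue
        failed = samples.get(("Requests_Failed_total", labels), 0.0)
        label_map = dict(labels)
        rates[(label_map["endpoint"], label_map["method"])] = failed / received if received else 0.0
    return rates

def endpoints_over_threshold(samples, threshold):
    """Endpoints whose failure rate exceeds the threshold (e.g. 0.25, a constructed alert level)."""
    return sorted(ep for ep, rate in failure_rates(samples).items() if rate > threshold)

# The counter lines of the /metrics sample output quoted above (the *_created gauges are left out).
SAMPLE_METRICS = """\
# HELP Requests_Received_total HTTP Requests
# TYPE Requests_Received_total counter
Requests_Received_total{endpoint="/certs",method="get"} 1.0
Requests_Received_total{endpoint="/tokens/create",method="post"} 4.0
# HELP Requests_Success_total HTTP Success
# TYPE Requests_Success_total counter
Requests_Success_total{endpoint="/certs",method="get"} 1.0
# HELP Requests_Failed_total HTTP Failures
# TYPE Requests_Failed_total counter
Requests_Failed_total{endpoint="/tokens/create",method="post"} 2.0
"""

if __name__ == "__main__":
    print(failure_rates(parse_exposition(SAMPLE_METRICS)))
    print(endpoints_over_threshold(parse_exposition(SAMPLE_METRICS), 0.25))
```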
API examples
Create tokens for projectId=RENCI-TEST and scope=mf
```sh
curl -X POST -i "localhost:8443/tokens/create?projectId=RENCI-TEST&scope=mf" -H "accept: application/json"
```
```
HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 340
Server: Werkzeug/1.0.0 Python/3.6.8
Date: Thu, 19 Mar 2020 02:06:43 GMT

{
  "id_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiIyNDRCMjM1RjZCMjhFMzQxMDhEMTAxRUFDNzM2MkM0RSIsImFsZyI6IlJTMjU2In0.eyJpc3MiOiJodHRwczovL2NpbG9nb24ub3JnIiwic3ViIjoiaHR0cDovL2NpbG9nb24ub3JnL3NlcnZlckEvdXNlcnMvMTE5MDQxMDEiLCJhdWQiOiJjaWxvZ29uOi9jbGllbnRfaWQvNzdlMWFlYTAyMGE0Njc2OTM3ZWFhMjJkZjFkNDMyZDgiLCJhdXRoX3RpbWUiOiIxNTg0MzgzMzg3IiwiZXhwIjoxNTg0Mzg0Mjg3LCJpYXQiOjE1ODQzODMzODcsImVtYWlsIjoia3RoYXJlMTBAZW1haWwudW5jLmVkdSIsImdpdmVuX25hbWUiOiJLb21hbCIsImZhbWlseV9uYW1lIjoiVGhhcmVqYSIsImNlcnRfc3ViamVjdF9kbiI6Ii9EQz1vcmcvREM9Y2lsb2dvbi9DPVVTL089VW5pdmVyc2l0eSBvZiBOb3J0aCBDYXJvbGluYSBhdCBDaGFwZWwgSGlsbC9DTj1Lb21hbCBUaGFyZWphIEExMTkwNDEwNiIsImlkcCI6InVybjptYWNlOmluY29tbW9uOnVuYy5lZHUiLCJpZHBfbmFtZSI6IlVuaXZlcnNpdHkgb2YgTm9ydGggQ2Fyb2xpbmEgYXQgQ2hhcGVsIEhpbGwiLCJlcHBuIjoia3RoYXJlMTBAdW5jLmVkdSIsImFmZmlsaWF0aW9uIjoiZW1wbG95ZWVAdW5jLmVkdTtzdGFmZkB1bmMuZWR1O21lbWJlckB1bmMuZWR1IiwibmFtZSI6IktvbWFsIFRoYXJlamEiLCJhY3IiOiJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZFByb3RlY3RlZFRyYW5zcG9ydCIsImVudGl0bGVtZW50IjoidXJuOm1hY2U6ZGlyOmVudGl0bGVtZW50OmNvbW1vbi1saWItdGVybXMifQ.d18gtV85V0ik4jfKyalguSgnmlszz--cNrQ4fWY2c29POQf1LgaMKpDlLrR_eQ1sz1TOMMtrqhgJ764CsJIVTqVtWEqL7vQsPFffRcO5rT80OdeOyKH5jQirbWEgGomEOzZg1GCtW9KFh88aVQtV6nnxhGD0Lua7tUJMzAfMm7_2exTw3EehqOt0thPVzKsOPlGCQ_iuc3FRDI2vMNbzpTsSXfgqpTAwwD9DXcSf9QfmuvwFaKIjOQAywR-HJBZ1TwFAZVIAeGzyR-2XuofX8TaAWZDfDyppe8q8-bf-_3-XhjBHtMJ8Z87SaiIfHyDdk4sG7SJoxx7Ry3DS5VPO6Q",
  "refresh_token": "https://cilogon.org/oauth2/refreshToken/46438248f4b7691a851f88b0849d9687/1584383387474"
}
```
Revoke tokens
```sh
curl -X POST -i "localhost:8443/tokens/revoke" -H "accept: application/json" -H "Content-Type: application/json" -d '{"refresh_token": "https://cilogon.org/oauth2/refreshToken/46438248f4b7691a851f88b0849d9687/1584383387474"}'
```
```
HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 106
Server: Werkzeug/1.0.0 Python/3.6.8
Date: Mon, 16 Mar 2020 18:32:38 GMT
```
Identity token example
Decoded Id token returned for projectId=RENCI-Test and scope=all
```json
{
  "email": "kthare10@email.unc.edu",
  "given_name": "Komal",
  "family_name": "Thareja",
  "name": "Komal Thareja",
  "iss": "https://cilogon.org",
  "sub": "http://cilogon.org/serverA/users/11904101",
  "aud": "cilogon:/client_id/1253defc60a323fcaa3b449326476099",
  "token_id": "https://cilogon.org/oauth2/idToken/6fc1a62669fa4598911265824981e8d8/1606658617708",
  "auth_time": "1606658617",
  "exp": 1606662223,
  "iat": 1606658623,
  "roles": [
    "project-leads"
  ],
  "projects": {
    "RENCI-TEST": [
      "tag 1",
      "tag 2"
    ]
  },
  "scope": "all"
}
```
Decoded token for projectId=RENCI-TEST and scope=mf
```json
{
  "email": "kthare10@email.unc.edu",
  "given_name": "Komal",
  "family_name": "Thareja",
  "name": "Komal Thareja",
  "iss": "https://cilogon.org",
  "sub": "http://cilogon.org/serverA/users/11904101",
  "aud": "cilogon:/client_id/1253defc60a323fcaa3b449326476099",
  "token_id": "https://cilogon.org/oauth2/idToken/6fc1a62669fa4598911265824981e8d8/1606658617708",
  "auth_time": "1606658617",
  "exp": 1606662223,
  "iat": 1606658623,
  "roles": [
    "project-leads"
  ],
  "projects": {
    "RENCI-TEST": [
      "tag 1",
      "tag 2"
    ]
  },
  "scope": "mf"
}
```
Hashes for fabric-credmgr-1.6.2.tar.gz
| Algorithm | Hash digest |
|---|---|
| SHA256 | 3fcb251ea32b5c3e12c170acadebddea1e3d32cd75ebd4559be9b62891d272bb |
| MD5 | 9911a687917e175f49c2463718f83e80 |
| BLAKE2b-256 | 4f89667dafa9faebadbe540bfd80da73824b4b9b41b570674862060cadd691bb |