Forward HTTP-Header (e.g. user credentials) to stagein and stageout #17

Open
njunike opened this issue Oct 27, 2022 · 3 comments
njunike commented Oct 27, 2022

We are running ADES in an OAuth-protected environment, so the user needs to provide a valid Bearer-Token to access the ADES API. The token is transmitted in the "Authorization" HTTP-Header. That same token is required by stagein and stageout to read and write to our catalog and storage services on behalf of the user, so I'm looking for an option to forward the Authorization-header from the ADES REST API (POST //wps3/processes//jobs) to the stagein and stageout.

Is this already possible with ADES, and if so, how is it configured?

njunike commented Mar 10, 2023

Hi @rconway, as discussed yesterday, here is a short description of our current workaround to overcome the above issue:

We have implemented a small reverse proxy in front of ADES. Any API request to ADES is routed through this proxy where

  • access rights are checked (similar to the PEP of EOEPCA)
  • user ID in URL and HTTP-Header is Base64-encoded (UUID format cannot be handled by ADES)
    • this is a workaround to 31
  • encoded user ID is added as HTTP-Header 'X-User-Id' (for consistency with URL)
  • if the request is a "submit new job"-request:
    • user ID is added as a request parameter (used in target URL / path in stageout)
    • OAuth Bearer Token is added as a request parameter (to be used by stagein, stageout and optionally processors accessing our API)
    • a request creation timestamp is added as a request parameter (as a support to processor chains to have a consistent timestamp e.g. in metadata)
    • same timestamp in format yyyyMMdd'T'HHmmss is added as a request parameter (for stageout to create names containing the timestamp)
  • in response from ADES (header and body), the encoded user ID is re-translated to UUID format
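
The request rewriting listed in the comment above, sketched as an added Python example; it is not the commenter's proxy or ADES code. The path layout, the Base64 variant, the JSON `inputs` object and the input names are all assumptions made for illustration.

```python
import base64, json, re, uuid

# Assumed path layout (hypothetical): /<user-id>/wps3/processes/<process-id>/jobs
SUBMIT_JOB = re.compile(r"^/[^/]+/wps3/processes/[^/]+/jobs/?$")

def encode_user_id(user_id):
    """UUID string -> URL-safe Base64 without padding (variant is an assumption)."""
    uuid.UUID(user_id)  # raises ValueError for anything that is not a UUID
    return base64.urlsafe_b64encode(user_id.encode()).decode().rstrip("=")

def decode_user_id(encoded):
    """Inverse of encode_user_id; restores the stripped padding first."""
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4)).decode()

def rewrite_request(method, path, headers, body, now):
    """Return (path, headers, body) as the proxy would forward them."""
    user_id, sep, rest = path.lstrip("/").partition("/")
    encoded = encode_user_id(user_id)
    # Drop any client-supplied X-User-Id so only the proxy can set it.
    out = {k: v for k, v in headers.items() if k.lower() != "x-user-id"}
    out["X-User-Id"] = encoded
    if method == "POST" and SUBMIT_JOB.match(path):
        auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
        scheme, _, token = auth.partition(" ")
        if scheme.lower() != "bearer" or not token:
            raise PermissionError("submit-job request without a bearer token")
        job = json.loads(body)  # assumed: JSON object with an "inputs" object
        # Proxy values overwrite same-named client inputs (names are hypothetical).
        job.setdefault("inputs", {}).update({
            "user_id": encoded,
            "bearer_token": token,
            "request_timestamp": now.isoformat(),
            "request_timestamp_compact": now.strftime("%Y%m%dT%H%M%S"),
        })
        body = json.dumps(job)
    return "/" + encoded + sep + rest, out, body

def rewrite_response(text, encoded):
    """Translate the encoded user ID in a response header or body back to the UUID."""
    return text.replace(encoded, decode_user_id(encoded))

def redact(body):
    """Copy of a job body that is safe to log: the injected token is masked."""
    job = json.loads(body)
    if "bearer_token" in job.get("inputs", {}):
        job["inputs"]["bearer_token"] = "[REDACTED]"
    return json.dumps(job)
```

Because the token travels in the job body in this scheme, `redact` is meant to be applied before a body is written to any proxy log.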

rconway commented Mar 10, 2023

When you say forward the headers to stagein/out, what do you mean exactly?
Do you mean to e.g. set some environment variables based on the header values?

njunike commented Mar 10, 2023

Yes, "forward" refers more to a generic concept than to an exact technical approach. Environment variables are one way to go (and probably the best), but there might be others too. My target requirement is that stagein, stageout and (some) processors get access to the bearer token somehow without the user needing to "help" by putting it twice in the request (header and body).
