From 1505b9c1157b3db0579c6374a09a81f983287642 Mon Sep 17 00:00:00 2001
From: Stefan Verhoeven
Date: Mon, 21 Aug 2023 13:23:49 +0200
Subject: [PATCH] Move allowed_roles to admin app + Add bind example for private key
---
 .dockerignore | 2 ++
 deploy/docker-compose.yml | 5 +++++
 docs/configuration.md | 14 +++++++++-----
 docs/deploy.md | 9 +++++----
 4 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index d7a291e..2547251 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -145,3 +145,5 @@ cython_debug/
 # The app config
 /config.yaml
+/private_key.pem
+/public_key.pem
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 5df4261..9507f00 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -29,6 +29,11 @@ services:
 - type: bind
 source: ../public_key.pem
 target: /app/src/public_key.pem
+ # If you want to generate a token for testing purposes with the `bartender generate-token` command
+ # also mount private key by uncommenting the following lines
+ # - type: bind
+ # source: ../private_key.pem
+ # target: /app/src/private_key.pem
 - type: volume
 source: bartender-jobs
 target: /tmp/jobs
diff --git a/docs/configuration.md b/docs/configuration.md
index 5351256..bcadd50 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -42,7 +42,7 @@ openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:204
 openssl rsa -pubout -in private_key.pem -out public_key.pem
 ```
-The private key of the RSA key pair is used to generate a token in
+The private key of the RSA key pair is used to sign a token in
 an another web application or with the `bartender generate-token` command.
 The public key of the RSA key pair is used to verify that the token comes
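Review bot: Excluding `/private_key.pem` from the build context keeps the signing key out of the image, but nothing in this patch shows the same exclusion in `.gitignore`, so a key generated at the repository root as `docs/configuration.md` instructs could still be committed. If `.gitignore` does not already list `/private_key.pem`, add it alongside this change; the public key can stay tracked. This is inferred from the diffstat, which touches only `.dockerignore` among the ignore files, so it may already be covered elsewhere.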
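Review bot: The commented-out bind for `../private_key.pem` mounts the token-signing key into the API container without `read_only: true`, so a compromised or misbehaving process in the container could modify or truncate the key on the host; the existing `public_key.pem` bind above it has the same gap. Add `#   read_only: true` after the `#   target: /app/src/private_key.pem` line (and `read_only: true` to the public-key bind), since compose's long volume syntax supports it. The comment should also state that the container only needs the public key to verify tokens and that the private-key bind is for `bartender generate-token` on a local test deployment only, so it must not be uncommented in a production compose file. Whether the service already runs as a non-root user or the host key file has restrictive permissions is not visible in this hunk.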
@@ -55,7 +55,7 @@ The token payload should contain the following claims:
 * `sub`: The user id. Used to identifiy who submitted a job.
 * `exp`: The expiration time of the token.
 * `iss`: The issuer of the token. Used to track from where jobs are submitted.
-* `roles`: The roles of the user.
+* `roles`: Optionally. The roles of the user.
 See [Applications](#applications) how roles are used.
 ## Configuration file
@@ -87,8 +87,11 @@ applications:
 haddock3:
 command: haddock3 $config
 config: workflow.cfg
+ adminapp:
+ command: some-admin-application $config
+ config: config.yaml
 allowed_roles:
- - easy
+ - admin # Only users with admin role can submit jobs for this application
 ```
 * The key is the name of the application
@@ -97,8 +100,9 @@ applications:
 * The `command` key is the command executed in the directory of the unpacked archive that the consumer uploaded. The `$config` in command string will be replaced with value of the config key.
-* The `allowed_roles` key holds an array of role names, one of which a submitter
- should have. When key is not set or list is empty then any authorized user
+* Optionally, the `allowed_roles` key holds an array of role names,
+ one of which a submitter should have.
+ When key is not set or list is empty then any authorized user
 is allowed. See [Authentication](#authentication) how to set roles on users.
 * The application command should not overwrite files uploaded during submission as these might not be downloaded from location where application is run.
diff --git a/docs/deploy.md b/docs/deploy.md
index 1b9fc9c..051d0bb 100644
--- a/docs/deploy.md
+++ b/docs/deploy.md
@@ -14,8 +14,9 @@ docker compose -f deploy/docker-compose.yml up
 Web service will running on .
-To login to web service you need to generate token with the private counterpart of the public key.
+To login to web service you need to generate token and sign it with the private counterpart of the public key.g
+If you want to generate a token with the
+`docker compose -f deploy/docker-compose.yml exec api bartender generate-token` command
+you should uncomment the private key volume bind in `deploy/docker-compose.yml`.
 See [configuration.md#authentication](configuration.md#authentication).
-To use `bartender generate-token` command inside container you need make
-the private key available in the container.