Uploaded image for project: 'SAFe Program'
  1. SAFe Program
  2. SP-3880

Prototype AAI Infrastructure Component Token Flows in OpenCADC Services (CADC-12760 #5)

Change Owns to Parent OfsSet start and due date...
    XporterXMLWordPrintable

Details

    • SRCnet
    • Hide

      The Feature will:

      1. develop a common understanding of how service-to-service token flows should be used in the SRCNet ecosystem.
      2. develop automated flows for authentication where services need to interoperate without user interaction
      3. demonstrate the use of infrastructure component tokens as documented in SP-3952. It will be the first implementation and therefore a test of some of these recommendations.
      4. make it possible for the MSND to protect global services and synchronize proprietary data.
      5. inform A&A Architecture choices based on lessons learned.
      Show
      The Feature will: develop a common understanding of how service-to-service token flows should be used in the SRCNet ecosystem. develop automated flows for authentication where services need to interoperate without user interaction demonstrate the use of infrastructure component tokens as documented in  SP-3952 . It will be the first implementation and therefore a test of some of these recommendations. make it possible for the MSND to protect global services and synchronize proprietary data. inform A&A Architecture choices based on lessons learned.
    • Hide

      AC1: Service-to Service Token Flow Use cases and implementation choices are documented

      AC2: opencadc software configured to use a Token Flow are released and installed at deployment sites.

      AC3: Demonstrate that critwall authenticates and synchronizes proprietary data (RACS collection) at a node that has been granted permission to do so

      AC4: Demonstrate that global services can be protected from abuse using auth;  fenwick and ratik authenticate to global services to synchronize and validate artifacts; icewind authenticates to global CAOM repository to synchronize observations.

      Show
      AC1: Service-to Service Token Flow Use cases and implementation choices are documented AC2: opencadc software configured to use a Token Flow are released and installed at deployment sites. AC3: Demonstrate that critwall authenticates and synchronizes proprietary data (RACS collection) at a node that has been granted permission to do so AC4: Demonstrate that global services can be protected from abuse using auth;  fenwick and ratik authenticate to global services to synchronize and validate artifacts; icewind authenticates to global CAOM repository to synchronize observations.
    • 1
    • 1
    • 0

    • PI24 - UNCOVERED

    • AAI PI21-PB service-integration

    Description

      Token flow use cases include scenarios where infrastructure software (services and other background processes) need to make authenticated calls to other service API. This is part of the operation of the infrastructure, not in response to a user interaction or request to an API.

      The miniSRCNet Demonstrator can be used to provide some concrete examples of infrastructure components that will rely on correct token flows. We anticipate two flavours of use case:

      • authenticated access so that proprietary assets (files, observations, s/w images) can be synchronized to SRCNet nodes by authenticating and enforcing permissions
      • protect some global services from use/abuse by users when they are intended for use by infrastructure running at the SRCNet nodes only

      The Purple team will provide the implementation recommendations for token flows as part of https://jira.skatelescope.org/browse/SP-3952

      This Feature will deliver a prototype of the recommended approach for operational tokens in the A&A library, and will document the approach and the lessons learned during the prototyping.

      As part of the prototyping, token use will be made configurable in affected MSND software. New versions will be released for use in the MSND deployments.

      Architectural aspects:

      • data access API
      • every node will synchronize data with its own identity

      Attachments

        Issue Links

          depends on

          Spike - A time limited investigation to get some knowledge SP-4105 Describe the Auth flows currently used for OpenCADC software

          • Must have - Items labelled as "Must have" are critical to the current delivery timebox in order for it to be a success.
          • Done
          relates to

          Feature - A Feature is a service that fulfills a stakeholder need. Each feature includes a benefit hypothesis and acceptance criteria, and is sized or split as necessary to be delivered by a single Agile Release Train (ART) in a Program Increment (PI). SP-3952 IAM Token Cookbook

          • Must have - Items labelled as "Must have" are critical to the current delivery timebox in order for it to be a success.
          • Done
          mentioned in

          Page Loading...

          Page Loading...

          Structure

            Activity

              People

                r.bolton Bolton, Rosie
                s.gaudet Gaudet, Séverin
                Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Feature Progress

                  Story Point Burn-up: (0%)

                  Feature Estimate: 1.0

                  IssuesStory Points
                  To Do46.0
                  In Progress   00.0
                  Complete00.0
                  Total46.0

                  Dates

                    Created:
                    Updated:

                    Structure Helper Panel