Documentation related to 

Background

We currently support a simple local authentication process.  User accounts are stored in etcd with apr1 hashed passwords with associated per-namespace secrets. The apr1 format was used to support the NGINX ingress controller, which uses htpasswd files to enable basic authentication into services running in Kubernetes.  The current authentication approach is undesirable for a variety of reasons, including double sign-in (custom login screen and basic auth) and lack of support for SSO.  We've long discussed supporting Oauth, but didn't have a driving use case (until now). This documentation supersedes any other Oauth2 discussions  (e.g., WSO2, etc).

We have three (or four) basic requirements for authentication/authorization going forward:

  1. Oauth: We've been asked to support InCommon authentication and no longer store usernames and passwords. This is primarily for the public beta system, but would also be useful for hosted systems.
  2. Local: We still need the ability to quickly provision accounts in demo and hackathon systems.  Ideally we can eliminate the "basic auth" scenario
  3. LDAP: The TERRA-REF use case is driving the need for tighter integration with local LDAP systems, specifically using common UID/GID for shared filesystems.  
  4. External: Not a clear priority, but the ability to integrate with other external authentication systems (e.g., Clowder) 

Use cases

Oauth2 authentication (Globus auth)

User accesses www.workbench.nationaldataservice.org and selects "Sign-in" using Oauth (Globus). If user is not authenticated, user is redirected via Oauth.  Once authenticated, if user has no account, an account record is created. No email verification is required.  If approval is enabled, account goes though approval workflow. User starts Jupyter notebook. When user accesses Jupyter endpoint, if already authenticated they are not prompted to authenticate again.  If they have not authenticated, user is prompted to authenticate using their Workbench credentials. If another user tries to access this user's Jupyter notebook, they are not permitted.

Local authentication ("cauth")

User accesses www.workbench.nationaldataservice.org and selects "Sign-up". User enters registration information and submits. User is required to verify email address. Once verified, account goes through approval process (if enabled). Once approved, user can login to Workbench to start services.  User starts Jupyter notebook. When user accesses Jupyter endpoint, if already authenticated they are not prompted to authenticate again.  If they have not authenticated, user is prompted to authenticate using their Workbench credentials. If another user tries to access this user's Jupyter notebook, they are not permitted.

Notes:

NCSA LDAP

User accesses www.workbench.nationaldataservice.org and selects "Sign in". They are prompted to enter their NCSA LDAP credentials. If they do not have an account, they can sign up via NCSA identity.  When they sign in (similar to oauth), they will go through the approval workflow, if configured.  The story is otherwise the same (single sign-on for Workbench services and containers, unable to access resources in another namespace/account).

Admin user

An admin user can login and access grafana/kibana/dashboards.  

CLI user

User – particularly admin user – can login via CLI. Will likely require API token or spoofing oauth workflow via CLI.

Possible implementation

Notes about oauth2_proxy


Other considerations/questions:


Overview


Authentication/authorization component

The wbauth component handles the nginx auth_request and simply returns 2xx, 401 or 403. It can set and check for the presence of a cookie (e.g., wb_auth) and delegate to another configured authentication module.


LDAP provider

The LDAP provider would support authentication using an existing LDAP server, such as NCSA LDAP.