[Feature][Manager] OpenAPI authentication support #5167

Closed
2 tasks done
woofyzhao opened this issue Jul 21, 2022 · 0 comments · Fixed by #5173
woofyzhao commented Jul 21, 2022

Description

Currently the manager's open APIs are free to call from anywhere anonymously, which is not secure.
Goal: Add some sort of authentication support to verify the identity of the clients (i.e. authorized agent/dataproxy/sdk etc.)

Mechanisms

There are several ways to provide web api authentication, with the typical two described below:

1. Basic Access Authentication
https://en.wikipedia.org/wiki/Basic_access_authentication


The auth process is simple:
A) The api server side generates a secretID & secretKey pair for each client who wants access.
B) The client encodes the id & key pair (base64) in the http header.
C) The server's interceptor / filter retrieves the secretID and compares the secretKey param with the true secretKey stored in some database (usually encrypted)

Pros:

  • Light and easy to understand
  • Little extra work to use

Cons:

  • Since base64 is used, it is not secure in non-encrypted channel.
  • So it must be used along with HTTPS.

2. API Secure Signature
This is commonly used in public cloud apis, like the one described in this Tencent cloud approach.


The auth process is roughly like this:
A) The api server side generates a secretID & secretKey pair for each client who wants access.
B) The client organizes some of the request context info (URI, domain, sorted params, body data etc.) into a basic string.
C) Then the client uses RSA or hashing to encrypt this string to a signature with the secretKey
D) The client requests the API with the signature and secretID
E) The server retrieves the secretID, finds its corresponding secretKey, and uses the same encoding process as B) and C) to calculate the signature.
F) The server compares its calculated signature and the one from the request to determine the final authenticating result.

Pros:

  • More secure, since the secretKey is not transported across the network but merely used as part of the signature. Thus it can also be used in unencrypted channels like HTTP.

Cons:

  • The process is more sophisticated and thus error prone. Steps like B) have no standards to follow. Often needs more debugging time for the user.

Suggest choosing the basic auth approach for the following reasons:

  1. We should always use HTTPS as a modern web application. Thus we enforce it, and basic auth is easy and sufficiently secure.
  2. The open APIs exposed by manager are quite limited and are usually read only (the most important of which include configuration query for agent and dataproxy).

InLong Component

InLong Manager

Are you willing to submit PR?

  • Yes, I am willing to submit a PR!

Code of Conduct
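The signature mechanism sketched in steps A) to F) above, worked through end to end as an added example (not code from the issue or from InLong): the client builds the canonical string from method, URI, sorted params and a body hash, signs it with HMAC-SHA256 using the secretKey, and the server recomputes and compares it in constant time. The credential store, header names and the `/openapi/agent/config` path are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed demo credential store: secretID -> secretKey (issue step A).
# A real manager would load this from its database, not a module constant.
SECRETS = {"agent-01": b"k3y-for-agent-01-constructed"}


def canonical_string(method, uri, params, body):
    """Step B: a deterministic string over the request context.

    Params are sorted so client and server agree regardless of insertion
    order; the body is hashed so large payloads do not bloat the string."""
    query = urlencode(sorted(params.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), uri, query, body_hash])


def sign(secret_key, method, uri, params, body):
    """Step C: keyed hash (HMAC-SHA256) over the canonical string, so the
    secretKey itself never leaves the client."""
    msg = canonical_string(method, uri, params, body).encode()
    return hmac.new(secret_key, msg, hashlib.sha256).hexdigest()


def client_request(secret_id, secret_key, method, uri, params, body):
    """Step D: the client sends only the secretID and the signature."""
    sig = sign(secret_key, method, uri, params, body)
    return {"method": method, "uri": uri, "params": params, "body": body,
            "headers": {"X-Secret-Id": secret_id, "X-Signature": sig}}


def server_verify(req):
    """Steps E and F: look up the key by secretID, recompute, compare.

    compare_digest avoids leaking the match position through timing."""
    headers = req["headers"]
    key = SECRETS.get(headers.get("X-Secret-Id", ""))
    if key is None:                      # unknown client: reject early
        return False
    expected = sign(key, req["method"], req["uri"], req["params"], req["body"])
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    req = client_request("agent-01", SECRETS["agent-01"], "GET",
                         "/openapi/agent/config", {"ip": "10.0.0.5", "tag": "t1"}, b"")
    print("valid request accepted:", server_verify(req))   # True
    req["params"]["ip"] = "10.0.0.6"     # any change to the signed context
    print("tampered request accepted:", server_verify(req))  # False
```

A deployment of this scheme would also fold a timestamp or nonce into the canonical string so that a captured request cannot simply be resent, which is the replay gap HTTPS does not close on its own.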

@healchow healchow added this to the 1.3.0 milestone Jul 25, 2022
@healchow healchow changed the title [Improve][Manager] OpenAPI authentication support [Feature][Manager] OpenAPI authentication support Jul 25, 2022