No description, website, or topics provided.
Clone or download
jpwhitemn Merge pull request #46 from tingyuz/issue-37-40-41-42
Fixes for Issue 37 40 41 42. Port changes from Delhi to master.
Latest commit a5840be Jan 4, 2019

EdgeX Foundry Security API-Gateway Service Implemented with Go


Go implementation of EdgeX security API-Gateway service.


  • Reverse proxy for the existing edgex microservices
  • Account creation with optional either OAuth2 or JWT authentication for existing services
  • Account creation with arbitrary ACL gourp list

How to Start the service

The service can be started with 2 different methods listed below:

  • start with docker-compose file like other normal EdgeX services do.
  • build from source code & start with single docker container.

Method 1. Run the Security Service with Docker-compose file. Make sure other EdgeX services start as usual (especially volume), then

docker-compose up -d vault
docker-compose up -d vault-worker
docker-compose up -d kong-db
docker-compose up -d kong-migrations
docker-compose up -d kong
docker-compose up -d edgex-proxy

Method 2. Build Docker image and Run Api-gateway Security Service

The repo includes a Dockerfile to dockerize the security service. Run the docker-componse commands same as in method one except the last step, then

Build an image of the security service

go get
cd security-api-gateway
make build
make docker

Run the security service

docker run -v vault-config:/vault/config --network=edgex-network edgexfoundry/docker-edgex-proxy-go

Notice here vault-file is the name of the volume that keeps the root_token for Vault service, which can be checked with

docker volume ls
docker volume inspect <volume_name>

And edgex-network is the name of the private network that edgex containers create, which can be check with

docker network ls
docker network inspect <network_name>

Other options for security service, E,g, reset the proxy to initial status, create account, delete account

docker run --network=edgex-network edgex/proxy -h
docker run --network=edgex-network edgex/proxy --reset=true
docker run --network=edgex-network edgex/proxy --useradd=<account> --group=<groupname>
docker run --network=edgex-network edgex/proxy --userdel=<account>

Access existing microservice APIs like ping service of command microservice

use JWT as query string 
curl -k -v -H "host: edgex" https://kong-container:8443/command/api/v1/ping?jwt= <JWT from account creation>
or use JWT in HEADER
curl -k -v -H "host: edgex" https://kong-container:8443/command/api/v1/ping -H "Authorization: Bearer <JWT from account creation>"