Accessing OIDC tokens from Pulsar #15526

Open
SergeyYakubov opened this issue Feb 7, 2023 · 2 comments

@SergeyYakubov
Contributor

Now that we have OIDC tokens available and refreshed in Galaxy (after PR #15300 is merged), we want to make them accessible in Pulsar so that we can use them to authenticate users and access resources on a remote machine.

The problem is that we cannot just send an ID token with job metadata since it might expire before it is needed. So, we've discussed this internally and see two options here:

  1. Pulsar refreshes the token. For this, we'd need to send identity provider secrets to Pulsar. We'd have to do that for each job, similar to how Galaxy sends object store config with each job, because we cannot make it Pulsar settings since this does not scale and is not secure. Additionally, Pulsar would need to know how to refresh.
  2. Create a new API endpoint in Galaxy to send a fresh ID token to Pulsar on request (see a diagram below). Galaxy would verify the job key similar to what happens when Pulsar sends files to Galaxy (https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/webapps/galaxy/api/job_files.py#L117).

We want to implement option 2, but we would like to discuss it here first.

[Diagram: tokens]
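
A sketch of the Galaxy-side check that option 2 describes, added here as an example and not code from Galaxy or Pulsar: the endpoint releases an ID token only for a matching job key on a job that is still active, and refreshes the cached token when it is close to expiry. The class and field names, the job states and the 60-second margin are assumptions.

```python
import hmac
import time
from dataclasses import dataclass

REFRESH_MARGIN = 60  # assumed: refresh when less than 60 s of lifetime remain

@dataclass
class Job:
    job_key: str            # per-job secret presented by Pulsar
    user: str
    state: str = "running"

@dataclass
class Token:
    value: str
    expires_at: float       # Unix time

class TokenEndpoint:
    """Hypothetical Galaxy-side handler; IdP secrets stay inside `refresh`."""

    def __init__(self, jobs, tokens, refresh, now=time.time):
        self.jobs, self.tokens = jobs, tokens   # job_id -> Job, user -> Token
        self.refresh, self.now = refresh, now   # refresh(user) -> Token

    def get_id_token(self, job_id, presented_key):
        job = self.jobs.get(job_id)
        # Unknown job and wrong key take the same path and give the same answer.
        expected = job.job_key if job else ""
        key_ok = hmac.compare_digest(expected.encode(), presented_key.encode())
        if job is None or not key_ok:
            return 403, None
        if job.state not in ("queued", "running"):
            return 403, None                    # key is useless once the job ends
        token = self.tokens.get(job.user)
        if token is None or token.expires_at - self.now() < REFRESH_MARGIN:
            token = self.tokens[job.user] = self.refresh(job.user)
        return 200, token.value

def demo():
    # Constructed sample data: one running job, one finished job, a cached
    # token for alice that expires in 10 s, and a stub standing in for the IdP.
    now = 1_000_000.0
    jobs = {1: Job("k-running", "alice"), 2: Job("k-done", "alice", "ok")}
    tokens = {"alice": Token("old-token", now + 10)}
    ep = TokenEndpoint(jobs, tokens, lambda u: Token("fresh-token", now + 3600), lambda: now)
    return [ep.get_id_token(1, "k-running"),   # valid key, stale token: refreshed
            ep.get_id_token(1, "wrong"),       # wrong key
            ep.get_id_token(2, "k-done"),      # job already finished
            ep.get_id_token(99, "")]           # unknown job, empty key
```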

@hexylena
Member

Second option makes a lot of sense to me.

@mvdbeek
Member

mvdbeek commented Feb 10, 2023

Agreed, @jmchilton do you have any reservations here?

SergeyYakubov added a commit to SergeyYakubov/pulsar that referenced this issue Apr 10, 2023
allows to configure plugins for user authentication/authorization. Includes methods to authenticate
based on OIDC token (see issue galaxyproject/galaxy#15526)
SergeyYakubov added a commit to SergeyYakubov/pulsar that referenced this issue Apr 10, 2023
as job launch parameter so that it is sent to Pulsar from Galaxy. See corresponding PR (galaxyproject/galaxy#15300) and issue (galaxyproject/galaxy#15526) for Galaxy
SergeyYakubov added a commit to SergeyYakubov/pulsar that referenced this issue Apr 10, 2023
Includes methods to authenticate based on OIDC token (see issue galaxyproject/galaxy#15526)
SergeyYakubov added a commit to SergeyYakubov/pulsar that referenced this issue May 3, 2023
as job launch parameter so that it is sent to Pulsar from Galaxy. See corresponding PR (galaxyproject/galaxy#15300) and issue (galaxyproject/galaxy#15526) for Galaxy
SergeyYakubov added a commit to SergeyYakubov/pulsar that referenced this issue May 3, 2023
Includes methods to authenticate based on OIDC token (see issue galaxyproject/galaxy#15526)