Configure Bindaas with Kong as Authentication Provider

Pradeeban Kathiravelu edited this page Sep 4, 2018 · 43 revisions

You may disable the authentication of Bindaas in favor of leveraging an authentication mechanism provided by an external authentication provider such as an API gateway. Configure bin/bindaas.config.json as below:

"enableAuthentication": false,

When using an API gateway such as Kong, the apikey in the query below is validated by the API gateway, external to Bindaas, and not by Bindaas itself.

curl 'http://localhost:9099/services/test/mongo/query/find?apikey=4n6UBle6Jx5EpvvbqbASzD93pgjEZ6AM'

Please note that Kong uses the parameter "apikey", unlike Bindaas, which uses "api_key". The parameter name can differ between API gateways and authentication providers, so check which one your provider expects.

Here we will look into configuring Kong, using its Docker container, as the authentication provider for Bindaas. This document uses Kong version 0.14.0-alpine, which is the latest version of Kong at the time of writing.

Configure Kong with Postgres

You have 2 choices.

1. You may download Kong

Download and install from the repository - https://docs.konghq.com/install/osx/?_ga=2.92884957.1927372678.1533053872-2008063826.1531747033

Configure with Postgres:

$ psql -U postgres

postgres=# CREATE USER kong; CREATE DATABASE kong OWNER kong;

Run the Kong migrations:

$ kong migrations up

Start Kong

$ kong start

You may choose to start with verbose logs:

$ kong start -vv

You may need to create a kong configuration file to load Kong with custom configurations:

$ sudo mkdir /etc/kong

$ sudo touch /etc/kong/kong.conf

Now your Kong is running. Confirm that with:

$ curl -i http://localhost:8001/

2. Use Docker images with the help of kong-ldap repository:

This will install and configure Kong with Postgres in a container.

$ git clone https://github.com/pradeeban/kong-ldap

$ cd kong-ldap

$ sh buildRun.sh

Configure Bindaas services with Kong

First, (optionally) start the Konga dashboard:

More information: https://github.com/pantsel/konga

Confirm your Bindaas service works just fine

$ curl http://localhost:9099/services/test/mongo/query/find

[{ "item" : "bulk" , "qty" : 1100.0},{ "item" : "bulk" , "qty" : 1100.0},{ "item" : "bulk" , "qty" : 1100.0 , "nu" : 1.0}]

Please note that the Kong Admin API listens on HTTP port 8001, whereas the user API listens on port 8000.

To create something with the Admin API, we use port 8001; to use something that has already been created, we use port 8000.

Here we use the base configuration of TCIA services: http://172.20.11.223:9099/services/v4

Add your Bindaas Service using the Kong Admin API

$ curl -i -X POST --url http://localhost:8001/services/ --data 'name=contentsByName' --data 'url=http://172.20.11.223:9099/services/v4/SharedList/query/ContentsByName/'

Add a Route for the Service

$ curl -i -X POST --url http://localhost:8001/services/contentsByName/routes --data 'paths=/radiology/getSharedList'

Repeat for all the services

$ curl -i -X POST --url http://localhost:8001/services/ --data 'name=radiology' --data 'url=http://172.20.11.223:9099/services/v4/TCIA/query/'

$ curl -i -X POST --url http://localhost:8001/services/radiology/routes --data 'paths=/radiology'

Forward your requests through Kong

Now, access your TCIA services directly,

$ curl 'http://172.20.11.223:9099/services/v4/SharedList/query/ContentsByName?name=test'

as well as via Kong,

$ curl 'http://172.20.11.222:8000/radiology/getSharedList/?name=test'

[{"SERIES_INSTANCE_UID":"1.3.6.1.4.1.9328.50.50.131638054339500252579667761647125855321"},{"SERIES_INSTANCE_UID":"1.3.6.1.4.1.14519.5.2.1.5099.8010.309478555369641943686270918660"}]

http://172.20.11.222:8000/radiology/getImage -> http://172.20.11.223:9099/services/v4/TCIA/query/getImage
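With enableAuthentication set to false, the direct URL above returns data without any key, so Kong only protects clients that cannot reach port 9099 themselves. The script below is an added example, not part of the original page, that checks this from a client machine. It assumes one of Kong's authentication plugins is already enabled on the route and that the Admin API runs on the same host as the proxy; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: exposure check for Bindaas behind Kong. Run it from a client
# machine, not from the Kong host. URLs come from this page, except the Admin
# API host, which is assumed to be the Kong proxy host. Function names are hypothetical.
BINDAAS_DIRECT="${BINDAAS_DIRECT:-http://172.20.11.223:9099/services/v4/SharedList/query/ContentsByName?name=test}"
KONG_PROXY="${KONG_PROXY:-http://172.20.11.222:8000/radiology/getSharedList/?name=test}"
KONG_ADMIN="${KONG_ADMIN:-http://172.20.11.222:8001/}"

# Print the HTTP status code for a URL; 000 means no HTTP answer at all
# (connection refused, filtered or timed out).
http_status() {
    curl -s -o /dev/null -m 5 -w '%{http_code}' "$1" || true
}

# classify <expectation> <code> prints PASS or FAIL.
#   closed   : the port must not answer from this machine (000)
#   needskey : the gateway must reject a request that carries no apikey
classify() {
    case "$1:$2" in
        closed:000)                echo PASS ;;
        needskey:401|needskey:403) echo PASS ;;
        *)                         echo FAIL ;;
    esac
}

# check <label> <expectation> <url> prints one result line, returns 0 on PASS.
check() {
    code=$(http_status "$3")
    result=$(classify "$2" "$code")
    printf '%s  %-26s http=%s\n' "$result" "$1" "$code"
    [ "$result" = PASS ]
}

# Returns the number of failed checks (0 when the deployment looks closed).
run_checks() {
    failures=0
    check "Bindaas direct (9099)" closed "$BINDAAS_DIRECT" || failures=$((failures + 1))
    check "Kong Admin API (8001)" closed "$KONG_ADMIN" || failures=$((failures + 1))
    check "Kong proxy, no apikey" needskey "$KONG_PROXY" || failures=$((failures + 1))
    return "$failures"
}

# Only touch the network when asked to: sh check_exposure.sh run
if [ "${1:-}" = run ]; then
    run_checks
fi
```

A FAIL on the first line means clients can skip the gateway entirely; restrict port 9099 so that only the Kong host can connect to it.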

Alternative Approach with Host headers

The approach below is the default one followed in the Kong documentation, although it is not as straightforward as using paths as shown above.

Add your Bindaas Service using the Kong Admin API

$ curl -i -X POST --url http://localhost:8001/services/ --data 'name=find-service' --data 'url=http://localhost:9099/services/test/mongo/query/find'

or if you are using Kong in a Docker container:

$ curl -i -X POST --url http://localhost:8001/services/ --data 'name=find-service' --data 'url=http://docker.for.mac.host.internal:9099/services/test/mongo/query/find'

HTTP/1.1 201 Created
Date: Wed, 01 Aug 2018 16:04:04 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.14.0
Content-Length: 309

{"host":"docker.for.mac.host.internal","created_at":1533139444,"connect_timeout":60000,"id":"a2678cff-b63a-4416-a4e4-1a60b1084a4c","protocol":"http","name":"find-service","read_timeout":60000,"port":9099,"path":"/services/test/mongo/query/find","updated_at":1533139444,"retries":5,"write_timeout":60000}

Note that above we use docker.for.mac.host.internal because we are accessing localhost on the host (we are using Docker for Mac) from the Docker container of Kong.

Add a Route for the Service

$ curl -i -X POST --url http://localhost:8001/services/find-service/routes --data 'hosts[]=find-service.com'

HTTP/1.1 201 Created
Date: Wed, 01 Aug 2018 16:04:22 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.14.0
Content-Length: 295

{"created_at":1533139462,"strip_path":true,"hosts":["find-service.com"],"preserve_host":false,"regex_priority":0,"updated_at":1533139462,"paths":null,"service":{"id":"a2678cff-b63a-4416-a4e4-1a60b1084a4c"},"methods":null,"protocols":["http","https"],"id":"6fb0a141-5a99-4329-b600-f29d0635f706"}

Forward your requests through Kong

$ curl -i -X GET --url http://localhost:8000/ --header 'Host: find-service.com'

HTTP/1.1 200 OK
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Bindaas-version: 3.0.6
Date: Tue, 31 Jul 2018 20:00:37 GMT
metadata: {}
responseTime: 1
tags: []
Vendor: CCI Emory University
Server: Jetty(8.1.7.v20120910)
X-Kong-Upstream-Latency: 6
X-Kong-Proxy-Latency: 52
Via: kong/0.14.0

[{ "item" : "bulk" , "qty" : 1100.0},{ "item" : "bulk" , "qty" : 1100.0},{ "item" : "bulk" , "qty" : 1100.0 , "nu" : 1.0}]

Configure Authentication for the Service

You have two options.

  1. Use key-auth.
  2. Use ldap-auth.