Commit aef604d6 authored by Mayank Saggar [Microsoft]

Merge branch 'master' of...

Merge branch 'master' of https://community.opengroup.org/osdu/platform/data-flow/ingestion/ingestion-workflow into new-apis-ms
parents 6d4810c9 7da6bf1f
Pipeline #13877 passed with stages
in 32 minutes and 8 seconds
......@@ -16,6 +16,10 @@ analyze:
type: mvn
target: workflow-core/pom.xml
path: .
- name: workflow-aws
type: mvn
target: provider/workflow-aws/pom.xml
path: .
- name: workflow-azure
type: mvn
target: provider/workflow-azure/pom.xml
......@@ -24,11 +28,11 @@ analyze:
type: mvn
target: provider/workflow-gcp/pom.xml
path: .
- name: workflow-gcp-datastore
- name: workflow-ibm
type: mvn
target: provider/workflow-gcp-datastore/pom.xml
target: provider/workflow-ibm/pom.xml
path: .
- name: workflow-test-core
- name: workflow-gcp-datastore
type: mvn
target: testing/workflow-test-core/pom.xml
target: provider/workflow-gcp-datastore/pom.xml
path: .
......@@ -18,6 +18,7 @@ variables:
AWS_TEST_SUBDIR: testing/workflow-test-aws
AWS_SERVICE: ingestion-workflow
AWS_ENVIRONMENT: dev
AWS_SKIP_DEPLOY: 'true'
include:
......@@ -52,13 +52,9 @@ az keyvault secret show --vault-name $KEY_VAULT_NAME --name $KEY_VAULT_SECRET_NA
| `AZURE_CLIENT_ID` | `********` | Identity to run the service locally. This enables access to Azure resources. You only need this if running locally | yes |
| `AZURE_TENANT_ID` | `********` | AD tenant to authenticate users from | yes |
| `AZURE_CLIENT_SECRET` | `********` | Secret for `$AZURE_CLIENT_ID` | yes |
| `azure.activedirectory.session-stateless` | `true` | Flag run in stateless mode (needed by AAD dependency) | no |
| `azure.activedirectory.AppIdUri` | `api://${azure.activedirectory.client-id}` | URI for AAD Application | no |
| `azure.activedirectory.client-id` | ******** | AAD client application ID | yes |
| `azure.application-insights.instrumentation-key` | ******** | API Key for App Insights | yes |
| `KEYVAULT_URI` | ex https://foo-keyvault.vault.azure.net/ | URI of KeyVault that holds application secrets | no |
| `cosmosdb_database` | ex `dev-osdu-r2-db` | Cosmos database for storage documents | no | output of infrastructure deployment |
| `cosmosdb_key` | `********` | Key for CosmosDB | yes | output of infrastructure deployments |
| `OSDU_ENTITLEMENTS_URL` | ex `https://foo-entitlements.azurewebsites.net` | Entitlements API endpoint | no | output of infrastructure deployment |
| `OSDU_ENTITLEMENTS_APPKEY` | `********` | The API key clients will need to use when calling the entitlements | yes | -- |
| `airflow_url` | ex `http://foo.org/test/airflow` | Airflow API endpoint | no |
......@@ -70,6 +66,22 @@ az keyvault secret show --vault-name $KEY_VAULT_NAME --name $KEY_VAULT_SECRET_NA
| `LOG_PREFIX` | `workflow` | Logging prefix | no | - |
| `server_port` | `8082` | Port of application. | no | -- |
In Order to run service with AAD authentication add below environment variables, which will enable Authentication in workflow service using AAD filter.
| name | value | description | sensitive? | source |
| --- | --- | --- | --- | --- |
| `azure_istioauth_enabled` | `false` | Flag to Disable AAD auth | no | -- |
| `azure.activedirectory.session-stateless` | `true` | Flag run in stateless mode (needed by AAD dependency) | no | -- |
| `azure.activedirectory.client-id` | `********` | AAD client application ID | yes | output of infrastructure deployment | output of infrastructure deployment |
| `azure.activedirectory.AppIdUri` | `api://${azure.activedirectory.client-id}` | URI for AAD Application | no | -- |
In Order to run service without authentication add below environment variables, which will disable authentication in workflow service.
name | value | description | sensitive? | source |
| --- | --- | --- | --- | --- |
| `azure_istioauth_enabled` | `true` | Flag to Disable AAD auth | no | -- |
**Required to run integration tests**
| name | value | description | sensitive? | source |
......@@ -16,6 +16,7 @@ package org.opengroup.osdu.workflow.provider.azure.security;
import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
......@@ -23,27 +24,29 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@ConditionalOnProperty(value = "azure.istio.auth.enabled", havingValue = "false", matchIfMissing = false)
public class AADSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AADAppRoleStatelessAuthenticationFilter appRoleAuthFilter;
@Autowired
private AADAppRoleStatelessAuthenticationFilter appRoleAuthFilter;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
.and()
.authorizeRequests()
.antMatchers("/",
"/v2/api-docs",
"/swagger-resources/**",
"/swagger-ui.html",
"/webjars/**")
"/v2/api-docs",
"/swagger-resources/**",
"/swagger-ui.html",
"/webjars/**")
.permitAll()
.anyRequest().authenticated()
.and()
.addFilterBefore(appRoleAuthFilter, UsernamePasswordAuthenticationFilter.class);
}
}
}
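Review bot: The new `@ConditionalOnProperty(value = "azure.istio.auth.enabled", havingValue = "false", matchIfMissing = false)` on AADSecurityConfig, combined with `matchIfMissing = true` on the AzureIstioSecurityConfig introduced in the same commit, makes the toggle fail open: when the property is absent the AAD filter chain is not registered while the configuration that turns off application-level authentication is, so a deployment that simply forgets to set `azure_istioauth_enabled` runs unauthenticated unless a sidecar happens to sit in front of it. Inverting the two defaults keeps authentication on when nothing is configured: `matchIfMissing = true` on this annotation and `matchIfMissing = false` on AzureIstioSecurityConfig. Any value other than true/false (presumably compared case-insensitively by the condition) matches neither class, leaving whatever Spring Security falls back to in effect, so a comment on this annotation stating the accepted values, or an explicit startup check, would also help.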
// Copyright © Microsoft Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package org.opengroup.osdu.workflow.provider.azure.security;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@ConditionalOnProperty(value = "azure.istio.auth.enabled", havingValue = "true", matchIfMissing = true)
public class AzureIstioSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().disable()
.csrf().disable(); //AuthN is disabled. AuthN is handled by sidecar proxy
}
}
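Review bot: AzureIstioSecurityConfig has no class-level documentation, and the only explanation of why every request is left unauthenticated is the trailing comment on `.csrf().disable()`; a reader enabling `azure.istio.auth.enabled` needs to know that this chain relies entirely on an external sidecar for authentication and that it is also the configuration selected when the property is unset (`matchIfMissing = true`). Add a Javadoc above the class along the lines of `/** Security config for Istio deployments: authentication is enforced by the sidecar proxy, so this chain disables HTTP Basic and CSRF and authenticates nothing itself. Selected when azure.istio.auth.enabled is true or unset. */`. Because `configure` builds no `authorizeRequests()` rules at all, that Javadoc should also state plainly that the class must not be active on a deployment without the sidecar.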
......@@ -12,19 +12,25 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# Application name
spring.application.name=workflow
LOG_PREFIX=workflow
# Server Path Configuration
server.servlet.contextPath=/api/workflow/v1/
# Istio Auth Config Toggle
azure.istio.auth.enabled=${azure_istioauth_enabled}
# Partition service
PARTITION_API=${partition_service_endpoint}
azure.activedirectory.app-resource-id=${aad_client_id}
# Azure AD configuration for OpenIDConnect
azure.activedirectory.session-stateless=true
azure.activedirectory.client-id=${aad_client_id}
azure.activedirectory.AppIdUri=api://${azure.activedirectory.client-id}
# azure.activedirectory.session-stateless=true
# azure.activedirectory.client-id=${aad_client_id}
# azure.activedirectory.AppIdUri=api://${azure.activedirectory.client-id}
# Azure CosmosDB configuration
osdu.azure.cosmosdb.database=${cosmosdb_database}
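Review bot: `azure.istio.auth.enabled=${azure_istioauth_enabled}` has no placeholder default, and the AAD properties it displaces are commented out rather than removed or documented, so an operator reading this file cannot tell that `azure.activedirectory.session-stateless`, `client-id` and `AppIdUri` now have to be supplied through the environment whenever the toggle is `false` (the README section added in this commit is the only place that says so). Replace the three commented-out lines with a comment such as `# When azure_istioauth_enabled=false the azure.activedirectory.* properties must be provided by the environment (see README)` and give the toggle a default that keeps authentication on, `azure.istio.auth.enabled=${azure_istioauth_enabled:false}`, so that an unset variable presumably neither fails placeholder resolution at startup nor, depending on how the two conditional configs evaluate, leaves the service unauthenticated. Whether `azure.activedirectory.app-resource-id=${aad_client_id}` is still consumed once the other AAD properties are gone is not visible here and worth confirming.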