Audit and Metrics issues
https://community.opengroup.org/osdu/platform/deployment-and-operations/audit-and-metrics/-/issues
2022-05-23T16:18:13Z

GCP Endpoints Authentication/Authorization
https://community.opengroup.org/osdu/platform/deployment-and-operations/audit-and-metrics/-/issues/40
2022-05-23T16:18:13Z
Siarhei Khaletski (EPAM)

# Context
The GCP/EPAM team has finished onboarding the service.
Now all endpoints of the service are open to the world. In our view, it is not secure to provide access to information about the GCP environment/metrics.
We noticed the `auth.py` module, but it does not seem to be completed. From a security perspective, it requires additional attention to security concerns.
# Issue
MR !14 has some drawbacks: namely, the `username`, `password`, and `secret` properties were used to manage token validation (look at the URI on the screenshot above).
![Screen_Shot_2022-03-09_at_2.21.43_PM](/uploads/7fa7900c9dac811e89ce6bbd3ac4bdaa/Screen_Shot_2022-03-09_at_2.21.43_PM.png)
For GCP we can't use an external system to receive the `x-access-token`.
# Expected Behavior
All GCP endpoints require `access_token` (not `id_token`) for user authentication and authorization.
The token should be received from the `https://oauth2.googleapis.com/token` Google OAuth endpoint.
At the code level, the `google.oauth` package can be used for token validation.
# Improvement Proposal
Potentially, all user access rights for `Audit & Metrics` service can be managed by `OSDU Entitlements service`.

M11 - Release 0.14
Srinivasan Ramamoorthi