From 99ef0450e0e174861419e98aa1a68ceb42e1f935 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Mon, 12 Aug 2024 15:49:26 -0400 Subject: [PATCH 01/26] chore: rm proxy-controlled CORS from Katsu --- lib/gateway/services/katsu.conf.tpl | 3 --- 1 file changed, 3 deletions(-) diff --git a/lib/gateway/services/katsu.conf.tpl b/lib/gateway/services/katsu.conf.tpl index 81e47553..6e265483 100644 --- a/lib/gateway/services/katsu.conf.tpl +++ b/lib/gateway/services/katsu.conf.tpl @@ -11,9 +11,6 @@ location /api/metadata/ { return 400; proxy_pass http://${BENTOV2_KATSU_CONTAINER_NAME}:${BENTOV2_KATSU_INTERNAL_PORT}$uri; - # CORS - include /usr/local/openresty/nginx/conf/cors.conf; - # Errors error_log /var/log/bentov2_metadata_errors.log; } From 17cdebc6daf9a47c4bc6e48cd8e3c9919af37bc5 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Mon, 12 Aug 2024 15:49:37 -0400 Subject: [PATCH 02/26] set katsu to pr-529 --- etc/bento.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/bento.env b/etc/bento.env index 9c0f84ad..114ccb85 100644 --- a/etc/bento.env +++ b/etc/bento.env @@ -269,7 +269,7 @@ BENTOV2_KATSU_DB_CPUS=4 # Katsu BENTOV2_KATSU_IMAGE=ghcr.io/bento-platform/katsu -BENTOV2_KATSU_VERSION=8.0.1 +BENTOV2_KATSU_VERSION=pr-529 BENTOV2_KATSU_VERSION_DEV=${BENTOV2_KATSU_VERSION}-dev BENTOV2_KATSU_CONTAINER_NAME=${BENTOV2_PREFIX}-katsu BENTO_KATSU_NETWORK=${BENTOV2_PREFIX}-katsu-net From ee0a83d3ad5c9cdb0a2a5c1eda4988b602cf63c8 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Mon, 12 Aug 2024 15:50:34 -0400 Subject: [PATCH 03/26] configure Katsu for CORS + authz --- lib/katsu/docker-compose.katsu.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/katsu/docker-compose.katsu.yaml b/lib/katsu/docker-compose.katsu.yaml index e8da7e3f..9a5bfeca 100644 --- a/lib/katsu/docker-compose.katsu.yaml +++ b/lib/katsu/docker-compose.katsu.yaml 
@@ -27,8 +27,12 @@ services: - SERVICE_SECRET_KEY=${BENTOV2_KATSU_APP_SECRET} - DJANGO_SETTINGS_MODULE=chord_metadata_service.metadata.settings - BENTOV2_PORTAL_DOMAIN - # Allow access by container name or localhost for healthchecks: - - KATSU_ALLOWED_HOSTS=${BENTOV2_KATSU_CONTAINER_NAME},localhost + # Allow access by public, container name, or localhost for healthchecks: + - KATSU_ALLOWED_HOSTS=${BENTOV2_DOMAIN},${BENTOV2_KATSU_CONTAINER_NAME},localhost + # Authz + - BENTO_AUTHZ_ENABLED=True + - BENTO_AUTHZ_SERVICE_URL + - CORS_ORIGINS=${BENTO_CORS_ORIGINS} # configs: # - source: chord-metadata-settings # target: /katsu/metadata/settings.py From 062bcb586f4d26322f0884db9c90d0cfe0f48797 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Wed, 14 Aug 2024 15:44:37 -0400 Subject: [PATCH 04/26] set public to pr-173 --- etc/bento.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/bento.env b/etc/bento.env index 114ccb85..5e12951f 100644 --- a/etc/bento.env +++ b/etc/bento.env @@ -371,7 +371,7 @@ BENTOV2_GOHAN_PRIVATE_AUTHZ_URL=http://${BENTOV2_GOHAN_AUTHZ_OPA_CONTAINER_NAME} # Bento-Public BENTO_PUBLIC_IMAGE=ghcr.io/bento-platform/bento_public -BENTO_PUBLIC_VERSION=0.19.1 +BENTO_PUBLIC_VERSION=pr-173 BENTO_PUBLIC_VERSION_DEV=${BENTO_PUBLIC_VERSION}-dev BENTO_PUBLIC_CONTAINER_NAME=${BENTOV2_PREFIX}-public BENTO_PUBLIC_NETWORK=${BENTOV2_PREFIX}-public-net From 0a45ee590f7928411441d5f6cb29c91089f1b4b3 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Thu, 15 Aug 2024 08:07:10 -0400 Subject: [PATCH 05/26] chore(deps): update requirements --- requirements.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.txt b/requirements.txt index f6aec9b5..f58be5b4 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,5 @@ certifi==2024.7.4 -cffi==1.16.0 +cffi==1.17.0 charset-normalizer==3.3.2 cryptography==43.0.0 debugpy==1.8.5 
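Review bot: `KATSU_ALLOWED_HOSTS` gains `${BENTOV2_DOMAIN}` but not the portal domain, even though `BENTOV2_PORTAL_DOMAIN` is passed into this same container a few lines up and a later commit in this series builds Katsu's canonical URL from `BENTOV2_PORTAL_PUBLIC_URL`. If the gateway forwards the portal hostname as the Host header, Django's ALLOWED_HOSTS check would answer those requests with a 400; confirm which Host value the gateway sets and, if it is the portal one, use `- KATSU_ALLOWED_HOSTS=${BENTOV2_DOMAIN},${BENTOV2_PORTAL_DOMAIN},${BENTOV2_KATSU_CONTAINER_NAME},localhost`. `BENTO_AUTHZ_ENABLED=True` is hard-coded while `BENTO_AUTHZ_SERVICE_URL` is a bare pass-through, so a missing host-side value becomes an empty string rather than a startup error; a comment such as `# Required when BENTO_AUTHZ_ENABLED=True; set in bento.env` next to it would make the dependency visible.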
@@ -8,7 +8,7 @@ flake8==7.1.1 idna==3.7 mccabe==0.7.0 packaging==24.1 -pycodestyle==2.12.0 +pycodestyle==2.12.1 pycparser==2.22 pyflakes==3.2.0 pyhumps==3.8.0 From 3f2f667d85267eb5369b96cdfcab1ba8a65dcfcc Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Thu, 15 Aug 2024 08:07:32 -0400 Subject: [PATCH 06/26] refact(bentoctl): factor out common client/secret creation code --- py_bentoctl/auth_helper.py | 154 ++++++++++++++----------------------- 1 file changed, 58 insertions(+), 96 deletions(-) diff --git a/py_bentoctl/auth_helper.py b/py_bentoctl/auth_helper.py index 90211a8e..857e63b6 100644 --- a/py_bentoctl/auth_helper.py +++ b/py_bentoctl/auth_helper.py 
@@ -160,6 +160,52 @@ def get_keycloak_client_secret(client_id: str, token: str): return keycloak_req(f"{KC_CLIENTS_ENDPOINT}/{client_id}/client-secret", bearer_token=token) +def create_client_and_secret_for_service( + client_id: str, + env_var_to_set: str, + private_url: str | None, + token: str, + is_service_account: bool = False, + to_restart: str = "the gateway", + token_lifespan: int = 900, # default access token lifespan: 15 minutes + use_refresh_tokens: bool = False, # by default, don't use refresh tokens! (they're less secure) +): + client_kc_id: Optional[str] = fetch_existing_client_id(token, client_id) + + if client_kc_id is None: + # Create the Bento WES client + create_keycloak_client_or_exit( + token, + client_id, + standard_flow_enabled=not is_service_account, + service_accounts_enabled=is_service_account, + public_client=False, + redirect_uris=[ + f"{private_url}/*" + ] if not is_service_account else [], # Not used for client credentials access + web_origins=[private_url] if not is_service_account else [], # " + access_token_lifespan=token_lifespan, + use_refresh_tokens=use_refresh_tokens, + ) + client_kc_id = fetch_existing_client_id(token, client_id) + + # Fetch and print secret + + client_secret_res = get_keycloak_client_secret(client_kc_id, token) + + client_secret_data = client_secret_res.json() + if not client_secret_res.ok: + err(f" Failed to get client secret for {client_id}; {client_secret_res.status_code} " + f"{client_secret_data}") + exit(1) + + client_secret = client_secret_data["value"] + cprint( + f" Please set {env_var_to_set} to {client_secret} in local.env and restart {to_restart}", + attrs=["bold"], + ) + + def init_auth(docker_client: docker.DockerClient): check_auth_admin_user() 
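Review bot: `client_secret_res.json()` runs before `client_secret_res.ok` is checked, so a non-JSON error body from Keycloak raises in the decoder instead of reaching the `err(...)`/`exit(1)` path; check first and use the raw body in the message, e.g. `if not client_secret_res.ok: err(f" Failed to get client secret for {client_id}; {client_secret_res.status_code} {client_secret_res.text}"); exit(1)`, then parse JSON. `private_url` is typed `str | None` but is interpolated into `f"{private_url}/*"` and placed in `web_origins` whenever `is_service_account` is false, which would register a literal `None/*` redirect URI; rejecting `None` for non-service-account clients at the top of the function would catch that during `init-auth`. The comment `# Create the Bento WES client` was carried over from the WES-specific code and no longer describes this generic helper — `# Create the Keycloak client if it does not exist yet` fits. The function also lacks a docstring stating that it prints the client secret to the terminal for the operator to copy into local.env, and it mixes `str | None` in the signature with `Optional[str]` in the body; pick one form.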
@@ -230,109 +276,25 @@ def create_web_client_if_needed(token: str) -> None: ) def create_grafana_client_if_needed(token: str) -> None: - grafana_client_kc_id: Optional[str] = fetch_existing_client_id(token, GRAFANA_CLIENT_ID) - - if grafana_client_kc_id is None: - # Create the Bento WES client - create_keycloak_client_or_exit( - token, - GRAFANA_CLIENT_ID, - standard_flow_enabled=True, - service_accounts_enabled=False, - public_client=False, # Use client secret for this one - redirect_uris=[ - f"{GRAFANA_PRIVATE_URL}/*" - ], - web_origins=[GRAFANA_PRIVATE_URL], - access_token_lifespan=900, # default access token lifespan: 15 minutes - use_refresh_tokens=False, - ) - grafana_client_kc_id = fetch_existing_client_id(token, GRAFANA_CLIENT_ID) - - # Fetch and print secret - - client_secret_res = get_keycloak_client_secret(grafana_client_kc_id, token) - - client_secret_data = client_secret_res.json() - if not client_secret_res.ok: - err(f" Failed to get client secret for {GRAFANA_CLIENT_ID}; {client_secret_res.status_code} " - f"{client_secret_data}") - exit(1) - - client_secret = client_secret_data["value"] - cprint( - f" Please set BENTO_GRAFANA_CLIENT_SECRET to {client_secret} in local.env and restart Grafana", - attrs=["bold"], + create_client_and_secret_for_service( + GRAFANA_CLIENT_ID, "BENTO_GRAFANA_CLIENT_SECRET", GRAFANA_PRIVATE_URL, token, to_restart="Grafana" ) # noinspection PyUnusedLocal def create_cbioportal_client_if_needed(token: str) -> None: - cbio_client_kc_id: Optional[str] = fetch_existing_client_id(token, CBIOPORTAL_CLIENT_ID) - - if cbio_client_kc_id is None: - # Create the cBioportal client - create_keycloak_client_or_exit( - token, - CBIOPORTAL_CLIENT_ID, - standard_flow_enabled=True, - service_accounts_enabled=False, - public_client=False, - redirect_uris=[f"{CBIOPORTAL_URL}{AUTH_LOGIN_REDIRECT_PATH}"], - web_origins=[CBIOPORTAL_URL], - access_token_lifespan=900, # 15 minutes - use_refresh_tokens=True, - ) - cbio_client_kc_id = 
fetch_existing_client_id(token, CBIOPORTAL_CLIENT_ID) - - # Fetch and print secret - - client_secret_res = get_keycloak_client_secret(cbio_client_kc_id, token) - - client_secret_data = client_secret_res.json() - if not client_secret_res.ok: - err(f" Failed to get client secret for {CBIOPORTAL_CLIENT_ID}; {client_secret_res.status_code} " - f"{client_secret_data}") - exit(1) - - client_secret = client_secret_data["value"] - cprint( - f" Please set BENTO_CBIOPORTAL_CLIENT_SECRET to {client_secret} in local.env and restart the " - f"gateway", - attrs=["bold"], + create_client_and_secret_for_service( + GRAFANA_CLIENT_ID, "BENTO_CBIOPORTAL_CLIENT_SECRET", CBIOPORTAL_URL, token, use_refresh_tokens=True ) def create_wes_client_if_needed(token: str) -> None: - wes_client_kc_id: Optional[str] = fetch_existing_client_id(token, WES_CLIENT_ID) - - if wes_client_kc_id is None: - # Create the Bento WES client - create_keycloak_client_or_exit( - token, - WES_CLIENT_ID, - standard_flow_enabled=False, - service_accounts_enabled=True, - public_client=False, # Use client secret for this one - redirect_uris=[], # Not used with a standard/web flow - just client credentials - web_origins=[], # " - access_token_lifespan=WES_WORKFLOW_TIMEOUT, # WES workflow lifespan - use_refresh_tokens=False, # No refreshing these allowed! 
- ) - wes_client_kc_id = fetch_existing_client_id(token, WES_CLIENT_ID) - - # Fetch and print secret - - client_secret_res = get_keycloak_client_secret(wes_client_kc_id, token) - - client_secret_data = client_secret_res.json() - if not client_secret_res.ok: - err(f" Failed to get client secret for {WES_CLIENT_ID}; {client_secret_res.status_code} " - f"{client_secret_data}") - exit(1) - - client_secret = client_secret_data["value"] - cprint( - f" Please set BENTO_WES_CLIENT_SECRET to {client_secret} in local.env and restart WES", - attrs=["bold"], + create_client_and_secret_for_service( + WES_CLIENT_ID, + "BENTO_WES_CLIENT_SECRET", + None, + token, + is_service_account=True, + to_restart="WES", + token_lifespan=WES_WORKFLOW_TIMEOUT, ) def create_test_user_if_needed(token: str) -> None: From 1f9e2aebf051b85169ba8ce43f0e5122c53da866 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Mon, 19 Aug 2024 15:30:49 -0400 Subject: [PATCH 07/26] set gateway to edge --- etc/bento.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/bento.env b/etc/bento.env index 7a7dfd2d..babf9aa5 100644 --- a/etc/bento.env +++ b/etc/bento.env @@ -31,7 +31,7 @@ BENTOV2_GATEWAY_INTERNAL_CERTS_DIR=/usr/local/openresty/nginx/certs # Gateway BENTOV2_GATEWAY_IMAGE=ghcr.io/bento-platform/bento_gateway -BENTOV2_GATEWAY_VERSION=0.12.0 +BENTOV2_GATEWAY_VERSION=edge BENTOV2_GATEWAY_VERSION_DEV=${BENTOV2_GATEWAY_VERSION}-dev BENTOV2_GATEWAY_CONTAINER_NAME=${BENTOV2_PREFIX}-gateway From 8eed564ef10ebedbd99dc4f61cca5bedc22b7b63 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Mon, 26 Aug 2024 11:17:59 -0400 Subject: [PATCH 08/26] set public to pr-175 --- etc/bento.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/bento.env b/etc/bento.env index babf9aa5..c2b2247e 100644 --- a/etc/bento.env +++ b/etc/bento.env 
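Review bot: `create_cbioportal_client_if_needed` now passes `GRAFANA_CLIENT_ID` as the client ID, so if it were re-enabled it would look up or create the Grafana client and print that client's secret under the `BENTO_CBIOPORTAL_CLIENT_SECRET` label; the first argument should be `CBIOPORTAL_CLIENT_ID`. The refactor also changes what gets registered for cBioPortal: the removed code used the exact redirect URI `f"{CBIOPORTAL_URL}{AUTH_LOGIN_REDIRECT_PATH}"`, whereas the shared helper registers the wildcard `f"{private_url}/*"`, a broader redirect allow-list than before — if that is intentional for every web client, a comment on the helper saying so would help; otherwise the helper needs an optional explicit redirect-URI parameter. A later commit in this series (`# TODO: if cBioPortal ever needs auth implemented, re-enable this`) shows the call is currently disabled, so the wrong ID is latent rather than live, but it is the kind of copy-paste slip that is easy to miss once re-enabled. The Grafana and WES rewrites look equivalent to the removed code (`to_restart="Grafana"`, and `None` with `is_service_account=True` reproducing the old empty `redirect_uris`/`web_origins`).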
@@ -371,7 +371,7 @@ BENTOV2_GOHAN_PRIVATE_AUTHZ_URL=http://${BENTOV2_GOHAN_AUTHZ_OPA_CONTAINER_NAME} # Bento-Public BENTO_PUBLIC_IMAGE=ghcr.io/bento-platform/bento_public -BENTO_PUBLIC_VERSION=pr-173 +BENTO_PUBLIC_VERSION=pr-175 BENTO_PUBLIC_VERSION_DEV=${BENTO_PUBLIC_VERSION}-dev BENTO_PUBLIC_CONTAINER_NAME=${BENTOV2_PREFIX}-public BENTO_PUBLIC_NETWORK=${BENTOV2_PREFIX}-public-net From 64d77735a70704d2da8f5772694f7bf44579d1a4 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Mon, 9 Sep 2024 15:25:05 -0400 Subject: [PATCH 09/26] docs: link to v17 migration guide from README --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2664dba9..78cd5b88 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,7 @@ that make up the Bento platform. ### Migration documents +* [v16 to v17](./docs/migrating_to_17.md) * [v15.2 to v16](./docs/migrating_to_16.md) * [v15.1 to v15.2](./docs/migrating_to_15_2.md) * [v15 to v15.1](./docs/migrating_to_15_1.md) From eb20934025bacde3034b1387b550978d6dbe33e7 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Mon, 9 Sep 2024 15:25:17 -0400 Subject: [PATCH 10/26] set Katsu to edge --- etc/bento.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/bento.env b/etc/bento.env index fbf6e368..71816c07 100644 --- a/etc/bento.env +++ b/etc/bento.env @@ -269,7 +269,7 @@ BENTOV2_KATSU_DB_CPUS=4 # Katsu BENTOV2_KATSU_IMAGE=ghcr.io/bento-platform/katsu -BENTOV2_KATSU_VERSION=pr-529 +BENTOV2_KATSU_VERSION=edge BENTOV2_KATSU_VERSION_DEV=${BENTOV2_KATSU_VERSION}-dev BENTOV2_KATSU_CONTAINER_NAME=${BENTOV2_PREFIX}-katsu BENTO_KATSU_NETWORK=${BENTOV2_PREFIX}-katsu-net From 0dc03d0646e4cafb607d2a583385dad69290aa14 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Mon, 9 Sep 2024 15:25:32 -0400 Subject: [PATCH 11/26] rm now-unused env var from public --- etc/bento.env | 1 - lib/public/docker-compose.public.yaml | 1 - 2 files changed, 2 deletions(-) 
diff --git a/etc/bento.env b/etc/bento.env index 71816c07..057e4c45 100644 --- a/etc/bento.env +++ b/etc/bento.env @@ -382,7 +382,6 @@ BENTO_PUBLIC_EXTERNAL_PORT=8090 BENTO_PUBLIC_DEBUG=false BENTO_PUBLIC_SERVICE_ID=${BENTOV2_PREFIX}-public BENTO_PUBLIC_CLIENT_NAME=BentoPublicDev -BENTO_PUBLIC_KATSU_URL=http://${BENTOV2_KATSU_CONTAINER_NAME}:${BENTOV2_KATSU_INTERNAL_PORT} BENTO_PUBLIC_WES_URL=http://${BENTOV2_WES_CONTAINER_NAME}:${BENTOV2_WES_INTERNAL_PORT} BENTO_PUBLIC_GOHAN_URL=http://${BENTOV2_GOHAN_API_CONTAINER_NAME}:${BENTOV2_GOHAN_API_INTERNAL_PORT} BENTO_PUBLIC_PORTAL_URL=${BENTOV2_PORTAL_PUBLIC_URL} diff --git a/lib/public/docker-compose.public.yaml b/lib/public/docker-compose.public.yaml index 25ec8f7a..16a7f79f 100644 --- a/lib/public/docker-compose.public.yaml +++ b/lib/public/docker-compose.public.yaml @@ -11,7 +11,6 @@ services: - BENTO_UID - BENTO_PUBLIC_SERVICE_ID - BENTO_PUBLIC_CLIENT_NAME - - BENTO_PUBLIC_KATSU_URL - BENTO_PUBLIC_WES_URL - BENTO_PUBLIC_GOHAN_URL - BENTO_PUBLIC_PORTAL_URL From 90719de6fa8c25a94d51f8819331df3bfb680998 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Mon, 9 Sep 2024 15:27:51 -0400 Subject: [PATCH 12/26] docs: WIP migration guide content for v17 --- docs/migrating_to_17.md | 44 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/docs/migrating_to_17.md b/docs/migrating_to_17.md index f44426b4..0411fb67 100644 --- a/docs/migrating_to_17.md +++ b/docs/migrating_to_17.md 
@@ -1,6 +1,46 @@ # Migrating to Bento v17 Key points: -* Bento now has observability tools to help monitor the services (Grafana) - + +* Bento now has observability tools to help monitor the services (Grafana). Some setup is required for this feature to + work. +* Katsu discovery endpoints now have an authorization layer. Data that used to be completely public by default (i.e., + censored counts) now requires a permission (`query:project_level_counts` and/or `query:dataset_level_counts`), and + thus a grant in the authorization service. * ... + + +## 1. Stop Bento + +```bash +./bentoctl.bash stop +``` + + +## 2. Update images + +```bash +./bentoctl.bash pull +``` + + +## 3. *(Optional)* Set up Grafana + +TODO: environment + +```bash +./bentoctl.bash start auth +./bentoctl.bash init-auth +``` + + +## 4. Set up public data access grants + +TODO + + +## 5. Start Bento + +```bash +./bentoctl.bash start +``` From 28ed30170130d4067b99ec6444566048de0052cc Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Mon, 9 Sep 2024 15:43:22 -0400 Subject: [PATCH 13/26] docs: add public data access configuration step for v17 migration --- docs/migrating_to_17.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/docs/migrating_to_17.md b/docs/migrating_to_17.md index 0411fb67..cc6c31bc 100644 --- a/docs/migrating_to_17.md +++ b/docs/migrating_to_17.md 
@@ -36,7 +36,19 @@ TODO: environment ## 4. Set up public data access grants -TODO +Starting from Bento v17, anonymous visitors do not have access to see censored counts data by default, even if a +discovery configuration has been set up. For anonymous visitors to access data, a level (`bool`, `counts`, `full`) +must be chosen and passed to the `bento_authz` CLI command below. + +```bash +./bentoctl.bash shell authz +# The level below (counts) preserves previous functionality. Other possible options are: +# - none - will do nothing. +# - bool - for censored true/false discovery, but in effect right now forbids access. +# - counts - for censored count discovery. +# - full - allows full data access (record-level, including sensitive data such as IDs), uncensored counts, etc. +bento_authz public-data-access counts +``` ## 5. Start Bento From 65c9c1a8fb59846f6bd0b62ace84316aa31ab982 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Mon, 9 Sep 2024 15:51:20 -0400 Subject: [PATCH 14/26] docs: instructions for public data access setup in installation guide --- docs/installation.md | 20 ++++++++++++++++++-- docs/migrating_to_17.md | 4 +++- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/docs/installation.md b/docs/installation.md index d70f84ce..f278c39a 100644 --- a/docs/installation.md +++ b/docs/installation.md @@ -297,7 +297,7 @@ utilize new variables generated during the OIDC configuration. ## 6. Configure permissions -### a. Create superuser permissions in the new Bento authorization service +### a. Create superuser permissions in the Bento authorization service First, run the authorization service and then open a shell into the container: 
@@ -334,7 +334,23 @@ bento_authz create grant \ 'query:data' 'ingest:data' 'ingest:reference_material' 'delete:reference_material' ``` -### c. *Optional step:* Assign portal access to all users in the instance realm +### c. Configure public data access for all users, including anonymous visitors (if desired): + +To configure public data access, run the following command in the authorization service container. Note that with the +`full` value, **THIS GIVES FULL DATA ACCESS TO EVERYONE WHO VISITS YOUR INSTANCE!** + +```bash +# Configure public data access +# ---------------------------- +# The level below ("counts") preserves previous functionality. Other possible options are: +# - none - will do nothing. +# - bool - for censored true/false discovery, but in effect right now forbids access. +# - counts - for censored count discovery. +# - full - allows full data access (record-level, including sensitive data such as IDs), uncensored counts, etc. +bento_authz public-data-access counts +``` + +### d. *Optional step:* Assign portal access to all users in the instance realm We added a special permission, `view:private_portal`, to Bento v12/v13 in order to carry forward the current 'legacy' authorization behaviour for one more major version. This permission currently behaves as a super-permission, diff --git a/docs/migrating_to_17.md b/docs/migrating_to_17.md index cc6c31bc..4e6e247b 100644 --- a/docs/migrating_to_17.md +++ b/docs/migrating_to_17.md @@ -42,7 +42,9 @@ must be chosen and passed to the `bento_authz` CLI command below. ```bash ./bentoctl.bash shell authz -# The level below (counts) preserves previous functionality. Other possible options are: +# Configure public data access +# ---------------------------- +# The level below ("counts") preserves previous functionality. Other possible options are: # - none - will do nothing. # - bool - for censored true/false discovery, but in effect right now forbids access. # - counts - for censored count discovery. 
From 249012d59a980dc4305e80f08cb05e5125454f37 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Mon, 9 Sep 2024 16:05:44 -0400 Subject: [PATCH 15/26] set authz to edge --- etc/bento.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/bento.env b/etc/bento.env index 057e4c45..1858a8a7 100644 --- a/etc/bento.env +++ b/etc/bento.env @@ -77,7 +77,7 @@ BENTO_AUTH_DB_NETWORK="${BENTOV2_PREFIX}-auth-db-net" # - Authz service BENTO_AUTHZ_IMAGE=ghcr.io/bento-platform/bento_authorization_service -BENTO_AUTHZ_VERSION=0.9.2 +BENTO_AUTHZ_VERSION=edge BENTO_AUTHZ_VERSION_DEV=${BENTO_AUTHZ_VERSION}-dev BENTO_AUTHZ_CONTAINER_NAME=${BENTOV2_PREFIX}-authz BENTO_AUTHZ_NETWORK=${BENTOV2_PREFIX}-authz-net From 50fec773fa5afbea909ad2520c1b917befde5c91 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Tue, 10 Sep 2024 11:35:43 -0400 Subject: [PATCH 16/26] set public to edge --- etc/bento.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/bento.env b/etc/bento.env index 1858a8a7..f178e04e 100644 --- a/etc/bento.env +++ b/etc/bento.env @@ -371,7 +371,7 @@ BENTOV2_GOHAN_PRIVATE_AUTHZ_URL=http://${BENTOV2_GOHAN_AUTHZ_OPA_CONTAINER_NAME} # Bento-Public BENTO_PUBLIC_IMAGE=ghcr.io/bento-platform/bento_public -BENTO_PUBLIC_VERSION=pr-175 +BENTO_PUBLIC_VERSION=edge BENTO_PUBLIC_VERSION_DEV=${BENTO_PUBLIC_VERSION}-dev BENTO_PUBLIC_CONTAINER_NAME=${BENTOV2_PREFIX}-public BENTO_PUBLIC_NETWORK=${BENTOV2_PREFIX}-public-net From 2c634bf96c73ab246ad11e866ae9454b281b9b8e Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Thu, 12 Sep 2024 11:15:51 -0400 Subject: [PATCH 17/26] work on configuring beacon OIDC for data access --- etc/bento.env | 3 +-- etc/bento_deploy.env | 6 +++++- etc/bento_dev.env | 4 ++++ etc/default_config.env | 3 +++ lib/beacon/docker-compose.beacon.yaml | 8 +++++--- py_bentoctl/auth_helper.py | 16 ++++++++++++++++ 6 files changed, 34 insertions(+), 6 deletions(-) 
diff --git a/etc/bento.env b/etc/bento.env index f178e04e..ace283fe 100644 --- a/etc/bento.env +++ b/etc/bento.env @@ -391,7 +391,7 @@ BENTO_PUBLIC_PORTAL_URL=${BENTOV2_PORTAL_PUBLIC_URL} BENTO_BEACON_CONTAINER_NAME=${BENTOV2_PREFIX}-beacon BENTO_BEACON_NETWORK=${BENTOV2_PREFIX}-beacon-net BENTO_BEACON_IMAGE=ghcr.io/bento-platform/bento_beacon -BENTO_BEACON_VERSION=0.15.2 +BENTO_BEACON_VERSION=pr-107 BENTO_BEACON_VERSION_DEV=${BENTO_BEACON_VERSION}-dev BENTO_BEACON_INTERNAL_PORT=${BENTO_STD_SERVICE_INTERNAL_PORT} BENTO_BEACON_EXTERNAL_PORT=5000 @@ -404,7 +404,6 @@ BENTO_BEACON_CONFIG_DIR=${PWD}/lib/beacon/config BENTO_BEACON_GOHAN_BASE_URL=http://${BENTOV2_GOHAN_API_CONTAINER_NAME}:${BENTOV2_GOHAN_API_INTERNAL_PORT} BENTO_BEACON_KATSU_TIMEOUT=60 BENTO_BEACON_GOHAN_TIMEOUT=60 -BENTO_BEACON_OIDC_ISSUER=${BENTOV2_AUTH_PUBLIC_URL}/auth/realms/${BENTOV2_AUTH_REALM} # cBioPortal diff --git a/etc/bento_deploy.env b/etc/bento_deploy.env index 8d0be71d..3f2f9e25 100644 --- a/etc/bento_deploy.env +++ b/etc/bento_deploy.env @@ -51,13 +51,17 @@ BENTOV2_AUTH_TEST_PASSWORD= BENTO_AUTH_DB_PASSWORD= # TODO: SET ME WHEN DEPLOYING! BENTO_AUTHZ_DB_PASSWORD= # TODO: SET ME WHEN DEPLOYING! +# - Aggregation/Beacon client ID/secret; client within BENTOV2_AUTH_REALM +BENTO_AGGREGATION_CLIENT_ID=aggregation +BENTO_AGGREGATION_CLIENT_SECRET= # TODO: SET ME WHEN DEPLOYING! + # - WES Client ID/secret; client within BENTOV2_AUTH_REALM BENTO_WES_CLIENT_ID=wes BENTO_WES_CLIENT_SECRET= # TODO: SET ME WHEN DEPLOYING! # - Grafana Client ID/secret; client within BENTOV2_AUTH_REALM BENTO_GRAFANA_CLIENT_ID=grafana -BENTO_GRAFANA_CLIENT_SECRET= +BENTO_GRAFANA_CLIENT_SECRET= # TODO: SET ME WHEN DEPLOYING IF GRAFANA IS ENABLED! # --------------------------------------------------------------------- BENTO_WEB_CUSTOM_HEADER= diff --git a/etc/bento_dev.env b/etc/bento_dev.env index 9e471dc2..941f4ed1 100644 --- a/etc/bento_dev.env +++ b/etc/bento_dev.env 
@@ -51,6 +51,10 @@ BENTOV2_AUTH_ADMIN_PASSWORD= BENTOV2_AUTH_TEST_USER= BENTOV2_AUTH_TEST_PASSWORD= +# - Aggregation/Beacon client ID/secret; client within BENTOV2_AUTH_REALM +BENTO_AGGREGATION_CLIENT_ID=aggregation +BENTO_AGGREGATION_CLIENT_SECRET= + # - WES Client ID/secret; client within BENTOV2_AUTH_REALM BENTO_WES_CLIENT_ID=wes BENTO_WES_CLIENT_SECRET= diff --git a/etc/default_config.env b/etc/default_config.env index 3ff8966f..d7356946 100644 --- a/etc/default_config.env +++ b/etc/default_config.env @@ -78,6 +78,9 @@ BENTOV2_AUTH_TEST_PASSWORD= # - Auth (Keycloak) DB credentials BENTO_AUTH_DB_PASSWORD= BENTO_AUTHZ_DB_PASSWORD= +# - Aggregation/Beacon client ID/secret; secret to be filled by local.env - client within BENTOV2_AUTH_REALM +BENTO_AGGREGATION_CLIENT_ID=aggregation +BENTO_AGGREGATION_CLIENT_SECRET= # - cBioPortal Client ID/secret; secret to be filled by local.env - client within BENTOV2_AUTH_REALM BENTO_CBIOPORTAL_CLIENT_ID=cbioportal BENTO_CBIOPORTAL_CLIENT_SECRET= diff --git a/lib/beacon/docker-compose.beacon.yaml b/lib/beacon/docker-compose.beacon.yaml index 3a512284..37ee9e92 100644 --- a/lib/beacon/docker-compose.beacon.yaml +++ b/lib/beacon/docker-compose.beacon.yaml @@ -15,16 +15,18 @@ services: - BENTO_BEACON_DEBUGGER_INTERNAL_PORT - BENTO_BEACON_DEBUGGER_EXTERNAL_PORT - CONFIG_ABSOLUTE_PATH=/config/ - - OIDC_ISSUER=${BENTO_BEACON_OIDC_ISSUER} - - CLIENT_ID=${BENTOV2_AUTH_CLIENT_ID} - BEACON_BASE_URL=${BENTOV2_PUBLIC_URL}/api/beacon - BENTO_BEACON_VERSION=${BENTO_BEACON_VERSION} - BENTO_PUBLIC_CLIENT_NAME - BENTOV2_DOMAIN - BENTOV2_PUBLIC_URL - BENTO_BEACON_UI_ENABLED - - BENTO_AUTHZ_SERVICE_URL - DRS_URL=${BENTOV2_PUBLIC_URL}/api/drs + # Authorization + - BENTO_AUTHZ_SERVICE_URL + - BENTO_OPENID_CONFIG_URL + - BEACON_CLIENT_ID=BENTO_AGGREGATION_CLIENT_ID + - BEACON_CLIENT_SECRET=BENTO_AGGREGATION_CLIENT_SECRET volumes: - ${BENTO_BEACON_CONFIG_DIR}:/config:ro networks: 
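Review bot: `BEACON_CLIENT_ID=BENTO_AGGREGATION_CLIENT_ID` and `BEACON_CLIENT_SECRET=BENTO_AGGREGATION_CLIENT_SECRET` in the beacon compose hunk assign the variable names as literal strings rather than their values — compare `BEACON_BASE_URL=${BENTOV2_PUBLIC_URL}/api/beacon` in the same block — so the Beacon container would present client ID `BENTO_AGGREGATION_CLIENT_ID` to Keycloak and fail to authenticate. They should read `- BEACON_CLIENT_ID=${BENTO_AGGREGATION_CLIENT_ID}` and `- BEACON_CLIENT_SECRET=${BENTO_AGGREGATION_CLIENT_SECRET}`. The same hunk replaces `OIDC_ISSUER=${BENTO_BEACON_OIDC_ISSUER}` with a bare `BENTO_OPENID_CONFIG_URL` pass-through, and this commit deletes `BENTO_BEACON_OIDC_ISSUER` from bento.env, but nothing in the visible diff defines `BENTO_OPENID_CONFIG_URL`; confirm it is already set in bento.env, otherwise Beacon receives an empty value for its OIDC discovery URL.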
diff --git a/py_bentoctl/auth_helper.py b/py_bentoctl/auth_helper.py index 3d4d2b6f..b8667e7f 100644 --- a/py_bentoctl/auth_helper.py +++ b/py_bentoctl/auth_helper.py @@ -37,6 +37,8 @@ AUTH_TEST_PASSWORD = os.getenv("BENTOV2_AUTH_TEST_PASSWORD") AUTH_CONTAINER_NAME = os.getenv("BENTOV2_AUTH_CONTAINER_NAME") +AGGREGATION_CLIENT_ID = os.getenv("BENTO_AGGREGATION_CLIENT_ID") + CBIOPORTAL_CLIENT_ID = os.getenv("BENTO_CBIOPORTAL_CLIENT_ID") WES_CLIENT_ID = os.getenv("BENTO_WES_CLIENT_ID") @@ -459,6 +461,16 @@ def set_include_client_roles_in_id_tokens(token: str): elif roles_mapper["config"]["id.token.claim"] == "true": warn(" The 'client roles' scope mapper already includes roles in the ID token.") + def create_aggregation_client_if_needed(token: str) -> None: + create_client_and_secret_for_service( + AGGREGATION_CLIENT_ID, + "BENTO_AGGREGATION_CLIENT_SECRET", + None, + token, + is_service_account=True, + to_restart="Aggregation and Beacon", + ) + # noinspection PyUnusedLocal def create_cbioportal_client_if_needed(token: str) -> None: create_client_and_secret_for_service( @@ -544,6 +556,10 @@ def success(): create_web_client_if_needed(access_token) success() + info(f" Creating aggregation/Beacon client: {AGGREGATION_CLIENT_ID}") + create_aggregation_client_if_needed(access_token) + success() + # TODO: if cBioPortal ever needs auth implemented, re-enable this and set up Bento Gateway to handle cBioPortal # client authorization. # - David L, 2024-03-25 From 5971afd90f8e3d40a683c3a7f25249801f328a4f Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Thu, 12 Sep 2024 11:39:38 -0400 Subject: [PATCH 18/26] fix missing BENTO_MONITORING_ENABLED from default_config + reorder --- etc/bento_deploy.env | 2 +- etc/bento_dev.env | 2 +- etc/default_config.env | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/bento_deploy.env b/etc/bento_deploy.env index 3f2f9e25..b120f6ff 100644 --- a/etc/bento_deploy.env +++ b/etc/bento_deploy.env 
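Review bot: The last hunk calls `create_aggregation_client_if_needed` unconditionally while `AGGREGATION_CLIENT_ID` is read with `os.getenv("BENTO_AGGREGATION_CLIENT_ID")` and no fallback, so an environment that predates this change would hand `None` to the helper and print `Creating aggregation/Beacon client: None`. This mirrors the existing `WES_CLIENT_ID`/`CBIOPORTAL_CLIENT_ID` pattern and `default_config.env` in this commit sets the value to `aggregation`, so it is probably fine in practice; an explicit guard before the call, `if not AGGREGATION_CLIENT_ID: err(" BENTO_AGGREGATION_CLIENT_ID is not set"); exit(1)`, would still make the failure obvious. The new nested function has no docstring; something like `"""Create the service-account client shared by the aggregation service and Beacon; prints its secret for local.env."""` would state its purpose as implied by `is_service_account=True` and `to_restart="Aggregation and Beacon"`.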
@@ -11,8 +11,8 @@ BENTO_GATEWAY_USE_TLS='true' BENTO_BEACON_ENABLED='false' # Set to true if using Beacon! BENTO_BEACON_UI_ENABLED='false' BENTO_CBIOPORTAL_ENABLED='false' -BENTO_MONITORING_ENABLED='false' BENTO_GOHAN_ENABLED='true' +BENTO_MONITORING_ENABLED='false' # - Switch to enable French translation in Bento Public BENTO_PUBLIC_TRANSLATED='true' diff --git a/etc/bento_dev.env b/etc/bento_dev.env index 941f4ed1..895618df 100644 --- a/etc/bento_dev.env +++ b/etc/bento_dev.env @@ -11,8 +11,8 @@ BENTO_GATEWAY_USE_TLS='true' BENTO_BEACON_ENABLED='true' BENTO_BEACON_UI_ENABLED='true' BENTO_CBIOPORTAL_ENABLED='false' -BENTO_MONITORING_ENABLED='false' BENTO_GOHAN_ENABLED='true' +BENTO_MONITORING_ENABLED='false' # - Switch to enable French translation in Bento Public BENTO_PUBLIC_TRANSLATED='true' diff --git a/etc/default_config.env b/etc/default_config.env index d7356946..21c9175c 100644 --- a/etc/default_config.env +++ b/etc/default_config.env @@ -17,6 +17,7 @@ BENTO_BEACON_ENABLED='true' BENTO_BEACON_UI_ENABLED='true' BENTO_CBIOPORTAL_ENABLED='false' BENTO_GOHAN_ENABLED='true' +BENTO_MONITORING_ENABLED='false' # - Switch to enable French translation in Bento Public BENTO_PUBLIC_TRANSLATED='true' From 269d1b655289938fedeaffc9f60b548fd78b1b4f Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Thu, 12 Sep 2024 11:52:48 -0400 Subject: [PATCH 19/26] configure external URLs for Beacon Katsu/Gohan connection also factors out repeated URL vars for services into bento.env vars --- etc/bento.env | 15 ++++++++++++++- lib/aggregation/docker-compose.aggregation.yaml | 4 ++-- lib/beacon/docker-compose.beacon.yaml | 6 +++--- lib/drs/docker-compose.drs.yaml | 2 +- lib/wes/docker-compose.wes.yaml | 8 ++++---- 5 files changed, 24 insertions(+), 11 deletions(-) diff --git a/etc/bento.env b/etc/bento.env index ace283fe..bd9dcb3d 100644 --- a/etc/bento.env +++ b/etc/bento.env 
@@ -133,6 +133,8 @@ BENTOV2_SERVICE_REGISTRY_EXTERNAL_PORT=5010 BENTOV2_SERVICE_REGISTRY_MEM_LIM=1G BENTOV2_SERVICE_REGISTRY_CPUS=1 +BENTO_SERVICE_REGISTRY_URL=${BENTOV2_PUBLIC_URL}/api/service-registry + # Notification BENTOV2_NOTIFICATION_IMAGE=ghcr.io/bento-platform/bento_notification_service BENTOV2_NOTIFICATION_VERSION=3.1.4 @@ -249,6 +251,10 @@ BENTOV2_DRS_DEBUGGER_EXTERNAL_PORT=5682 BENTOV2_DRS_MEM_LIM=2G BENTOV2_DRS_CPUS=2 +# Canonical/world-resolvable URL for DRS +# TODO: services should use the service registry instead +BENTO_DRS_URL=${BENTOV2_PUBLIC_URL}/api/drs + # Katsu-DB BENTOV2_KATSU_DB_IMAGE=postgres BENTOV2_KATSU_DB_VERSION=13 @@ -290,6 +296,10 @@ BENTOV2_KATSU_CPUS=4 # urls in templates. CHORD_METADATA_SUB_PATH=/api/metadata +# Canonical/world-resolvable URL for Katsu +# TODO: services should use the service registry instead +BENTO_KATSU_URL=${BENTOV2_PORTAL_PUBLIC_URL}${CHORD_METADATA_SUB_PATH} + # Redis BENTOV2_REDIS_BASE_IMAGE=redis BENTOV2_REDIS_BASE_IMAGE_VERSION=7.0.15-alpine @@ -336,6 +346,10 @@ BENTOV2_GOHAN_API_AUTHZ_ENABLED=false #BENTOV2_GOHAN_API_AUTHZ_AGREED_DISABLED_RISK=false BENTOV2_GOHAN_API_AUTHZ_REQHEADS=X-CUSTOM-1,X-CUSTOM-2 +# Canonical/world-resolvable URL for Gohan +# - TODO: services should use the service registry instead +BENTO_GOHAN_URL=${BENTOV2_PORTAL_PUBLIC_URL}/api/gohan + # -- Elasticsearch BENTOV2_GOHAN_ES_USERNAME=elastic # BENTOV2_GOHAN_ES_PASSWORD comes from default_config @@ -401,7 +415,6 @@ BENTO_BEACON_MEM_LIM=2G BENTO_BEACON_CPUS=2 BENTO_BEACON_CONFIG_DIR=${PWD}/lib/beacon/config -BENTO_BEACON_GOHAN_BASE_URL=http://${BENTOV2_GOHAN_API_CONTAINER_NAME}:${BENTOV2_GOHAN_API_INTERNAL_PORT} BENTO_BEACON_KATSU_TIMEOUT=60 BENTO_BEACON_GOHAN_TIMEOUT=60 diff --git a/lib/aggregation/docker-compose.aggregation.yaml b/lib/aggregation/docker-compose.aggregation.yaml index 3b673e88..3a90e025 100644 --- a/lib/aggregation/docker-compose.aggregation.yaml +++ b/lib/aggregation/docker-compose.aggregation.yaml 
@@ -8,8 +8,8 @@ services: - BENTO_DEBUG=False - USE_GOHAN=true - CORS_ORIGINS=${BENTO_CORS_ORIGINS} - - KATSU_URL=${BENTOV2_PORTAL_PUBLIC_URL}/api/metadata/ - - SERVICE_REGISTRY_URL=${BENTOV2_PUBLIC_URL}/api/service-registry/ + - KATSU_URL=${BENTO_KATSU_URL}/ + - SERVICE_REGISTRY_URL=${BENTO_SERVICE_REGISTRY_URL}/ - BENTO_AUTHZ_SERVICE_URL networks: - aggregation-net diff --git a/lib/beacon/docker-compose.beacon.yaml b/lib/beacon/docker-compose.beacon.yaml index 37ee9e92..46cdb249 100644 --- a/lib/beacon/docker-compose.beacon.yaml +++ b/lib/beacon/docker-compose.beacon.yaml @@ -5,9 +5,9 @@ services: container_name: ${BENTO_BEACON_CONTAINER_NAME} environment: - BENTO_UID - - GOHAN_BASE_URL=${BENTO_BEACON_GOHAN_BASE_URL} + - GOHAN_BASE_URL=${BENTO_GOHAN_URL} - KATSU_TIMEOUT=${BENTO_BEACON_KATSU_TIMEOUT} - - KATSU_BASE_URL=http://${BENTOV2_KATSU_CONTAINER_NAME}:${BENTOV2_KATSU_INTERNAL_PORT} + - KATSU_BASE_URL=${BENTO_KATSU_URL} - GOHAN_TIMEOUT=${BENTO_BEACON_GOHAN_TIMEOUT} - BENTO_BEACON_INTERNAL_PORT - INTERNAL_PORT=${BENTO_BEACON_INTERNAL_PORT} @@ -21,7 +21,7 @@ services: - BENTOV2_DOMAIN - BENTOV2_PUBLIC_URL - BENTO_BEACON_UI_ENABLED - - DRS_URL=${BENTOV2_PUBLIC_URL}/api/drs + - DRS_URL=${BENTO_DRS_URL} # Authorization - BENTO_AUTHZ_SERVICE_URL - BENTO_OPENID_CONFIG_URL diff --git a/lib/drs/docker-compose.drs.yaml b/lib/drs/docker-compose.drs.yaml index 09c56b9d..7d131a41 100644 --- a/lib/drs/docker-compose.drs.yaml +++ b/lib/drs/docker-compose.drs.yaml 
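Review bot: In the beacon compose hunk, `KATSU_BASE_URL` moves from the internal `http://${BENTOV2_KATSU_CONTAINER_NAME}:${BENTOV2_KATSU_INTERNAL_PORT}` to `${BENTO_KATSU_URL}`, which the bento.env hunk of this commit defines from `BENTOV2_PORTAL_PUBLIC_URL`, and `GOHAN_BASE_URL` likewise becomes the portal URL. Beacon's Katsu and Gohan traffic will therefore leave the internal network and re-enter through the gateway, so the container must resolve the public hostname and trust the gateway's TLS certificate; this is likely intended so that the requests are subject to the gateway's authorization layer, but a comment on these lines (`# Public URLs so requests traverse the gateway and its authz checks`) and a check on dev setups with locally issued certificates would help. The aggregation hunk keeps a trailing slash (`${BENTO_KATSU_URL}/`) while the beacon and WES hunks do not; each preserves its previous value, but a note in bento.env that `BENTO_KATSU_URL` carries no trailing slash would prevent double slashes in future consumers.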
@@ -8,7 +8,7 @@ services:
       - BENTO_DRS_CONTAINER_DATA_VOLUME_DIR  # Special container-only variable to specify where the volume is mounted
       - DATABASE=${BENTO_DRS_CONTAINER_DATA_VOLUME_DIR}/db/  # slightly confused naming, folder for database to go in
       - DATA=${BENTO_DRS_CONTAINER_DATA_VOLUME_DIR}/obj/  # DRS file objects, vs. the database
-      - SERVICE_BASE_URL=${BENTOV2_PUBLIC_URL}/api/drs
+      - SERVICE_BASE_URL=${BENTO_DRS_URL}
       - INTERNAL_PORT=${BENTOV2_DRS_INTERNAL_PORT}
       - DRS_INGEST_TMP_DIR=${BENTO_DRS_CONTAINER_TMP_VOLUME_DIR}  # Volume for writing possibly large temporary files to
       - CORS_ORIGINS=${BENTO_CORS_ORIGINS}
diff --git a/lib/wes/docker-compose.wes.yaml b/lib/wes/docker-compose.wes.yaml
index 8699ec57..73556ddf 100644
--- a/lib/wes/docker-compose.wes.yaml
+++ b/lib/wes/docker-compose.wes.yaml
@@ -24,11 +24,11 @@ services:
       - WORKFLOW_HOST_ALLOW_LIST=${BENTOV2_GOHAN_API_CONTAINER_NAME}:${BENTOV2_GOHAN_API_INTERNAL_PORT},${BENTOV2_DOMAIN},${BENTOV2_PORTAL_DOMAIN},${BENTOV2_KATSU_CONTAINER_NAME}:${BENTOV2_KATSU_INTERNAL_PORT}
 
       # Service URLS
-      - DRS_URL=${BENTOV2_PUBLIC_URL}/api/drs
-      - GOHAN_URL=${BENTOV2_PORTAL_PUBLIC_URL}/api/gohan
-      - KATSU_URL=${BENTOV2_PORTAL_PUBLIC_URL}/api/metadata
+      - DRS_URL=${BENTO_DRS_URL}
+      - GOHAN_URL=${BENTO_GOHAN_URL}
+      - KATSU_URL=${BENTO_KATSU_URL}
       - BENTO_AUTHZ_SERVICE_URL
-      - SERVICE_REGISTRY_URL=${BENTOV2_PUBLIC_URL}/api/service-registry
+      - SERVICE_REGISTRY_URL=${BENTO_SERVICE_REGISTRY_URL}
       - INTERNAL_PORT=${BENTOV2_WES_INTERNAL_PORT}
       - WORKFLOW_TIMEOUT=${BENTOV2_WES_WORKFLOW_TIMEOUT}
 

From 9d01c0574bec972c6075e5568b58675be0f0d2f9 Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Thu, 12 Sep 2024 12:46:10 -0400
Subject: [PATCH 20/26] docs: v17 migration and install guides for agg/Beacon, Grafana

---
 docs/installation.md    | 32 +++++++++++++++++++++--------
 docs/migrating_to_17.md | 45 ++++++++++++++++++++++++++++++++---------
 2 files changed, 60 insertions(+), 17 deletions(-)

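Review bot: In the WES hunk, `WORKFLOW_HOST_ALLOW_LIST` still whitelists `${BENTOV2_GOHAN_API_CONTAINER_NAME}:${BENTOV2_GOHAN_API_INTERNAL_PORT}` and `${BENTOV2_KATSU_CONTAINER_NAME}:${BENTOV2_KATSU_INTERNAL_PORT}`, although the `GOHAN_URL` and `KATSU_URL` handed to WES just below now resolve to `${BENTOV2_DOMAIN}` / `${BENTOV2_PORTAL_DOMAIN}`, which the list already contains. If no workflow still addresses those containers directly, the two internal entries are dead allow-list surface and can be dropped; if some do, a comment such as `# container:port entries kept for workflows that bypass the gateway` would stop the next reader from removing them. Which case applies cannot be told from this hunk, and the `environment:` block it sits in starts outside it.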
diff --git a/docs/installation.md b/docs/installation.md
index f278c39a..93cd05a4 100644
--- a/docs/installation.md
+++ b/docs/installation.md
@@ -276,8 +276,10 @@ specified in the step above.
 ./bentoctl.bash init-auth
 ```
 
-**If using an external identity provider**, only start the cluster's gateway
-after setting `CLIENT_SECRET` in your local environment file:
+After running `init-auth`, be sure to put all client secrets into your `local.env` file!
+
+**If using an external identity provider**, only start the cluster's gateway after setting various `*_CLIENT_SECRET`
+variables in your local environment file:
 
 ```bash
 ./bentoctl.bash run gateway
@@ -317,24 +319,38 @@ which in Keycloak should be a UUID.
 ### b. Create grants for the Workflow Execution Service (WES) OAuth2 client
 
-Run the following commands to set up authorization for the WES client. Don't forget to replace `ISSUER_HERE` by the
-issuer URL!
+Run the following commands to set up authorization for the WES client.
+**Don't forget to replace `` with the issuer URL!**
 
 ```bash
 # This grant is a temporary hack to get permissions working for v12/v13. In the future, it should be removed.
 bento_authz create grant \
-  '{"iss": "ISSUER_HERE", "client": "wes"}' \
+  '{"iss": "", "client": "wes"}' \
   '{"everything": true}' \
   'view:private_portal'
 
 # This grant gives permission to access and ingest data into all projects and the reference genome service
 bento_authz create grant \
-  '{"iss": "ISSUER_HERE", "client": "wes"}' \
+  '{"iss": "", "client": "wes"}' \
   '{"everything": true}' \
   'query:data' 'ingest:data' 'ingest:reference_material' 'delete:reference_material'
 ```
 
 
-### c. Configure public data access for all users, including anonymous visitors (if desired):
+### c. Create a grant for the aggregation and Beacon services
+
+Run the following commands to set up authorization for the aggregation/Beacon client.
+**Don't forget to replace `` with the issuer URL!**
+
+```bash
+# In the future, view:private_portal will need to be removed from this grant.
+bento_authz create grant \
+  '{"iss": "", "client": "aggregation"}' \
+  '{"everything": true}' \
+  'query:data' 'view:private_portal'
+```
+
+
+### d. Configure public data access for all users, including anonymous visitors (if desired):
 
 To configure public data access, run the following command in the authorization service container. Note that with the
 `full` value, **THIS GIVES FULL DATA ACCESS TO EVERYONE WHO VISITS YOUR INSTANCE!**
@@ -350,7 +366,7 @@ To configure public data access, run the following command in the authorization
 bento_authz public-data-access counts
 ```
 
-### d. *Optional step:* Assign portal access to all users in the instance realm
+### e. Assign portal access to all users in the instance realm
 
 We added a special permission, `view:private_portal`, to Bento v12/v13 in order to carry forward the current 'legacy'
 authorization behaviour for one more major version. This permission currently behaves as a super-permission,
diff --git a/docs/migrating_to_17.md b/docs/migrating_to_17.md
index 4e6e247b..4ae9d5b8 100644
--- a/docs/migrating_to_17.md
+++ b/docs/migrating_to_17.md
@@ -4,9 +4,11 @@ Key points:
 
 * Bento now has observability tools to help monitor the services (Grafana). Some setup is required for this feature to
   work.
-* Katsu discovery endpoints now have an authorization layer. Data that used to be completely public by default (i.e.,
-  censored counts) now requires a permission (`query:project_level_counts` and/or `query:dataset_level_counts`), and
-  thus a grant in the authorization service.
+* Katsu discovery endpoints now have an authorization layer.
+  * Data that used to be completely public by default (i.e.,
+    censored counts) now requires a permission (`query:project_level_counts` and/or `query:dataset_level_counts`), and
+    thus a grant in the authorization service.
+  * Beacon now requires a client ID/secret and an authorization service grant to access uncesored data.
 * ...
 
 
@@ -24,24 +26,49 @@ Key points:
 ```
 
 
-## 3. *(Optional)* Set up Grafana
+## 3. Set up credentials for aggregation/Beacon and, optionally, set up Grafana
 
-TODO: environment
+If you wish to enable Grafana, you first must enable the monitoring feature in your `local.env` file:
+
+```bash
+BENTO_MONITORING_ENABLED='true'
+```
+
+To create the client secrets for aggregation/Beacon and Grafana (if the latter is enabled), run the following commands:
 
 ```bash
 ./bentoctl.bash start auth
 ./bentoctl.bash init-auth
 ```
 
+Aggregation/Beacon data access authorization will not work until an authorization service grant is configured;
+see step 4 below.
 
-## 4. Set up public data access grants
 
-Starting from Bento v17, anonymous visitors do not have access to see censored counts data by default, even if a
-discovery configuration has been set up. For anonymous visitors to access data, a level (`bool`, `counts`, `full`)
-must be chosen and passed to the `bento_authz` CLI command below.
+## 4. Set up aggregation/Beacon permissions and public data access grants
+
+Now that Beacon uses a client ID/secret to get authorized, uncensored data access for discovery, a grant must be
+configured to give the aggregation/Beacon client data access.
+
+Another change to permissions: starting from Bento v17,  anonymous visitors do not have access to see censored counts
+data by default, even if a discovery configuration has been set up. For anonymous visitors to access data, a level
+(`bool`, `counts`, `full`) must be chosen and passed to the `bento_authz` CLI command below.
 
 ```bash
 ./bentoctl.bash shell authz
+
+# Configure aggregation/Beacon permissions
+# ----------------------------------------
+# This assumes the aggregation/Beacon client ID is "aggregation".
+# MUST be replaced with your actual issuer value.
+# - The query:data permission gives access to Katsu endpoints which are properly authz-enabled.
+# - The view:private_portal permission gives access to Katsu and Gohan endpoints where the proxy still manages access.
+#   This permission will be removed in an uncoming version.
+bento_authz create grant \
+  '{"iss": "", "client": "aggregation"}' \
+  '{"everything": true}' \
+  'query:data' 'view:private_portal'
+
 # Configure public data access
 # ----------------------------
 # The level below ("counts") preserves previous functionality. Other possible options are:

From 64588d6b8f3e1ef4057cd5e78c9fb956a34eb57e Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Thu, 12 Sep 2024 14:37:32 -0400
Subject: [PATCH 21/26] fix env vars passing to beacon

---
 lib/beacon/docker-compose.beacon.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/beacon/docker-compose.beacon.yaml b/lib/beacon/docker-compose.beacon.yaml
index 46cdb249..bd4ad00b 100644
--- a/lib/beacon/docker-compose.beacon.yaml
+++ b/lib/beacon/docker-compose.beacon.yaml
@@ -25,8 +25,8 @@ services:
       # Authorization
       - BENTO_AUTHZ_SERVICE_URL
       - BENTO_OPENID_CONFIG_URL
-      - BEACON_CLIENT_ID=BENTO_AGGREGATION_CLIENT_ID
-      - BEACON_CLIENT_SECRET=BENTO_AGGREGATION_CLIENT_SECRET
+      - BEACON_CLIENT_ID=${BENTO_AGGREGATION_CLIENT_ID}
+      - BEACON_CLIENT_SECRET=${BENTO_AGGREGATION_CLIENT_SECRET}
     volumes:
       - ${BENTO_BEACON_CONFIG_DIR}:/config:ro
     networks:

From c552d3e18c2faaa5f89fba8fe03b3dcbe352e059 Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Thu, 12 Sep 2024 14:46:26 -0400
Subject: [PATCH 22/26] whitespace

---
 docs/installation.md    | 2 +-
 docs/migrating_to_17.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/installation.md b/docs/installation.md
index 93cd05a4..07f0c8e8 100644
--- a/docs/installation.md
+++ b/docs/installation.md
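Review bot: `${BENTO_AGGREGATION_CLIENT_SECRET}` is the right fix for the literal strings that were there before, but compose's default interpolation turns an unset variable into an empty string, so a Beacon started before the secret has been copied into `local.env` (the situation the docs in this series keep warning about) presumably comes up with empty credentials and only fails later, on its first token request. `BEACON_CLIENT_ID=${BENTO_AGGREGATION_CLIENT_ID:?BENTO_AGGREGATION_CLIENT_ID is not set}` and `BEACON_CLIENT_SECRET=${BENTO_AGGREGATION_CLIENT_SECRET:?BENTO_AGGREGATION_CLIENT_SECRET is not set}` make compose refuse to start the service instead, which turns a silent misconfiguration into an immediate, attributable error. Passing the secret as a container environment variable also leaves it readable through `docker inspect`; that matches how the rest of this stack passes secrets, so it is a follow-up hardening item rather than a blocker for this fix.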
@@ -346,7 +346,7 @@ Run the following commands to set up authorization for the aggregation/Beacon cl
 bento_authz create grant \
   '{"iss": "", "client": "aggregation"}' \
   '{"everything": true}' \
-  'query:data' 'view:private_portal'
+  'query:data' 'view:private_portal'
 ```
 
 
diff --git a/docs/migrating_to_17.md b/docs/migrating_to_17.md
index 4ae9d5b8..f8195192 100644
--- a/docs/migrating_to_17.md
+++ b/docs/migrating_to_17.md
@@ -67,7 +67,7 @@ data by default, even if a discovery configuration has been set up. For anonymou
 bento_authz create grant \
   '{"iss": "", "client": "aggregation"}' \
   '{"everything": true}' \
-  'query:data' 'view:private_portal'
+  'query:data' 'view:private_portal'
 
 # Configure public data access
 # ----------------------------

From 0b957e2b6d800d4d1cdfac6308346e20e4e3e8dc Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Mon, 16 Sep 2024 13:48:07 -0400
Subject: [PATCH 23/26] set beacon to edge

---
 etc/bento.env | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/bento.env b/etc/bento.env
index bd9dcb3d..a7bb490b 100644
--- a/etc/bento.env
+++ b/etc/bento.env
@@ -405,7 +405,7 @@ BENTO_PUBLIC_PORTAL_URL=${BENTOV2_PORTAL_PUBLIC_URL}
 BENTO_BEACON_CONTAINER_NAME=${BENTOV2_PREFIX}-beacon
 BENTO_BEACON_NETWORK=${BENTOV2_PREFIX}-beacon-net
 BENTO_BEACON_IMAGE=ghcr.io/bento-platform/bento_beacon
-BENTO_BEACON_VERSION=pr-107
+BENTO_BEACON_VERSION=edge
 BENTO_BEACON_VERSION_DEV=${BENTO_BEACON_VERSION}-dev
 BENTO_BEACON_INTERNAL_PORT=${BENTO_STD_SERVICE_INTERNAL_PORT}
 BENTO_BEACON_EXTERNAL_PORT=5000

From 9b964d0db458803df9f7031d943c89c6ddf0133a Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Mon, 16 Sep 2024 15:57:54 -0400
Subject: [PATCH 24/26] docs: fix issues with issuer template values

---
 docs/installation.md    | 2 +-
 docs/migrating_to_17.md | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/installation.md b/docs/installation.md
index 07f0c8e8..81ffe181 100644
--- a/docs/installation.md
+++ b/docs/installation.md
@@ -344,7 +344,7 @@ Run the following commands to set up authorization for the aggregation/Beacon cl
 ```bash
 # In the future, view:private_portal will need to be removed from this grant.
 bento_authz create grant \
-  '{"iss": "", "client": "aggregation"}' \
+  '{"iss": "", "client": "aggregation"}' \
   '{"everything": true}' \
   'query:data' 'view:private_portal'
 ```
diff --git a/docs/migrating_to_17.md b/docs/migrating_to_17.md
index f8195192..2f4e64bf 100644
--- a/docs/migrating_to_17.md
+++ b/docs/migrating_to_17.md
@@ -60,12 +60,12 @@ data by default, even if a discovery configuration has been set up. For anonymou
 # Configure aggregation/Beacon permissions
 # ----------------------------------------
 # This assumes the aggregation/Beacon client ID is "aggregation".
-# MUST be replaced with your actual issuer value.
+# MUST be replaced with your actual issuer value.
 # - The query:data permission gives access to Katsu endpoints which are properly authz-enabled.
 # - The view:private_portal permission gives access to Katsu and Gohan endpoints where the proxy still manages access.
 #   This permission will be removed in an uncoming version.
 bento_authz create grant \
-  '{"iss": "", "client": "aggregation"}' \
+  '{"iss": "", "client": "aggregation"}' \
   '{"everything": true}' \
   'query:data' 'view:private_portal'
 

From 3a1f559e2c8039e037009645edf130c915842087 Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Mon, 16 Sep 2024 15:59:43 -0400
Subject: [PATCH 25/26] docs: reminder to put client secret(s) in local.env

---
 docs/migrating_to_17.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/migrating_to_17.md b/docs/migrating_to_17.md
index 2f4e64bf..e1025079 100644
--- a/docs/migrating_to_17.md
+++ b/docs/migrating_to_17.md
@@ -41,6 +41,8 @@ To create the client secrets for aggregation/Beacon and Grafana (if the latter i
 ./bentoctl.bash init-auth
 ```
 
+**Reminder:** Make sure to put the client secret(s) generated by `init-auth` into your `local.env` file!
+
 Aggregation/Beacon data access authorization will not work until an authorization service grant is configured;
 see step 4 below.
 

From b2bb0b4f3deeb6c7259cd52b7e5cfd876b4a11bd Mon Sep 17 00:00:00 2001
From: David Lougheed
Date: Mon, 16 Sep 2024 16:04:32 -0400
Subject: [PATCH 26/26] docs: note granular discovery + fix typo

---
 docs/migrating_to_17.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/migrating_to_17.md b/docs/migrating_to_17.md
index e1025079..77774981 100644
--- a/docs/migrating_to_17.md
+++ b/docs/migrating_to_17.md
@@ -8,7 +8,9 @@ Key points:
   * Data that used to be completely public by default (i.e.,
     censored counts) now requires a permission (`query:project_level_counts` and/or `query:dataset_level_counts`), and
     thus a grant in the authorization service.
-  * Beacon now requires a client ID/secret and an authorization service grant to access uncesored data.
+  * Beacon now requires a client ID/secret and an authorization service grant to access uncensored data.
+* Katsu discovery is now more granular, and can be configured to the project or dataset level, in addition to the
+  instance level. See the [Public data discovery configuration](./public_discovery.md) document for more information.
 * ...
 
 