46 changes: 45 additions & 1 deletion docs/migrating_to_19.md
@@ -1,3 +1,47 @@
# Migrating to Bento v19

TODO
## Bento public authorization

Starting with v19, Bento can be configured to only show the data catalogue to authorized users.

Follow the steps in this section to make the data catalogue of an instance private.

First turn on the feature flag in your `local.env`:

```bash
# local.env
BENTO_KATSU_PROJECTS_LIST_AUTHZ=true
```

Then, you must create authorization grants that give the `view:project` permission to the users.
This can be done in the "access management" section of the private portal, or directly in the `authz` service using
its CLI:

```bash
# In bento dir
./bentoctl.bash shell authz

# In authz shell
# Create grant for users
bento_authz create grant \
'{"iss": "<ISSUER_HERE>", "sub": <USER_UUID_HERE>}' \
'{"everything": true}' \
'view:project'
```

Keep in mind that the `view:project` permission needs to be given to the users of the private portal as well, since
Katsu performs the authorization checks for all its clients.
Otherwise, private portal users will not be able to use the data manager.

If a user only has the `view:project` permission, they will be able to see the data catalogue, but they need additional
read permissions to use the search and beacon sections:

```bash
# In authz shell
bento_authz create grant \
'{"iss": "<ISSUER_HERE>", "sub": <USER_UUID_HERE>}' \
'{"everything": true}' \
'query:project_level_boolean' 'query:project_level_counts' 'query:data'
```

For users that will only interact with bento-public, the permissions can be bundled in a single grant.
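Review bot: the grant examples at `'{"iss": "<ISSUER_HERE>", "sub": <USER_UUID_HERE>}'` leave the `sub` value unquoted, so substituting a real UUID produces invalid JSON; it should read `"sub": "<USER_UUID_HERE>"` in both code blocks. Two documentation gaps in the same section: the `# local.env` block only mentions `BENTO_KATSU_PROJECTS_LIST_AUTHZ`, while this PR also introduces `BENTO_KATSU_DATASETS_LIST_AUTHZ` in etc/bento.env, so the guide should say whether that flag is expected to be set alongside it; and since every example uses `'{"everything": true}'` as the resource, it is worth stating that this grants `view:project` across the whole instance and whether the resource can be narrowed to a single project for users who should see only part of the catalogue.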
13 changes: 8 additions & 5 deletions etc/bento.env
Expand Up @@ -80,7 +80,7 @@ BENTO_AUTH_DB_NETWORK="${BENTOV2_PREFIX}-auth-db-net"

# - Authz service
BENTO_AUTHZ_IMAGE=ghcr.io/bento-platform/bento_authorization_service
BENTO_AUTHZ_VERSION=0.10.3
BENTO_AUTHZ_VERSION=pr-60
BENTO_AUTHZ_VERSION_DEV=${BENTO_AUTHZ_VERSION}-dev
BENTO_AUTHZ_CONTAINER_NAME=${BENTOV2_PREFIX}-authz
BENTO_AUTHZ_NETWORK=${BENTOV2_PREFIX}-authz-net
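Review bot: `BENTO_AUTHZ_VERSION` moves from the release tag `0.10.3` to the PR image tag `pr-60`, and the same pattern appears in the other hunks of this file (`BENTOV2_WEB_VERSION=pr-483`, `BENTOV2_KATSU_VERSION=pr-573`, `BENTO_PUBLIC_VERSION=pr-263`, `BENTO_BEACON_VERSION=pr-127`). PR image tags track unmerged branches and are rebuilt as those branches change, so a deployment pinned to them is not reproducible; these lines should go back to tagged releases (or `edge`, which several of them were before) once the dependent PRs merge and before this lands on a release branch. Note that `BENTO_AUTHZ_VERSION_DEV` and the other `*_VERSION_DEV` values derive from these, so the dev images are affected as well.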
Expand All @@ -100,7 +100,7 @@ BENTO_AUTHZ_DB_MEM_LIM=1G
# Web
BENTO_WEB_CUSTOM_HEADER=
BENTOV2_WEB_IMAGE=ghcr.io/bento-platform/bento_web
BENTOV2_WEB_VERSION=edge
BENTOV2_WEB_VERSION=pr-483
BENTOV2_WEB_VERSION_DEV=${BENTOV2_WEB_VERSION}-dev
BENTOV2_WEB_CONTAINER_NAME=${BENTOV2_PREFIX}-web
BENTO_WEB_NETWORK=${BENTOV2_PREFIX}-web-net
Expand Down Expand Up @@ -278,7 +278,7 @@ BENTOV2_KATSU_DB_CPUS=4

# Katsu
BENTOV2_KATSU_IMAGE=ghcr.io/bento-platform/katsu
BENTOV2_KATSU_VERSION=edge
BENTOV2_KATSU_VERSION=pr-573
BENTOV2_KATSU_VERSION_DEV=${BENTOV2_KATSU_VERSION}-dev
BENTOV2_KATSU_CONTAINER_NAME=${BENTOV2_PREFIX}-katsu
BENTO_KATSU_NETWORK=${BENTOV2_PREFIX}-katsu-net
Expand All @@ -295,6 +295,9 @@ BENTOV2_KATSU_PROD_WES_VOL_TMP_DIR=${BENTOV2_WES_VOL_TMP_DIR}
BENTOV2_KATSU_MEM_LIM=4G
BENTOV2_KATSU_CPUS=4

BENTO_KATSU_PROJECTS_LIST_AUTHZ="false"
BENTO_KATSU_DATASETS_LIST_AUTHZ="false"

# sub path where Katsu can be reached from Bento portal. Used by Django for building
# urls in templates.
CHORD_METADATA_SUB_PATH=/api/metadata
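Review bot: the two new flags are added without a comment, unlike the `# sub path ...` lines just below them; a one-line comment saying that they gate the Katsu project and dataset list endpoints behind the `view:project` permission (as described in docs/migrating_to_19.md) and that `"false"` keeps the pre-v19 public behaviour would help operators reading this file. The default is quoted (`"false"`) while the migration guide writes the override as bare `true`; pick one style so readers do not assume the quotes carry meaning. Also, `BENTO_KATSU_DATASETS_LIST_AUTHZ` is introduced here but never mentioned in the migration guide hunk of this PR.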
Expand Down Expand Up @@ -387,7 +390,7 @@ BENTOV2_GOHAN_PRIVATE_AUTHZ_URL=http://${BENTOV2_GOHAN_AUTHZ_OPA_CONTAINER_NAME}
# Bento-Public

BENTO_PUBLIC_IMAGE=ghcr.io/bento-platform/bento_public
BENTO_PUBLIC_VERSION=edge
BENTO_PUBLIC_VERSION=pr-263
BENTO_PUBLIC_VERSION_DEV=${BENTO_PUBLIC_VERSION}-dev
BENTO_PUBLIC_CONTAINER_NAME=${BENTOV2_PREFIX}-public
BENTO_PUBLIC_NETWORK=${BENTOV2_PREFIX}-public-net
Expand All @@ -407,7 +410,7 @@ BENTO_PUBLIC_PORTAL_URL=${BENTOV2_PORTAL_PUBLIC_URL}
BENTO_BEACON_CONTAINER_NAME=${BENTOV2_PREFIX}-beacon
BENTO_BEACON_NETWORK=${BENTOV2_PREFIX}-beacon-net
BENTO_BEACON_IMAGE=ghcr.io/bento-platform/bento_beacon
BENTO_BEACON_VERSION=0.19.0
BENTO_BEACON_VERSION=pr-127
BENTO_BEACON_VERSION_DEV=${BENTO_BEACON_VERSION}-dev
BENTO_BEACON_INTERNAL_PORT=${BENTO_STD_SERVICE_INTERNAL_PORT}
BENTO_BEACON_EXTERNAL_PORT=5000
2 changes: 2 additions & 0 deletions lib/katsu/docker-compose.katsu.yaml
Expand Up @@ -32,6 +32,8 @@ services:
# Authz
- BENTO_AUTHZ_ENABLED=True
- BENTO_AUTHZ_SERVICE_URL
- KATSU_PROJECTS_LIST_AUTHZ=${BENTO_KATSU_PROJECTS_LIST_AUTHZ}
- KATSU_DATASETS_LIST_AUTHZ=${BENTO_KATSU_DATASETS_LIST_AUTHZ}
- CORS_ORIGINS=${BENTO_CORS_ORIGINS}
# configs:
# - source: chord-metadata-settings
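Review bot: `${BENTO_KATSU_PROJECTS_LIST_AUTHZ}` and `${BENTO_KATSU_DATASETS_LIST_AUTHZ}` have no fallback, so on a deployment whose environment does not define them (for example an env set that predates the new lines in etc/bento.env) Katsu receives an empty string rather than `false`, and how Katsu interprets an empty value is not visible in this diff. Writing them as `${BENTO_KATSU_PROJECTS_LIST_AUTHZ:-false}` and `${BENTO_KATSU_DATASETS_LIST_AUTHZ:-false}` makes the public default explicit at the point where the variable is consumed. It is also worth confirming that Katsu parses these values with the same rule as `BENTO_AUTHZ_ENABLED=True` two lines above, since that line uses a capitalised `True` while the new flags are lowercase.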