Authorization Service


The Authorization service provides basic authorization for all other datawave microservices. Its core operation is a single authorize endpoint that returns a signed JSON Web Token (JWT) representing a list of DatawaveUser objects. Authorization may be performed by a trusted entity (e.g., a server) on behalf of another user, or on behalf of a chain of servers leading to a user.

The Authorization service caches authorized users and also provides an administrative REST API to query and manage the cache.

When the fields 'email' and 'login' were added to DatawaveUser, V2 of the authorization and OAuth API methods was introduced so that microservices built against the pre-change authorization API can still deserialize a JSON- or JWT-serialized DatawaveUser when they call the V1 methods.
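A microservice that receives the JWT described above must treat it as untrusted input until the signature, algorithm and expiry have been checked; only then is the DatawaveUser list inside it a statement from the Authorization service. The following is an added example written for this page, not DataWave code. It assumes HS256 signing so that it runs stand-alone (the real service signs with its own key material, so pin whatever algorithm it is actually configured with), and it assumes the user list sits under a "principals" claim whose entries carry "name", "type" and "roles" fields; those claim and field names are assumptions, not taken from the service. The mint_token function is a constructed stand-in for the service's signer, and the two attacker-side helpers at the end show what a correct verifier rejects.

```python
"""Verify the authorization service's signed JWT before trusting the users inside it.

Added example, not DataWave code. Assumptions: HS256 signing (pin whatever the real
service uses) and a "principals" claim holding the DatawaveUser list.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, users: list, ttl: int = 300, now: Optional[int] = None) -> str:
    """Constructed stand-in for the service's signer: a list of DatawaveUser dicts becomes a JWT."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(
        {"sub": users[0]["name"], "principals": users, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class TokenError(Exception):
    pass


def verify_token(token: str, key: bytes, now: Optional[int] = None) -> list:
    """Return the DatawaveUser list only if the token is well-formed, untampered and unexpired."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; the token must never choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time compare so the check does not leak how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise TokenError("token expired")
    users = payload.get("principals")
    if not isinstance(users, list) or not users:
        raise TokenError("no users in token")
    return users


def rejection_reason(token: str, key: bytes, now: Optional[int] = None) -> Optional[str]:
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_token(token, key, now)
        return None
    except TokenError as err:
        return str(err)


def primary_user(users: list) -> dict:
    """The end user the chain acts for: first USER entry, else the first entry (assumed convention)."""
    return next((u for u in users if u.get("type") == "USER"), users[0])


def proxy_servers(users: list) -> list:
    """Servers in the chain that acted on the primary user's behalf."""
    return [u for u in users if u.get("type") == "SERVER"]


# Attacker-side helpers, included only to show what the verifier catches.
def tamper_roles(token: str, role: str) -> str:
    """Add a role to the user payload while keeping the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    primary_user(payload["principals"]).setdefault("roles", []).append(role)
    return f"{header_b64}.{b64url_encode(json.dumps(payload).encode())}.{sig_b64}"


def strip_signature(token: str) -> str:
    """Rewrite the header to alg=none and drop the signature entirely."""
    _, payload_b64, _ = token.split(".")
    return f"{b64url_encode(json.dumps({'alg': 'none', 'typ': 'JWT'}).encode())}.{payload_b64}."
```

The order of checks matters: the algorithm is pinned before any signature work, the signature is checked before the payload is parsed, and the user list is only returned after expiry passes, so a tampered or downgraded token never reaches authorization logic.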

Authorization API V1

https://host:port/authorization/v1/

| Method | Operation | Description | Request Body |
|--------|-----------|-------------|--------------|
| GET | authorize | Authorizes the calling user | N/A |
| GET | whoami | Returns details about the calling user | N/A |

Authorization API V2

https://host:port/authorization/v2/

| Method | Operation | Description | Request Body |
|--------|-----------|-------------|--------------|
| GET | authorize | Authorizes the calling user | N/A |
| GET | whoami | Returns details about the calling user | N/A |

OAuth API V2

https://host:port/authorization/v2/oauth/

| Method | Operation | Description | Request Body |
|--------|-----------|-------------|--------------|
| GET | authorize | For a registered client_id and an authorized user, returns a short-lived code that the client can use to retrieve the user's JWT | N/A |
| POST | token | Using either a code from 'authorize' or a refresh_token, a registered client fetches the corresponding user's JWT | N/A |
| GET | user | Returns details about the primary current user (authenticated by token or PKI) | N/A |
| GET | users | Returns details about all current proxied users (authenticated by token or PKI) | N/A |
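The authorize and token operations above form a code-for-token exchange, and its security rests on three properties: the code is only issued to a registered client_id, it is short-lived and redeemable once, and it can only be redeemed by the client it was issued to. The following in-memory model is an added example written for this page, not the service's implementation; it assumes a per-client secret presented to token, OAuth-style error responses ("invalid_client", "invalid_grant", "invalid_request"), refresh-token rotation on every use, and a 60-second code lifetime. Those parameter names and values are assumptions, and issue_jwt is a placeholder for whatever produces the user's signed JWT.

```python
"""In-memory model of the OAuth API V2 code-for-token exchange.

Added example, not the service's implementation. Parameter names, the per-client
secret, the error codes and the code lifetime are assumptions.
"""
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

CODE_TTL_SECONDS = 60  # how long a code from 'authorize' stays redeemable (assumed)


class OAuthModel:
    def __init__(self, clients: Dict[str, str], issue_jwt: Callable[[str], str],
                 now: Callable[[], float] = time.time):
        self.clients = clients        # registered client_id -> client_secret (assumed)
        self.issue_jwt = issue_jwt    # placeholder for the service's JWT signer
        self.now = now                # injectable clock so expiry can be tested
        self.codes: Dict[str, tuple] = {}     # code -> (client_id, user, expires_at)
        self.refresh: Dict[str, tuple] = {}   # refresh_token -> (client_id, user)

    def authorize(self, client_id: str, user: str) -> Optional[str]:
        """GET authorize: the caller is an already-authorized user; only a registered
        client_id receives a code, and the code is bound to that client."""
        if client_id not in self.clients:
            return None
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, user, self.now() + CODE_TTL_SECONDS)
        return code

    def _client_ok(self, client_id: str, client_secret: str) -> bool:
        expected = self.clients.get(client_id)
        return expected is not None and hmac.compare_digest(expected.encode(), client_secret.encode())

    def token(self, client_id: str, client_secret: str, code: Optional[str] = None,
              refresh_token: Optional[str] = None) -> dict:
        """POST token: redeem a code or a refresh_token for the user's JWT."""
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        if code is not None:
            entry = self.codes.pop(code, None)            # pop: a code is redeemable once
            if entry is None:
                return {"error": "invalid_grant"}
            bound_client, user, expires_at = entry
            if bound_client != client_id or self.now() > expires_at:
                return {"error": "invalid_grant"}          # wrong client or expired code
        elif refresh_token is not None:
            entry = self.refresh.pop(refresh_token, None)  # pop: rotate on every use
            if entry is None or entry[0] != client_id:
                return {"error": "invalid_grant"}
            user = entry[1]
        else:
            return {"error": "invalid_request"}
        new_refresh = secrets.token_urlsafe(32)
        self.refresh[new_refresh] = (client_id, user)
        return {"access_token": self.issue_jwt(user), "token_type": "Bearer",
                "refresh_token": new_refresh}
```

Because the client is authenticated before the code is looked up, a guess with a wrong secret does not consume the legitimate client's code, while any lookup that does succeed removes the code, so a code captured in transit is worthless to anyone but the client it was bound to, and only until it is first used or expires.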

Admin API

Users must possess the Administrator role to access any of the admin methods.

| Method | Operation | Description | Request Body |
|--------|-----------|-------------|--------------|
| DELETE | admin/evictAll | Deletes all users from the cache | N/A |
| DELETE | admin/evictUser | Deletes the named user from the cache | N/A |
| DELETE | admin/evictUsersMatching | Deletes users with names containing the supplied string from the authorization cache | N/A |
| GET | admin/listUsers | Shows all users in the cache | N/A |
| GET | admin/listUser | Retrieves the named user from the cache | N/A |
| GET | admin/listUsersMatching | Retrieves users with names containing the supplied string from the authorization cache | N/A |

Getting Started

  1. First, refer to services/README for launching the config service.

  2. Launch this service as follows, with the mock profile to leverage test PKI materials and associated user configuration (see authorization-mock.yml).

    java -jar service/target/authorization-service*-exec.jar --spring.profiles.active=dev,mock
    
  3. Ensure that the testUser.p12 (password: ChangeIt) cert is imported into your browser, and then visit any of the endpoints listed above (for example, https://host:port/authorization/v2/whoami).

See sample_configuration/authorization-dev.yml and configure as desired.