| <!doctype html> |
| <html lang="zh-cn" dir="ltr" class="docs-wrapper docs-doc-page docs-version-0.8.0 plugin-docs plugin-id-default docs-doc-id-designDocs/wip-designs/security-implementation"> |
| <head> |
| <meta charset="UTF-8"> |
| <meta name="viewport" content="width=device-width,initial-scale=1"> |
| <meta name="generator" content="Docusaurus v2.0.0-beta.18"> |
| <title data-rh="true">Security Implementation | Apache Submarine</title><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:url" content="https://submarine.apache.org//zh-cn/docs/designDocs/wip-designs/security-implementation"><meta data-rh="true" name="docusaurus_locale" content="zh-cn"><meta data-rh="true" name="docsearch:language" content="zh-cn"><meta data-rh="true" name="docusaurus_version" content="0.8.0"><meta data-rh="true" name="docusaurus_tag" content="docs-default-0.8.0"><meta data-rh="true" name="docsearch:version" content="0.8.0"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-0.8.0"><meta data-rh="true" property="og:title" content="Security Implementation | Apache Submarine"><meta data-rh="true" name="description" content="<!--"><meta data-rh="true" property="og:description" content="<!--"><link data-rh="true" rel="icon" href="/zh-cn/img/submarine.ico"><link data-rh="true" rel="canonical" href="https://submarine.apache.org//zh-cn/docs/designDocs/wip-designs/security-implementation"><link data-rh="true" rel="alternate" href="https://submarine.apache.org//docs/designDocs/wip-designs/security-implementation" hreflang="en"><link data-rh="true" rel="alternate" href="https://submarine.apache.org//zh-cn/docs/designDocs/wip-designs/security-implementation" hreflang="zh-cn"><link data-rh="true" rel="alternate" href="https://submarine.apache.org//docs/designDocs/wip-designs/security-implementation" hreflang="x-default"><link rel="stylesheet" href="/zh-cn/assets/css/styles.80258812.css"> |
| <link rel="preload" href="/zh-cn/assets/js/runtime~main.aaa6cb63.js" as="script"> |
| <link rel="preload" href="/zh-cn/assets/js/main.54762d30.js" as="script"> |
| </head> |
| <body class="navigation-with-keyboard"> |
| <script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus"> |
class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret menu__link--active" aria-expanded="true" tabindex="0" href="/zh-cn/docs/designDocs/wip-designs/submarine-launcher">WIP Design Docs</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/zh-cn/docs/designDocs/wip-designs/submarine-launcher">Submarine Launcher</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link menu__link--active" aria-current="page" tabindex="0" href="/zh-cn/docs/designDocs/wip-designs/security-implementation">Security Implementation</a></li></ul></li></ul></li></ul></nav></div></aside><main class="docMainContainer_TCnq"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_DM6M"><div class="docItemContainer_vinB"><article><nav class="theme-doc-breadcrumbs breadcrumbsContainer_Xlws" aria-label="breadcrumbs"><ul class="breadcrumbs" itemscope="" itemtype="https://schema.org/BreadcrumbList"><li class="breadcrumbs__item"><a class="breadcrumbs__link" href="/zh-cn/">🏠</a></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item"><span class="breadcrumbs__link" itemprop="item name">Design Docs</span><meta itemprop="position" content="1"></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item"><span class="breadcrumbs__link" itemprop="item name">WIP Design Docs</span><meta itemprop="position" content="2"></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item breadcrumbs__item--active"><span class="breadcrumbs__link" itemprop="item name">Security Implementation</span><meta itemprop="position" 
| content="3"></li></ul></nav><span class="theme-doc-version-badge badge badge--secondary">Version: 0.8.0</span><div class="tocCollapsible_jdIR theme-doc-toc-mobile tocMobile_TmEX"><button type="button" class="clean-btn tocCollapsibleButton_Fzxq">On this page</button></div><div class="theme-doc-markdown markdown"><header><h1>Security Implementation</h1></header><h2 class="anchor anchorWithStickyNavbar_mojV" id="handle-users-credential">Handle User's Credential<a class="hash-link" href="#handle-users-credential" title="Direct link to heading"></a></h2><p>User credentials include Kerberos keytabs, Docker registry credentials, GitHub SSH keys, etc.</p><p>User credentials must be stored securely, for example via Keycloak or K8s Secrets.</p><p>(More details TODO)</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="authentication">Authentication<a class="hash-link" href="#authentication" title="Direct link to heading"></a></h2><p>We use <a href="https://www.pac4j.org/" target="_blank" rel="noopener noreferrer">pac4j</a> as the secure authentication component of <code>submarine-server</code>. |
| Based on <code>pac4j</code>, we plan to support popular authentication services such as OAuth2/OpenID Connect (OIDC), LDAP, SAML, CAS, etc. |
| and use a token-based mechanism to handle external service requests and internal message communication. |
| In the initial version we will first integrate OAuth2/OIDC, LDAP, |
| and a simple login mode that does not rely on other authentication services. |
| There are already some PRs in the community that try to integrate authentication services into <code>submarine</code> |
| ( <a href="https://github.com/apache/submarine/pull/833" target="_blank" rel="noopener noreferrer">New SSO function based on OIDC</a> and <a href="https://github.com/apache/submarine/pull/419" target="_blank" rel="noopener noreferrer">Create rest api to authenticate user from LDAP</a> ), |
| We will try to combine and build on these PRs.</p><h3 class="anchor anchorWithStickyNavbar_mojV" id="supported-authentication-types">Supported authentication types<a class="hash-link" href="#supported-authentication-types" title="Direct link to heading"></a></h3><h4 class="anchor anchorWithStickyNavbar_mojV" id="none">None<a class="hash-link" href="#none" title="Direct link to heading"></a></h4><p>While supporting authentication, we will also provide a way to turn off authentication and call the service directly, |
| so that previous versions of submarine that do not support authentication can still call the service. |
| Authentication is provided by default in submarine, but it can also be turned off by manually setting <code>submarine.auth.type</code> to <code>none</code> (the Configuration table below, however, lists <code>none</code> as the default value of <code>submarine.auth.type</code>).</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="simple">Simple<a class="hash-link" href="#simple" title="Direct link to heading"></a></h4><p>Provides a simple form of authentication. |
| When users log in to the system, the username and password entered will be matched against the <code>sys_user</code> table within the system, |
| and if they match, a <code>token</code> will be generated and returned to the frontend. |
| All services will need to carry the <code>token</code> in the request header to confirm the user's identity.</p><div class="codeBlockContainer_I0IT theme-code-block"><div class="codeBlockContent_wNvx" style="color:#bfc7d5;background-color:#292d3e"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#bfc7d5"><span class="token plain">Authorization: Bearer &lt;token&gt;</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" title="Copy" class="copyButton_eDfN clean-btn"><span class="copyButtonIcons_W9eQ" aria-hidden="true"><svg class="copyButtonIcon_XEyF" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_i9w9" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div><h4 class="anchor anchorWithStickyNavbar_mojV" id="oauth2">OAuth2<a class="hash-link" href="#oauth2" title="Direct link to heading"></a></h4><p>Supports OAuth2 as a user authentication service, requiring a redirect to a third-party authentication platform for single sign-on when logging into <code>submarine</code>. |
| <code>Submarine</code> requires an OAuth2 token as an authentication credential, including the refresh token. |
| If the logged-in user does not yet exist in <code>submarine</code>, the user record will be created automatically.</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="oidc">OIDC<a class="hash-link" href="#oidc" title="Direct link to heading"></a></h4><p>OIDC is similar to OAuth2, except that <code>submarine.auth.oidc.discover.uri</code> is required to support <a href="https://openid.net/specs/openid-connect-discovery-1_0.html" target="_blank" rel="noopener noreferrer">OpenID Connect Discovery</a>, |
| where an OpenID server publishes its metadata at a well-known URL, typically</p><div class="codeBlockContainer_I0IT theme-code-block"><div class="codeBlockContent_wNvx" style="color:#bfc7d5;background-color:#292d3e"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#bfc7d5"><span class="token plain">https://server.com/.well-known/openid-configuration</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" title="Copy" class="copyButton_eDfN clean-btn"><span class="copyButtonIcons_W9eQ" aria-hidden="true"><svg class="copyButtonIcon_XEyF" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_i9w9" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div><p>This URL returns a JSON listing of the OpenID/OAuth endpoints, supported scopes and claims, public keys used to sign the tokens, and other details. |
| <code>pac4j</code> can use this information to construct requests to the OpenID server. |
| The field names and values are defined in the OpenID Connect Discovery Specification. Here is an example of data returned:</p><div class="codeBlockContainer_I0IT language-json theme-code-block"><div class="codeBlockContent_wNvx" style="color:#bfc7d5;background-color:#292d3e"><pre tabindex="0" class="prism-code language-json codeBlock_jd64 thin-scrollbar"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#bfc7d5"><span class="token punctuation" style="color:rgb(199, 146, 234)">{</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">"issuer"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"https://example.com/"</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">"authorization_endpoint"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"https://example.com/authorize"</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">"token_endpoint"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"https://example.com/token"</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token 
property">"userinfo_endpoint"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"https://example.com/userinfo"</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">"jwks_uri"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"https://example.com/.well-known/jwks.json"</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">"scopes_supported"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"pets_read"</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"pets_write"</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"admin"</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> 
</span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">"response_types_supported"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"code"</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"id_token"</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"token id_token"</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">"token_endpoint_auth_methods_supported"</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token plain"></span><br></span><span class="token-line" 
style="color:#bfc7d5"><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">"client_secret_basic"</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> ...</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token punctuation" style="color:rgb(199, 146, 234)">}</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" title="Copy" class="copyButton_eDfN clean-btn"><span class="copyButtonIcons_W9eQ" aria-hidden="true"><svg class="copyButtonIcon_XEyF" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_i9w9" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div><h4 class="anchor anchorWithStickyNavbar_mojV" id="ldap">LDAP<a class="hash-link" href="#ldap" title="Direct link to heading"></a></h4><p>[TODO]</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="saml">SAML<a class="hash-link" href="#saml" title="Direct link to heading"></a></h4><p>[TODO]</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="cas">CAS<a class="hash-link" href="#cas" title="Direct link to heading"></a></h4><p>[TODO]</p><h3 class="anchor anchorWithStickyNavbar_mojV" id="configuration">Configuration<a class="hash-link" href="#configuration" title="Direct link to 
| heading"></a></h3><table><thead><tr><th>Attribute</th><th>Description</th><th>Type</th><th>Default</th><th>Comment</th></tr></thead><tbody><tr><td>submarine.auth.type</td><td>Authentication type; currently available are: none, simple, oauth2/oidc, ldap, kerberos, saml, cas</td><td>string</td><td>none</td><td>Only one authentication method can be supported at any one time</td></tr><tr><td>submarine.auth.token.maxAge</td><td>Expiry time of the token (in minutes)</td><td>int</td><td>1 day</td><td></td></tr><tr><td>submarine.auth.refreshToken.maxAge</td><td>Expiry time of the refresh token (in minutes)</td><td>int</td><td>1 hour</td><td></td></tr><tr><td>submarine.cookie.http.only</td><td>Set the HttpOnly attribute on the cookie</td><td>boolean</td><td>false</td><td></td></tr><tr><td>submarine.cookie.secure</td><td>Set the Secure attribute on the cookie</td><td>boolean</td><td>false</td><td></td></tr><tr><td>submarine.cookie.samesite</td><td>SameSite attribute of the cookie; can be Lax, Strict or None (or empty)</td><td>string</td><td></td><td><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite" target="_blank" rel="noopener noreferrer">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite</a></td></tr><tr><td>submarine.auth.oauth2.client.id</td><td>OAuth2 client id</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oauth2.client.secret</td><td>OAuth2 client secret</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oauth2.client.flows</td><td>OAuth2 flows, can be: authorizationCode, implicit, password or clientCredentials</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oauth2.scopes</td><td>The available scopes for the OAuth2 security scheme. 
A map between the scope name and a short description for it.</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oauth2.token.uri</td><td>OAuth2 access token uri</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oauth2.refresh.uri</td><td>OAuth2 refresh token uri</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oauth2.authorization.uri</td><td>OAuth2 authorization uri</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oauth2.logout.uri</td><td>OAuth2 logout uri</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oidc.client.id</td><td>OIDC client id</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oidc.client.secret</td><td>OIDC client Secret</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oidc.discover.uri</td><td>OIDC discovery uri</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.ladp.provider.uri</td><td>LDAP provider uri</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.ladp.baseDn</td><td>LDAP base DN</td><td>string</td><td></td><td>base DN is the base LDAP distinguished name for your LDAP server. For example, ou=dev,dc=xyz,dc=com</td></tr><tr><td>submarine.auth.ladp.domain</td><td>LDAP AD domain</td><td>string</td><td></td><td>AD domain is the domain name of the AD server. For example, corp.domain.com</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_mojV" id="design-and-implementation">Design and implementation<a class="hash-link" href="#design-and-implementation" title="Direct link to heading"></a></h3><p>We use <code>javax.servlet.Filter</code> in the server to determine if authentication information exists for a user. |
| The <code>Filter</code> is implemented for each authentication type and is configured according to the implementation of the type specified by <code>pac4j</code>. |
| Also, a <code>SecurityFactory</code> class is provided that instantiates the <code>Filter</code> class selected by <code>submarine.auth.type</code> and registers it as a Jetty filter.</p><p>Except when <code>submarine.auth.type</code> is <code>none</code>, and for the few APIs needed to perform authentication itself (login requests, etc.), the token must be included in the request header. |
| The token is generated and verified with <code>pac4j</code> and processed inside the <code>Filter</code> class; a request with an incorrect or missing token is rejected with HTTP status 401.</p><p>When a token expires, a new one can be obtained by calling the refresh token method. The default token expiry time is currently 1 day (configurable via <code>submarine.auth.token.maxAge</code>) and the default refresh token expiry time is 1 hour.</p><h3 class="anchor anchorWithStickyNavbar_mojV" id="users">Users<a class="hash-link" href="#users" title="Direct link to heading"></a></h3><p>This section describes the design of the relevant user tables, the user registration/modification/deletion processes, |
| and the processing logic associated with authenticated login |
| (including the mapping of attributes for automatically registered users when integrating with other authentication platforms, etc.).</p><p>We use <code>sys_user</code> table to store user information for submarines. |
| When <code>submarine.auth.type</code> is <code>simple</code>, the user's login operation matches the supplied <code>user_name</code> and <code>password</code> against the (encrypted) values stored in <code>sys_user</code>; the login succeeds only when both match. |
| When <code>submarine.auth.type</code> is <code>ldap</code>, the user's login operation sends a request to the LDAP server, which verifies that the username and password are correct. A new record is added to the <code>sys_user</code> table if the logged-in user does not exist yet. |
| When logging in using other third-party authentication (OAuth2/OpenID Connect (OIDC), SAML, CAS etc.), the login page automatically redirects to the third-party service and returns to Submarine after a successful login. A new record is added to the <code>sys_user</code> table if the logged-in user does not exist yet.</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="department">Department<a class="hash-link" href="#department" title="Direct link to heading"></a></h4><p>[TODO]</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="role">Role<a class="hash-link" href="#role" title="Direct link to heading"></a></h4><p>[TODO]</p><h3 class="anchor anchorWithStickyNavbar_mojV" id="rbac">RBAC<a class="hash-link" href="#rbac" title="Direct link to heading"></a></h3><p>[TODO]</p></div><footer class="theme-doc-footer docusaurus-mt-lg"><div class="theme-doc-footer-edit-meta-row row"><div class="col"><a href="https://github.com/apache/submarine/edit/master/website/versioned_docs/version-0.8.0/designDocs/wip-designs/security-implementation.md" target="_blank" rel="noreferrer noopener" class="theme-edit-this-page"><svg fill="currentColor" height="20" width="20" viewBox="0 0 40 40" class="iconEdit_dcUD" aria-hidden="true"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div><div class="col lastUpdated_foO9"></div></div></footer></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/zh-cn/docs/designDocs/wip-designs/submarine-launcher"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">Submarine Launcher</div></a></div><div class="pagination-nav__item pagination-nav__item--next"></div></nav></div></div><div class="col col--3"><div class="tableOfContents_cNA8 thin-scrollbar 
theme-doc-toc-desktop"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#handle-users-credential" class="table-of-contents__link toc-highlight">Handle User's Credential</a></li><li><a href="#authentication" class="table-of-contents__link toc-highlight">Authentication</a><ul><li><a href="#supported-authentication-types" class="table-of-contents__link toc-highlight">Supported authentication types</a></li><li><a href="#configuration" class="table-of-contents__link toc-highlight">Configuration</a></li><li><a href="#design-and-implementation" class="table-of-contents__link toc-highlight">Design and implementation</a></li><li><a href="#users" class="table-of-contents__link toc-highlight">Users</a></li><li><a href="#rbac" class="table-of-contents__link toc-highlight">RBAC</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container container-fluid"><div class="row footer__links"><div class="col footer__col"><div class="footer__title">文档</div><ul class="footer__items"><li class="footer__item"><a class="footer__link-item" href="/zh-cn/docs/gettingStarted/quickstart">入门教程</a></li><li class="footer__item"><a class="footer__link-item" href="/zh-cn/docs/api/environment">API 文档</a></li></ul></div><div class="col footer__col"><div class="footer__title">社区</div><ul class="footer__items"><li class="footer__item"><a href="https://stackoverflow.com/questions/tagged/apache-submarine" target="_blank" rel="noopener noreferrer" class="footer__link-item">Stack Overflow<svg width="13.5" height="13.5" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li class="footer__item"><a href="https://s.apache.org/slack-invite" target="_blank" rel="noopener noreferrer" class="footer__link-item">Slack<svg width="13.5" height="13.5" 
aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li></ul></div><div class="col footer__col"><div class="footer__title">更多</div><ul class="footer__items"><li class="footer__item"><a href="https://medium.com/@apache.submarine" target="_blank" rel="noopener noreferrer" class="footer__link-item">博客</a></li><li class="footer__item"><a href="https://github.com/apache/submarine" target="_blank" rel="noopener noreferrer" class="footer__link-item">GitHub<svg width="13.5" height="13.5" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li></ul></div></div><div class="footer__bottom text--center"><div class="margin-bottom--sm"><a href="https://www.apache.org/" target="_blank" rel="noopener noreferrer" class="footerLogoLink_gHmE"><img src="https://hadoop.apache.org/asf_logo_wide.png" alt="Apache Open Source Logo" class="themedImage_W2Cr themedImage--light_TfLj footer__logo"><img src="https://hadoop.apache.org/asf_logo_wide.png" alt="Apache Open Source Logo" class="themedImage_W2Cr themedImage--dark_oUvU footer__logo"></a></div><div class="footer__copyright">Apache Submarine, Submarine, Apache, the Apache feather logo, and the Apache Submarine project logo are |
| either registered trademarks or trademarks of the Apache Software Foundation in the United States and other |
| countries.<br> Copyright © 2023 Apache Submarine is Apache2 Licensed software.</div></div></div></footer></div> |
| <script src="/zh-cn/assets/js/runtime~main.aaa6cb63.js"></script> |
| <script src="/zh-cn/assets/js/main.54762d30.js"></script> |
| </body> |
| </html> |