<!doctype html>
<html lang="zh-cn" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-designDocs/wip-designs/security-implementation">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="generator" content="Docusaurus v2.0.0-beta.18">
<title data-rh="true">Security Implementation | Apache Submarine</title><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:url" content="https://submarine.apache.org//zh-cn/docs/next/designDocs/wip-designs/security-implementation"><meta data-rh="true" name="docusaurus_locale" content="zh-cn"><meta data-rh="true" name="docsearch:language" content="zh-cn"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="Security Implementation | Apache Submarine"><meta data-rh="true" name="description" content="&lt;!--"><meta data-rh="true" property="og:description" content="&lt;!--"><link data-rh="true" rel="icon" href="/zh-cn/img/submarine.ico"><link data-rh="true" rel="canonical" href="https://submarine.apache.org//zh-cn/docs/next/designDocs/wip-designs/security-implementation"><link data-rh="true" rel="alternate" href="https://submarine.apache.org//docs/next/designDocs/wip-designs/security-implementation" hreflang="en"><link data-rh="true" rel="alternate" href="https://submarine.apache.org//zh-cn/docs/next/designDocs/wip-designs/security-implementation" hreflang="zh-cn"><link data-rh="true" rel="alternate" href="https://submarine.apache.org//docs/next/designDocs/wip-designs/security-implementation" hreflang="x-default"><link rel="stylesheet" href="/zh-cn/assets/css/styles.80258812.css">
<link rel="preload" href="/zh-cn/assets/js/runtime~main.aaa6cb63.js" as="script">
<link rel="preload" href="/zh-cn/assets/js/main.54762d30.js" as="script">
</head>
<body class="navigation-with-keyboard">
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<div role="region"><a href="#" class="skipToContent_ZgBM">Skip to main content</a></div><nav class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Navigation bar toggle" class="navbar__toggle clean-btn" type="button" tabindex="0"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/zh-cn/"><div class="navbar__logo"><img src="/zh-cn/img/icons/128.png" alt="Apache Submarine Site Logo" class="themedImage_W2Cr themedImage--light_TfLj"><img src="/zh-cn/img/icons/128.png" alt="Apache Submarine Site Logo" class="themedImage_W2Cr themedImage--dark_oUvU"></div><b class="navbar__title">Apache Submarine</b></a><a class="navbar__item navbar__link navbar__link--active" href="/zh-cn/docs/next/gettingStarted/quickstart">文档</a><a class="navbar__item navbar__link" href="/zh-cn/docs/next/api/environment">API</a><a class="navbar__item navbar__link" href="/zh-cn/docs/next/download">下载</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a href="#" aria-haspopup="true" aria-expanded="false" role="button" class="navbar__link"><span><svg viewBox="0 0 24 24" width="20" height="20" aria-hidden="true" class="iconLanguage_dNtB"><path fill="currentColor" d="M12.87 15.07l-2.54-2.51.03-.03c1.74-1.94 2.98-4.17 3.71-6.53H17V4h-7V2H8v2H1v1.99h11.17C11.5 7.92 10.44 9.75 9 11.35 8.07 10.32 7.3 9.19 6.69 8h-2c.73 1.63 1.73 3.17 2.98 4.56l-5.09 5.02L4 19l5-5 3.11 3.11.76-2.04zM18.5 10h-2L12 22h2l1.12-3h4.75L21 22h2l-4.5-12zm-2.62 7l1.62-4.33L19.12 17h-3.24z"></path></svg><span>中文</span></span></a><ul class="dropdown__menu"><li><a href="/docs/next/designDocs/wip-designs/security-implementation" target="_self" rel="noopener noreferrer" class="dropdown__link">English</a></li><li><a 
href="/zh-cn/docs/next/designDocs/wip-designs/security-implementation" target="_self" rel="noopener noreferrer" class="dropdown__link dropdown__link--active">中文</a></li></ul></div><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__link" aria-haspopup="true" aria-expanded="false" role="button" href="/zh-cn/docs/next/gettingStarted/quickstart">master 🏃</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/zh-cn/docs/next/designDocs/wip-designs/security-implementation">master 🏃</a></li><li><a class="dropdown__link" href="/zh-cn/docs/designDocs/wip-designs/security-implementation">0.8.0</a></li><li><a class="dropdown__link" href="/zh-cn/docs/0.7.0/designDocs/wip-designs/security-implementation">0.7.0</a></li><li><a class="dropdown__link" href="/zh-cn/docs/0.6.0/designDocs/wip-designs/security-implementation">0.6.0</a></li><li><a class="dropdown__link" href="/zh-cn/versions">All versions</a></li></ul></div><a href="https://github.com/apache/submarine" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub<svg width="13.5" height="13.5" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a href="#" aria-haspopup="true" aria-expanded="false" role="button" class="navbar__link">Apache</a><ul class="dropdown__menu"><li><a href="https://www.apache.org/foundation/how-it-works.html" target="_blank" rel="noopener noreferrer" class="dropdown__link">Apache 软件基金会<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 
4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/events/current-event" target="_blank" rel="noopener noreferrer" class="dropdown__link">Events<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/licenses/" target="_blank" rel="noopener noreferrer" class="dropdown__link">Apache 授权<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/foundation/thanks.html" target="_blank" rel="noopener noreferrer" class="dropdown__link">感谢<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/security/" target="_blank" rel="noopener noreferrer" class="dropdown__link">安全<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/foundation/sponsorship.html" target="_blank" rel="noopener noreferrer" class="dropdown__link">赞助<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_I5OW"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li></ul></div><div class="toggle_S7eR 
colorModeToggle_vKtC"><button class="clean-btn toggleButton_rCf9 toggleButtonDisabled_Pu9x" type="button" disabled="" title="Switch between dark and light mode (currently light mode)" aria-label="Switch between dark and light mode (currently light mode)"><svg viewBox="0 0 24 24" width="24" height="24" class="lightToggleIcon_v35p"><path fill="currentColor" d="M12,9c1.65,0,3,1.35,3,3s-1.35,3-3,3s-3-1.35-3-3S10.35,9,12,9 M12,7c-2.76,0-5,2.24-5,5s2.24,5,5,5s5-2.24,5-5 S14.76,7,12,7L12,7z M2,13l2,0c0.55,0,1-0.45,1-1s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S1.45,13,2,13z M20,13l2,0c0.55,0,1-0.45,1-1 s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S19.45,13,20,13z M11,2v2c0,0.55,0.45,1,1,1s1-0.45,1-1V2c0-0.55-0.45-1-1-1S11,1.45,11,2z M11,20v2c0,0.55,0.45,1,1,1s1-0.45,1-1v-2c0-0.55-0.45-1-1-1C11.45,19,11,19.45,11,20z M5.99,4.58c-0.39-0.39-1.03-0.39-1.41,0 c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0s0.39-1.03,0-1.41L5.99,4.58z M18.36,16.95 c-0.39-0.39-1.03-0.39-1.41,0c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0c0.39-0.39,0.39-1.03,0-1.41 L18.36,16.95z M19.42,5.99c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06c-0.39,0.39-0.39,1.03,0,1.41 s1.03,0.39,1.41,0L19.42,5.99z M7.05,18.36c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06 c-0.39,0.39-0.39,1.03,0,1.41s1.03,0.39,1.41,0L7.05,18.36z"></path></svg><svg viewBox="0 0 24 24" width="24" height="24" class="darkToggleIcon_nQuB"><path fill="currentColor" d="M9.37,5.51C9.19,6.15,9.1,6.82,9.1,7.5c0,4.08,3.32,7.4,7.4,7.4c0.68,0,1.35-0.09,1.99-0.27C17.45,17.19,14.93,19,12,19 c-3.86,0-7-3.14-7-7C5,9.07,6.81,6.55,9.37,5.51z M12,3c-4.97,0-9,4.03-9,9s4.03,9,9,9s9-4.03,9-9c0-0.46-0.04-0.92-0.1-1.36 c-0.98,1.37-2.58,2.26-4.4,2.26c-2.98,0-5.4-2.42-5.4-5.4c0-1.81,0.89-3.42,2.26-4.4C12.92,3.04,12.46,3,12,3L12,3z"></path></svg></button></div><div class="navbar__search"><span aria-label="expand searchbar" role="button" class="search-icon" tabindex="0"></span><input type="search" 
id="search_input_react" placeholder="Search" aria-label="Search" class="navbar__search-input search-bar"></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div class="main-wrapper"><div class="docPage_P2Lg"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_RiI4" type="button"></button><aside class="theme-doc-sidebar-container docSidebarContainer_rKC_"><div class="sidebar_RiAD"><nav class="menu thin-scrollbar menu_izAj"><ul class="theme-doc-sidebar-menu menu__list"><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/zh-cn/docs/next/gettingStarted/quickstart">Getting Started</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/zh-cn/docs/next/userDocs/submarine-sdk/submarine-cli">User Docs</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/zh-cn/docs/next/devDocs/">Developer Docs</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" href="/zh-cn/docs/next/community/">Community</a></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div 
class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret menu__link--active" aria-expanded="true" href="/zh-cn/docs/next/designDocs/architecture-and-requirements">Design Docs</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/zh-cn/docs/next/designDocs/architecture-and-requirements">Architecture and Requirment</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/zh-cn/docs/next/designDocs/implementation-notes">Implementation Notes</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/zh-cn/docs/next/designDocs/environments-implementation">Environments Implementation</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/zh-cn/docs/next/designDocs/experiment-implementation">Experiment Implementation</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/zh-cn/docs/next/designDocs/notebook-implementation">Notebook Implementation</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/zh-cn/docs/next/designDocs/storage-implementation">Storage Implementation</a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret" aria-expanded="false" tabindex="0" href="/zh-cn/docs/next/designDocs/submarine-server/architecture">Submarine Server</a></div></li><li 
class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-2 menu__list-item"><div class="menu__list-item-collapsible"><a class="menu__link menu__link--sublist menu__link--sublist-caret menu__link--active" aria-expanded="true" tabindex="0" href="/zh-cn/docs/next/designDocs/wip-designs/submarine-launcher">WIP Design Docs</a></div><ul style="display:block;overflow:visible;height:auto" class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link" tabindex="0" href="/zh-cn/docs/next/designDocs/wip-designs/submarine-launcher">Submarine Launcher</a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-3 menu__list-item"><a class="menu__link menu__link--active" aria-current="page" tabindex="0" href="/zh-cn/docs/next/designDocs/wip-designs/security-implementation">Security Implementation</a></li></ul></li></ul></li></ul></nav></div></aside><main class="docMainContainer_TCnq"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_DM6M"><div class="theme-doc-version-banner alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for <!-- -->Apache Submarine<!-- --> <b>master 🏃</b> version.</div><div class="margin-top--md">For up-to-date documentation, see the <b><a href="/zh-cn/docs/designDocs/wip-designs/security-implementation">latest version</a></b> (<!-- -->0.8.0<!-- -->).</div></div><div class="docItemContainer_vinB"><article><nav class="theme-doc-breadcrumbs breadcrumbsContainer_Xlws" aria-label="breadcrumbs"><ul class="breadcrumbs" itemscope="" itemtype="https://schema.org/BreadcrumbList"><li class="breadcrumbs__item"><a class="breadcrumbs__link" href="/zh-cn/">🏠</a></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item"><span class="breadcrumbs__link" itemprop="item name">Design Docs</span><meta itemprop="position" 
content="1"></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item"><span class="breadcrumbs__link" itemprop="item name">WIP Design Docs</span><meta itemprop="position" content="2"></li><li itemscope="" itemprop="itemListElement" itemtype="https://schema.org/ListItem" class="breadcrumbs__item breadcrumbs__item--active"><span class="breadcrumbs__link" itemprop="item name">Security Implementation</span><meta itemprop="position" content="3"></li></ul></nav><span class="theme-doc-version-badge badge badge--secondary">Version: master 🏃</span><div class="tocCollapsible_jdIR theme-doc-toc-mobile tocMobile_TmEX"><button type="button" class="clean-btn tocCollapsibleButton_Fzxq">On this page</button></div><div class="theme-doc-markdown markdown"><header><h1>Security Implementation</h1></header><h2 class="anchor anchorWithStickyNavbar_mojV" id="handle-users-credential">Handle User&#x27;s Credential<a class="hash-link" href="#handle-users-credential" title="Direct link to heading"></a></h2><p>User credentials include Kerberos keytabs, Docker registry credentials, GitHub SSH keys, etc.</p><p>User credentials must be stored securely, for example via Keycloak or K8s Secrets.</p><p>(More details TODO)</p><h2 class="anchor anchorWithStickyNavbar_mojV" id="authentication">Authentication<a class="hash-link" href="#authentication" title="Direct link to heading"></a></h2><p>We use <a href="https://www.pac4j.org/" target="_blank" rel="noopener noreferrer">pac4j</a> as the secure authentication component of <code>submarine-server</code>.
Based on <code>pac4j</code>, we plan to support popular authentication services such as OAuth2/OpenID Connect (OIDC), LDAP, SAML, CAS, etc.
and use a token-based method to handle external request services and internal message communication.
In the initial version we will first integrate OAuth2/OIDC, LDAP,
and a simple login mode that does not rely on other authentication services.
There are already some PRs in the community that try to integrate authentication services into <code>submarine</code>
( <a href="https://github.com/apache/submarine/pull/833" target="_blank" rel="noopener noreferrer">New SSO function based on OIDC</a> and <a href="https://github.com/apache/submarine/pull/419" target="_blank" rel="noopener noreferrer">Create rest api to authenticate user from LDAP</a> );
we will build on these PRs and combine them.</p><h3 class="anchor anchorWithStickyNavbar_mojV" id="supported-authentication-types">Supported authentication types<a class="hash-link" href="#supported-authentication-types" title="Direct link to heading"></a></h3><h4 class="anchor anchorWithStickyNavbar_mojV" id="none">None<a class="hash-link" href="#none" title="Direct link to heading"></a></h4><p>While adding authentication support, we will also support a way to turn off authentication and call the service directly,
so that previous versions of submarine that do not support authentication can still call the service.
Authentication is provided by default in submarine, but we can also turn off authentication by manually setting <code>submarine.auth.type</code> to <code>none</code>.</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="simple">Simple<a class="hash-link" href="#simple" title="Direct link to heading"></a></h4><p>Provides a simple way for authentication.
When users log in to the system, the username and password entered will be matched against the <code>sys_user</code> table within the system,
and if they match, a <code>token</code> will be generated and returned to the frontend.
All services will need to carry the <code>token</code> in the request header to confirm the user&#x27;s identity.</p><div class="codeBlockContainer_I0IT theme-code-block"><div class="codeBlockContent_wNvx" style="color:#bfc7d5;background-color:#292d3e"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#bfc7d5"><span class="token plain">Authorization: Bearer &lt;token&gt;</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" title="Copy" class="copyButton_eDfN clean-btn"><span class="copyButtonIcons_W9eQ" aria-hidden="true"><svg class="copyButtonIcon_XEyF" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_i9w9" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div><h4 class="anchor anchorWithStickyNavbar_mojV" id="oauth2">OAuth2<a class="hash-link" href="#oauth2" title="Direct link to heading"></a></h4><p>Supports OAuth2 as a user authentication service, requiring a jump to a third-party authentication platform for single sign-on services when logging into <code>submarine</code>.
<code>Submarine</code> requires an OAuth2 token as an authentication credential, including the refresh token.
If the logged-in user is not in <code>submarine</code>, the user data will be created automatically.</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="oidc">OIDC<a class="hash-link" href="#oidc" title="Direct link to heading"></a></h4><p>OIDC is similar to OAuth2, except that <code>submarine.auth.oidc.discover.uri</code> is required to support <a href="https://openid.net/specs/openid-connect-discovery-1_0.html" target="_blank" rel="noopener noreferrer">OpenID Connect Discovery</a>,
where an OpenID server publishes its metadata at a well-known URL, typically</p><div class="codeBlockContainer_I0IT theme-code-block"><div class="codeBlockContent_wNvx" style="color:#bfc7d5;background-color:#292d3e"><pre tabindex="0" class="prism-code language-text codeBlock_jd64 thin-scrollbar"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#bfc7d5"><span class="token plain">https://server.com/.well-known/openid-configuration</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" title="Copy" class="copyButton_eDfN clean-btn"><span class="copyButtonIcons_W9eQ" aria-hidden="true"><svg class="copyButtonIcon_XEyF" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_i9w9" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div><p>This URL returns a JSON listing of the OpenID/OAuth endpoints, supported scopes and claims, public keys used to sign the tokens, and other details.
<code>pac4j</code> can use this information to construct requests to the OpenID server.
The field names and values are defined in the OpenID Connect Discovery Specification. Here is an example of data returned:</p><div class="codeBlockContainer_I0IT language-json theme-code-block"><div class="codeBlockContent_wNvx" style="color:#bfc7d5;background-color:#292d3e"><pre tabindex="0" class="prism-code language-json codeBlock_jd64 thin-scrollbar"><code class="codeBlockLines_mRuA"><span class="token-line" style="color:#bfc7d5"><span class="token punctuation" style="color:rgb(199, 146, 234)">{</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">&quot;issuer&quot;</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;https://example.com/&quot;</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">&quot;authorization_endpoint&quot;</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;https://example.com/authorize&quot;</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">&quot;token_endpoint&quot;</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;https://example.com/token&quot;</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" 
style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">&quot;userinfo_endpoint&quot;</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;https://example.com/userinfo&quot;</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">&quot;jwks_uri&quot;</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;https://example.com/.well-known/jwks.json&quot;</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">&quot;scopes_supported&quot;</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;pets_read&quot;</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;pets_write&quot;</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token string" style="color:rgb(195, 
232, 141)">&quot;admin&quot;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">&quot;response_types_supported&quot;</span><span class="token operator" style="color:rgb(137, 221, 255)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;code&quot;</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;id_token&quot;</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;token id_token&quot;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token property">&quot;token_endpoint_auth_methods_supported&quot;</span><span class="token operator" style="color:rgb(137, 
221, 255)">:</span><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">[</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token string" style="color:rgb(195, 232, 141)">&quot;client_secret_basic&quot;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(199, 146, 234)">]</span><span class="token punctuation" style="color:rgb(199, 146, 234)">,</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> ...</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token punctuation" style="color:rgb(199, 146, 234)">}</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" title="Copy" class="copyButton_eDfN clean-btn"><span class="copyButtonIcons_W9eQ" aria-hidden="true"><svg class="copyButtonIcon_XEyF" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_i9w9" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div><h4 class="anchor anchorWithStickyNavbar_mojV" id="ldap">LDAP<a class="hash-link" href="#ldap" title="Direct link to heading"></a></h4><p>[TODO]</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="saml">SAML<a class="hash-link" href="#saml" title="Direct link to heading"></a></h4><p>[TODO]</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="cas">CAS<a class="hash-link" href="#cas" title="Direct link to heading"></a></h4><p>[TODO]</p><h3 class="anchor anchorWithStickyNavbar_mojV" id="configuration">Configuration<a 
class="hash-link" href="#configuration" title="Direct link to heading"></a></h3><table><thead><tr><th>Attribute</th><th>Description</th><th>Type</th><th>Default</th><th>Comment</th></tr></thead><tbody><tr><td>submarine.auth.type</td><td>Supported authentication types, currently available are: none, simple, oauth2/oidc, ldap, kerberos, saml, cas</td><td>string</td><td>none</td><td>Only one authentication method can be active at any one time</td></tr><tr><td>submarine.auth.token.maxAge</td><td>Expiry time of the token, in minutes</td><td>int</td><td>1 day</td><td>Every request other than the login endpoints must present a valid token, so this value bounds how long a leaked token remains usable</td></tr><tr><td>submarine.auth.refreshToken.maxAge</td><td>Expiry time of the refresh token, in minutes</td><td>int</td><td>1 hour</td><td>With the documented defaults the refresh token (1 hour) expires before the token it is meant to renew (1 day); a refresh token is normally longer-lived than the access token, so these defaults should be reviewed before the design is finalized</td></tr><tr><td>submarine.cookie.http.only</td><td>HttpOnly Cookie</td><td>boolean</td><td>false</td><td>Recommended <code>true</code> in production: an HttpOnly cookie cannot be read by client-side script, which limits the impact of an XSS bug</td></tr><tr><td>submarine.cookie.secure</td><td>Secure Cookie</td><td>boolean</td><td>false</td><td>Recommended <code>true</code> in production: a Secure cookie is only sent over HTTPS</td></tr><tr><td>submarine.cookie.samesite</td><td>SameSite Cookie, can be Lax, Strict, None (or empty)</td><td>string</td><td></td><td>Lax or Strict limits cross-site request forgery; None must be combined with <code>submarine.cookie.secure=true</code>, otherwise modern browsers reject the cookie. See <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite" target="_blank" rel="noopener noreferrer">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite</a></td></tr><tr><td>submarine.auth.oauth2.client.id</td><td>OAuth2 client id</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oauth2.client.secret</td><td>OAuth2 client secret</td><td>string</td><td></td><td>Sensitive value; keep it out of version control and logs</td></tr><tr><td>submarine.auth.oauth2.client.flows</td><td>OAuth2 flows, can be: authorizationCode, implicit, password or clientCredentials</td><td>string</td><td></td><td>implicit and password are deprecated by the OAuth 2.0 Security Best Current Practice; prefer authorizationCode for browser logins and clientCredentials for service-to-service calls</td></tr><tr><td>submarine.auth.oauth2.scopes</td><td>The available scopes for the OAuth2 security scheme.
A map between the scope name and a short description for it.</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oauth2.token.uri</td><td>OAuth2 access token uri</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oauth2.refresh.uri</td><td>OAuth2 refresh token uri</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oauth2.authorization.uri</td><td>OAuth2 authorization uri</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oauth2.logout.uri</td><td>OAuth2 logout uri</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oidc.client.id</td><td>OIDC client id</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.oidc.client.secret</td><td>OIDC client secret</td><td>string</td><td></td><td>Sensitive value; keep it out of version control and logs</td></tr><tr><td>submarine.auth.oidc.discover.uri</td><td>OIDC discovery uri</td><td>string</td><td></td><td>Should be the https URL of a trusted issuer: the discovery document determines the endpoints and signing keys used to validate tokens</td></tr><tr><td>submarine.auth.ladp.provider.uri</td><td>LDAP provider uri</td><td>string</td><td></td><td></td></tr><tr><td>submarine.auth.ladp.baseDn</td><td>LDAP base DN</td><td>string</td><td></td><td>The base DN is the base LDAP distinguished name for your LDAP server. For example, ou=dev,dc=xyz,dc=com</td></tr><tr><td>submarine.auth.ladp.domain</td><td>LDAP AD domain</td><td>string</td><td></td><td>The AD domain is the domain name of the AD server. For example, corp.domain.com</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_mojV" id="design-and-implementation">Design and implementation<a class="hash-link" href="#design-and-implementation" title="Direct link to heading"></a></h3><p>The server uses a <code>javax.servlet.Filter</code> to check whether a request carries authentication information for a user.
A <code>Filter</code> implementation exists for each authentication type, and each one is configured according to the corresponding <code>pac4j</code> client implementation.
A <code>SecurityFactory</code> class instantiates the <code>Filter</code> selected by <code>submarine.auth.type</code> and registers it as a Jetty filter.</p><p>Unless <code>submarine.auth.type</code> is <code>none</code>, every request must carry the token in a request header; the only exceptions are the few endpoints needed to obtain a token in the first place (login requests, etc.). New endpoints should be covered by the filter by default, with exemptions limited to those required for authentication itself.
The token is generated and verified with <code>pac4j</code> inside the <code>Filter</code>; a request with a missing or invalid token is rejected with HTTP 401.</p><p>When a token expires, a new one can be obtained by calling the refresh-token method. By default the token expires after 1 day (<code>submarine.auth.token.maxAge</code>) and the refresh token after 1 hour (<code>submarine.auth.refreshToken.maxAge</code>). Note that with these defaults the refresh token would normally have expired long before the token it is meant to renew; a refresh token is usually given a longer lifetime than the access token, so these defaults should be reviewed before the design is finalized.</p><h3 class="anchor anchorWithStickyNavbar_mojV" id="users">Users<a class="hash-link" href="#users" title="Direct link to heading"></a></h3><p>Describe the design of relevant user tables, user registration/modification/deletion processes,
and the processing logic associated with authenticated login
(including the mapping of attributes for automatically registered users when integrating with other authentication platforms, etc.).</p><p>We use the <code>sys_user</code> table to store Submarine user information.
When <code>submarine.auth.type</code> is <code>simple</code>, login compares the submitted credentials against <code>user_name</code> and <code>password</code> in <code>sys_user</code>. The stored password is not plaintext (this document describes it as encrypted), but the design does not yet specify the scheme; it should be a salted, slow password hash rather than reversible encryption. Login succeeds only when both the user name and the password match.
When <code>submarine.auth.type</code> is <code>ldap</code>, the login operation sends the user name and password to the LDAP server, which verifies them. If the authenticated user does not yet exist in <code>sys_user</code>, a new record is added for them.
When a third-party authentication provider is used (OAuth2/OpenID Connect (OIDC), SAML, CAS, etc.), the login page redirects to the provider, and the provider returns the user to Submarine after a successful login; the server must validate the provider's response (token or assertion) before trusting the identity it carries. If the authenticated user does not yet exist in <code>sys_user</code>, a new record is added for them.</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="department">Department<a class="hash-link" href="#department" title="Direct link to heading"></a></h4><p>[TODO]</p><h4 class="anchor anchorWithStickyNavbar_mojV" id="role">Role<a class="hash-link" href="#role" title="Direct link to heading"></a></h4><p>[TODO]</p><h3 class="anchor anchorWithStickyNavbar_mojV" id="rbac">RBAC<a class="hash-link" href="#rbac" title="Direct link to heading"></a></h3><p>[TODO]</p></div><footer class="theme-doc-footer docusaurus-mt-lg"><div class="theme-doc-footer-edit-meta-row row"><div class="col"><a href="https://github.com/apache/submarine/edit/master/website/docs/designDocs/wip-designs/security-implementation.md" target="_blank" rel="noreferrer noopener" class="theme-edit-this-page"><svg fill="currentColor" height="20" width="20" viewBox="0 0 40 40" class="iconEdit_dcUD" aria-hidden="true"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div><div class="col lastUpdated_foO9"></div></div></footer></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages navigation"><div class="pagination-nav__item"><a class="pagination-nav__link" href="/zh-cn/docs/next/designDocs/wip-designs/submarine-launcher"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">Submarine Launcher</div></a></div><div class="pagination-nav__item pagination-nav__item--next"></div></nav></div></div><div class="col col--3"><div class="tableOfContents_cNA8 thin-scrollbar theme-doc-toc-desktop"><ul 
</body>
</html>