F9340586
diff --git a/docs/images/deposit-authentication-basic.uml b/docs/images/deposit-authentication-basic.uml
index f00644e2..80e03f80 100644
--- a/docs/images/deposit-authentication-basic.uml
+++ b/docs/images/deposit-authentication-basic.uml
@@ -1,23 +1,23 @@
@startuml
participant CLIENT as "SWORD client\n(eg. HAL)"
participant DEPOSIT as "swh-deposit"
-participant AUTH_BACKEND as "deposit storage"
+participant AUTH_BACKEND as "deposit database"
activate CLIENT
activate DEPOSIT
activate AUTH_BACKEND
CLIENT ->> DEPOSIT: GET /1/<service-document>/
DEPOSIT ->> AUTH_BACKEND: check authentication
alt credentials mismatch or inexistent user
AUTH_BACKEND ->> DEPOSIT: return ko
DEPOSIT -->> CLIENT: return 401, Unauthorized
else credentials ok
AUTH_BACKEND ->> DEPOSIT: return deposit_client
DEPOSIT -->> CLIENT: return 200, <service-document>
end
deactivate CLIENT
deactivate DEPOSIT
deactivate AUTH_BACKEND
@enduml
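Review bot: renaming the label to "deposit database" (`+participant AUTH_BACKEND as "deposit database"`) only changes the PlantUML source; the figure that docs/internals/authentication.rst embeds is images/deposit-authentication-basic.svg, so if that SVG is checked in rather than rendered at build time it must be regenerated in the same change, or the published diagram will still read "deposit storage". Two smaller points while touching this file: the participant variable stays AUTH_BACKEND whereas the other three charts rename DEPOSIT_STORAGE to DEPOSIT_DATABASE, and the alt label "inexistent user" should read "nonexistent user". The behaviour the chart shows, one identical 401 for both an unknown user and a credentials mismatch, is the right one to keep, since it does not let a client tell the two cases apart.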
diff --git a/docs/images/deposit-create-chart.uml b/docs/images/deposit-create-chart.uml
index d7683029..85970851 100644
--- a/docs/images/deposit-create-chart.uml
+++ b/docs/images/deposit-create-chart.uml
@@ -1,26 +1,26 @@
@startuml
participant CLIENT as "SWORD client\n(eg. HAL)"
participant DEPOSIT as "swh-deposit"
- participant DEPOSIT_STORAGE as "deposit storage"
+ participant DEPOSIT_DATABASE as "deposit database"
activate CLIENT
activate DEPOSIT
- activate DEPOSIT_STORAGE
+ activate DEPOSIT_DATABASE
CLIENT ->> DEPOSIT: GET /1/<service-document>/
- DEPOSIT ->> DEPOSIT_STORAGE: check authentication
- DEPOSIT_STORAGE -->> DEPOSIT: return ok (if client exists and credentials ok)
+ DEPOSIT ->> DEPOSIT_DATABASE: check authentication
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok (if client exists and credentials ok)
DEPOSIT -->> CLIENT: return 200, <service-document>
CLIENT ->> DEPOSIT: POST /1/<collection-name>/
- DEPOSIT ->> DEPOSIT_STORAGE: check authentication
- DEPOSIT_STORAGE -->> DEPOSIT: return ok (if client exists and credentials ok)
+ DEPOSIT ->> DEPOSIT_DATABASE: check authentication
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok (if client exists and credentials ok)
- DEPOSIT ->> DEPOSIT_STORAGE: create new deposit
- DEPOSIT_STORAGE -->> DEPOSIT: return deposit_id
+ DEPOSIT ->> DEPOSIT_DATABASE: create new deposit
+ DEPOSIT_DATABASE -->> DEPOSIT: return deposit_id
DEPOSIT -->> CLIENT: return 201, <deposit receipt>
@enduml
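Review bot: this chart has no failure branch: both "return ok (if client exists and credentials ok)" arrows assume success, so the 401 path is shown only in deposit-authentication-basic.uml. Either wrap the authentication step in an alt/else as that chart does, or say in the surrounding docs that the create chart shows the happy path only. Also, DEPOSIT_DATABASE is activated but never deactivated (the basic-auth chart closes all three lifelines), and the changed lines carry a leading space that the unchanged lines do not.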
diff --git a/docs/images/deposit-delete-chart.uml b/docs/images/deposit-delete-chart.uml
index 19727df1..0d5a8521 100644
--- a/docs/images/deposit-delete-chart.uml
+++ b/docs/images/deposit-delete-chart.uml
@@ -1,33 +1,33 @@
@startuml
participant CLIENT as "SWORD client\n(eg. HAL)"
participant DEPOSIT as "swh-deposit"
- participant DEPOSIT_STORAGE as "deposit storage"
+ participant DEPOSIT_DATABASE as "deposit database"
activate CLIENT
activate DEPOSIT
- activate DEPOSIT_STORAGE
+ activate DEPOSIT_DATABASE
CLIENT ->> DEPOSIT: POST /1/<collection-name>/\nHEADER In-Progress: true
- DEPOSIT ->> DEPOSIT_STORAGE: check authentication
- DEPOSIT_STORAGE -->> DEPOSIT: return ok (if client exists and credentials ok)
+ DEPOSIT ->> DEPOSIT_DATABASE: check authentication
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok (if client exists and credentials ok)
DEPOSIT -->> CLIENT: return 201, <deposit receipt>
CLIENT -> DEPOSIT: DELETE /1/<collection-name>/<deposit-id>/media/\nDELETE /1/<collection-name>/<deposit-id>/metadata/
- DEPOSIT ->> DEPOSIT_STORAGE: check authentication
- DEPOSIT_STORAGE -->> DEPOSIT: return ok
+ DEPOSIT ->> DEPOSIT_DATABASE: check authentication
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok
- DEPOSIT ->> DEPOSIT_STORAGE: check inputs()
+ DEPOSIT ->> DEPOSIT_DATABASE: check inputs()
alt status is 'partial'
- DEPOSIT_STORAGE -->> DEPOSIT: return ok
- DEPOSIT ->> DEPOSIT_STORAGE: delete-deposit-or-deposit-archives()
- DEPOSIT_STORAGE -->> DEPOSIT: return ok
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok
+ DEPOSIT ->> DEPOSIT_DATABASE: delete-deposit-or-deposit-archives()
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok
DEPOSIT -->> CLIENT: return 204
else status is not 'partial'
- DEPOSIT_STORAGE -->> DEPOSIT: return ko
+ DEPOSIT_DATABASE -->> DEPOSIT: return ko
DEPOSIT -->> CLIENT: return 400, "You can only act on deposit with status partial"
end
@enduml
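Review bot: "check inputs()" is opaque in this chart; the alt that follows shows only the status test ('partial' or not), so a reader cannot tell which other inputs are validated before `delete-deposit-or-deposit-archives()` runs, in particular whether the <deposit-id> in the URL is checked against the authenticated client. Documenting what the inputs check covers, either as a second alt branch with its response code or in the accompanying text, would make the chart self-explanatory. Minor: the same "activate DEPOSIT_DATABASE without deactivate" remark as in the create chart applies here.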
diff --git a/docs/images/deposit-update-chart.uml b/docs/images/deposit-update-chart.uml
index e4f49ae7..097d4b57 100644
--- a/docs/images/deposit-update-chart.uml
+++ b/docs/images/deposit-update-chart.uml
@@ -1,39 +1,39 @@
@startuml
participant CLIENT as "SWORD client\n(eg. HAL)"
participant DEPOSIT as "swh-deposit"
- participant DEPOSIT_STORAGE as "deposit storage"
+ participant DEPOSIT_DATABASE as "deposit database"
activate CLIENT
activate DEPOSIT
- activate DEPOSIT_STORAGE
+ activate DEPOSIT_DATABASE
CLIENT ->> DEPOSIT: POST /1/<collection-name>/\nHEADER In-Progress: true
- DEPOSIT ->> DEPOSIT_STORAGE: check authentication
- DEPOSIT_STORAGE -->> DEPOSIT: return ok (if client exists and credentials ok)
+ DEPOSIT ->> DEPOSIT_DATABASE: check authentication
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok (if client exists and credentials ok)
DEPOSIT -->> CLIENT: return 201, <deposit receipt>
CLIENT -> DEPOSIT: POST/PUT /1/<collection-name>/<deposit-id>/media/\nPOST/PUT /1/<collection-name>/<deposit-id>/metadata/
- DEPOSIT ->> DEPOSIT_STORAGE: check authentication
- DEPOSIT_STORAGE -->> DEPOSIT: return ok
+ DEPOSIT ->> DEPOSIT_DATABASE: check authentication
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok
- DEPOSIT ->> DEPOSIT_STORAGE: check inputs()
+ DEPOSIT ->> DEPOSIT_DATABASE: check inputs()
alt status is 'partial'
- DEPOSIT_STORAGE -->> DEPOSIT: return ok
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok
alt HEADER: In-Progress = true
- DEPOSIT ->> DEPOSIT_STORAGE: add-or-replace-data-and-update-status('partial')
+ DEPOSIT ->> DEPOSIT_DATABASE: add-or-replace-data-and-update-status('partial')
else HEADER: In-Progress = false
- DEPOSIT ->> DEPOSIT_STORAGE: add-or-replace-data-and-update-status('deposited')
+ DEPOSIT ->> DEPOSIT_DATABASE: add-or-replace-data-and-update-status('deposited')
end
- DEPOSIT_STORAGE -->> DEPOSIT: return ok
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok
DEPOSIT -->> CLIENT: return 204
else status is not partial
- DEPOSIT_STORAGE -->> DEPOSIT: return ko
+ DEPOSIT_DATABASE -->> DEPOSIT: return ko
DEPOSIT -->> CLIENT: return 400, "You can only act on deposit with status partial"
end
@enduml
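Review bot: the label "else status is not partial" should be quoted as in the delete chart ("else status is not 'partial'") so the two charts read identically for the same condition. More substantively, the inner alt covers only "In-Progress = true" and "In-Progress = false"; the chart does not show the behaviour when the header is absent, which matters because the false branch is what moves the deposit to 'deposited'. State the default (or that the header is required) either in the chart or in the docs that embed it.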
diff --git a/docs/internals/authentication.rst b/docs/internals/authentication.rst
index f50ae834..6d423cf4 100644
--- a/docs/internals/authentication.rst
+++ b/docs/internals/authentication.rst
@@ -1,44 +1,44 @@
.. _authentication:
Authentication
==============
This is a description of the authentication mechanism used in the deposit server. Both
`basic authentication <https://tools.ietf.org/html/rfc7617>`_ and `keycloak`_ schemes
are supported through configuration.
Basic
-----
The first implementation uses `basic authentication
-<https://tools.ietf.org/html/rfc7617>`_. The deposit storage backend has the
-responsibility to check the authentication credentials sent by the deposit client. If
+<https://tools.ietf.org/html/rfc7617>`_. The deposit server checks
+the authentication credentials sent by the deposit client using its own database. If
authorized, the deposit client is allowed to continue its deposit. Otherwise, a 401
response is returned to the client.
.. figure:: images/deposit-authentication-basic.svg
:alt: Basic Authentication
Keycloak
--------
Recent changes introduced `keycloak`_, an Open Source Identity and Access Management
tool which is already used in other parts of the swh stack.
The authentication is delegated to the `swh keycloak instance
<https://auth.softwareheritage.org/auth/>`_ using the `Resource Owner Password
Credentials <https://tools.ietf.org/html/rfc6749#section-1.3.3>`_ scheme.
Deposit clients still uses the deposit as before. Transparently for them, the deposit
server forwards their credentials to keycloak for validation. If `keycloak`_ authorizes
the deposit client, the deposit further checks that the deposit client has the proper
permission "swh.deposit.api". If they do, they can post their deposits.
If any issue arises during one of the authentication check, the client receives a 401
response (unauthorized).
.. figure:: images/deposit-authentication-keycloak.svg
:alt: Keycloak Authentication
.. _keycloak: https://www.keycloak.org/
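Review bot: two grammar fixes in the unchanged lines around the edited sentence: "Deposit clients still uses the deposit as before" should read "still use", and "during one of the authentication check" should read "checks". On the rewritten sentence itself ("The deposit server checks the authentication credentials sent by the deposit client using its own database"), saying what the database holds per client (for instance a password hash rather than the password, if that is how credentials are stored) would make the basic scheme's security model explicit. Finally, the Keycloak paragraph says a missing "swh.deposit.api" permission also yields a 401; since that is an authorization rather than an authentication failure, confirm that 401 (and not 403) is the intended response and state it, because clients will decide how to react on that code.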
Attached To: rDDEP Push deposit