diff --git a/docs/images/deposit-authentication-basic.uml b/docs/images/deposit-authentication-basic.uml
index f00644e2..80e03f80 100644
--- a/docs/images/deposit-authentication-basic.uml
+++ b/docs/images/deposit-authentication-basic.uml
@@ -1,23 +1,23 @@
 @startuml
 participant CLIENT as "SWORD client\n(eg. HAL)"
 participant DEPOSIT as "swh-deposit"
-participant AUTH_BACKEND as "deposit storage"
+participant AUTH_BACKEND as "deposit database"
 activate CLIENT
 activate DEPOSIT
 activate AUTH_BACKEND
 CLIENT ->> DEPOSIT: GET /1//
 DEPOSIT ->> AUTH_BACKEND: check authentication
 alt credentials mismatch or inexistent user
 AUTH_BACKEND ->> DEPOSIT: return ko
 DEPOSIT -->> CLIENT: return 401, Unauthorized
 else credentials ok
 AUTH_BACKEND ->> DEPOSIT: return deposit_client
 DEPOSIT -->> CLIENT: return 200,
 end
 deactivate CLIENT
 deactivate DEPOSIT
 deactivate AUTH_BACKEND
 @enduml
diff --git a/docs/images/deposit-create-chart.uml b/docs/images/deposit-create-chart.uml
index d7683029..85970851 100644
--- a/docs/images/deposit-create-chart.uml
+++ b/docs/images/deposit-create-chart.uml
@@ -1,26 +1,26 @@
 @startuml
 participant CLIENT as "SWORD client\n(eg. HAL)"
 participant DEPOSIT as "swh-deposit"
- participant DEPOSIT_STORAGE as "deposit storage"
+ participant DEPOSIT_DATABASE as "deposit database"
 activate CLIENT
 activate DEPOSIT
- activate DEPOSIT_STORAGE
+ activate DEPOSIT_DATABASE
 CLIENT ->> DEPOSIT: GET /1//
- DEPOSIT ->> DEPOSIT_STORAGE: check authentication
- DEPOSIT_STORAGE -->> DEPOSIT: return ok (if client exists and credentials ok)
+ DEPOSIT ->> DEPOSIT_DATABASE: check authentication
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok (if client exists and credentials ok)
 DEPOSIT -->> CLIENT: return 200,
 CLIENT ->> DEPOSIT: POST /1//
- DEPOSIT ->> DEPOSIT_STORAGE: check authentication
- DEPOSIT_STORAGE -->> DEPOSIT: return ok (if client exists and credentials ok)
+ DEPOSIT ->> DEPOSIT_DATABASE: check authentication
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok (if client exists and credentials ok)
- DEPOSIT ->> DEPOSIT_STORAGE: create new deposit
- DEPOSIT_STORAGE -->> DEPOSIT: return deposit_id
+ DEPOSIT ->> DEPOSIT_DATABASE: create new deposit
+ DEPOSIT_DATABASE -->> DEPOSIT: return deposit_id
 DEPOSIT -->> CLIENT: return 201,
 @enduml
diff --git a/docs/images/deposit-delete-chart.uml b/docs/images/deposit-delete-chart.uml
index 19727df1..0d5a8521 100644
--- a/docs/images/deposit-delete-chart.uml
+++ b/docs/images/deposit-delete-chart.uml
@@ -1,33 +1,33 @@
 @startuml
 participant CLIENT as "SWORD client\n(eg. HAL)"
 participant DEPOSIT as "swh-deposit"
- participant DEPOSIT_STORAGE as "deposit storage"
+ participant DEPOSIT_DATABASE as "deposit database"
 activate CLIENT
 activate DEPOSIT
- activate DEPOSIT_STORAGE
+ activate DEPOSIT_DATABASE
 CLIENT ->> DEPOSIT: POST /1//\nHEADER In-Progress: true
- DEPOSIT ->> DEPOSIT_STORAGE: check authentication
- DEPOSIT_STORAGE -->> DEPOSIT: return ok (if client exists and credentials ok)
+ DEPOSIT ->> DEPOSIT_DATABASE: check authentication
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok (if client exists and credentials ok)
 DEPOSIT -->> CLIENT: return 201,
 CLIENT -> DEPOSIT: DELETE /1///media/\nDELETE /1///metadata/
- DEPOSIT ->> DEPOSIT_STORAGE: check authentication
- DEPOSIT_STORAGE -->> DEPOSIT: return ok
+ DEPOSIT ->> DEPOSIT_DATABASE: check authentication
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok
- DEPOSIT ->> DEPOSIT_STORAGE: check inputs()
+ DEPOSIT ->> DEPOSIT_DATABASE: check inputs()
 alt status is 'partial'
- DEPOSIT_STORAGE -->> DEPOSIT: return ok
- DEPOSIT ->> DEPOSIT_STORAGE: delete-deposit-or-deposit-archives()
- DEPOSIT_STORAGE -->> DEPOSIT: return ok
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok
+ DEPOSIT ->> DEPOSIT_DATABASE: delete-deposit-or-deposit-archives()
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok
 DEPOSIT -->> CLIENT: return 204
 else status is not 'partial'
- DEPOSIT_STORAGE -->> DEPOSIT: return ko
+ DEPOSIT_DATABASE -->> DEPOSIT: return ko
 DEPOSIT -->> CLIENT: return 400, "You can only act on deposit with status partial"
 end
 @enduml
diff --git a/docs/images/deposit-update-chart.uml b/docs/images/deposit-update-chart.uml
index e4f49ae7..097d4b57 100644
--- a/docs/images/deposit-update-chart.uml
+++ b/docs/images/deposit-update-chart.uml
@@ -1,39 +1,39 @@
 @startuml
 participant CLIENT as "SWORD client\n(eg. HAL)"
 participant DEPOSIT as "swh-deposit"
- participant DEPOSIT_STORAGE as "deposit storage"
+ participant DEPOSIT_DATABASE as "deposit database"
 activate CLIENT
 activate DEPOSIT
- activate DEPOSIT_STORAGE
+ activate DEPOSIT_DATABASE
 CLIENT ->> DEPOSIT: POST /1//\nHEADER In-Progress: true
- DEPOSIT ->> DEPOSIT_STORAGE: check authentication
- DEPOSIT_STORAGE -->> DEPOSIT: return ok (if client exists and credentials ok)
+ DEPOSIT ->> DEPOSIT_DATABASE: check authentication
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok (if client exists and credentials ok)
 DEPOSIT -->> CLIENT: return 201,
 CLIENT -> DEPOSIT: POST/PUT /1///media/\nPOST/PUT /1///metadata/
- DEPOSIT ->> DEPOSIT_STORAGE: check authentication
- DEPOSIT_STORAGE -->> DEPOSIT: return ok
+ DEPOSIT ->> DEPOSIT_DATABASE: check authentication
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok
- DEPOSIT ->> DEPOSIT_STORAGE: check inputs()
+ DEPOSIT ->> DEPOSIT_DATABASE: check inputs()
 alt status is 'partial'
- DEPOSIT_STORAGE -->> DEPOSIT: return ok
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok
 alt HEADER: In-Progress = true
- DEPOSIT ->> DEPOSIT_STORAGE: add-or-replace-data-and-update-status('partial')
+ DEPOSIT ->> DEPOSIT_DATABASE: add-or-replace-data-and-update-status('partial')
 else HEADER: In-Progress = false
- DEPOSIT ->> DEPOSIT_STORAGE: add-or-replace-data-and-update-status('deposited')
+ DEPOSIT ->> DEPOSIT_DATABASE: add-or-replace-data-and-update-status('deposited')
 end
- DEPOSIT_STORAGE -->> DEPOSIT: return ok
+ DEPOSIT_DATABASE -->> DEPOSIT: return ok
 DEPOSIT -->> CLIENT: return 204
 else status is not partial
- DEPOSIT_STORAGE -->> DEPOSIT: return ko
+ DEPOSIT_DATABASE -->> DEPOSIT: return ko
 DEPOSIT -->> CLIENT: return 400, "You can only act on deposit with status partial"
 end
 @enduml
diff --git a/docs/internals/authentication.rst b/docs/internals/authentication.rst
index f50ae834..6d423cf4 100644
--- a/docs/internals/authentication.rst
+++ b/docs/internals/authentication.rst
@@ -1,44 +1,44 @@
 .. _authentication:
 Authentication
 ==============
 This is a description of the authentication mechanism used in the deposit server. Both `basic authentication `_ and `keycloak`_ schemes are supported through configuration.
 Basic
 -----
 The first implementation uses `basic authentication
-`_. The deposit storage backend has the
-responsibility to check the authentication credentials sent by the deposit client. If
+`_. The deposit server checks
+the authentication credentials sent by the deposit client using its own database. If
 authorized, the deposit client is allowed to continue its deposit. Otherwise, a 401 response is returned to the client.
 .. figure:: images/deposit-authentication-basic.svg
    :alt: Basic Authentication
 Keycloak
 --------
 Recent changes introduced `keycloak`_, an Open Source Identity and Access Management tool which is already used in other parts of the swh stack. The authentication is delegated to the `swh keycloak instance `_ using the `Resource Owner Password Credentials `_ scheme. Deposit clients still uses the deposit as before. Transparently for them, the deposit server forwards their credentials to keycloak for validation. If `keycloak`_ authorizes the deposit client, the deposit further checks that the deposit client has the proper permission "swh.deposit.api". If they do, they can post their deposits. If any issue arises during one of the authentication check, the client receives a 401 response (unauthorized).
 .. figure:: images/deposit-authentication-keycloak.svg
    :alt: Keycloak Authentication
 .. _keycloak: https://www.keycloak.org/