[SECURITY] EdgeX Auth Service in Go

Drasko DRASKOVIC
 

Hi all,
I have advanced with my Auth service: https://github.com/drasko/edgex-auth

Currently:
- HTTPS (TLS v1.2) is working
- NginX is forwarding all requests to the Auth service via the standard
feature `auth_request`:
http://nginx.org/en/docs/http/ngx_http_auth_request_module.html

In progress:
- Consul auto-discovery support (NginX can read Consul)
- Traefik support (Traefik also has `auth_request` forwarding feature)

At this point I think that the code has basic functionality and can be
contributed to the EdgeX official codebase.

It will bring:
- User creation and management
- User login via JWT token
- Authorization (access control) to all API endpoints if user is not logged in
- TLS encryption

If you are interested I can present the service on one of the
following TSC meetings.

Best regards,
Drasko DRASKOVIC
Mainflux Author and Technical Advisor

www.mainflux.com | Industrial IoT Cloud
-------------------------------------------------------------------
Engineering Division | Paris, France

LinkedIn: https://www.linkedin.com/in/draskodraskovic
Twitter: @draskodraskovic

White2, James
 

Dell - Internal Use - Confidential

Drasko,
Thanks for this work!
Because this is a security feature, if you don't mind, let's work it through the security working group first. This WG has been working on the reverse proxy as well as AA and data protection (through Vault). I'd like to make sure their work and yours is merged appropriately. I can send a note to Doug Gardner (WG chair) tomorrow and ask that he get it on the schedule. After that conversation, we can move the work into the temp repo and work it through the new contribution process.

Thanks again Drasko.
Jim

-----Original Message-----
From: Drasko DRASKOVIC [mailto:drasko@...]
Sent: Sunday, March 18, 2018 9:26 PM
To: edgex-golang@...; edgex-tsc@...; edgex-devel@...; edgex-tsc-security@...; Janko Isidorovic <janko@...>; dejan.mjc <dejan@...>; Nikola Marcetic <nikola@...>; manuel@...; White2, James <James_White2@...>
Subject: [SECURITY] EdgeX Auth Service in Go


Drasko DRASKOVIC
 

Hi Jim,

On Mon, Mar 19, 2018 at 4:27 AM, <James.White2@...> wrote:
> Dell - Internal Use - Confidential
>
> Drasko,
> Thanks for this work!
> Because this is a security feature, if you don't mind, let's work it through the security working group first.

Sure - this is why mail was sent to TSC Security ML.

> This WG has been working on the reverse proxy as well as AA and data protection (through Vault). I'd like to make sure their work and yours is merged appropriately. I can send a note to Doug Gardner (WG chair) tomorrow and ask that he get it on the schedule. After that conversation, we can move the work into the temp repo and work it through the new contribution process.

It should be noted that my work is in the PoC phase. It implements a
service behind the reverse proxy to which the proxy sends each request for
auth. This service is practically a "replacement" for the "config file"
approach - the philosophy is the same, just that NginX does not read a
config file, but consults the Auth service instead.

Best regards,
Drasko DRASKOVIC
Mainflux Author and Technical Advisor

www.mainflux.com | Industrial IoT Cloud
-------------------------------------------------------------------
Engineering Division | Paris, France

LinkedIn: https://www.linkedin.com/in/draskodraskovic
Twitter: @draskodraskovic
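
An added sketch of the per-request check discussed in this thread, not code from the edgex-auth repository: a Go endpoint that NginX `auth_request` can call, answering 200 to allow and 401 to deny after validating a JWT with the standard library only. HS256, the key, the listen address, and the names `sign`, `mint` and `verify` are assumptions; `mint` exists only to build constructed sample tokens.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/http"
	"strings"
	"time"
)

var key = []byte("constructed-demo-key") // assumption: HS256 key shared with the login endpoint
var b64 = base64.RawURLEncoding

func sign(msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

func mint(claims string) string { // builds a constructed sample token from a JSON claims string
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(claims))
	return msg + "." + b64.EncodeToString(sign(msg))
}

// verify returns the status NginX acts on: 2xx allows the request, 401 denies it.
func verify(authz string, now time.Time) int {
	p := strings.Split(strings.TrimPrefix(authz, "Bearer "), ".")
	if !strings.HasPrefix(authz, "Bearer ") || len(p) != 3 {
		return http.StatusUnauthorized
	}
	var h struct{ Alg string }
	var c struct{ Exp int64 }
	hr, e1 := b64.DecodeString(p[0])
	cr, e2 := b64.DecodeString(p[1])
	sig, e3 := b64.DecodeString(p[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hr, &h) != nil || h.Alg != "HS256" {
		return http.StatusUnauthorized // algorithm is pinned: "none" and anything else is refused
	}
	if !hmac.Equal(sig, sign(p[0]+"."+p[1])) || json.Unmarshal(cr, &c) != nil || now.Unix() >= c.Exp {
		return http.StatusUnauthorized // bad signature, or expired; a missing exp decodes to 0
	}
	return http.StatusOK
}

func main() { // assumption: NginX auth_request proxies its subrequest to this address
	http.ListenAndServe("127.0.0.1:8089", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(verify(r.Header.Get("Authorization"), time.Now()))
	}))
}
```

The signature is compared in constant time before the claims are parsed, so unauthenticated claim data is never acted on.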