Skip to end of metadata
Go to start of metadata




  • Advance the integration of the LSST Science Platform components

Discussion items


Authentication integration

Status on:

  • Brian Van Klaveren 's demonstration of the integration of authentication with WebDAV
  • This week's work on integration of the Portal with the authentication proxy

Authentication integration
  • Issues with the proxy buffer size — tokens and cookies are > 4KB
  • Tried to configure per-location; Matt tried to do it at the ingress level but had problems; applying configuration at the server block level in Inginx works
  • Loi gets token from X-Auth-Request header
  • Loi modified ingress rules to add an auth URL in the K8s configuration to enable authentication
  • Two issues: timeout is set to 10 minutes and may not be working quite right; Loi can store X-Auth-Request for every request and would then always have a fresh token to pass to DAX services, or can get a refresh token but he needs CILogon OAuth2 client secret
  • Refresh token would have to be managed by Portal
  • Using tokens from web requests is not sufficient as Portal may issue DAX requests autonomously long after the last web request
  • Token re-issuer could be used to extend lifetime of tokens, but not quite done yet, and integrating into the authorizer is only a short-term solution
  • Custom code needed in notebook to manage tokens at all; could build in refresh token handling
  • Refresh token handling can use client secret or not (by using PKCE); long-term solution is using PKCE
  • Frossie: Do we have an enumeration of authentication interactions? Discuss offline with timelines; meeting set for 2019-01-25
  • Fritz: Do we need refresh functionality within DAX APIs? DAX will get a 24 hour or longer reissued token for every request
  • Loi can use the current functionality with 15 minute lifetime, accessing WebDAV and DAX services (via configured new ingress)
  • Perhaps use token reissuer for non-DAX clients? But token would leave our domain
WebDAV from clients
  • Need to set up a page to issue tokens
  • Token would have to be pasted into a client in the username or password field
  • But works today within a web browser
  • Authentication has only a 15 minute lifetime for now
  • Only pointing at /datasets for now
  • Do a public demo?

Insulation of lsst-lsp-stable from active development and integration experiments on lsst-lsp-int
Sharing between lsst-lsp-stable and lsst-lsp-int
  • Currently at least ingress controller
  • Physically separate lsst-lsp-stable cluster with external Internet access coming in ~1 week
  • Should we have multiple ingress controllers anyway? e.g. for internal vs. external traffic
  • Won't take any action for now until new cluster comes up

Working group for deployment proposal/tech note summarizing current practice coming soon (led by Frossie)

Action items