-
Notifications
You must be signed in to change notification settings - Fork 89
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: make rafiki admin auth optional (#2883)
* feat: make rafiki admin auth optional * docs: README updates
- Loading branch information
1 parent
1f11f57
commit 94c9140
Showing
45 changed files
with
443 additions
and
167 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -255,11 +255,9 @@ Note that you have to go through an interaction flow by clicking on the `redirec | |
|
|
||
| #### Admin UI | ||
|
|
||
| In order to manage, and view information about the Rafiki instance(s) you can use the [Rafiki Admin](../packages/frontend/README.md) UI. We have secured access to Rafiki Admin using [Ory Kratos](https://www.ory.sh/docs/kratos/ory-kratos-intro). Since access to the UI is on an invitation-only basis the registration flow is not publicly available. As such, in order to access Rafiki Admin you can click the registration link provided in the logs during `localenv` startup or you can manually add a new user with the invite-user script. Run `docker exec -it <admin-container-name> npm run invite-user -- [email protected]` and it will output a link to the terminal. Copy and paste this link in your browser and you will automatically be logged in and directed to the account settings page. The next step is changing your password. We're using a simple email and password authentication method. | ||
| In order to manage and view information about the Rafiki instance(s) you can use the [Rafiki Admin](https://rafiki.dev/rafikiadmin/overview/) UI. We have secured access to Rafiki Admin using [Ory Kratos](https://www.ory.sh/docs/kratos/ory-kratos-intro); however, in our local playground setup we've chosen to disable authorization for easier development and testing interactions. | ||
|
|
||
| Note that a separate registration is required for Cloud Nine Wallet's Rafiki Admin and Happy Life Bank's Rafiki Admin, since they are each designed to run as separate mock account servicing entities. Once you've registered, you can always come back to your Rafiki Admin account by navigating to [`localhost:3010`](http://localhost:3010) (Cloud Nine Wallet) or [`localhost:4010`](http://localhost:4010) (Happy Life Bank) and logging in. | ||
|
|
||
| You can test the account recovery flow by clicking "Forgot pasword?" on the login page and by navigating to [`localhost:4436`](http://localhost:4436) (Mailslurper interface). | ||
| If you'd like to enable authorization locally you can run `pnpm localenv:compose:adminauth up` and check out the setup in the [`admin-auth`](./admin-auth/) subdirectory. Note that, if authorization is enabled, you must register separately for Cloud Nine Wallet's Rafiki Admin and Happy Life Bank's Rafiki Admin, as they are intended to operate as distinct mock account servicing entities. Once you've registered, you can always come back to your Rafiki Admin account by navigating to [`localhost:3010`](http://localhost:3010) (Cloud Nine Wallet) or [`localhost:4010`](http://localhost:4010) (Happy Life Bank) and logging in. Since access to the UI is on an invitation-only basis the registration flow is not publicly available. As such, in order to access Rafiki Admin you can manually add a new user with the invite-user script. Run `docker exec -it <admin-container-name> npm run invite-user -- [email protected]`, and it will output a link to the terminal. Copy and paste this link in your browser and you will automatically be logged in and directed to the account settings page. The next step is changing your password. We are using a simple email and password authentication method. | ||
|
|
||
| #### Admin APIs | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,91 @@ | ||
| version: v0.13.0 | ||
|
|
||
| dsn: postgres://cloud_nine_kratos:kratos_password@shared-database:5432/cloud_nine_kratos?sslmode=disable&max_conns=20&max_idle_conns=4 | ||
|
|
||
| serve: | ||
| public: | ||
| base_url: http://localhost:4433/ | ||
| cors: | ||
| enabled: true | ||
| admin: | ||
| base_url: http://cloud-nine-kratos:4434/ | ||
|
|
||
| selfservice: | ||
| default_browser_return_url: http://localhost:3010/ | ||
| allowed_return_urls: | ||
| - http://localhost:3010 | ||
|
|
||
| methods: | ||
| link: | ||
| config: | ||
| lifespan: 1h | ||
| base_url: http://localhost:4433 | ||
| enabled: true | ||
| password: | ||
| enabled: true | ||
|
|
||
| flows: | ||
| error: | ||
| ui_url: http://localhost:3010/error | ||
|
|
||
| settings: | ||
| ui_url: http://localhost:3010/settings | ||
| privileged_session_max_age: 15m | ||
| required_aal: highest_available | ||
|
|
||
| recovery: | ||
| enabled: true | ||
| ui_url: http://localhost:3010/auth/recovery | ||
| use: link | ||
| after: | ||
| hooks: | ||
| - hook: revoke_active_sessions | ||
|
|
||
| verification: | ||
| enabled: false | ||
|
|
||
| logout: | ||
| after: | ||
| default_browser_return_url: http://localhost:3010/auth | ||
|
|
||
| login: | ||
| ui_url: http://localhost:3010/auth/login | ||
| lifespan: 10m | ||
|
|
||
| registration: | ||
| enabled: false | ||
|
|
||
| log: | ||
| level: debug | ||
| format: json | ||
| leak_sensitive_values: true | ||
|
|
||
| secrets: | ||
| cookie: | ||
| - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE | ||
| cipher: | ||
| - 32-LONG-SECRET-NOT-SECURE-AT-ALL | ||
|
|
||
| ciphers: | ||
| algorithm: xchacha20-poly1305 | ||
|
|
||
| hashers: | ||
| algorithm: bcrypt | ||
| bcrypt: | ||
| cost: 8 | ||
|
|
||
| identity: | ||
| schemas: | ||
| - id: default | ||
| url: file:///etc/config/kratos/identity.schema.json | ||
|
|
||
| courier: | ||
| smtp: | ||
| connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true | ||
|
|
||
| session: | ||
| lifespan: 1h | ||
| cookie: | ||
| persistent: false | ||
| same_site: Strict | ||
| path: / |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| CREATE USER cloud_nine_wallet_backend WITH PASSWORD 'cloud_nine_wallet_backend'; | ||
| CREATE DATABASE cloud_nine_wallet_backend; | ||
| ALTER DATABASE cloud_nine_wallet_backend OWNER TO cloud_nine_wallet_backend; | ||
|
|
||
| CREATE USER cloud_nine_wallet_auth WITH PASSWORD 'cloud_nine_wallet_auth'; | ||
| CREATE DATABASE cloud_nine_wallet_auth; | ||
| ALTER DATABASE cloud_nine_wallet_auth OWNER TO cloud_nine_wallet_auth; | ||
|
|
||
| CREATE USER happy_life_bank_backend WITH PASSWORD 'happy_life_bank_backend'; | ||
| CREATE DATABASE happy_life_bank_backend; | ||
| ALTER DATABASE happy_life_bank_backend OWNER TO happy_life_bank_backend; | ||
|
|
||
| CREATE USER happy_life_bank_auth WITH PASSWORD 'happy_life_bank_auth'; | ||
| CREATE DATABASE happy_life_bank_auth; | ||
| ALTER DATABASE happy_life_bank_auth OWNER TO happy_life_bank_auth; | ||
|
|
||
| CREATE USER happy_life_kratos WITH PASSWORD 'kratos_password'; | ||
| CREATE DATABASE happy_life_kratos; | ||
| ALTER DATABASE happy_life_kratos OWNER TO happy_life_kratos; | ||
|
|
||
| CREATE USER cloud_nine_kratos WITH PASSWORD 'kratos_password'; | ||
| CREATE DATABASE cloud_nine_kratos; | ||
| ALTER DATABASE cloud_nine_kratos OWNER TO cloud_nine_kratos; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| services: | ||
| cloud-nine-admin: | ||
| environment: | ||
| AUTH_ENABLED: true | ||
| KRATOS_CONTAINER_PUBLIC_URL: 'http://cloud-nine-kratos:4433' | ||
| KRATOS_BROWSER_PUBLIC_URL: 'http://localhost:4433' | ||
| KRATOS_ADMIN_URL: 'http://cloud-nine-kratos:4434/admin' | ||
| depends_on: | ||
| - cloud-nine-backend | ||
| - cloud-nine-kratos | ||
|
|
||
| happy-life-admin: | ||
| environment: | ||
| AUTH_ENABLED: true | ||
| KRATOS_CONTAINER_PUBLIC_URL: 'http://happy-life-kratos:4433' | ||
| KRATOS_BROWSER_PUBLIC_URL: 'http://localhost:4432' | ||
| KRATOS_ADMIN_URL: 'http://happy-life-kratos:4434/admin' | ||
| depends_on: | ||
| - cloud-nine-admin | ||
| - happy-life-backend | ||
| - happy-life-kratos | ||
|
|
||
| cloud-nine-kratos: | ||
| build: | ||
| context: ../.. | ||
| dockerfile: ./packages/frontend/kratos/Dockerfile | ||
| args: | ||
| PATH_TO_KRATOS_CONFIG: ./localenv/admin-auth/cloud-nine-kratos.yml | ||
| depends_on: | ||
| - shared-database | ||
| - mailslurper | ||
| environment: | ||
| DEV_MODE: true | ||
| ports: | ||
| - "4433:4433" | ||
| networks: | ||
| - rafiki | ||
|
|
||
| happy-life-kratos: | ||
| build: | ||
| context: ../.. | ||
| dockerfile: ./packages/frontend/kratos/Dockerfile | ||
| args: | ||
| PATH_TO_KRATOS_CONFIG: ./localenv/admin-auth/happy-life-kratos.yml | ||
| depends_on: | ||
| - shared-database | ||
| - mailslurper | ||
| environment: | ||
| DEV_MODE: true | ||
| ports: | ||
| - "4432:4433" | ||
| networks: | ||
| - rafiki | ||
|
|
||
| mailslurper: | ||
| image: oryd/mailslurper:latest-smtps | ||
| ports: | ||
| - "4436:4436" | ||
| - "4437:4437" | ||
| networks: | ||
| - rafiki | ||
|
|
||
| shared-database: | ||
| volumes: | ||
| - ../admin-auth/dbinit.sql:/docker-entrypoint-initdb.d/init.sql |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,91 @@ | ||
| version: v0.13.0 | ||
|
|
||
| dsn: postgres://happy_life_kratos:kratos_password@shared-database:5432/happy_life_kratos?sslmode=disable&max_conns=20&max_idle_conns=4 | ||
|
|
||
| serve: | ||
| public: | ||
| base_url: http://localhost:4432/ | ||
| cors: | ||
| enabled: true | ||
| admin: | ||
| base_url: http://happy-life-kratos:4434/ | ||
|
|
||
| selfservice: | ||
| default_browser_return_url: http://localhost:4010/ | ||
| allowed_return_urls: | ||
| - http://localhost:4010 | ||
|
|
||
| methods: | ||
| link: | ||
| config: | ||
| lifespan: 1h | ||
| base_url: http://localhost:4432 | ||
| enabled: true | ||
| password: | ||
| enabled: true | ||
|
|
||
| flows: | ||
| error: | ||
| ui_url: http://localhost:4010/error | ||
|
|
||
| settings: | ||
| ui_url: http://localhost:4010/settings | ||
| privileged_session_max_age: 15m | ||
| required_aal: highest_available | ||
|
|
||
| recovery: | ||
| enabled: true | ||
| ui_url: http://localhost:4010/auth/recovery | ||
| use: link | ||
| after: | ||
| hooks: | ||
| - hook: revoke_active_sessions | ||
|
|
||
| verification: | ||
| enabled: false | ||
|
|
||
| logout: | ||
| after: | ||
| default_browser_return_url: http://localhost:4010/auth | ||
|
|
||
| login: | ||
| ui_url: http://localhost:4010/auth/login | ||
| lifespan: 10m | ||
|
|
||
| registration: | ||
| enabled: false | ||
|
|
||
| log: | ||
| level: debug | ||
| format: json | ||
| leak_sensitive_values: true | ||
|
|
||
| secrets: | ||
| cookie: | ||
| - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE | ||
| cipher: | ||
| - 32-LONG-SECRET-NOT-SECURE-AT-ALL | ||
|
|
||
| ciphers: | ||
| algorithm: xchacha20-poly1305 | ||
|
|
||
| hashers: | ||
| algorithm: bcrypt | ||
| bcrypt: | ||
| cost: 8 | ||
|
|
||
| identity: | ||
| schemas: | ||
| - id: default | ||
| url: file:///etc/config/kratos/identity.schema.json | ||
|
|
||
| courier: | ||
| smtp: | ||
| connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true | ||
|
|
||
| session: | ||
| lifespan: 1h | ||
| cookie: | ||
| persistent: false | ||
| same_site: Strict | ||
| path: / |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.