Accessing External Services via AUTHENTICATION Service

Manage the access to an external service via the AUTHENTICATION service of yuuvis® Momentum.

Introduction

The AUTHENTICATION service manages the access to the yuuvis® Momentum API gateway. With a suitable configuration, access to external services running in the same Kubernetes cluster can also be managed via the AUTHENTICATION service of yuuvis® Momentum.

Involved Services

Two services of yuuvis® Momentum are responsible for the service routing:

  • the AUTHENTICATION service and
  • the API gateway.

After successful authentication of incoming requests, the AUTHENTICATION service sends the requests to the API gateway.

AUTHENTICATION Service

The service has its own endpoints that are configured in the file authentication-prod.yml in the sections routing.endpoints and authorization.accesses.

Requests are forwarded through the AUTHENTICATION service only for endpoints listed in routing.endpoints; a path that is not listed there is not reachable via the AUTHENTICATION service at all.

In authorization.accesses, permissions can be defined for the access to the individual endpoints and sub-paths.

API Gateway

The API gateway uses the Spring Cloud Kubernetes DiscoveryClient in order to dynamically create routes. This DiscoveryClient sends requests to the Kubernetes API. The corresponding permissions are configured via the Kubernetes objects ServiceAccount, RoleBinding and Role.

The API gateway pod runs under the service account that the DiscoveryClient uses to query the Kubernetes API for the Services in the namespace. Grant this account only what discovery needs, typically read access (get, list, watch) on Services and Endpoints, via the Role bound to it; it should not be able to create or modify objects.

The set of Kubernetes Services for which routes are created can be restricted. The filter for Kubernetes Services is configured in the file application-kubernetes.yml; the API gateway creates internal routes only for services matching this filter. By default, the following filter is applied:

metadata!=null && metadata.labels!=null && metadata.labels['yuuvis']=="true"

In order to create a route for a service in the API gateway, the label yuuvis: "true" has to be added in the labels section of the <externalservice>-service.yaml file. Kubernetes label values are strings, so the value has to be the quoted string "true", which is exactly what the filter compares against: an unquoted YAML boolean is rejected by the API server, and a value such as "True" does not match the filter. Note that every Service in the API gateway's namespace that carries this label gets a route, so the permission to create or label Services in that namespace is effectively the permission to publish an endpoint behind the gateway.

Example Configuration

In this example scenario, the required configuration steps are shown. Afterwards, the external service app in the namespace other will be available via the AUTHENTICATION service.

Follow these steps:

  • Deploy the pod for the external service app in the namespace other

    app-deployment.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      namespace: other
      name: app
    spec:
      replicas: 1
      selector:
        matchLabels:
          name: app
      template:
        metadata:
          labels:
            name: app
        spec:
          containers:
          - name: app
          ...
            ports:
            - containerPort: 80
          ...
    
    
  • Create a Kubernetes Service for app in the namespace other, e.g., app-svc. Its selector matches the label name: app of the pod template above.

    app-service.yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: app-svc
      namespace: other
      labels:
        name: app-svc
    spec:
      ports:
      - name: "http"
        port: 80
        targetPort: 80
      selector:
        name: app
      type: ClusterIP
    
    
  • Create the Kubernetes Service app in the namespace yuuvis. Use the type ExternalName and point it at the cluster-internal DNS name of app-svc in the namespace other (app-svc.other.svc.cluster.local). Only this Service needs the label yuuvis: "true"; it is the one the API gateway filter sees.

    <externalservice>-service.yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: app
      labels:
        yuuvis: "true"
      namespace: yuuvis
    spec:
      type: ExternalName
      externalName: app-svc.other.svc.cluster.local
      ports:
      - port: 80
    
    
  • Add the external service app to the sections routing.endpoints and authorization.accesses in the authentication-prod.yml file. The entry in routing.endpoints makes the path reachable through the AUTHENTICATION service; the entry in authorization.accesses defines who may call it. If neither a method nor a role restriction is given, the endpoint is reachable for any authenticated user, so add the optional restrictions unless that is intended.

    authentication-prod.yml
    routing.endpoints:
      - 'app' # external service added to the list
    ...
    authorization.accesses:
      - endpoints: /app/** # added for the external service
        # optionally restrict to an HTTP method, e.g.: method: Post
        # optionally restrict to users with specific roles, e.g.: hasAuthority('COGNISPHERE')
  • Restart the AUTHENTICATION service.
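
Before restarting the AUTHENTICATION service, it is worth checking that the three artefacts of the procedure agree with each other: the Service in the gateway's namespace carries the label the filter expects, its externalName resolves to a Service that exists, and the endpoint is both listed in routing.endpoints and covered by an authorization.accesses entry. The following preflight check is an added example and not code from yuuvis Momentum. It re-implements the default Service filter from application-kubernetes.yml in Python and cross-checks the manifests against the authentication-prod.yml entries. Assumptions not stated on the page: manifests are handled as dicts (the form yaml.safe_load or kubectl -o json gives you), the flat keys routing.endpoints and authorization.accesses are used as in the snippet above, and the gateway publishes an endpoint named app under the path prefix /app. The sample manifests are constructed to mirror the example above.

```python
"""Preflight check for exposing an external service via the API gateway and the
AUTHENTICATION service. Added example, not yuuvis Momentum code; see the
assumptions in the lead-in above."""
import copy
import re
from typing import Dict, Iterable, List, Optional, Tuple

CLUSTER_DNS_SUFFIX = ".svc.cluster.local"


def matches_default_filter(service: dict) -> bool:
    """Python equivalent of the default gateway filter
    metadata!=null && metadata.labels!=null && metadata.labels['yuuvis']=="true".
    Label values are strings, so only the exact string "true" matches;
    "True", "yes" or a missing label leave the Service without a route."""
    metadata = service.get("metadata")
    if metadata is None:
        return False
    labels = metadata.get("labels")
    if labels is None:
        return False
    return labels.get("yuuvis") == "true"


def gateway_routes(services: Iterable[dict]) -> List[str]:
    """Names of the Services for which the gateway would create a route."""
    return [s["metadata"]["name"] for s in services if matches_default_filter(s)]


def external_name_target(service: dict) -> Optional[Tuple[str, str]]:
    """(name, namespace) of the in-cluster Service an ExternalName Service points
    at, or None if it is not an ExternalName or not a cluster-internal DNS name."""
    spec = service.get("spec") or {}
    if spec.get("type") != "ExternalName":
        return None
    pattern = r"([a-z0-9-]+)\.([a-z0-9-]+)" + re.escape(CLUSTER_DNS_SUFFIX)
    match = re.fullmatch(pattern, spec.get("externalName", ""))
    return (match.group(1), match.group(2)) if match else None


def preflight(gateway_namespace: str, services: List[dict], auth_config: dict) -> List[str]:
    """Return the problems found; an empty list means the routing chain is consistent."""
    problems: List[str] = []
    by_ns: Dict[str, Dict[str, dict]] = {}
    for svc in services:
        meta = svc["metadata"]
        by_ns.setdefault(meta.get("namespace", "default"), {})[meta["name"]] = svc
    endpoints = set(auth_config.get("routing.endpoints", []))
    access_patterns = {a.get("endpoints") for a in auth_config.get("authorization.accesses", [])}

    routed = gateway_routes(by_ns.get(gateway_namespace, {}).values())
    for name in routed:
        target = external_name_target(by_ns[gateway_namespace][name])
        if target is not None and target[0] not in by_ns.get(target[1], {}):
            problems.append(f"{name}: externalName points at {target[0]}.{target[1]}, which does not exist")
        if name not in endpoints:
            problems.append(f"{name}: routed by the gateway but missing from routing.endpoints")
        if f"/{name}/**" not in access_patterns:
            problems.append(f"{name}: no authorization.accesses entry for /{name}/**")
    # An endpoint the AUTHENTICATION service forwards to must have a gateway route.
    for ep in sorted(endpoints - set(routed)):
        problems.append(f"{ep}: listed in routing.endpoints but no Service in namespace "
                        f"{gateway_namespace} carries the label yuuvis=\"true\"")
    return problems


# Constructed sample manifests mirroring the example above (dict form of the YAML).
APP_SVC_OTHER = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "app-svc", "namespace": "other", "labels": {"name": "app-svc"}},
    "spec": {"type": "ClusterIP", "selector": {"name": "app"},
             "ports": [{"name": "http", "port": 80, "targetPort": 80}]},
}
APP_EXTERNAL = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "app", "namespace": "yuuvis", "labels": {"yuuvis": "true"}},
    "spec": {"type": "ExternalName", "externalName": "app-svc.other" + CLUSTER_DNS_SUFFIX,
             "ports": [{"port": 80}]},
}
AUTH_CONFIG = {"routing.endpoints": ["app"],
               "authorization.accesses": [{"endpoints": "/app/**"}]}


def with_label_value(service: dict, value: str) -> dict:
    """Copy of a Service with another yuuvis label value, to show the filter is an
    exact string comparison."""
    clone = copy.deepcopy(service)
    clone["metadata"]["labels"]["yuuvis"] = value
    return clone


if __name__ == "__main__":
    print("consistent:", preflight("yuuvis", [APP_SVC_OTHER, APP_EXTERNAL], AUTH_CONFIG))
    print("label typo:", preflight("yuuvis", [APP_SVC_OTHER, with_label_value(APP_EXTERNAL, "True")], AUTH_CONFIG))
    print("dangling target:", preflight("yuuvis", [APP_EXTERNAL], AUTH_CONFIG))
```

To run it against a real cluster, feed preflight the items of kubectl get svc -A -o json for all namespaces and the parsed authentication-prod.yml; every routed core service that is also listed in routing.endpoints passes silently, and only the inconsistencies are reported.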


Summary

For external services running in the same Kubernetes cluster as yuuvis® Momentum, access authorization can be managed via the AUTHENTICATION service. The required configuration steps were shown for an example scenario.

Read on

Installation Guide

Instructions for the installation of a yuuvis® Momentum system operating in a Kubernetes cluster via Helm Charts. Start with Helm charts for testing purposes and replace default third-party software according to your preferences.

Access Authorization and Permissions

A yuuvis® Momentum user has to be authorized to the functionality of the system by assigning roles. For the individual roles, permissions can be set to allow actions on objects restricted by defined conditions where appropriate and the usage of specific endpoints can be controlled.

Authentication against the Core API

This article details the authentication methods compatible with the yuuvis® Core API and how to choose the correct one for your use case.