The Authorization service provides basic authorization for all other datawave microservices. Authorization is a single endpoint that returns a signed JSON Web Token (JWT) that represents a list of DatawaveUser objects. Authorization may be performed by a trusted entity (i.e., a server) on behalf of another user or chain of servers leading to a user.
The Authorization service caches authorized users and also provides an administrative rest API to query and manage the cache.
When the fields 'email' and 'login' were added to DatawaveUser, we created V2 of the authorization and oauth API methods to ensure that microservices using the pre-change authorization-api could still deserialize the JSON or JWT serialized DatawaveUser when they call the V1 methods.
https://host:port/authorization/v1/
| Method | Operation | Description | Request Body |
|---|---|---|---|
GET |
authorize | Authorizes the calling user | N/A |
GET |
whoami | Returns details about the calling user | N/A |
https://host:port/authorization/v2/
| Method | Operation | Description | Request Body |
|---|---|---|---|
GET |
authorize | Authorizes the calling user | N/A |
GET |
whoami | Returns details about the calling user | N/A |
https://host:port/authorization/v2/oauth/
| Method | Operation | Description | Request Body |
|---|---|---|---|
GET |
authorize | For registered client_id and authorized user, return a short-lived code that can be used by the client to retrieve a user's JWT | N/A |
POST |
token | Using either a code from 'authorize' or a refresh_token, a registered can fetch the corresponding user's JWT | N/A |
GET |
user | Returns details about primary current (by token or PKI) user | N/A |
GET |
users | Returns details about all current (by token or PKI) proxied users | N/A |
Users must possess the Administrator role to access any of the admin methods.
| Method | Operation | Description | Request Body |
|---|---|---|---|
DELETE |
admin/evictAll | Deletes all users from the cache | N/A |
DELETE |
admin/evictUser | Deletes the named user from the cache | N/A |
DELETE |
admin/evictUsersMatching | Deletes users with names containing the supplied string from the authorization cache | N/A |
GET |
admin/listUsers | Shows all users in the cache | N/A |
GET |
admin/listUser | Retrieves the named user from the cache | N/A |
GET |
admin/listUsersMatching | Retrieves users with names containing the supplied string from the authorization cache | N/A |
- See AuthorizationOperations class for details
-
First, refer to services/README for launching the config service.
-
Launch this service as follows, with the
mockprofile to leverage test PKI materials and associated user configuration (see authorization-mock.yml).java -jar service/target/authorization-service*-exec.jar --spring.profiles.active=dev,mock -
Ensure that the testUser.p12 (password: ChangeIt) cert is imported into your browser, and then visit any of the following:
- https://localhost:8643/authorization/v1/authorize
- https://localhost:8643/authorization/v1/whoami
- https://localhost:8643/authorization/v1/admin/listAll
- https://localhost:8643/authorization/v1/admin/listUser?username=test
- https://localhost:8643/authorization/v1/admin/listUsersMatching?username=test
- Perform PUT and POST API operations with your preferred HTTP client, as desired
See sample_configuration/authorization-dev.yml and configure as desired