Basic auth with RBAC

[kdhrubo]

1. Provide support for Basic auth
2. Support for RBAC for user/roles

How to supply the basic auth list of users, passwords, and roles?

• Using a file that provides an updated list of users, and passwords with roles and permissions. However, this will require a restart of DB2Rest instance
• Provide management API to update the list. The management API can be called from CI/CD pipeline or another script. This will not require any restart. DB2Rest on this call will refresh in-memory cache.

[MichalisDBA]

Maybe make db2rest save the configs, credentials or anything else to a sqlite db file. SQLite is used from numbered of apps as embedded database.

[MichalisDBA]

Also this authorization library has support for Java. https://casbin.org/

[kdhrubo]

is there any example for api auth with jcasbin?

[MichalisDBA]

I don't know for sure. Haven't used it.

[MichalisDBA]

This? https://github.com/supertokens/supertokens-core

[susanta-mukhopadhyay]

I do not think jcasbean is having any authentication capability. It is for RBAC.

[kdhrubo]

Actually it would be great if you want to use an open source 3rd party service like

• supertokens
• unkey

We already have an integration with unkey. We need to enable it.

That way these 3rd party systems manage and maintain the users and roles, and DB2Rest calls their API to authenticate/authorize.

How does this sound?

[MichalisDBA]

Yes sounds good. Let's see what the future holds!

[thadguidry]

That's basically how most secure systems do it (Banks, etc.) They don't embed or directly package Auth into ANY of the App layers, right? It's always a tokenized call to an IAM of some sort. Keep DB2Rest separate from an IAM, rather than embedding even a lightweight IAM of sorts into its packaging directly. IAM or PAM, for that matter.

What we can do is perhaps make it easier to integrate DB2Rest with IAM systems especially within cloud services? I'm thinking, SAML, SPM, SCIM, Auth2.0, where I think SCIM and Auth2.0 are more important to support initially since nearly all cloud providers provide one or both?

[susanta-mukhopadhyay]

I think jcasbean is only for RBAC. If we need both authentication and authorization, supertoken is better. Keycloak is also an option widely used and having good features.
https://www.baeldung.com/spring-boot-keycloak

[thadguidry]

Right, but Keycloak is something you have to run and spinup yourself locally or in the cloud. It uses OAuth2.0 or OpenID Connect. Not everyone wants or needs to run their own IAM/PAM, but sure, if they do want to run their own, Keycloak is a good way to do so.

Regardless of the IAM solution or where it is run, as long as it uses Auth2.0 or maybe optionally SCIM and OpenID Connect? , then DB2Rest could connect to those IAM solutions.

[thadguidry]

Hmm, does Spring have something, anything for connecting via SCIM? I would have thought Spring themselves already has official support for SCIM or SCIM2.0 somewhere somehow?

[thadguidry]

I only found this with Apache... https://github.com/apache/directory-scimple which "seems" to have Spring Boot support, I guess? https://github.com/apache/directory-scimple/tree/develop/support/spring-boot

[susanta-mukhopadhyay]

I agree about Keycloak it is little heavy, but I have seen solution which is using Keycloak for their own IAM and connecting to customer's IAM from that easily. Though implementation and server resource requirement may be on the higher side.

[PittyXu]

https://github.com/dromara/Sa-Token

[kdhrubo]

Thanks. We have borrowed the idea from their other project for API security i.e sureness. Implementation is 80% complete..will release mid next month after tests. Will support basic auth and jwt.(hmac) for the time being.

…

On Wed, May 22, 2024, 9:46 PM Pitty ***@***.***> wrote: https://github.com/dromara/Sa-Token — Reply to this email directly, view it on GitHub <#516 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAISPRCOR4MWWFNMD2ZJAKLZDVKANAVCNFSM6AAAAABG4DLUT6VHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TKMRZGA4TQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[kdhrubo]

If you would like to work on it, please check the auth module.

…

On Wed, May 22, 2024, 9:48 PM Dhrubo ***@***.***> wrote: Thanks. We have borrowed the idea from their other project for API security i.e sureness. Implementation is 80% complete..will release mid next month after tests. Will support basic auth and jwt.(hmac) for the time being. On Wed, May 22, 2024, 9:46 PM Pitty ***@***.***> wrote: > https://github.com/dromara/Sa-Token > > — > Reply to this email directly, view it on GitHub > <#516 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAISPRCOR4MWWFNMD2ZJAKLZDVKANAVCNFSM6AAAAABG4DLUT6VHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TKMRZGA4TQ> > . > You are receiving this because you authored the thread.Message ID: > ***@***.***> >

[PittyXu]

How about this, it has both authentication and authorization interface, support many features for user login. Or we can provide some interface for 3rd library.

https://github.com/dromara/Sa-Token

[kdhrubo]

This is like okta. DB2Rest doesn't have UI to login. So you can generate jwt with sa-token and DB2Rest can auth with that token.

…

On Wed, May 22, 2024, 9:52 PM Pitty ***@***.***> wrote: How about this, it has both authentication and authorization interface, support many features for user login. Or we can provide some interface for 3rd library. https://github.com/dromara/Sa-Token — Reply to this email directly, view it on GitHub <#516 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAISPRCH4E7HX6CZD4QBVKDZDVKX5AVCNFSM6AAAAABG4DLUT6VHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TKMRZGEZTC> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[kdhrubo]

@thadguidry @MichalisDBA
Implemented - https://db2rest.com/docs/security/basic_auth

Hence closing.