OneStop is a data discovery system being built by CIRES researchers on a grant from the NOAA National Centers for Environmental Information. We welcome contributions from the community!
This project is maintained by cedardevs
The OneStop Registry REST API endpoints used for publishing, updating and removing a record are secured via CAS authentication. The secured endpoints are:
Any request with HTTP method POST, PUT, PATCH or DELETE to:
/metadata/**
Any request with HTTP method GET to:
/metadata/**/resurrection
Examples of providing credentials:
# Example credentials
export CAS_USER=casuser
export CAS_PASSWORD=password
# Prompt CAS user 'casuser' for credentials via curl
curl -u "${CAS_USER}" \
-H "Content-Type: application/json" \
-X POST https://data.dev.ncei.noaa.gov/psi-registry/metadata/**
# Manually provide CAS user 'casuser' credentials via curl
curl -u "${CAS_USER}:${CAS_PASSWORD}" \
-H "Content-Type: application/json" \
-X POST https://data.dev.ncei.noaa.gov/psi-registry/metadata/**
# Manually provide CAS user 'casuser' credentials via curl and an explicit 'Authorization' header.
# Use printf rather than echo: echo appends a newline, which would be base64-encoded into the credential and rejected.
curl \
-H "Authorization: Basic $(printf '%s' "${CAS_USER}:${CAS_PASSWORD}" | base64)" \
-H "Content-Type: application/json" \
-X POST https://data.dev.ncei.noaa.gov/psi-registry/metadata/**
However it is accomplished, the Authorization header must be sent with every request to a secured endpoint; the Registry keeps no session between requests. The credentials can be hard-coded into the commands above, stored in environment variables, or read from a properties file (or from curl's own .netrc via -n) so that a batch of requests does not prompt for credentials each time. A Java client could also load them from a JKS (Java KeyStore). Two caveats: HTTP Basic only base64-encodes the credentials, it does not encrypt them, so they must only ever be sent over HTTPS; and a password passed on the command line (-u user:password) is visible to other local users in the process list and may be saved in shell history, so a file readable only by the owner is the safer choice for scripted use.
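The following script is an added example, not code from the OneStop project or the page's authors. It shows the three points above in working form: building the Basic header from the exact credential bytes (no trailing newline), reading the user and password from an owner-only properties file, and reusing one header across a batch of POSTs. It also checks, before publishing, that the endpoint really refuses a request with no credentials. The properties keys `cas.user` and `cas.password`, the default base URL, and the trailing path segment under `/metadata/**` are assumptions for the example; adjust them to the record path the registry actually expects.

```shell
#!/bin/sh
# Added example (not part of the OneStop project): correct Basic header,
# credentials from a properties file, batch publishing with one header.

# Encode "user:password" for HTTP Basic. `echo` would append a newline that
# gets base64-encoded into the credential and rejected by the server;
# printf '%s' emits the bytes exactly. Basic auth is encoding, not
# encryption: only ever send this header over HTTPS.
basic_auth_header() {
  encoded=$(printf '%s' "$1:$2" | base64 | tr -d '\n')
  printf 'Authorization: Basic %s' "$encoded"
}

# Look up key=value in a Java-style properties file (assumed layout:
# cas.user=... and cas.password=...). Keep the file chmod 600 so the
# password is not readable by other local users. Dots in the key are
# escaped so they match literally in the sed pattern.
prop_value() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^${esc}=//p" "$1" | head -n 1
}

# Sanity check that CAS security is actually enforced: a POST with no
# credentials must be refused with 401 or 403. Any other status means the
# request was not rejected for lack of credentials.
verify_secured() {
  status=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \
    -H 'Content-Type: application/json' "$1/metadata/")
  case "$status" in
    401|403) return 0 ;;
    *) printf 'expected 401/403 without credentials, got %s\n' "$status" >&2
       return 1 ;;
  esac
}

# Publish every *.json record in a directory with one shared header, so no
# per-request prompt is needed. The exact record path under /metadata/** is
# not specified on this page; "/metadata/" is a placeholder.
publish_dir() {
  dir="$1"; creds="$2"
  base_url="${3:-https://data.dev.ncei.noaa.gov/psi-registry}"
  verify_secured "$base_url" || return 1
  header=$(basic_auth_header "$(prop_value "$creds" cas.user)" \
                             "$(prop_value "$creds" cas.password)")
  for f in "$dir"/*.json; do
    [ -e "$f" ] || continue
    curl -sS -o /dev/null -w "%{http_code} $f\n" \
      -H "$header" -H 'Content-Type: application/json' \
      -X POST --data-binary @"$f" "$base_url/metadata/"
  done
}

# Usage: publish_dir ./records ./cas.properties
```

`basic_auth_header casuser password` yields `Authorization: Basic Y2FzdXNlcjpwYXNzd29yZA==`; piping the same string through `echo` instead of `printf '%s'` produces a different (and invalid) token because the newline is encoded too.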
Authorization (which users are privileged) is configured on the OneStop Registry API. CAS users who need to call the secured endpoints described above must be added to the ROLE_ADMIN role. To grant this privilege to a new user, update the security configuration:
spring:
  profiles: cas

cas:
  prefixUrl: 'https://auth.ncdc.noaa.gov/cas'
  authorization:
    roles:
      ROLE_ADMIN:
        - ...
        - cas.user.who.needs.privilege
Ensuring CAS security is enabled on the OneStop Registry API:
Under the hood, a Spring profile named 'cas' enables security; if that profile is not active, the endpoints above are not protected, so confirm it after every deployment. Spring offers many ways to activate a profile, but we recommend one of the following (multiple profiles are comma-delimited):
spring.profiles.active: cas
export SPRING_PROFILES_ACTIVE=cas
The concept of "service accounts" is not yet used for the OneStop Registry on CAS, but one could be added for dedicated automated (non-human) clients if the CAS administrators are willing to maintain such a use case.
OneStop Registry is not a UI or browser frontend and is not intended to be exposed to the general public. The CAS instance it authenticates against is used through CAS's own REST API, which should not be exposed outside the internal network, because an externally reachable password-checking endpoint invites brute-force dictionary attacks. This is also why clients do not maintain an SSO session with OneStop Registry: each request carries its own credentials, which the Registry validates against CAS (a "direct client").