DAFNI Security Service (DSS)

The DAFNI Security Service (DSS) controls authentication (the process of verifying who a user is) and authorization (the process of verifying what a user has access to) on DAFNI. The DSS is utilised by all other DAFNI components in order to find out what assets a user has access to, whether a user is allowed to carry out any given action on the system and to identify a user from their access token.

The DSS also encompasses the login-app, which allows a registered user to log in to DAFNI with their given credentials. Upon logging into DAFNI, the user is assigned a JSON Web Token (JWT) which encodes the identity of the user in a long series of letters and numbers. This token can only be decoded if one has the appropriate secret key (which in this case is only stored in the DSS itself).

Once the user has successfully logged in to DAFNI, the JWT is stored in a cookie in the user’s browser. Whenever the user makes a request to a DAFNI component, the JWT is passed from the browser to the component they are making the request to. The component then passes the JWT to the DSS, which is able to decode it with the secret key, identify the user and finally carry out the permissions query which the component is asking for.

The DSS stores the relationships between users and “assets” (which can be datasets, models, workflows, visualisations, etc…). These relationships can be directly between users and assets as well as being between groups of users and assets. Adding group permissions enables a collection of users to be given the same permissions on an asset by first adding them to a group and then adding permissions between the group and the asset.
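
The flow described above, as an added example that is not DAFNI's own code: a DSS-like service signs a JWT at login, identifies the user from a presented token, and answers a permissions query from direct and group grants. It assumes an HS256-signed token (the page does not state the algorithm); the key, users, group and asset are constructed, and all function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: held only inside the DSS

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, ttl=3600, now=None):
    """Login step: sign the user's identity into a JWT (HS256 assumed)."""
    now = time.time() if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"sub": user, "exp": int(now) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"

def identify(token, now=None):
    """Return the user name, or None if the token is forged, malformed or expired."""
    now = time.time() if now is None else now
    try:
        header, claims, sig = token.split(".")
        if json.loads(unb64url(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the header's choice
        expected = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):
            return None
        payload = json.loads(unb64url(claims))
        return payload["sub"] if payload["exp"] > now else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

# Constructed sample data: group membership plus direct and group grants.
GROUPS = {"flood-team": {"alice", "bob"}}
GRANTS = {("user", "carol", "dataset-1"): {"read", "write"},
          ("group", "flood-team", "dataset-1"): {"read"}}

def is_allowed(token, asset, action) -> bool:
    """Permissions query a component sends to the DSS alongside the user's JWT."""
    user = identify(token)
    if user is None:
        return False
    principals = [("user", user)] + [("group", g) for g, m in GROUPS.items() if user in m]
    return any(action in GRANTS.get((kind, name, asset), set()) for kind, name in principals)
```

Because the calling component never holds the key, it cannot validate or mint tokens itself; every identity and permission decision stays inside the service that owns the secret.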

As an extra layer of security, DAFNI makes use of Kubernetes Ingress in order to control incoming traffic to DAFNI. All DAFNI components (apart from the login-app) sit behind the ingress. The ingress analyses each incoming request and checks whether it contains a valid JWT before allowing the request to reach the component. This extra check ensures that no malicious users can make requests to DAFNI and that only logged-in, valid users can use the DAFNI system.

System Diagram

 

[Figure: system diagram]

Future

Keycloak

In the future, the authentication part of the DSS will be replaced by Keycloak (an open source identity and access management system), which will allow federated login to DAFNI. Federated login will mean that users can use non-DAFNI-specific credentials to log in to DAFNI. For example, users may be able to log in using their academic, social media or GitHub credentials, removing the need for users to have a separate set of DAFNI login credentials.

Licenses

We also want the DSS to be able to make decisions based on a user’s licenses and the licenses that an asset requires for access. This would ensure that only those users who have been certified as having an academic license would be able to access data that has only been made available to academics. At the moment, this kind of data cannot be added to DAFNI as we cannot ensure that everyone using the platform has the license required to access it. The DSS would handle this by storing a list of all the licenses a user is certified as having as well as a list of all the licenses an asset requires for access.
