Update authorization and authentication flow details + change component name to "security" #1219
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tomekpapiernik
requested review from
a-thaler,
akucharska,
bszwarc,
clebs,
kazydek,
klaudiagrz,
lilitgh,
magicmatatjahu,
hudymi,
mjasinski5,
pkosiec and
suleymanakbas91
as code owners
magicmatatjahu
suggested changes
Oct 11, 2018
kazydek
reviewed
Oct 11, 2018
docs/manifest.yaml
Outdated
| - displayName: Authorization and Authentication | ||
| id: authorization-and-authentication | ||
| - displayName: Security | ||
| id: security |
There was a problem hiding this comment.
L.G. suggested to change the order of the components and move the Security topic at the top of the components' list - to important to be at the bottom.
|
|
||
| 1. The user opens the Kyma Console UI. If the Console application doesn't find a JWT token in the browser session storage, it redirects the user's browser to the Open ID Connect (OIDC) provider, Dex. | ||
| 2. Dex lists all defined Identity Provider connectors to the user. The user selects the Identity Provider to authenticate with. After successful authentication, the browser is redirected back to the OIDC provider which issues a JWT token to the user. After obtaining the token, the browser is redirected back to the Console UI. The Console UI stores the token in the Session Storage and uses it for all subsequent requests. | ||
| 3. The Console UI requests for a list of cluster resources in Environments from the API Server. The API Server is not accessible directly. The request is routed through the API Server Proxy - a simple Nginx reverse proxy exposed through an Istio Ingress. | ||
| 4. The request arrives at the Kubernetes API Server. The Kubernetes API Server validates the JWT token it received and directs the request accordingly if the validation is successful. | ||
| 3. The Authorization Proxy validates the JWT token passed in the `Authorization Bearer` request header. It extracts the user and groups details, the requested resource path, and the request method from the token. The Proxy uses this data to build an attributes record, which it sends to the Kubernetes Authorization API. |
There was a problem hiding this comment.
**Authorization Bearer** request header
kazydek
added
area/documentation
kazydek
approved these changes
Oct 11, 2018
suleymanakbas91
approved these changes
Oct 11, 2018
tomekpapiernik
force-pushed
the
issue-887
branch
from
64eb438 to
8460139
Compare
|
Not able to merge due to CI failing over and over. |
tomekpapiernik
force-pushed
the
issue-887
branch
from
8460139 to
69d5b03
Compare
|
Blocked - the CI keeps failing. |
tomekpapiernik
requested review from
crabtree,
jakkab,
jasiu001,
mszostok,
mwieczorek,
piotrmiskiewicz,
piotrmsc,
PK85,
polskikiel,
strekm and
Tomasz-Smelcerz-SAP
as code owners
tomekpapiernik
force-pushed
the
issue-887
branch
from
efd1d62 to
95628e4
Compare
aszecowka
approved these changes
Oct 18, 2018
grischperl
pushed a commit
to grischperl/kyma
that referenced
this pull request
Nov 10, 2020
* Create jobs for cluster-user tests * Fix release * Remove old test dir
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Changes proposed in this pull request:
Related issue(s)
#887