
feat(security): Update docs for new proxy implementation#981

Merged
bnevis-i merged 6 commits intoedgexfoundry:mainfrom
bnevis-i:proxy-switch
Mar 16, 2023

Conversation

@bnevis-i
Collaborator

@bnevis-i bnevis-i commented Mar 6, 2023

PR Checklist

Please check if your PR fulfills the following requirements:

  • Changes have been rendered and validated locally using mkdocs-material (see edgex-docs README)

Signed-off-by: Bryon Nevis <bryon.nevis@intel.com>
@bnevis-i bnevis-i marked this pull request as ready for review March 6, 2023 23:39
@bnevis-i bnevis-i added this to the Minnesota milestone Mar 6, 2023
Comment on lines 489 to 490
* `apps.secrets-config.proxy.tls.cert`
* `apps.secrets-config.proxy.tls.key`
Collaborator Author


@farshidtz

I don't know how to code support for the pre-seeded cert. I am pretty sure this is broken.

Member


There is a wrapper around secrets-config which is implemented here. It takes the snap options set by the user (cert and key payloads), writes them to a file, and calls secrets-config internally. I have it on my to-do list to move it to the edgex-go repo.

Yes it is broken. However, there is no way to make it work because secrets-config doesn't work right now in the snap because of the file ownership change: #981 (comment)

Signed-off-by: Bryon Nevis <bryon.nevis@intel.com>
Signed-off-by: Bryon Nevis <bryon.nevis@intel.com>
Signed-off-by: Bryon Nevis <bryon.nevis@intel.com>

@jim-wang-yutsung jim-wang-yutsung left a comment


LGTM

@bnevis-i bnevis-i requested a review from lenny-goodell March 15, 2023 19:57
In non-secure mode of EdgeX, the API gateway is not started.


### Local Service-to-Service - Using EdgeX Service Clients
Member


I am looking for a section that explains how to hit one of the services externally on the local system, i.e. using curl or Postman. In V2 we could do this w/o a token. Now in 3.0 we cannot.

Collaborator Author


See this commit: 072b306


@vyshali-chitikeshi vyshali-chitikeshi left a comment


Looks good to me from validation perspective

@vyshali-chitikeshi

This section: "Prior to EdgeX 3.0, requests that originated remotely were authenticated at the API gateway via an HTTP Authorization header that contained a JWT bearer token. Internally-originated requests required no authentication. In EdgeX 3.0, the Authorization header is additionally checked at the microservice level on a per-route basis, where the majority of URL paths require authentication." It would be helpful to add details on how a user can add this token as an Authorization header with a curl command or Postman collection while executing the REST APIs.

Signed-off-by: Bryon Nevis <bryon.nevis@intel.com>
@bnevis-i
Collaborator Author

This section: "Prior to EdgeX 3.0, requests that originated remotely were authenticated at the API gateway via an HTTP Authorization header that contained a JWT bearer token. Internally-originated requests required no authentication. In EdgeX 3.0, the Authorization header is additionally checked at the microservice level on a per-route basis, where the majority of URL paths require authentication." It would be helpful to add details on how a user can add this token as an Authorization header with a curl command or Postman collection while executing the REST APIs.

See this commit: 072b306

@vyshali-chitikeshi

LGTM

@bnevis-i bnevis-i requested a review from lenny-goodell March 16, 2023 21:13
Signed-off-by: Bryon Nevis <bryon.nevis@intel.com>
Member

@lenny-goodell lenny-goodell left a comment


LGTM

@bnevis-i bnevis-i merged commit 4ec2782 into edgexfoundry:main Mar 16, 2023
@bnevis-i bnevis-i deleted the proxy-switch branch March 16, 2023 23:14
edgex-jenkins added a commit that referenced this pull request Mar 16, 2023
Signed-off-by: edgex-jenkins <collab-it+edgex@linuxfoundation.org>

5 participants