-
Notifications
You must be signed in to change notification settings - Fork 0
COPS-298: populate docs into backstage #9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
+215
−204
Closed
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
eae15c1
COPS-298: populate docs into backstage
agaetep 733912d
update project structure
agaetep 9af823f
fix dead link
agaetep e250768
use docs/index.md as original readme with symlink
agaetep 393a894
disable markdown link for root level path
agaetep File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,204 @@ | ||
| # LFX v2 Access Check Service | ||
|
|
||
|  | ||
|  | ||
|  | ||
|
|
||
| A access check service for the LFX v2 platform, providing centralized authorization and permission management across LFX services. | ||
agaetep marked this conversation as resolved.
Show resolved
Hide resolved
agaetep marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| ## ✨ Key Features | ||
|
|
||
| - **🚀 Bulk Access Checks**: Process multiple resource-action permission checks in a single HTTP request | ||
| - **🔐 JWT Authentication**: Secure authentication using Heimdall-issued JWT tokens | ||
| - **🔄 Real-time Processing**: Asynchronous message processing via NATS queue | ||
| - **🚢 Cloud Native**: Kubernetes-ready with Helm charts for easy deployment | ||
|
|
||
| ## 🏗️ Architecture Overview | ||
|
|
||
| ```mermaid | ||
| graph TB | ||
| subgraph "LFX v2 Platform Gateway" | ||
| T[Traefik<br/>API Gateway] | ||
| H[Heimdall<br/>Access Decision Service] | ||
| end | ||
|
|
||
| subgraph "Access Check Service" | ||
| AC[HTTP Server<br/>:8080] | ||
| AS[Access Service<br/>Core Logic] | ||
| HE[Health Endpoints<br/>/livez /readyz] | ||
| end | ||
|
|
||
| subgraph "Platform Infrastructure" | ||
| N[NATS<br/>Message Queue] | ||
| end | ||
|
|
||
| T --> H | ||
| H --> AC | ||
| AC --> AS | ||
| AC --> HE | ||
|
|
||
| AS <-->|bulk access checks<br/>access-check subject| N | ||
| ``` | ||
|
|
||
| ## 🔄 Access Check Flow | ||
|
|
||
| ```mermaid | ||
| sequenceDiagram | ||
| participant Client as API Consumer | ||
| participant Traefik as Traefik Gateway | ||
| participant Heimdall as Heimdall Access Decision | ||
| participant AccessCheck as Access Check Service | ||
| participant NATS as NATS Queue | ||
|
|
||
| Client->>Traefik: POST /access-check<br/>Bearer: JWT + resource list | ||
| Traefik->>Heimdall: Validate JWT & authorize | ||
| Heimdall-->>Traefik: Auth success | ||
| Traefik->>AccessCheck: Forward authenticated request | ||
|
|
||
| AccessCheck->>AccessCheck: Extract principal from JWT | ||
| AccessCheck->>AccessCheck: Build resource-action pairs | ||
| AccessCheck->>NATS: Publish bulk access check<br/>Subject: access-check | ||
|
|
||
| NATS-->>AccessCheck: Return authorization results | ||
| AccessCheck-->>Traefik: JSON response with decisions | ||
| Traefik-->>Client: Access check results | ||
|
|
||
| Note over AccessCheck: Optimized for bulk operations<br/>with comprehensive logging | ||
| ``` | ||
|
|
||
| ## 🚀 Quick Start | ||
|
|
||
| ### Prerequisites | ||
|
|
||
| - **Go**: 1.24.0 | ||
| - **Docker**: For containerized deployment | ||
| - **NATS**: Message queue for service communication | ||
| - **Heimdall**: JWT authentication provider | ||
|
|
||
| ### Local Development | ||
|
|
||
| 1. **Clone the repository** | ||
| ```bash | ||
| git clone https://github.com/linuxfoundation/lfx-v2-access-check.git | ||
| cd lfx-v2-access-check | ||
| ``` | ||
|
|
||
| 2. **Install dependencies** | ||
| ```bash | ||
| make deps | ||
| ``` | ||
|
|
||
| 3. **Generate API code** (if needed) | ||
| ```bash | ||
| make apigen | ||
| ``` | ||
|
|
||
| 4. **Build the service** | ||
| ```bash | ||
| make build | ||
| ``` | ||
|
|
||
| 5. **Run tests** | ||
| ```bash | ||
| make test | ||
| ``` | ||
|
|
||
| 6. **Start the service** | ||
| ```bash | ||
| ./bin/lfx-access-check | ||
| ``` | ||
|
|
||
| ### Configuration | ||
|
|
||
| The service is configured via environment variables: | ||
|
|
||
| | Variable | Description | Default | | ||
| |----------|-------------|---------| | ||
| | `HOST` | Server host address | `0.0.0.0` | | ||
| | `PORT` | Server port | `8080` | | ||
| | `DEBUG` | Enable debug logging | `false` | | ||
| | `JWKS_URL` | Heimdall JWKS endpoint | `http://heimdall:4457/.well-known/jwks` | | ||
| | `AUDIENCE` | JWT audience | `lfx-v2-access-check` | | ||
| | `ISSUER` | JWT issuer | `heimdall` | | ||
| | `NATS_URL` | NATS server URL | `nats://nats:4222` | | ||
|
|
||
| ### Docker Deployment | ||
|
|
||
| ```bash | ||
| # Build image | ||
| make docker-build | ||
|
|
||
| # Run container | ||
| docker run -p 8080:8080 \ | ||
| -e JWKS_URL=http://heimdall:4457/.well-known/jwks \ | ||
| -e NATS_URL=nats://nats:4222 \ | ||
| linuxfoundation/lfx-access-check:latest | ||
| ``` | ||
|
|
||
| ### Health Endpoints | ||
|
|
||
| - **Liveness**: `GET /livez` - Basic service health | ||
| - **Readiness**: `GET /readyz` - Service + dependencies health | ||
|
|
||
| ## 🏛️ Architecture Details | ||
|
|
||
| ### Core Components | ||
|
|
||
| 1. **HTTP Server** (`cmd/lfx-access-check/`) | ||
| - Goa-based REST API server | ||
| - JWT authentication middleware | ||
| - Request ID tracking | ||
| - Structured logging | ||
|
|
||
| 2. **Access Service** (`internal/service/`) | ||
| - Core business logic | ||
| - JWT token validation | ||
| - NATS message publishing | ||
| - Response aggregation | ||
|
|
||
| 3. **Infrastructure Layer** (`internal/infrastructure/`) | ||
| - **Auth Repository**: Heimdall JWT validation | ||
| - **Messaging Repository**: NATS communication | ||
| - **Config**: Environment-based configuration | ||
|
|
||
| 4. **Domain Contracts** (`internal/domain/contracts/`) | ||
| - Shared data structures | ||
| - JWT claims modeling | ||
| - Service interfaces | ||
|
|
||
| ### Project Structure | ||
|
|
||
| ``` | ||
| ├── cmd/lfx-access-check/ # Application entry point | ||
| ├── design/ # Goa API design definitions | ||
| ├── gen/ # Generated API code (Goa) | ||
| ├── internal/ | ||
| │ ├── container/ # Dependency injection | ||
| │ ├── domain/contracts/ # Domain models & interfaces | ||
| │ ├── infrastructure/ # External service adapters | ||
| │ ├── middleware/ # HTTP middleware | ||
| │ ├── service/ # Core business logic | ||
| │ └── mocks/ # Test mocks | ||
| ├── pkg/ | ||
| │ ├── constants/ # Application constants | ||
| │ └── log/ # Structured logging utilities | ||
| ├── test/integration/ # Integration tests | ||
| └── charts/ # Helm deployment charts | ||
| ``` | ||
agaetep marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| ## 🚢 Deployment | ||
|
|
||
| ### Kubernetes with Helm | ||
|
|
||
| ```bash | ||
| # Install/upgrade with Helm | ||
| helm upgrade --install lfx-v2-access-check ./charts/lfx-v2-access-check \ | ||
| --set image.tag=latest \ | ||
| --set config.jwksUrl=http://heimdall:4457/.well-known/jwks \ | ||
| --set config.natsUrl=nats://nats:4222 | ||
| ``` | ||
|
|
||
| ## 📄 License | ||
|
|
||
| This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details. | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # Copyright The Linux Foundation and each contributor to LFX. | ||
| --- | ||
| site_name: 'LFX One Access Check' | ||
| site_description: 'Documentation for LFX One Access Check' | ||
agaetep marked this conversation as resolved.
Show resolved
Hide resolved
agaetep marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| nav: | ||
| - Home: index.md | ||
| plugins: | ||
| - techdocs-core | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.