t3-innovation-network/OCF-Collab

Request Broker

Goal

The Request Broker service is an intermediary between Requesters and Providers within the OCF Collab network. It serves several purposes:

  • Authenticate requests and make sure they come from authorized Requesters
  • Allow Requesters to search for competency frameworks across the whole network
  • Allow Requester Node Agents to fetch competency frameworks from multiple Providers through a single, common API
  • Enable Requesters to receive competency frameworks in the desired metamodel via Metamodel Interchange
  • Collect a Transaction Log that gives insight into node usage patterns

Node Directories

A Node Directory, represented by the NodeDirectory database model, is the collection of competency frameworks that a specific Provider exposes to the network. Each competency framework is represented by a Node Directory Entry file in a specified S3 bucket within the configured AWS account.

The current list of Node Directories is maintained in the config/registry_directory.json file in this repository.

To load that list into the database (and keep the database consistent with the file), run the registry_directory:sync_from_file Rake task.

AWS configuration

Use the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_REGION environment variables to supply the credentials used to read the S3 buckets assigned to Node Directories. Grant these credentials only read access to those buckets: the broker never needs to write to a Provider's bucket.

Request Node Agents

All requests come from Request Node Agents, which are the end-user access points for searching and retrieving competency frameworks.

Request Node Agents are authenticated with OAuth 2.0 using JWT access tokens; Request Broker acts as the identity provider.

Request Broker does not authenticate individual end users. Instead it uses the Client Credentials grant, so authentication is per application (per Request Node Agent), not per person.

Adding Request Node Agents

To give a Request Node Agent access to the network, an OauthApplication record has to be created.

The only required attribute is name. The uid and secret, which serve as the OAuth 2.0 client credentials (client_id and client_secret), are generated automatically. Hand the secret to the operator of the Request Node Agent over a secure channel; it is the only thing standing between an attacker and a valid access token.

Set the node_directory association if the Request Node Agent belongs to a network member that also exposes its own directory. The association is used only to enrich the Transaction Log; it grants no additional access.

JWT tokens

JWT tokens generated by Request Broker are signed with an RSA private key.

Run the following command to generate an RSA key. Leave the passphrase empty when prompted: the application reads the key from an environment variable and has no way to supply a passphrase. By default ssh-keygen writes to ~/.ssh/id_rsa; pass -f to choose a different output path.

```sh
ssh-keygen -t rsa -b 4096 -m pem
```

The generated key file should start with the -----BEGIN RSA PRIVATE KEY----- header. If a Proc-Type: 4,ENCRYPTED line follows that header, the key is passphrase-protected and will not work.

Put the contents of the private key file in the JWT_SECRET environment variable. Keep the private key out of the repository and out of logs; only the derived public key is meant to be shared.

The public key required for verifying requests is derived automatically and exposed via the /auth/keys endpoint, so Providers never need the private key.

Read the RNA integration.md and PNA integration.md files for more information on authenticating and verifying requests.
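The token lifecycle described in the two sections above (client credentials issuance, RSA-signed JWTs, and a public key published for verifiers), as an added example written for this page; it is not code from the OCF-Collab project. It assumes RS256 signatures, a JWK Set (RFC 7517) as the response shape of /auth/keys, a kid derived from a SHA-256 of the public key, and the claim names iss, sub, iat and exp; none of these are specified on the page. It uses only Ruby's bundled openssl and json libraries.

```ruby
require 'openssl'
require 'json'

# Base64url without padding (RFC 7515, section 2), via Array#pack so no extra gems are needed.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0')
end

# Load the signing key from the PEM text held in JWT_SECRET.
# Passphrase-protected keys are refused up front: nothing can answer the prompt on a server.
def load_signing_key(pem)
  raise ArgumentError, 'JWT_SECRET is passphrase-protected' if pem.include?('ENCRYPTED')
  key = OpenSSL::PKey::RSA.new(pem)
  raise ArgumentError, 'JWT_SECRET is not a private key' unless key.private?
  key
end

# Key id scheme (assumed): first 16 hex chars of SHA-256 over the public key DER.
# Lets verifiers pick the right key if /auth/keys lists several during rotation.
def key_id(key)
  OpenSSL::Digest::SHA256.hexdigest(key.public_key.to_der)[0, 16]
end

# JWK Set as a /auth/keys-style endpoint would serve it (format assumed, RFC 7517).
def jwks(key)
  pub = key.public_key
  { keys: [{ kty: 'RSA', use: 'sig', alg: 'RS256', kid: key_id(key),
             n: b64url_encode(pub.n.to_s(2)), e: b64url_encode(pub.e.to_s(2)) }] }
end

# Issue an RS256 access token for an OAuth client that passed the client credentials check.
def issue_token(key, client_id:, now: Time.now.to_i, ttl: 3600)
  header = { alg: 'RS256', typ: 'JWT', kid: key_id(key) }
  claims = { iss: 'request-broker', sub: client_id, iat: now, exp: now + ttl }
  input  = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  sig    = key.sign(OpenSSL::Digest.new('SHA256'), input)
  "#{input}.#{b64url_encode(sig)}"
end

# Rebuild an RSA public key from a JWK's n and e through the PKCS#1 RSAPublicKey DER encoding.
def jwk_to_key(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk[:n]), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk[:e]), 2)
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n),
                                                  OpenSSL::ASN1::Integer(e)]).to_der)
end

# Verifier side (what a Provider does with the key set it fetched):
# pin the algorithm, select the key by kid, check the signature, then check expiry.
# Returns [true, claims] or [false, reason].
def verify_token(token, jwks_doc, now: Time.now.to_i)
  h64, c64, s64 = token.split('.')
  return [false, 'malformed'] unless h64 && c64 && s64
  header = JSON.parse(b64url_decode(h64))
  return [false, 'unexpected alg'] unless header['alg'] == 'RS256' # rejects "none" and HMAC downgrades
  jwk = jwks_doc[:keys].find { |k| k[:kid] == header['kid'] }
  return [false, 'unknown kid'] unless jwk
  pub = jwk_to_key(jwk)
  return [false, 'bad signature'] unless pub.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s64), "#{h64}.#{c64}")
  claims = JSON.parse(b64url_decode(c64))
  return [false, 'expired'] unless claims['exp'].is_a?(Integer) && now < claims['exp']
  [true, claims]
rescue JSON::ParserError, ArgumentError, TypeError, OpenSSL::PKey::PKeyError
  [false, 'malformed']
end

if __FILE__ == $PROGRAM_NAME
  # Stand-in for reading ENV['JWT_SECRET']: a throwaway key generated here.
  signing_key = load_signing_key(OpenSSL::PKey::RSA.new(2048).to_pem)
  token = issue_token(signing_key, client_id: 'example-rna')
  puts JSON.pretty_generate(jwks(signing_key))
  p verify_token(token, jwks(signing_key))
end
```

A verifier that fetches the key set over HTTP would parse it with JSON.parse(body, symbolize_names: true) to get the symbol keys this example uses. The order of checks matters: the algorithm is pinned before any key is selected, and the signature is checked before any claim is trusted, so an attacker who controls the payload cannot influence which key or algorithm is used.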

Transaction Log

Request Broker writes a log with detailed information about each step of every brokered transaction.

The log file is log/transactions.log in the application directory.

To make the log easy to query, it is shipped to AWS CloudWatch Logs and from there streamed into an Elasticsearch index with a Kibana front end.

Setup

AWS IAM role

For the EC2 instance to push logs to CloudWatch, it needs an IAM Role configured as described in the Create IAM Roles and Users for Use with the CloudWatch Agent instructions. Keep the role's policy limited to the CloudWatch Logs actions the agent needs (creating the log group and stream and putting events); the broker's S3 access is configured separately through the environment variables above.

After creating the role with the appropriate permissions policy, attach it to the EC2 instance(s) running Request Broker as described in the Attaching an IAM role to an instance instructions.

CloudWatch agent on EC2 instance(s)

After creating the IAM role, install and configure the CloudWatch agent as described in Install and Configure the CloudWatch Logs Agent on a Running EC2 Linux Instance.

Skip "Step 1: Configure Your IAM Role or User for CloudWatch Logs" and use the role created in the previous step.

Use the following timestamp format when configuring the agent: %Y-%m-%dT%H:%M:%S.%fZ. It must match the timestamp at the start of each line in transactions.log; if it does not, the agent cannot detect event boundaries and multi-line entries are split or merged incorrectly.

Sample /var/awslogs/etc/awslogs.conf configuration:

```ini
[/var/deploy/t3_ocf_collab__rb/web_head/shared/log/transactions.log]
datetime_format = %Y-%m-%dT%H:%M:%S.%fZ
file = /var/deploy/t3_ocf_collab__rb/web_head/shared/log/transactions.log
buffer_duration = 5000
log_stream_name = request-broker-transaction-log-production
initial_position = start_of_file
log_group_name = request-broker-production
```

Streaming CloudWatch logs to ElasticSearch

Follow the Streaming CloudWatch Logs Data to Amazon Elasticsearch Service instructions.
