04 Explanation
github-actions[bot] edited this page Nov 14, 2024
- Tokens for a user can be created using the DX AAA Server API (link to the API docs). The tokens used in DX are:

Token | Purpose | Users |
---|---|---|
DX Identity token | Serves as an identifier of the user to the server to access the ACL-APD Server's capabilities | Provider, provider delegate, consumer, consumer delegate, cos admin, admin |
Keycloak token | Access token used as a bearer credential; generated by Keycloak from the client's email ID and password, then sent with the bearer prefix: `bearer <access-token>` | DX AAA Server, Users |
Access token | To get access to a resource or resource group | Provider, provider delegate, consumer, consumer delegate |

TokenType | Purpose | Users |
---|---|---|
JWT Token | Used for Local Catalogue instance authentication | Users, DX AAA Server |
Keycloak Token | Provides access as a bearer credential in the Central Catalogue | Users authenticated via DX AAA Server |

Tokens accepted by the DX Catalogue Server are the DX Access token and the Keycloak token. CosAdmin, consumers and their delegates are allowed to access the following APIs using the mentioned token:

API | Users | Token |
---|---|---|
Create/Update Item | cos_admin | DX Access token |
Delete Item | cos_admin | DX Access token |
Create/Update Rating | Consumer, consumer delegate | DX Access token |
Delete Rating | Consumer, consumer delegate | DX Access token |
Create, Update and Delete instances | cos_admin | DX Access token |
Create Domains (Mlayer APIs) | cos_admin | DX Access token |

All registered users of DX can access the DX Catalogue Server. The DX ACL APD Server identifies the user based on the token information provided by the DX AAA Server.

How is the user considered as a consumer, provider or delegate?
- While decoding the token at the DX Catalogue Server, the role in the token is fetched from the DX AAA Server and the following rules are applied to identify the user:
  - A user is considered a provider if role is provider
  - A user is considered a consumer if role is consumer
  - A user is considered a delegate of the consumer if role is delegate and drl is consumer
  - A user is considered a delegate of the provider if role is delegate and drl is provider
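The role rules above and the API access table on this page can be combined into a single authorization check: verify the token's signature first, then classify the user from its `role` and `drl` claims, then look the API up in the table. The block below is an added example, not the Catalogue Server's own code. The claim names `role` and `drl` come from the rules above; the HS256 signing scheme, the constructed secret, the `cos_admin` role value and the `make_token` helper (used only to mint test tokens) are assumptions, since the page does not describe the DX AAA Server's token format.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret: a stand-in for whatever key material the DX AAA
# Server really uses (assumption, the page does not describe it).
DEMO_SECRET = b"constructed-demo-secret"

# Permitted users per API, copied from the access table on this page.
# Every row there uses the DX Access token, so the token-type check is uniform.
API_ALLOWED_USERS = {
    "Create/Update Item": {"cos_admin"},
    "Delete Item": {"cos_admin"},
    "Create/Update Rating": {"consumer", "consumer delegate"},
    "Delete Rating": {"consumer", "consumer delegate"},
    "Create, Update and Delete instances": {"cos_admin"},
    "Create Domains": {"cos_admin"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT with the given claims (test fixture, assumed format)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def decode_token(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Return the claims only after the signature verifies; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    # Pin the algorithm: never let the token choose how it is verified.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def classify_user(claims: dict) -> str:
    """Apply the page's rules: role decides, and drl disambiguates delegates."""
    role = claims.get("role")
    if role == "provider":
        return "provider"
    if role == "consumer":
        return "consumer"
    if role == "cos_admin":  # role value assumed from the table's "cos_admin"
        return "cos_admin"
    if role == "delegate":
        drl = claims.get("drl")
        if drl == "consumer":
            return "consumer delegate"
        if drl == "provider":
            return "provider delegate"
    raise ValueError(f"unrecognised role/drl: {role!r}/{claims.get('drl')!r}")


def is_permitted(token: str, api: str) -> bool:
    """True only if a validly signed token maps to a user allowed on the API."""
    try:
        who = classify_user(decode_token(token))
    except ValueError:
        return False  # fail closed on bad signature, bad format or unknown role
    return who in API_ALLOWED_USERS.get(api, set())


if __name__ == "__main__":
    demo = make_token({"sub": "user-1", "role": "delegate", "drl": "consumer"})
    print(classify_user(decode_token(demo)), is_permitted(demo, "Delete Rating"))
```

Note that a delegate is never treated as its delegator: a provider delegate maps to "provider delegate", which appears in none of the table's rows, so the check fails closed rather than inheriting provider rights.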
- Catalogue Server: The component responsible for organizing, managing, and making datasets accessible to users. It offers various endpoints for querying, adding, updating, and deleting resource metadata.
- Local Catalogue Instance: A deployment of the Catalogue Server where isUACinstance is set to false. This instance uses JWT-based authentication for access control.
- Central Catalogue Instance: A deployment of the Catalogue Server where isUACinstance is set to true. This instance uses Keycloak-based authentication for access control and supports centralized dataset management across multiple local instances.
- JWT Token: A JSON Web Token used in Local Catalogue instances to verify the user's identity and role, allowing or restricting access to certain APIs.
- Keycloak Token: A bearer token generated by Keycloak, used in Central Catalogue instances. It provides authentication by including the user's access credentials.
- Delegate: A user appointed by a consumer or provider who can act on behalf of the delegator (the appointing user).