This project consists of a web application that gives easy access to file objects stored in Ceph Object Storage / RADOS Gateway, using the AWS S3 protocol for object handling and OAuth2/OpenID Connect with Indigo IAM for authentication and authorization.
The webapp is implemented using React, Next.js, TypeScript and TailwindCSS as core frameworks. OAuth2 support is provided by the Auth.js framework, while all S3 operations are implemented with the official AWS SDK for JavaScript.
The webapp acts as a client of the IAM backend, so the client must be registered. This step is needed only the first time (or whenever the local database volume is deleted/recreated).
To register a new client, go to the chosen IAM instance, log in as admin, register a new client and configure it as described in the following sections.
In the client main page, add all needed redirect URIs, in the form
<WEBAPP_URL>/api/auth/callback/indigo-iam
(without a trailing /), where <WEBAPP_URL> is the hostname of the machine hosting the application. More than one redirect URI can be configured.
For development:
http://localhost:300/api/auth/callback/indigo-iam
For a production deployment the redirect URI will be, for example:
https://s3webui.cloud.infn.it/api/auth/callback/indigo-iam
In the Scopes tab, make sure the following scopes are enabled:
email
openid
profile
In the Grant Types tab, enable authorization_code.
Finally, in the Crypto section, enable PKCE with SHA-256 as algorithm.
Before starting the application, an environment file is needed. An example can be found at envs/example.env.
AUTH_URL: hostname of your deployment, for example https://s3webui.cloud.infn.it or http://localhost:8080
AUTH_SECRET: secret used to encrypt session cookies (see below)
IAM_AUTHORITY_URL: INDIGO IAM endpoint
IAM_CLIENT_ID: INDIGO IAM client ID
IAM_CLIENT_SECRET: INDIGO IAM client secret
IAM_AUDIENCE: INDIGO IAM audience for Rados Gateway
IAM_SCOPE: must be exactly openid email profile
S3_ENDPOINT: endpoint of Rados Gateway
S3_REGION: Rados Gateway region
S3_ROLE_ARN: Rados Gateway role ARN
S3_ROLE_DURATION_SECONDS: duration of the role in seconds (1h: 3600)
The application needs a secret to encrypt/decrypt session cookies.
N.B.: This is a real secret and must be kept secure.
You can generate an AUTH_SECRET with the following command:
openssl rand -base64 32
If you are going to deploy in high availability, that is with multiple replicas, use the same AUTH_SECRET for every replica. In this way, sessions started on one replica remain valid on the other replicas.
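As an added example (not code from the webapp-rgw project), the following POSIX shell script checks a .env file against the settings listed above before it is handed to docker run, and prints the redirect URI that must be registered in the IAM client, so it serves both the client-registration section and the environment-file section. It assumes the file uses plain KEY=VALUE lines (the format docker's --env-file reads), that the variable names are exactly the ones listed above, and that AUTH_URL is the <WEBAPP_URL> the redirect URI is built on; the sample values it writes are constructed placeholders, not real credentials.

```shell
#!/bin/sh
# Added example, not part of the webapp-rgw project: sanity-check a .env file
# before passing it to `docker run --env-file .env ...`.
# Assumptions: plain KEY=VALUE lines (the format docker's --env-file reads),
# the variable names listed in the README, and AUTH_URL being the <WEBAPP_URL>
# from which the IAM redirect URI is derived.

# Print the value of key $1 from env file $2 (empty if absent).
env_get() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# The redirect URI to register in the IAM client for a given AUTH_URL.
redirect_uri() {
    printf '%s/api/auth/callback/indigo-iam\n' "$1"
}

# AUTH_URL must be an http(s) URL without a trailing slash, otherwise the
# callback URI built from it would not match the one registered in IAM.
check_auth_url() {
    case $1 in
        http://*/|https://*/) echo "AUTH_URL must not end with /" >&2; return 1 ;;
        http://?*|https://?*) return 0 ;;
        *) echo "AUTH_URL must start with http:// or https://" >&2; return 1 ;;
    esac
}

# `openssl rand -base64 32` yields 44 base64 characters (32 random bytes);
# reject anything shorter or containing non-base64 characters.
check_auth_secret() {
    case $1 in
        *[!A-Za-z0-9+/=]*) echo "AUTH_SECRET is not base64" >&2; return 1 ;;
    esac
    [ "${#1}" -eq 44 ] || { echo "AUTH_SECRET should be 32 random bytes in base64 (44 chars)" >&2; return 1; }
}

# Return 0 if env file $1 passes every check, 1 otherwise; problems go to stderr.
check_env_file() {
    file=$1 ok=0
    for key in AUTH_URL AUTH_SECRET IAM_AUTHORITY_URL IAM_CLIENT_ID IAM_CLIENT_SECRET \
               IAM_AUDIENCE IAM_SCOPE S3_ENDPOINT S3_REGION S3_ROLE_ARN \
               S3_ROLE_DURATION_SECONDS; do
        [ -n "$(env_get "$key" "$file")" ] || { echo "missing or empty: $key" >&2; ok=1; }
    done
    check_auth_url "$(env_get AUTH_URL "$file")" || ok=1
    check_auth_secret "$(env_get AUTH_SECRET "$file")" || ok=1
    [ "$(env_get IAM_SCOPE "$file")" = "openid email profile" ] ||
        { echo "IAM_SCOPE must be exactly: openid email profile" >&2; ok=1; }
    case $(env_get S3_ROLE_DURATION_SECONDS "$file") in
        *[!0-9]*|'') echo "S3_ROLE_DURATION_SECONDS must be an integer (1h: 3600)" >&2; ok=1 ;;
    esac
    return $ok
}

# Write a constructed sample env file (placeholder values only) to $1.
write_sample_env() {
    cat > "$1" <<'EOF'
AUTH_URL=https://s3webui.example.org
AUTH_SECRET=0123456789abcdef0123456789abcdef0123456789A=
IAM_AUTHORITY_URL=https://iam.example.org
IAM_CLIENT_ID=placeholder-client-id
IAM_CLIENT_SECRET=placeholder-client-secret
IAM_AUDIENCE=placeholder-rgw-audience
IAM_SCOPE=openid email profile
S3_ENDPOINT=https://rgw.example.org
S3_REGION=default
S3_ROLE_ARN=arn:aws:iam:::role/placeholder
S3_ROLE_DURATION_SECONDS=3600
EOF
}

# Stand-alone run: check the constructed sample and print the redirect URI
# to register in the IAM client.
sample=$(mktemp)
write_sample_env "$sample"
if check_env_file "$sample"; then
    echo "register this redirect URI in the IAM client: $(redirect_uri "$(env_get AUTH_URL "$sample")")"
fi
rm -f "$sample"
```

To check a real deployment file, replace the sample with `check_env_file .env` and register the printed URI; a non-zero exit status with the messages on stderr means the container would start with a configuration that IAM or the Rados Gateway will reject.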
This project is configured with a CI/CD pipeline which builds Docker images for development and production releases. The images are stored here.
To start the application run
docker run --rm --name s3webui -p 8080:80 --env-file .env indigopaas/webapp-rgw
If you have trouble reaching the Rados Gateway endpoint from within the container, you can map its hostname to the private IP address with the --add-host flag of the docker run command, for example
docker run \
--rm \
--name s3webui \
-d \
--add-host rgw.cloud.infn.it=10.200.0.18 \
--add-host s3webui.cloud.infn.it=10.200.0.18 \
-p 127.0.0.1:8080:80 \
--env-file .env \
indigopaas/webapp-rgw
The application supports OpenTelemetry instrumentation and the INFN-CNAF Otello service. Telemetry is enabled by default and sends traces to https://otello.cloud.cnaf.infn.it/collector/v1/traces.
The OTLP collector endpoint can be changed by setting the OTEL_EXPORTER_OTLP_ENDPOINT variable.
To disable telemetry, export the following environment variable:
OTEL_DISABLE_TELEMETRY=1