iRODS HTTP API
and OpenID Connect
November 17-22, 2024
Supercomputing 2024
Atlanta, GA
Terrell Russell, Ph.D
Executive Director, iRODS Consortium
Director of Data Management, RENCI
Protocol Plumbing - Presenting iRODS as other Protocols
- WebDAV
- FUSE
- HTTP
- NFS
- SFTP
- K8s CSI
- S3
Over the last few years, the ecosystem around the iRODS server has continued to expand.
Integration with other types of systems is a valuable way to increase accessibility without teaching existing tools about the iRODS protocol or introducing new tools to users.
With some plumbing, existing tools get the benefit of visibility into an iRODS deployment.
What is the iRODS HTTP API?
Goals of the project ...
- Present a cohesive representation of the iRODS API over the HTTP protocol
- Simplify development of client-side iRODS applications for new developers
- Maintain performance close to the iCommands
- Remove behavioral differences between different client-side iRODS libraries
- New language libraries to wrap the HTTP API
  - C++, Java, Python, TypeScript, etc.
- Absorbed by the iRODS server if adoption is significant
iRODS HTTP API - Endpoints
Based on concepts and entities defined in iRODS:
Operations are specified via parameters
- Keeps URLs simple (i.e. no nesting required)
- Allows new/existing developers to easily find the endpoint of interest
For example
- To modify a user, investigate /users-groups
- To write data to a data object, investigate /data-objects
- /authenticate
- /collections
- /data-objects
- /info
- /query
- /resources
- /rules
- /tickets
- /users-groups
- /zones
Earlier Releases
v0.1.0 - Nov 7, 2023
- 88 issues closed - 10 bugs, 57 enhancements
v0.2.0 - Jan 25, 2024
- 57 issues closed - 11 bugs, 25 enhancements
- Simplified OIDC configuration
- Improved separation between HTTP status codes and iRODS status codes
- Improved API documentation
- Improved API usage by constraining input requirements
- Improved stability
- Configuration validation on server startup
v0.3.0 - Mar 15, 2024
- 6 issues closed - 1 bug, 4 enhancements
- Improved support for OIDC - Protected Resource mode
- Improved support for TLS between HTTP API and iRODS server
Recent Releases
v0.4.0 - Aug 26, 2024
- 30 issues closed - 3 bugs, 11 enhancements
- Covered more of the iRODS API
- Added client IP to the logging
- Improved multipart/form-data parser
- Improved stability
v0.5.0 - Nov 13, 2024
- 16 issues closed - 5 bugs, 9 enhancements
- Added the OIDC user-mapping plugin system
- Improved security through OIDC token validation
HTTP API as OAuth 2.0 Confidential Client
- Currently supports password-based authentication
- Runs in one of two modes
  - client
  - protected resource
OIDC User Mapping Plugins
- Two plugins in v0.5.0
  - local file
    - live / auto-reload when JSON changes
    - pushed from external source
  - user claim
    - defined and populated via IDP
- To be written / designed / contributed
  - local file
    - specific external (AD, LDAP, Grouper, etc.)
  - pulled from external source
    - specific external (AD, LDAP, Grouper, etc.)
OIDC User Mapping - Local File Example
{
  "alice": {
    "email": "alice@example.org",
    "sub": "123-abc-456-xyz"
  },
  "bob": {
    "email": "bob@example.org",
    "phone": "56709"
  }
}
OIDC - 2 modes vs 2 user mapping plugins
mode | local file | user claim
---|---|---
client | ID Token from IDP; match defined members | ID Token from IDP; trust the claim
protected resource | Access Token JWT or introspection endpoint response; match defined members | Access Token JWT or introspection endpoint response; trust the claim
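The two mapping strategies in the table, applied to the claims obtained from the ID Token (client mode) or from the Access Token JWT / introspection response (protected resource mode). This is an added example, not code from the iRODS HTTP API; it assumes that the local-file plugin matches a user only when every attribute listed for that user equals the corresponding claim, and that the user-claim plugin uses the value of one configured claim directly as the iRODS username.

```python
import json
from typing import Optional

# Constructed mapping file with the same shape as the local file example above.
MAPPING_JSON = """
{
  "alice": {"email": "alice@example.org", "sub": "123-abc-456-xyz"},
  "bob":   {"email": "bob@example.org", "phone": "56709"}
}
"""


def load_mapping(text: str) -> dict:
    """Parse the local mapping file (re-run whenever the file changes)."""
    mapping = json.loads(text)
    if not isinstance(mapping, dict) or not all(
        isinstance(attrs, dict) for attrs in mapping.values()
    ):
        raise ValueError("mapping file must be an object of username -> attributes")
    return mapping


def map_local_file(claims: dict, mapping: dict) -> Optional[str]:
    """Local file plugin (assumed semantics): return the one iRODS user whose
    listed attributes are all present in the claims with identical values.

    An entry with no attributes would match every token, so it is ignored, and
    an ambiguous result (two users match the same claims) maps to nobody.
    """
    matches = [
        user
        for user, attrs in mapping.items()
        if attrs and all(claims.get(key) == value for key, value in attrs.items())
    ]
    return matches[0] if len(matches) == 1 else None


def map_user_claim(claims: dict, claim_name: str) -> Optional[str]:
    """User claim plugin (assumed semantics): trust the configured claim and use
    its value as the iRODS username; missing or non-string values map to nobody."""
    value = claims.get(claim_name)
    return value if isinstance(value, str) and value else None


if __name__ == "__main__":
    mapping = load_mapping(MAPPING_JSON)
    token_claims = {"sub": "123-abc-456-xyz", "email": "alice@example.org", "iss": "https://idp.example.org"}
    print(map_local_file(token_claims, mapping))            # alice
    print(map_user_claim(token_claims, "preferred_username"))  # None
```

Only the attributes written into the mapping file participate in the match; extra claims in the token (such as `iss` above) are ignored, and a token carrying only a subset of a user's attributes is not mapped.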
HTTP API - Future Work
Next Steps
- Extensive Documentation
- Make write operation web-friendly
- C++ JSON schema library
- Implement additional iRODS API operations
- More validation options for ID Token
Considering
- Status / Cancellation operations for active transfers
- Extending the lifetime of Basic Authentication tokens on use
- Extensions framework
- Additional OIDC verification
Thank you!
Copy of SC24 - iRODS HTTP API and OpenID Connect
By Alan King