iRODS HTTP API

and OpenID Connect

November 17-22, 2024

Supercomputing 2024

Atlanta, GA

Terrell Russell, Ph.D

Executive Director, iRODS Consortium

Director of Data Management, RENCI

Protocol Plumbing - Presenting iRODS as other Protocols

  • WebDAV
  • FUSE
  • HTTP
  • NFS
  • SFTP
  • K8s CSI
  • S3

Over the last few years, the ecosystem around the iRODS server has continued to expand.

 

Integration with other types of systems is a valuable way to increase accessibility without teaching existing tools about the iRODS protocol or introducing new tools to users.

 

With some plumbing, existing tools get the benefit of visibility into an iRODS deployment.

What is the iRODS HTTP API?

Goals of the project ...

  • Present a cohesive representation of the iRODS API over the HTTP protocol
    • Simplify development of client-side iRODS applications for new developers
  • Maintain performance close to the iCommands
  • Remove behavioral differences between different client-side iRODS libraries
    • New language libraries to wrap the HTTP API
    • C++, Java, Python, Typescript, etc.
  • Absorbed by the iRODS server if adoption is significant

iRODS HTTP API - Endpoints

Based on concepts and entities defined in iRODS:

Operations are specified via parameters

  • Keeps URLs simple (i.e. no nesting required)
  • Allows new/existing developers to easily find the endpoint of interest

 

For example

  • To modify a user, investigate /users-groups
  • To write data to a data object, investigate /data-objects
/authenticate /resources
/collections /rules
/data-objects /tickets
/info /users-groups
/query /zones

Earlier Releases

v0.1.0 - Nov 7, 2023

  • 88 issues closed - 10 bugs, 57 enhancements

 

v0.2.0 - Jan 25, 2024

  • 57 issues closed - 11 bugs, 25 enhancements
  • Simplified OIDC configuration
  • Improved separation between HTTP status codes and iRODS status codes
  • Improved API documentation
  • Improved API usage by constraining input requirements
  • Improved stability
  • Configuration validation on server startup

 

v0.3.0 - Mar 15, 2024

  • 6 issues closed - 1 bug, 4 enhancements
  • Improved support for OIDC - Protected Resource mode
  • Improved support for TLS between HTTP API and iRODS server

Recent Releases

v0.4.0 - Aug 26, 2024

  • 30 issues closed - 3 bugs, 11 enhancements
  • Covered more of the iRODS API
  • Added client IP to the logging
  • Improved multipart/form-data parser
  • Improved stability

 

v0.5.0 - Nov 13, 2024

  • 16 issues closed - 5 bugs, 9 enhancements
  • Added the OIDC user-mapping plugin system
  • Improved security through OIDC token validation

HTTP API as OAuth 2.0 Confidential Client

  • Currently Supports Password Based Authentication
  • Runs in one of two modes
    • client
    • protected resource

OIDC User Mapping Plugins

  • Two plugins in v0.5.0
    • local file
      • live / auto-reload when JSON changes
      • pushed from external source
    • user claim
      • defined and populated via IDP

 

  • To be written / designed / contributed
    • specific external (AD, LDAP, Grouper, etc.)
      • pulled from external source

OIDC User Mapping - Local File Example

Text

{
    "alice": {
        "email": "alice@example.org",
        "sub": "123-abc-456-xyz"
    },
    "bob": {
        "email": "bob@example.org",
        "phone": "56709"
    }
}

OIDC - 2 modes vs 2 user mapping plugins

local file user claim


client

ID Token from IDP

Match defined members
 

ID Token from IDP

Trust the claim



protected resource

Access Token JWT
OR
Introspection endpoint response

Match defined members

Access Token JWT
OR
Introspection endpoint response

Trust the claim
 

HTTP API - Future Work

Next Steps

  • Extensive Documentation
  • Make write operation web-friendly
  • C++ JSON schema library
  • Implement additional iRODS API operations
  • More validation options for ID Token

 

Considering

  • Status / Cancellation operations for active transfers
  • Extending the lifetime of Basic Authentication tokens on use
  • Extensions framework
  • Additional OIDC verification

Thank you!

SC24 - iRODS HTTP API and OpenID Connect

By iRODS Consortium

SC24 - iRODS HTTP API and OpenID Connect

  • 68