Accueil Explorer Aide
Connexion
Shellmiao
/
FateWithShellmiaoComment
1
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Aborescence: 2032e77c72
Branches Tags
FateWithShel...
/
FATE-Flow
/
doc
/
fate_flow_authority_management.md

fate_flow_authority_management.md 5.6 KB
Historique Raw

Certification program

1. Description

  • Authentication includes: client authentication and site authentication

  • Authentication configuration: $FATE_BASE/conf/service_conf.yaml.

  ## Site authentication requires configuration of the party site id
  party_id:
  # Hook module, need to configure different hooks according to different scenarios
  hook_module:
    client_authentication: fate_flow.hook.flow.client_authentication
    site_authentication: fate_flow.hook.flow.site_authentication
  # Third-party authentication service name
  hook_server_name:
  authentication:
    client:
      # Client authentication switch
      switch: false
      http_app_key:
      http_secret_key:
    site:
      # Site authentication switch
      switch: false
  • Authentication method: Support flow's own authentication module authentication and third-party service authentication. The authentication hooks can be modified by hook_module, currently the following hooks are supported.
    • client_authentication supports "fate_flow.hook.flow.client_authentication" and "fate_flow.hook.api.client_authentication", where the former is the client authentication method of flow. the former is the client authentication method of flow, the latter is the client authentication method of third-party services.
    • site_authentication supports "fate_flow.hook.flow.site_authentication" and "fate_flow.hook.api.site_authentication", where the former is the site authentication method of flow and the latter is the third-party The former is the site authentication method of flow, and the latter is the third-party site authentication method.

2. client authentication

2.1 flow authentication

2.1.1 Configuration

hook_module:
  client_authentication: fate_flow.hook.flow.client_authentication
authentication:
  client:
    switch: true
    http_app_key: "xxx"
    http_secret_key: "xxx"

2.2.2 Interface Authentication Method

All client requests sent to Flow need to add the following header


`TIMESTAMP`: Unix timestamp in milliseconds, e.g. `1634890066095` means `2021-10-22 16:07:46 GMT+0800`, note that the difference between this time and the current time of the server cannot exceed 60 seconds

`NONCE`: random string, can use UUID, such as `782d733e-330f-11ec-8be9-a0369fa972af`

`APP_KEY`: must be consistent with `http_app_key` in the Flow configuration file

`SIGNATURE`: signature generated based on `http_secret_key` and request parameters in the Flow configuration file

2.2.3 Signature generation method

  • Combine the following elements in order

TIMESTAMP

NONCE

APP_KEY

request path + query parameters, if there are no query parameters then the final ?, such as /v1/job/submit or /v1/data/upload?table_name=dvisits_hetero_guest&namespace=experiment

If Content-Type is application/json, then it is the original JSON, i.e. the request body; if not, this item is filled with the empty string

If Content-Type is application/x-www-form-urlencoded or multipart/form-data, all parameters need to be sorted alphabetically and urlencode, refer to RFC 3986 (i.e. except a-zA-Z0-9- . _~), note that the file does not participate in the signature; if not, this item is filled with the empty string

  • Concatenate all parameters with the newline character \n and encode them in ASCII.

  • Use the HMAC-SHA1 algorithm to calculate the binary digest using the http_secret_key key in the Flow configuration file

  • Encode the binary digest using base64

2.2.4 Example

You can refer to Fate SDK

2.2 Third party service authentication

2.2.1 Configuration

hook_module:
  client_authentication: fate_flow.hook.api.client_authentication
authentication:
  client:
    switch: true
hook_server_name: "xxx"

2.2.2 Interface Authentication Method

  • The third party service needs to register the client authentication interface with flow, refer to Client Authentication Service Registration
  • If the authentication fails, flow will return the authentication failure directly to the client.

3. Site Authentication

3.1 flow authentication

3.1.1 Configuration

party_id: 9999
hook_module:
  site_authentication: fate_flow.hook.flow.site_authentication
authentication:
  client:
    switch: true
    http_app_key: "xxx"
    http_secret_key: "xxx"

3.1.2 Authentication scheme

  • flow generates a pair of public and private keys when it starts, and needs to exchange public keys with each other with its partners. When sending a request, it uses the public key to generate a signature by RSA algorithm, and the requested site verifies the signature by its co-key.
  • flow provides a key management cli as follows

3.1.3 Key Management

  • Add the partner's public key

{{snippet('cli/key.md', '### save')}}

  • Delete a partner's public key

{{snippet('cli/key.md', '### delete')}}

  • Query the co-key

{{snippet('cli/key.md', '### query')}}

3.2 Third-party service authentication

3.2.1 Configuration

hook_module:
  site_authentication: fate_flow.hook.api.site_authentication
authentication:
  site:
    switch: true
hook_server_name: "xxx"

3.2.2 Interface Authentication Method

  • Third party services need to register the site authentication interface with flow, refer to site authentication service registration
  • If the authentication fails, flow will directly return the authentication failure to the initiator.