Merge branch 'master' into deploy-k8s-dns

neicnordic · Dec 18, 2023 · 8563593 · 8563593
2 parents 2e961ae + b4e3c51
commit 8563593
Show file tree

Hide file tree

Showing 7 changed files with 291 additions and 55 deletions.
diff --git a/aggregate-mappings.json b/aggregate-mappings.json
@@ -8,7 +8,8 @@
         "sda/cmd/s3inbox/s3inbox.md": "docs/services/s3inbox.md",
         "sda/cmd/syncapi/syncapi.md": "docs/services/syncapi.md",
         "sda/cmd/sync/sync.md": "docs/services/sync.md",
-        "GETTINGSTARTED.md": "docs/guides/sda-dev-test-doc.md",
+        "sda-sftp-inbox/README.md": "docs/services/sftpinbox.md",
+        "./GETTINGSTARTED.md": "docs/guides/sda-dev-test-doc.md",
         "sda/sda.md": "docs/services/sda.md"
     }
 }
diff --git a/docs/dictionary/wordlist.txt b/docs/dictionary/wordlist.txt
@@ -1,3 +1,21 @@
+ACCESSIONROUTING
+BIGINT
+Bigpicture
+CENTERPREFIX
+DNS
+FK
+HOSTKEY
+INGESTROUTING
+JWTPUBKEYURL
+MAPPINGROUTING
+NSS
+PEMKEYPASS
+PEMKEYPATH
+PGDATA
+PREFETCHCOUNT
+RegisterFile
+SYNCPUBKEYPATH
+SetAccessionID
 aaf
 aai
 aaiconnectprofile
@@ -7,6 +25,8 @@ accessionids
 accesskey
 ack'ed
 acked
+adminPassword
+adminUser
 ae
 aissue
 aj
@@ -17,9 +37,14 @@ apiVersion
 atitle
 auth
 automagically
+autonumber
 backend
+backupArchive
+backupRoutingKey
 backuppubkey
 bbug
+bigint
+bigpicture
 blockquote
 bmi
 bugfix
@@ -38,6 +63,7 @@ checksums
 chunksize
 clientcert
 clientkey
+clusterIssuer
 cmd
 cn
 commandline
@@ -57,6 +83,9 @@ dataset
 datasetid
 datasetids
 datasets
+dbPassword
+dbUser
+dbschema
 ddfqevq
 decrypt
 decryptable
@@ -78,6 +107,7 @@ egaf
 egas
 endcoordinate
 envs
+erDiagram
 exportrequests
 federatedega
 fega
@@ -93,6 +123,7 @@ getheaderforstableid
 getinboxpath
 gh
 ghcr
+glbal
 golang
 golangci
 gopath
@@ -115,8 +146,12 @@ isolations
 jks
 jku
 json
+jsonb
 jwk
 jwt
+jwtKey
+jwtPub
+jwtSecret
 jwtpubeyurl
 jwtpubkeypath
 jwtpubkeyurl
@@ -147,6 +182,8 @@ miniostorage
 misspelled words:
 mountpoint
 mq
+mqPassword
+mqUser
 msgtype
 mtls
 mvn
@@ -161,6 +198,7 @@ neicnordic
 NetworkPolicy
 nginx
 notls
+nss
 oidc
 ol
 oldpath
@@ -183,12 +221,14 @@ podSelector
 policyTypes
 posix
 postgres
+postgresAdminPassword
 postgresql
 pre
 prefetchcount
 prepended
 publickey
 rabbitmq
+rabbitmqctl
 readme
 readthedocs
 readypath
@@ -204,29 +244,36 @@ repo
 reqs
 requesters
 rootedfilesystem
+routingError
 routingkey
 rsa
 samtools
 schemas
 sda
 sda's
+secretName
 secretkey
+sequenceDiagram
 setaccessionid
 setarchived
 sftp
 sftpinbox
 sha
 smth
 somedir
+speciffic
 src
 sshd
 ssl
 sslmode
+stableIDs
 startcoordinate
+storageType
 storeheader
 submitters
 svc
 svg
+syncapi
 sysdevs
 tada
 testsuite
@@ -311,3 +358,8 @@ TCP
 UDP
 kube
 nodeport
+FS
+Mina's
+SPRINGFRAMEWORK
+env
+programmatically
diff --git a/docs/guides/sda-dev-test-doc.md b/docs/guides/sda-dev-test-doc.md
@@ -1,4 +1,4 @@
-## Developing components of the SDA stack
+## Getting Started developing components of the SDA stack
 
 If you wish to work on the SDA stack itself you'll first need [Go](https://www.golang.org/) installed on your machine. The recommended version can be checked by running:
 

diff --git a/docs/guides/secret-management.md b/docs/guides/secret-management.md
diff --git a/docs/services/sftpinbox.md b/docs/services/sftpinbox.md
@@ -0,0 +1,79 @@
+# SFTP Inbox
+
+## Federated EGA/LocalEGA login system
+
+`CentralEGA` contains a database of users, with IDs and passwords.
+
+We have developed a solution based on [Apache Mina SSHD](https://mina.apache.org/sshd-project/)
+to allow user authentication via either a password or an RSA key against the CentralEGA database
+itself. The user is locked within their home folder, which is done programmatically using 
+[RootedFileSystem](https://github.com/apache/mina-sshd/blob/master/sshd-core/src/main/java/org/apache/sshd/common/file/root/RootedFileSystem.java).
+
+The solution uses `CentralEGA`'s user IDs but can also be extended to
+use LifeScience AAI IDs (of which we strip the ``@elixir-europe.org`` suffix).
+
+The procedure is as follows. The inbox is started without any created
+user. When a user wants to log into the inbox (actually, only ``sftp``
+uploads are allowed), the code looks up the username in a local
+cache, and, if not found, queries the `CentralEGA` [REST endpoint](https://nss.ega-archive.org/spec/). Upon
+return, we store the user credentials in the local cache and create
+the user's home directory. The user now gets logged in if the password
+or public key authentication succeeds. Upon subsequent login attempts,
+only the local cache is queried, until the user's credentials
+expire. The cache has a default TTL of 5 minutes, and is wiped clean
+upon reboot (as a cache should). Default TTL can be configured via ``CACHE_TTL`` env var.
+
+The user's home directory is created when its credentials upon successful login.
+Moreover, for each user, we detect when the file upload is completed and compute its
+checksum. 
+
+## S3 integration
+
+Default storage back-end for the inbox is local file-system. But we also support S3 service as a back-end. It can be 
+enabled using S3-related env-vars (see configuration details below).
+
+If S3 is enabled, then files are still going to be stored locally, but after successful upload, they will going to be 
+uploaded to the specified S3 back-end. With this approach local file-system plays role of so called "staging area", 
+while S3 is the real final destination for the uploaded files.
+
+## Configuration
+
+Environment variables used:
+
+
+| Variable name       | Default value      | Description                                                     |
+|---------------------|--------------------|-----------------------------------------------------------------|
+| BROKER_USERNAME     | guest              | RabbitMQ broker username                                        |
+| BROKER_PASSWORD     | guest              | RabbitMQ broker password                                        |
+| BROKER_HOST         | mq                 | RabbitMQ broker host                                            |
+| BROKER_PORT         | 5672               | RabbitMQ broker port                                            |
+| BROKER_VHOST        | /                  | RabbitMQ broker vhost                                           |
+| BROKER_EXCHANGE     | sda                | RabbitMQ broker exchange                                        |
+| BROKER_ROUTING_KEY  | files              | RabbitMQ broker routing key                                     |
+| INBOX_PORT          | 2222               | Inbox port                                                      |
+| INBOX_LOCATION      | /ega/inbox/        | Path to POSIX Inbox backend                                     |
+| INBOX_FS_PATH       |                    | Prefix path when custom filesystem is used on top of POSIX      |
+| INBOX_KEYPAIR       |                    | Path to RSA keypair file                                        |
+| KEYSTORE_TYPE       | JKS                | Keystore type to use, JKS or PKCS12                             |
+| KEYSTORE_PATH       | /etc/ega/inbox.jks | Path to Keystore file                                           |
+| KEYSTORE_PASSWORD   |                    | Password to access the Keystore                                 |
+| CACHE_TTL           | 300.0              | CEGA credentials time-to-live                                   |
+| CEGA_ENDPOINT       |                    | CEGA REST endpoint                                              |
+| CEGA_ENDPOINT_CREDS |                    | CEGA REST credentials                                           |
+| S3_ENDPOINT         | inbox-backend:9000 | Inbox S3 backend URL                                            |
+| S3_REGION           | us-east-1          | Inbox S3 backend region (us-east-1 is default in Minio)         |
+| S3_ACCESS_KEY       |                    | Inbox S3 backend access key (S3 disabled if not specified)      |
+| S3_SECRET_KEY       |                    | Inbox S3 backend secret key (S3 disabled if not specified)      |
+| S3_BUCKET           |                    | Inbox S3 backend secret bucket (S3 disabled if not specified)   |
+| USE_SSL             | true               | true if S3 Inbox backend should be accessed by HTTPS            |
+| LOGSTASH_HOST       |                    | Hostname of the Logstash instance (if any)                      |
+| LOGSTASH_PORT       |                    | Port of the Logstash instance (if any)                          |
+
+If `LOGSTASH_HOST` or `LOGSTASH_PORT` is empty, Logstash logging will not be enabled.
+
+In addition, environment variables can be used to configure log level for different packages. Package loggers can be configured using corresponding package names, for example, to turn of logs of Spring, one can set environment variable `LOGGING_LEVEL_ORG_SPRINGFRAMEWORK=OFF`, or to set Mina's own logs to debug: `LOGGING_LEVEL_SE_NBIS_LEGA_INBOX=DEBUG`, etc.
+
+### SFTP Inbox Local Development/Testing
+
+For local development/testing see instructions in [dev_utils](https://github.com/neicnordic/sensitive-data-archive/tree/main/sda-sftp-inbox/dev_utils) folder.
+There is an README file in the [dev_utils](https://github.com/neicnordic/sensitive-data-archive/tree/main/sda-sftp-inbox/dev_utils) folder with sections for running the pipeline locally using Docker Compose.