authn-authz: fix CORS issue and refine doc

* add cors policy in the configuration * reflect helm chart related changes * clearify the three options for authentication and authorization in readme Signed-off-by: Ruoyu Ying <[email protected]>
opea-project · Sep 11, 2024 · 0443fac · 0443fac
1 parent 267d828
commit 0443fac
Show file tree

Hide file tree

Showing 6 changed files with 52 additions and 27 deletions.
diff --git a/authN-authZ/auth-istio/README.md b/authN-authZ/auth-istio/README.md
@@ -2,7 +2,12 @@
 
 In enterprise settings not only do we want to identify who is using a service but also what they are entitled to use. This is where authentication and authorization comes in. In contrast, API tokens provide full access by virtue of possession as long as they are valid/not expired. With that aside, we first provide the solution on AuthN and AuthZ in OPEA using Istio and JWT tokens. Another option is to leverage the oauth2-proxy with various OIDC providers for authentication and authorization. Using oauth2-proxy with Istio ensures secure, scalable access control, centralizes user management, and provides seamless single sign-on capabilities, improving overall security and user experience in complex microservices environments.
 
-Currently we provide three kinds of setups for authentication and authorization: via fake JWT token, via JWT token generated by OIDC providers and via oauth2-proxy and OIDC providers. And here we use the chatQnA pipeline as an example.
+Currently we provide three kinds of setups for authentication and authorization:
+- [via fake JWT token with curl](#perform-authentication-and-authorization-via-fake-jwt-tokens)
+- [via JWT token generated by OIDC providers with curl](#perform-authentication-and-authorization-via-jwt-tokens-generated-by-oidc-provider)
+- [via oauth2-proxy and OIDC providers with UI](#perform-authentication-and-authorization-via-oauth2-proxy-and-oidc-provider-and-ui)
+
+Here we use the chatQnA pipeline as an example.
 
 ## Prerequisite
 
@@ -265,29 +270,26 @@ kubectl create ns oauth2-proxy
 envsubst < $(pwd)/oauth2_install.yaml | kubectl apply -f -
 ```
 
-**Expose the pipeline endpoint through Istio Ingressgateway and install chatQnA UI**
+**Expose the pipeline endpoint and UI through Istio Ingressgateway**
 
 Here we expose the chatQnA endpoint through the ingress gateway and then install the chatQnA conversation UI.
+Notice that the instructions differs between helm chart based deployment and GMC based deployment. Please the instructions accordingly.
+
+With GMC based deployment, export chatqna endpoint and install UI services:
 
 ```bash
 # expose chatqna endpoint
 kubectl apply -f $(pwd)/$DEPLOY_METHOD/chatQnA_router_gateway_oauth.yaml
-# build chatqna UI image if not exist on your machine
-git clone https://github.com/opea-project/GenAIExamples.git
-cd GenAIExamples/ChatQnA/docker/ui/
-docker build --no-cache -t opea/chatqna-conversation-ui:latest --build-arg https_proxy=$https_proxy --build-arg http_proxy=$http_proxy -f ./docker/Dockerfile.react .
-# inject image to containerd repo
-docker save -o ui.tar opea/chatqna-conversation-ui:latest
-sudo ctr -n k8s.io image import ui.tar
 # install chatqna conversation UI
-cd && cd GenAIInfra
-if [ "${DEPLOY_METHOD}" = "gmc-based" ]; then
-    helm install chatqna-ui $(pwd)/helm-charts/common/chatqna-ui --set BACKEND_SERVICE_ENDPOINT="http://chatqna-service.com:${INGRESS_PORT}/",DATAPREP_SERVICE_ENDPOINT="http://chatqna-service.com:${INGRESS_PORT}/dataprep"
-else
-    helm install chatqna-ui $(pwd)/helm-charts/common/chatqna-ui --set BACKEND_SERVICE_ENDPOINT="http://chatqna-service.com:${INGRESS_PORT}/v1/chatqna",DATAPREP_SERVICE_ENDPOINT="http://chatqna-service.com:${INGRESS_PORT}/v1/dataprep"
-fi
+cd ../../
+helm install chatqna-ui $(pwd)/helm-charts/common/ui --set BACKEND_SERVICE_ENDPOINT="http://chatqna-service.com:${INGRESS_PORT}/",DATAPREP_SERVICE_ENDPOINT="http://chatqna-service.com:${INGRESS_PORT}/dataprep"
 # expose ui service outside
-kubectl apply -f $(pwd)/chatQnA_ui_gateway.yaml
+kubectl apply -f $(pwd)/$DEPLOY_METHOD/chatQnA_ui_gateway.yaml
+```
+
+With helm chart based deployment, the UI already deployed as part of the pipeline. So expose endpoints like this:
+```bash
+kubectl apply -f $(pwd)/$DEPLOY_METHOD/chatQnA_router_gateway_oauth.yaml
 ```
 
 **Add authentication and authorization rules to the pipeline through Istio Ingress Gateway**
@@ -314,5 +316,6 @@ Add both host names for ChatQnA UI and backend service into /etc/hosts
 sudo sed -i '1i\127.0.0.1       chatqna-service.com' /etc/hosts
 sudo sed -i '1i\127.0.0.1       chatqna-ui.com' /etc/hosts
 ```
+Open browser with address `"chatqna-ui.com:${INGRESS_PORT}"` if using GMC based deployment. Otherwise, open the browser with address `"chatqna-service.com:${INGRESS_PORT}"`.
 
-Open browser with address "chatqna-ui.com:${INGRESS_PORT}". Login with user `bob` and its credentials shall return a 403 error. Login with user `mary` and its credentials shall able to access the ChatQnA service.
+Login with user `bob` and its credentials shall return a 403 error. Login with user `mary` and its credentials shall able to access the ChatQnA service.
diff --git a/authN-authZ/auth-istio/chatQnA_authZ_oauth.yaml b/authN-authZ/auth-istio/chatQnA_authZ_oauth.yaml
@@ -13,6 +13,8 @@ spec:
   rules:
   - to:
     - operation:
+        hosts:
+        - chatqna-ui.com:${INGRESS_PORT}
         notPaths:
         - /realms/*
   selector:

diff --git a/authN-authZ/auth-istio/gmc-based/chatQnA_router_gateway_oauth.yaml b/authN-authZ/auth-istio/gmc-based/chatQnA_router_gateway_oauth.yaml
@@ -29,7 +29,20 @@ spec:
   hosts:
   - chatqna-service.com
   http:
-  - match:
+  - corsPolicy:
+      allowCredentials: true
+      allowHeaders:
+      - content-type
+      - authorization
+      allowMethods:
+      - POST
+      - GET
+      - OPTIONS
+      - PUT
+      - DELETE
+      allowOrigins:
+      - regex: http://chatqna-ui.com:.*
+    match:
     - uri:
         prefix: /
     route:

diff --git a/...-authZ/auth-istio/chatQnA_ui_gateway.yaml → ...h-istio/gmc-based/chatQnA_ui_gateway.yaml b/...-authZ/auth-istio/chatQnA_ui_gateway.yaml → ...h-istio/gmc-based/chatQnA_ui_gateway.yaml
diff --git a/authN-authZ/auth-istio/helm-chart-based/chatQnA_router_gateway_oauth.yaml b/authN-authZ/auth-istio/helm-chart-based/chatQnA_router_gateway_oauth.yaml
@@ -34,14 +34,22 @@ spec:
         prefix: /v1/chatqna
     route:
     - destination:
-        host: chatqna.chatqa.svc.cluster.local
+        host: chatqna-nginx.chatqa.svc.cluster.local
         port:
-          number: 8888
+          number: 80
   - match:
     - uri:
         prefix: /v1/dataprep
     route:
     - destination:
-        host: chatqna-data-prep.chatqa.svc.cluster.local
+        host: chatqna-nginx.chatqa.svc.cluster.local
         port:
-          number: 6007
+          number: 80
+  - match:
+     - uri:
+         prefix: /
+    route:
+      - destination:
+        host: chatqna-nginx.chatqa.svc.cluster.local
+        port:
+          number: 80
diff --git a/authN-authZ/auth-istio/oauth2_install.yaml b/authN-authZ/auth-istio/oauth2_install.yaml
@@ -35,6 +35,9 @@ data:
     #extra attributes
     reverse_proxy = true
     auth_logging = true
+    request_logging = true
+    silence_ping_logging = true
+    standard_logging = true
     cookie_httponly = true
     cookie_refresh = "2m"
     cookie_expire = "3m"
@@ -43,15 +46,11 @@ data:
     pass_authorization_header = true
     pass_basic_auth = true
     pass_user_headers = true
-    request_logging = true
     set_authorization_header = true
     set_xauthrequest = true
-    silence_ping_logging = true
     skip_provider_button = true
-    skip_auth_strip_headers = false
+    skip_auth_preflight = true
     skip_jwt_bearer_tokens = true
-    ssl_insecure_skip_verify = true
-    standard_logging = true
 kind: ConfigMap
 metadata:
   name: oauth2-proxy-config