# Certification program

## 1. Description

- Authentication includes client authentication and site authentication.
- Authentication configuration: `$FATE_BASE/conf/service_conf.yaml`

```yaml
## Site authentication requires configuration of the party site id
party_id:
# Hook module, need to configure different hooks according to different scenarios
hook_module:
  client_authentication: fate_flow.hook.flow.client_authentication
  site_authentication: fate_flow.hook.flow.site_authentication
# Third-party authentication service name
hook_server_name:
authentication:
  client:
    # Client authentication switch
    switch: false
    http_app_key:
    http_secret_key:
  site:
    # Site authentication switch
    switch: false
```

- Authentication method: both Flow's own authentication module and third-party service authentication are supported. The hook in use is selected through `hook_module`; the following hooks are currently supported:
  - `client_authentication` supports `fate_flow.hook.flow.client_authentication` and `fate_flow.hook.api.client_authentication`. The former is Flow's own client authentication method, the latter is client authentication by a third-party service.
  - `site_authentication` supports `fate_flow.hook.flow.site_authentication` and `fate_flow.hook.api.site_authentication`. The former is Flow's own site authentication method, the latter is site authentication by a third-party service.
## 2. Client authentication

### 2.1 Flow authentication

#### 2.1.1 Configuration

```yaml
hook_module:
  client_authentication: fate_flow.hook.flow.client_authentication
authentication:
  client:
    switch: true
    http_app_key: "xxx"
    http_secret_key: "xxx"
```

#### 2.1.2 Interface Authentication Method

All client requests sent to Flow need to carry the following headers:

- `TIMESTAMP`: Unix timestamp in milliseconds, e.g. `1634890066095` means `2021-10-22 16:07:46 GMT+0800`. Note that the difference between this time and the server's current time cannot exceed 60 seconds.
- `NONCE`: random string; a UUID can be used, such as `782d733e-330f-11ec-8be9-a0369fa972af`
- `APP_KEY`: must be consistent with `http_app_key` in the Flow configuration file
- `SIGNATURE`: signature generated from `http_secret_key` in the Flow configuration file and the request parameters
#### 2.1.3 Signature generation method

- Combine the following elements in order:
  1. `TIMESTAMP`
  2. `NONCE`
  3. `APP_KEY`
  4. Request path plus query parameters, such as `/v1/job/submit` or `/v1/data/upload?table_name=dvisits_hetero_guest&namespace=experiment`; if there are no query parameters, the trailing `?` is omitted
  5. If `Content-Type` is `application/json`, the original JSON, i.e. the request body; otherwise this item is the empty string
  6. If `Content-Type` is `application/x-www-form-urlencoded` or `multipart/form-data`, all parameters sorted alphabetically and URL-encoded according to RFC 3986 (i.e. everything except `a-zA-Z0-9-._~` is percent-encoded); note that files do not participate in the signature. Otherwise this item is the empty string
- Concatenate all elements with the newline character `\n` and encode the result in ASCII.
- Use the HMAC-SHA1 algorithm to compute the binary digest, with `http_secret_key` from the Flow configuration file as the key.
- Encode the binary digest in base64.

#### 2.1.4 Example

You can refer to the FATE SDK.
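The following is an added worked example of the client signing procedure above, written for this page; it is not code from the FATE SDK or from FATE Flow itself. It shows both sides: the client builds the `TIMESTAMP`/`NONCE`/`APP_KEY`/`SIGNATURE` headers, and a server-side check validates the app key, the 60-second clock window and the HMAC-SHA1 signature with a constant-time comparison. The app key, secret key, request bodies and function names are constructed for the example, and the nonce replay cache in `verify_request` is an added defensive check that the page does not specify. The form canonicalisation uses `urlencode(sorted(...), quote_via=quote, safe="-._~")` as this page's reading of the RFC 3986 rule.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import quote, urlencode

# Constructed stand-ins for http_app_key / http_secret_key in service_conf.yaml.
APP_KEY = "example-app-key"
SECRET_KEY = "example-secret-key"
MAX_SKEW_MS = 60 * 1000  # Flow rejects requests more than 60 s away from its own clock


def build_signing_string(timestamp, nonce, app_key, full_path, content_type, body):
    """Return the bytes that get signed: the six elements of 2.1.3 joined by '\\n', ASCII-encoded.

    full_path is the request path plus query string, with no trailing '?' when the query
    is empty (e.g. '/v1/job/submit'). body is the raw JSON bytes for application/json,
    a dict of form fields for form requests, and is ignored for any other content type.
    """
    json_item = b""
    form_item = b""
    if content_type == "application/json":
        json_item = body if isinstance(body, bytes) else body.encode("ascii")
    elif content_type in ("application/x-www-form-urlencoded", "multipart/form-data"):
        # Alphabetical order, then RFC 3986 percent-encoding where only A-Za-z0-9-._~
        # survive unescaped. File parts never take part in the signature.
        form_item = urlencode(sorted(body.items()), quote_via=quote, safe="-._~").encode("ascii")
    items = [timestamp.encode("ascii"), nonce.encode("ascii"), app_key.encode("ascii"),
             full_path.encode("ascii"), json_item, form_item]
    return b"\n".join(items)


def sign(secret_key, signing_string):
    """HMAC-SHA1 over the signing string keyed with http_secret_key, then base64 of the raw digest."""
    digest = hmac.new(secret_key.encode("ascii"), signing_string, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def make_auth_headers(app_key, secret_key, full_path, content_type, body,
                      now_ms=None, nonce=None):
    """Client side: produce the four headers Flow expects on every request."""
    timestamp = str(now_ms if now_ms is not None else int(time.time() * 1000))
    nonce = nonce or str(uuid.uuid1())  # the page suggests a UUID as the random string
    signing_string = build_signing_string(timestamp, nonce, app_key, full_path, content_type, body)
    return {"TIMESTAMP": timestamp, "NONCE": nonce, "APP_KEY": app_key,
            "SIGNATURE": sign(secret_key, signing_string)}


def verify_request(headers, full_path, content_type, body, app_key, secret_key,
                   now_ms, seen_nonces, max_skew_ms=MAX_SKEW_MS):
    """Server side: app key, 60 s clock window, nonce replay, then a constant-time HMAC compare.

    The nonce cache (seen_nonces) is an added replay defence assumed here; the page only
    specifies the timestamp window. Returns (accepted, reason).
    """
    if headers.get("APP_KEY") != app_key:
        return False, "unknown app key"
    try:
        ts = int(headers["TIMESTAMP"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now_ms - ts) > max_skew_ms:
        return False, "timestamp outside the 60 s window"
    nonce = headers.get("NONCE", "")
    if not nonce or nonce in seen_nonces:
        return False, "missing or replayed nonce"
    expected = sign(secret_key, build_signing_string(headers["TIMESTAMP"], nonce, app_key,
                                                     full_path, content_type, body))
    if not hmac.compare_digest(expected, headers.get("SIGNATURE", "")):
        return False, "signature mismatch"
    seen_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: a JSON job submission signed once and verified once.
    body = json.dumps({"job_id": "placeholder-job"}).encode("ascii")
    now = int(time.time() * 1000)
    hdrs = make_auth_headers(APP_KEY, SECRET_KEY, "/v1/job/submit", "application/json", body, now_ms=now)
    print(verify_request(hdrs, "/v1/job/submit", "application/json", body, APP_KEY, SECRET_KEY, now, set()))
```

The client must sign exactly the bytes it sends as the JSON body; re-serialising the JSON on either side can change whitespace or key order and break the signature. On the server, `hmac.compare_digest` avoids leaking how many leading characters of a guessed signature matched.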
### 2.2 Third-party service authentication

#### 2.2.1 Configuration

```yaml
hook_module:
  client_authentication: fate_flow.hook.api.client_authentication
authentication:
  client:
    switch: true
hook_server_name: "xxx"
```

#### 2.2.2 Interface Authentication Method

- The third-party service needs to register the client authentication interface with Flow; refer to Client Authentication Service Registration.
- If the authentication fails, Flow returns the authentication failure directly to the client.
## 3. Site Authentication

### 3.1 Flow authentication

#### 3.1.1 Configuration

```yaml
party_id: 9999
hook_module:
  site_authentication: fate_flow.hook.flow.site_authentication
authentication:
  client:
    switch: true
    http_app_key: "xxx"
    http_secret_key: "xxx"
```

#### 3.1.2 Authentication scheme

- Flow generates a public/private key pair when it starts, and partner sites need to exchange public keys with each other. When sending a request, Flow generates an RSA signature with its own key, and the requested site verifies the signature with the partner public key it holds.
- Flow provides a key management CLI, described below.
#### 3.1.3 Key Management

- Add a partner's public key

  Used to save the public key information of another FATE site, i.e. to establish cooperation with that site.

  ```shell
  flow key save -c fateflow/examples/key/save_public_key.json
  ```

  Options

  | parameters | short format | long format | required | type | description |
  |---|---|---|---|---|---|
  | conf_path | -c | --conf-path | yes | string | configuration path |

  Note: conf_path is the path to the parameter file; the specific parameters are as follows

  | parameter name | required | type | description |
  |---|---|---|---|
  | party_id | yes | string | site id |
  | key | yes | string | site public key |

  Returns

  | parameter name | type | description |
  |---|---|---|
  | retcode | int | return code |
  | retmsg | string | return message |

  Sample

  ```json
  {
    "retcode": 0,
    "retmsg": "success"
  }
  ```

- Delete a partner's public key

  Delete the partner site's public key, i.e. cancel the partnership.

  ```shell
  flow key delete -p 9999
  ```

  Options

  | parameters | short format | long format | required | type | description |
  |---|---|---|---|---|---|
  | party_id | -p | --party-id | yes | string | site id |

  Returns

  | parameter name | type | description |
  |---|---|---|
  | retcode | int | return code |
  | retmsg | string | return message |

  Sample

  ```json
  {
    "retcode": 0,
    "retmsg": "success"
  }
  ```

- Query a public key

  Query the public key information of our own or a partner's FATE site.

  ```shell
  flow key query -p 9999
  ```

  Options

  | parameters | short format | long format | required | type | description |
  |---|---|---|---|---|---|
  | party_id | -p | --party-id | yes | string | site id |

  Returns

  | parameter name | type | description |
  |---|---|---|
  | retcode | int | return code |
  | retmsg | string | return message |
  | data | object | return data |

  Sample

  ```json
  {
    "data": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzxgbxa3cfhvwbu0AFfY/\nkm7uFZ17J0EEDgaIWlrLakds7XboU5iOT0eReQp/KG3R0fVM9rBtdj8NcBcArtZ9\n2242Atls3jiuza/MPPo9XACnedGW7O+VAfvVmq2sdmKZMX5l7krEXYN645UZAd8b\nhIh+xf0qGW6IgxyKvqF13VxxB7OMUzUwyY/ZcN2rW1urfdXsCNoQ1cFl3KaarkHl\nn/gBMcCDvACXoKysFnFE7L4E7CGglYaDBJrfIyti+sbSVNxUDx2at2VXqj/PohTa\nkBKfrgK7sT85gz1sc9uRwhwF4nOY7izq367S7t/W8BJ75gWsr+lhhiIfE19RBbBQ\n/wIDAQAB\n-----END PUBLIC KEY-----",
    "retcode": 0,
    "retmsg": "success"
  }
  ```
### 3.2 Third-party service authentication

#### 3.2.1 Configuration

```yaml
hook_module:
  site_authentication: fate_flow.hook.api.site_authentication
authentication:
  site:
    switch: true
hook_server_name: "xxx"
```

#### 3.2.2 Interface Authentication Method

- The third-party service needs to register the site authentication interface with Flow; refer to Site Authentication Service Registration.
- If the authentication fails, Flow returns the authentication failure directly to the initiator.