Skip to content

Support a simplified workflow for using the TDM#604

Merged
lesserwhirls merged 4 commits into
Unidata:mainfrom
lesserwhirls:localTdm
Jul 29, 2025
Merged

Support a simplified workflow for using the TDM#604
lesserwhirls merged 4 commits into
Unidata:mainfrom
lesserwhirls:localTdm

Conversation

@lesserwhirls

Copy link
Copy Markdown
Member

Add a localhost-only API for managing collections with the TDM. This will bypass the need to setup tomcat authentication in cases where the TDM and TDS are running on the same host.

Create a "localhost" filter (prevent requests from IP addresses which
differ from the server) for paths /local/*, and use it to create a
local collections API to simplify use of the TDM for the use case of
the TDM when running on the same machine as the TDS.
@lesserwhirls lesserwhirls added the TDM Issues related to the THREDDS Data Manager (TDM) label Jul 28, 2025
@lesserwhirls lesserwhirls added this to the v5.7 milestone Jul 28, 2025
@lesserwhirls lesserwhirls added the docs: content Improvements or additions to documentation label Jul 28, 2025
When making a request to the local API, we check that the IP address
associated with the request comes from the same IP address that the
server is listening on locally though the use of a servlet filter. This
will prevent simple external requests to the local API, but the request
IP address can can be spoofed and thwart this. This commit adds an
additional check - a signature based authorization - to the local API.
At this point, only GET requests are supported. An HMAC SHA256 algorithm
is used to generate a hash of the the path and query components of the
request, along with the ISO formatted date/time (rounded down to the
nearest 5 second boundary). The client and server must have access to
the same key used to initialize the hash generator. This hash is sent
with the request as a header (key: X-TDS-Local-Api-Signature-V1). Upon
receipt, the server generates a hash in a similar manner. If the hashes
do not match, the server will respond with a 404. By adding the
date/time string to the hash calculation, we limit the window in which a
request is valid to 5 seconds. The server generates a has using the
current five minute window, and if that fails, it will generate the hash
using the previous 5 minute window.
When the TDM is configured to send triggers to one or more servers with
a hostname of localhost, use the new local API path of the TDS to send
triggers without needing credentials.
@lesserwhirls
lesserwhirls force-pushed the localTdm branch 2 times, most recently from 0d1fd3e to bfb2047 Compare July 29, 2025 19:44
@lesserwhirls
lesserwhirls marked this pull request as ready for review July 29, 2025 23:05
@lesserwhirls
lesserwhirls merged commit ea566ea into Unidata:main Jul 29, 2025
6 checks passed
@lesserwhirls
lesserwhirls deleted the localTdm branch July 29, 2025 23:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

docs: content Improvements or additions to documentation TDM Issues related to the THREDDS Data Manager (TDM)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant