Skip to content

Legend Authentication

Ephrim Stanley edited this page Oct 7, 2022 · 11 revisions

Overview

This doc is a proposal for refactoring the Legend metamodel (and related impl detail) wrto authentication.

Current Challenges

  • Many ways to do the same thing - A concept can be described in many ways. This increases cognitive load for users and also duplication of Legend code and effort.

In both cases a private key is loaded from a vault ; though there are some differences.

Class AwsPKAuthenticationStrategy extends AuthenticationStrategy
{
    secretArn: String[1];
    user: String[1];
}

Class SnowflakePublicAuthenticationStrategy extends AuthenticationStrategy
{
    privateKeyVaultReference : String[1];
    passPhraseVaultReference : String[1];
    publicUserName : String[1];
}
  • Reusable components buried in specific modules The SnowflakePublicAuthenticationStrategy can be used by any component that needs to obtain an encrypted private key. But using this strategy requires adding a dependency on the relational module.

  • No consistent way to describe authn Any Legend component that connects to an external "data source" needs some form of authentication. While there might be many data sources there are a relatively small number of authentication schemes that (I think) can be consistently described and used across the platform.

  • Split authentication from credential acquisition Authentication is the process by which a system verifies the identity of a "user". E.g a database authenticates the user making a connection.

Authentication requires that "user" present one/more "credentials". Credentials might be explicitly acquired (e.g read a key/pair from a vault) or might be acquired from the runtime environment (e.g current Kerberos subject).

To complete authentication, credentials have to be presented to the target system using some protocol. E.g add credentials to a JDBC properties object, create a file on disk that can be read by the ODBC driver, add a HTTP header with a bearer token etc.

While the authentication protocol by itself is very data source specific, the credential acquisition is more general and can be reused.

Clone this wiki locally