-
Notifications
You must be signed in to change notification settings - Fork 260
Legend Authentication
This doc is a proposal for refactoring the Legend metamodel (and related impl detail) wrto authentication.
- Many ways to do the same thing - A concept can be described in many ways. This increases cognitive load for users and also duplication of Legend code and effort.
In both cases a private key is loaded from a vault ; though there are some differences.
Class AwsPKAuthenticationStrategy extends AuthenticationStrategy
{
secretArn: String[1];
user: String[1];
}
Class SnowflakePublicAuthenticationStrategy extends AuthenticationStrategy
{
privateKeyVaultReference : String[1];
passPhraseVaultReference : String[1];
publicUserName : String[1];
}
-
Reusable components buried in specific modules The SnowflakePublicAuthenticationStrategy can be used by any component that needs to obtain an encrypted private key. But using this strategy requires adding a dependency on the relational module.
-
No consistent way to describe authn Any Legend component that connects to an external "data source" needs some form of authentication. While there might be many data sources there are a relatively small number of authentication schemes that (I think) can be consistently described and used across the platform.
-
Split authentication from credential acquisition Authentication is the process by which a system verifies the identity of a "user". E.g a database authenticates the user making a connection.
Authentication requires that "user" present one/more "credentials". Credentials might be explicitly acquired (e.g read a key/pair from a vault) or might be acquired from the runtime environment (e.g current Kerberos subject).
To complete authentication, credentials have to be presented to the target system using some protocol. E.g add credentials to a JDBC properties object, create a file on disk that can be read by the ODBC driver, add a HTTP header with a bearer token etc.
While the authentication protocol by itself is very data source specific, the credential acquisition is more general and can be reused.
- For Legend Users
- For Legend Maintainers