https://github.com/humanbrainproject/servicehub

https://github.com/humanbrainproject/servicehub

Last synced: 6 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/humanbrainproject/servicehub
• Owner: HumanBrainProject
• License: apache-2.0
• Created: 2018-02-20T10:15:45.000Z (about 8 years ago)
• Default Branch: master
• Last Pushed: 2022-12-08T00:54:50.000Z (over 3 years ago)
• Last Synced: 2025-01-23T09:16:28.356Z (about 1 year ago)
• Language: Python
• Size: 813 KB
• Stars: 1
• Watchers: 4
• Forks: 2
• Open Issues: 5
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# ServiceHub

Service hub provides a container infrastructure to add authentication and spawn an app per user.

The goal is to allow scientists to provide simple docker containers without managing users and sessions.

Authentication is provided by OAUTH in an Apache proxy. Docker containers are spawned for each user and destroyed after a period of inactivity.

A Traefik reverse proxy provides the routing based on a userid parameter in the header. You can see an architecture diagram ![servicehub architecture](docs/servicehub.jpg).

## Configuring

There are two applications that need to be configured. The first is Apache which is authenticating requests. It needs OpenID tokens to connect to our OpenID provider, and also needs to be configured for SSL. The second is the servicehub, which needs to be provided with the Docker image for the apps, and the settings for the containers.

### OIDC Client registration

You application will need to be registered with the OpenID Connect server. You can register [here](https://collab.humanbrainproject.eu/#/collab/54/nav/1051) using the server flow. You must be an HBP member to access this service.

### Configuration files

- _docker-compose.yaml_:

  Get an SSL certificate for your domain. You can find steps for setting it up with Letsencrypt [here](https://letsencrypt.org/getting-started/).

  Once you have SSL certificates, update the mapping in `docker-compose.yaml`'s 'services/volumes' to point to the certificate directory. For Debian based distros, this will usually be `/etc/letsencrypt/live` if you use letsencrypt's certbot to obtain the certificates.

- _config/servicehub.conf_:

  Copy config/servicehub(-ssl).conf.example to config/servicehub.conf and configure the OIDC parameters.

  + ServerName: your domain name

  + OIDCClientID: the client ID you obtained from the collab when creating a client.

  + OIDCClientSecret: the secret you obtained from the collab when creating a client.

  + OIDCRedirectUri: http(s)://my-domain.org/redirect_uri

  + OIDCCryptoPassphrase: a secret random passphrase

  + OIDCAuthNHeader: the user id field used by the OIDC provider. HBP users `sub`.

  + If using SSL, adjust the SSL certificate paths as necessary. You should have mapped the directory they are stored in in the docker-compose.yaml.

- _servicehub/servicehub.conf_:

  Copy servicehub/servicehub.conf.example to servicehub/servicehub.conf

  Update the image name and optionnaly label to use your application's image.

  NOTE: The session lifetime is not implemented yet.

## Installing

    make build

## Requirements

Python >= 3.4

docker-compose

make

## Running

Start with docker compose

    make start

You should now be able to access the app at the domain you have set in the Apache vhost (assuming that you have set the DNS). You should be redirected to the Human Brain Login page, which will ask you whether you authorize it to give you access to the scopes you have requested during the client registration. Once you sign in and accept, your application should load. If your home page is /hello, browse to http(s)://my-domain.org/hello.

## Application

For security purposes, the containerized application should not run as root!

## Authentication and user ACLs

## Connecting to services

### Configuration wizard

 * [ ] apache

 * [ ] servicehub

 * [ ] letsencrypt

### ServiceHub

 * [ ] session monitoring from Traefik logs

 * [ ] configurable volume mounting

 * [ ] configurable docker parameters (quotas, etc)

### Reverse proxy

 * [ ] access logs

 * [x] Redirect non-existing route to service hub

## Acknowledgements

This open source software code was developed in part or in whole in the Human Brain Project, funded from the European Union’s Horizon 2020 Framework Programme for Research and Innovation under the Specific Grant Agreement No. 785907 (Human Brain Project SGA2).