custos-1.1

Apache Airavata Custos 1.1 Release Notes

Key Features

1. Authentication Services

• Support for multiple authentication mechanisms

  • OAuth2 Simplified authentication for web and mobile applications.
  • OIDC (OpenID Connect) Enhanced user experience and secure identity verification.

• PKCE Flow

  • Introduced support for Proof Key for Code Exchange (PKCE), making it suitable for Single Page Applications (SPA).

• JWKS Endpoint

  • Added support for a JSON Web Key Set (JWKS) endpoint to enable public key verification.

2. Authorization Management

• Token Customization

  • Injected group and scope claims into tokens for fine-grained authorization.

• OIDC Standards Implementation

  • Updated authorization, token, and OIDC endpoints to comply with OIDC standards, with changes to parameters and response formats.

3. Secrets Management

• Secure storage and retrieval

  • API keys, credentials, and other secrets are securely stored and retrieved.
  • All sensitive information is encrypted at rest.

• User-Friendly Management

  • Command Line Interface (CLI) and API support for managing secrets.

4. Multitenancy Support

• Enhanced Multitenancy
  • Host multiple tenants with isolated data and configurations.

5. Federated Identity Management

• Single Sign-On (SSO)

  • Support for SSO across multiple applications and services.

• Federation with Identity Providers

  • Seamless support for multiple identity providers through federation.

6. Developer-Friendly Tools

• Comprehensive REST APIs

  • Simplified integration with applications.

• Sample Applications

  • Demonstrations of common integration patterns.

---

Major Changes Since the last Release

1. Keycloak Upgrade

   • Upgraded from version 9.0.2 to 24.0.0 for improved security and additional features.

2. Service-to-Service Communication

   • Simplified service interactions by refactoring them into dependency-based communication.

3. OIDC Standards Implementation

   • Updated endpoints for authorization, token, and OIDC to comply with the latest OIDC standards.

4. Nginx Proxy Removal

   • Removed Nginx as a reverse proxy; SSL termination is now handled by the deployment architecture.

5. New Module Architecture

   • custos-application Entry point, configuration, and API integration.
   • custos-core Core business logic, entities, and repositories.
   • custos-services Service classes for implementing business logic.
   • custos-api REST controllers for exposing application functionality.

6. Terraform Deployment Scripts

   • Added scripts for AWS, including:
     • Network layer (VPC, private/public subnets).
     • Keycloak deployment.
     • Vault deployment.

---

What’s Next?

Our roadmap for future releases includes:

• Group Invite Links:

  • Enable group invitations, allowing members to join via invite links.

• Token Signing Key Rotation:

  • Implement automated and seamless token signing key rotation for enhanced security.

• Tenant-Specific Token Signing Keys:

  • Support for tenant-specific token signing keys to ensure isolated and secure token management per tenant.

• Enhanced Custos Portal Functionality:

  • Expose more features and capabilities through the Custos portal for improved user experience.

• Notifications:

  • Adding support for notifications to keep users informed.

---

Changelog

• Initial vault based credential store + Rest API framework with SSH and AWS credential support by @DImuthuUpe in #3
• initial python custos library by @machristie in #7
• Python SDK for authentication was keycloak and for other admin services by @aarushiibisht in #8
• Clean up code by @isururanawaka in #46
• clean up by @isururanawaka in #47
• clean python sdk and root pom by @isururanawaka in #48
• Add custos docker repository by @isururanawaka in #50
• bumping up to latest apache parent dependency by @smarru in #51
• adding rat plugin for license checks by @smarru in #52
• move custos-clients root folder to custos-python-sdk by @isururanawaka in #54
• modify python clients by @isururanawaka in #55
• move super credentials to secret env by @isururanawaka in #56
• remove sensitive configs by @isururanawaka in #57
• fixing travis build failure and refactoring custos-client to custos-java-client by @smarru in #59
• Integration tests by @isururanawaka in #61
• Add Agent, Group and User Java Clients by @isururanawaka in #62
• Modification agent management Id by @isururanawaka in #63
• remove snaphopt and non maven repositories by @isururanawaka in #64
• Add redirect uris as web origins by @isururanawaka in #67
• Add custom theme support for Custos jboss/keycloak by @isururanawaka in #70
• Core operations implementation of Airavata credential store by @isururanawaka in #72
• Add public APIs for resource secret management and validations by @isururanawaka in #73
• Fix resource secret access by @isururanawaka in #74
• Hireachical group membership support by @isururanawaka in #77
• Sharing persistance models by @isururanawaka in #84
• Institutional caching by @isururanawaka in #89
• grpc-web support by @isururanawaka in #85
• Add institutional whitelisting and backlisting for tenants by @isururanawaka in #90
• Agent client level role support by @isururanawaka in #91
• sharing management service e2e by @isururanawaka in #92
• Modified settings.py by @bhaktinarvekar in #96
• Enhance python SDK, Make Java clients to support multitenancy by @isururanawaka in #97
• Sharing service by @isururanawaka in #98
• Fixes for Airavata integration in Custos side by @isururanawaka in #100
• Institutional caching by @isururanawaka in #101
• Logging by @isururanawaka in #102
• remove ids by @isururanawaka in #103
• Change setup.py to package certificate files by @isururanawaka in #104
• Bug fix in IdentityService: fetching JWKS by @isururanawaka in #105
• Python SDK improvements by @isururanawaka in #107
• Custos python sdk demo by @isururanawaka in #108
• .asf.yaml by @isururanawaka in #109
• Fix duplicate entry fetching in sharing service by @isururanawaka in #106
• Add SECRET entity type by @isururanawaka in #110
• Merging Custos python sdk demo into Master by @smarru in #115
• Merging Develop into Master by @smarru in #116
• Enable vault server trust by @isururanawaka in #119
• Enhance secret delivery with shamir's algo by @isururanawaka in #121
• Implement KV support for resource secrets by @isururanawaka in #122
• Support ssh,password external token string by @isururanawaka in #124
• Add direct custos groups creation compatible with data migration by @isururanawaka in #125
• update db dns, add python sdk KV methods by @isururanawaka in #127
• resolve performance issue: Sharing service userHasAccess method by @isururanawaka in #128
• Add python samples for KV secret management by @isururanawaka in #129
• Improve tenant management APIs by @isururanawaka in #132
• Mft related changes by @isururanawaka in #133
• Mft related changes: Add credential Map by @isururanawaka in #134
• Improve Credential Map by @isururanawaka in #135
• Sea...

Custos Initial Code Base

Merge pull request #45 from isururanawaka/microservices_based_impl

minimize update request operations