Configuring Authentication for a Zed Lake Service
Table of Contents
A SuperDB data lake service may be configured to require
user authentication to be accessed from clients such as the
Zui application, the
super db
CLI commands, or the
SuperDB Python client. This document describes a simple
Auth0 configuration with accompanying super db serve
flags
that can be used as a starting point for creating similar configurations in
your own environment.
Environment
Our example environment consists of the following:
- An Auth0 trial account containing a verified user
testuser@brimdata.io
- A Linux VM with IP address
192.168.5.75
on which we’ll run our Zed lake service - A macOS desktop on which we’ll run our Zui app and
zed
CLI tooling
Auth0 API Configuration
-
Begin creating a new API by clicking APIs in the left navigation menu and then clicking the Create API button.
-
Enter any Name and URL Identifier for the API, then click the Create button.
✵ Tip ✵
Note the value you enter for the Identifier as you’ll need it later for the Zed lake service configuration.
-
Click the Settings tab for your newly created API.
-
Scroll down in the Settings tab and click the toggle to enable Allow Offline Access, then click the Save button.
Auth0 Application Configuration
- Begin creating a new application by clicking Applications in the left navigation menu and then clicking the Create Application button.
✵ Note ✵
Neither the “Zed lake (Test Application)” that was created for us automatically when we created our API nor the Default App that came with the trial are used in this configuration.
-
Enter any Name for the application. Keeping the default selection for creating a Native app, click the Create button.
-
Click the Settings tab for your newly created application.
-
On the Settings tab, note the Domain and Client ID values, as you’ll need them later for the Zed lake service configuration.
-
If you wish to allow authentication from the Zui desktop application, scroll down in the Settings tab to the Allowed Callback URLs and enter the value
zui://auth/auth0/callback
. -
If you wish to allow authentication from the Zed CLI tooling and/or the Python client, scroll down in the Settings tab and expand the Advanced Settings, then click the Grant Types tab, then click the checkbox to enable the Device Code grant type.
-
Scroll down to the bottom of the Settings tab and click the Save Changes button.
Zed Lake Service Configuration
-
Login to our Linux VM and install the most recent Zed tools from source.
$ go install github.com/brimdata/super/cmd/zed@latest go: downloading github.com/brimdata/super v1.6.0 $ zed -version Version: v1.6.0
-
Set shell variables with the values you noted previously from the Auth0 configuration for the API Identifier and the Domain and Client ID values from the application configuration. Make sure the
https://
prefix is included in the Identifier value.$ auth0_api_identifier=https://zedlakeapi.example.com $ auth0_clientid=9ooDnoufvD56HNqSM0KqsPLoB3XS55i3 $ auth0_domain=https://dev-6actj4z0ihvkuzeh.us.auth0.com
-
Download the JSON Web Key Set for the domain.
$ curl -O $auth0_domain/.well-known/jwks.json
-
Start the Zed service, specifying the required flags for the authentication configuration along with a directory name for lake storage.
$ zed serve \ -auth.enabled \ -auth.clientid=$auth0_clientid \ -auth.domain=$auth0_domain \ -auth.jwkspath=jwks.json \ -auth.audience=$auth0_api_identifier \ -lake=lake {"level":"info","ts":1678909988.9797907,"logger":"core","msg":"Started"} {"level":"info","ts":1678909988.9804773,"logger":"httpd","msg":"Listening","addr":"[::]:9867"} ...
Authenticated Login Flow
Now that we’ve configured both Auth0 and the Zed lake service, we can test the authenticated login flow with our Zed clients. The video below shows this using Zui v1.0.0 and the Zed CLI tooling and Zed Python client v1.6.0.
Summary:
-
After clicking Add Lake in Zui and entering a Name and our Lake URL, the Zed lake service redirects the user to Auth0 to complete authentication. Once authentication succeeds, Auth0 redirects back to Zui and the user can begin operating with the lake. The user can log out by clicking the lake URL in the left navigation menu, then clicking Get info, then clicking Logout.
-
Before starting the authentication flow with the Zed CLI tooling, ensure the
ZED_LAKE
environment variable is pointing at the appropriate lake URL. Oncezed auth login
is executed, the Zed lake service redirects the user to Auth0 where a device code is displayed that can be compared against the one shown by the Zed CLI. Once the user clicks the Confirm button, the user has authenticated and can begin operating with the lake. The credentials are cached in$HOME/.zed
. The user can log out viazed auth logout
. -
As the Python client depends on the same authentication used by the Zed CLI tooling, you can begin authenticated operations in the Python client once completing the previous step.