Advanced Topics

Shared access and Security

Documentation status

This part of the documentation is a work in progress.
A more detailed documentation of security features will be added soon.

Shared access

To allow remote access to eryph-zero, the following changes must be made:

Enable overlay networking
To allow remote users to access catlets, you must switch networking from nat_overlay to overlay mode.
See Advanced networking for details.

Assign a fixed port to eryph-zero
By default, eryph-zero uses a dynamic port for its API services. To access eryph remotely, it must be set to a fixed port.

To set a fixed port in eryph you have to modify the appsettings.json in the C:\Program Files\eryph\zero\bin directory.

Add a basePath property with the eryph hostname and the chosen port to the JSON object in that file (the snippet below shows only this property; keep the existing ones):

{
    "basePath": "https://[hostname]:8000"
}

Eryph uses a self-signed SSL certificate that is issued for localhost, the hostname, and hostname.domain (if a domain is available), so you can also use the FQDN instead of the plain hostname.

Identity Clients
You will need to create identity clients for all users who need to access eryph remotely using the New-EryphClient PowerShell command. If you want to restrict users to specific tasks or projects, you may also need to create projects and assign users as project members.

The command prints the attributes of the new client, including its private key:

new-EryphClient -Name user -AllowedScopes compute:catlets:write

Id               : e6d7dd9c-b919-4dbc-8fa5-885c577382e7
Name             : user
Description      :
IdentityProvider : https://[hostname]:8000/identity
AllowedScopes    : {compute:catlets:write}
PrivateKey       : -----BEGIN RSA PRIVATE KEY-----
                  [Truncated]
                   -----END RSA PRIVATE KEY-----

Send this output to the remote user over a secure channel. The user needs the following values to create the client configuration:

  • Id
  • IdentityProvider https://[hostname]:8000/identity
  • Private Key

Client Configuration
Users must manually install the eryph PowerShell client and then create a local client configuration.

# The private key spans several lines: paste it into a here-string (@" ... "@)
# or read it from a file with Get-Content -Raw instead of a single-line string.
$key = "[Insert private key here]"
$clientId = "[insert client id]"
$identityEndpoint = "[insert identity service url, e.g. https://localhost:8000/identity]"

New-EryphClientCredentials -Id $clientId `
    -InputObject $key `
    -IdentityEndpoint $identityEndpoint `
    -Configuration default | Add-EryphClientConfiguration `
    -Name remote_zero -AsDefault

Identity Services

The eryph identity service is an OpenID based identity provider.

It is completely decoupled from the compute service and provides the following services:

  • Issue OpenID / OAuth access tokens to clients
  • Management of identity clients

Scopes

Scopes restrict which operations an identity client may perform in each service.

The following scopes currently exist for the compute service:

  • compute:read
    read access to all resources in the compute service
  • compute:write
    read and write access to all resources in the compute service
  • compute:catlets:read
    read catlets
  • compute:catlets:write
    read, create, change and delete catlets
  • compute:catlets:control
    right to start and stop catlets
  • compute:projects:read
    read projects and project networks
  • compute:projects:write
    read, create, change and delete projects and networks

The following scopes currently exist for the identity service:

  • identity:read
    read access to all resources in the identity service
  • identity:write
    read and write access to all resources in the identity service
  • identity:clients:read
    read clients
  • identity:clients:write
    read, create, change and delete clients
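
The following PowerShell function is an added example, not part of the eryph documentation or project. It wraps the New-EryphClient call from the Identity Clients section, rejects scopes that are not in the two lists above, and writes the three handover values (Id, IdentityProvider, PrivateKey) to a file readable only by the current user instead of leaving the key in the console output. The function name, the handover file layout and the use of icacls are assumptions; the cmdlet, its parameters and its output properties are as shown on this page.

```powershell
# Scopes documented on this page for the compute and identity services.
$KnownScopes = @(
    'compute:read', 'compute:write',
    'compute:catlets:read', 'compute:catlets:write', 'compute:catlets:control',
    'compute:projects:read', 'compute:projects:write',
    'identity:read', 'identity:write',
    'identity:clients:read', 'identity:clients:write'
)

# Assumed helper name; creates the client and a handover file for the remote user.
function New-EryphRemoteClientHandover {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $AllowedScopes,
        [Parameter(Mandatory)] [string]   $OutFile
    )

    # Refuse unknown scopes up front so a typo does not silently produce a
    # client with different rights than intended.
    $unknown = $AllowedScopes | Where-Object { $_ -notin $KnownScopes }
    if ($unknown) { throw "Unknown scope(s): $($unknown -join ', ')" }

    # compute:write / identity:write grant full write access to a service;
    # point that out so narrower scopes are chosen where they suffice.
    if ('compute:write' -in $AllowedScopes -or 'identity:write' -in $AllowedScopes) {
        Write-Warning "Client '$Name' gets full write access to a service; prefer a narrower scope."
    }

    # Create the handover file first and restrict it to the current user
    # (remove inherited ACEs, grant only ourselves), then write the secret.
    New-Item -ItemType File -Path $OutFile -Force | Out-Null
    icacls $OutFile /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null

    $client = New-EryphClient -Name $Name -AllowedScopes $AllowedScopes

    # Only the three values the remote user needs for New-EryphClientCredentials.
    [ordered]@{
        Id               = $client.Id
        IdentityProvider = $client.IdentityProvider
        PrivateKey       = $client.PrivateKey
    } | ConvertTo-Json | Set-Content -Path $OutFile -Encoding utf8

    # Return the client without its key so the key is not echoed to the console.
    $client | Select-Object Id, Name, IdentityProvider, AllowedScopes
}

# Usage (constructed values): a client that may manage and start/stop catlets only.
New-EryphRemoteClientHandover -Name alice `
    -AllowedScopes compute:catlets:write, compute:catlets:control `
    -OutFile .\alice-client.json
```

The remote user reads the JSON file and feeds Id, IdentityProvider and PrivateKey into the Client Configuration step above; the file is deleted once the configuration is stored.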