Advanced Topics
Shared access and Security
Documentation status
This part of the documentation is a work in progress.
A more detailed documentation of security features will be added soon.
Shared access
To allow remote access to eryph-zero, the following changes must be made:
Enable overlay networking
To allow remote users to access catlets, you must switch networking from nat_overlay to overlay mode.
See Advanced networking for details.
Assign a fixed port to eryph-zero
By default, eryph-zero uses a dynamic port for its API services. To access eryph remotely, it must be set to a fixed port.
To set a fixed port in eryph, you have to modify the appsettings.json file in the C:\Program Files\eryph\zero\bin directory. Add a basePath property with the eryph hostname and the chosen port:
{
  "basePath": "https://[hostname]:8000"
}
Eryph uses a self-signed SSL certificate issued for localhost, the hostname, and hostname.domain if a domain is available, so you can also use the FQDN instead of the plain hostname in basePath.
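A quick sanity check of the basePath before opening eryph-zero to remote users, as an added example that is not part of the eryph documentation or the eryph PowerShell module. It assumes the file path named above and the certificate names (localhost, hostname, FQDN) described above; the function name Test-EryphBasePath is this example's own.

```powershell
# Added example (not from the eryph docs): validate basePath in appsettings.json.
# Assumptions: settings file path as given on this page; the self-signed
# certificate covers localhost, the hostname and the FQDN as described above.

function Test-EryphBasePath {
    param(
        [string] $SettingsPath = 'C:\Program Files\eryph\zero\bin\appsettings.json'
    )

    $settings = Get-Content -Path $SettingsPath -Raw | ConvertFrom-Json
    if (-not $settings.basePath) {
        throw "basePath is missing from $SettingsPath; eryph-zero would keep using a dynamic port."
    }

    $uri = [uri] $settings.basePath
    $problems = @()

    # Remote clients must talk TLS; anything but https is a misconfiguration.
    if ($uri.Scheme -ne 'https') {
        $problems += "scheme is '$($uri.Scheme)', expected https"
    }

    # The port has to be stated explicitly so remote clients can rely on it.
    if ($uri.IsDefaultPort) {
        $problems += 'no explicit port in basePath'
    }

    # The host must be a name the self-signed certificate is issued for,
    # otherwise every remote client will see a certificate name mismatch.
    $hostName = [System.Net.Dns]::GetHostName()
    $fqdn = [System.Net.Dns]::GetHostEntry($hostName).HostName
    $validHosts = @('localhost', $hostName, $fqdn) |
        ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique
    if ($validHosts -notcontains $uri.Host.ToLowerInvariant()) {
        $problems += "host '$($uri.Host)' is not covered by the certificate (expected one of: $($validHosts -join ', '))"
    }

    if ($problems.Count -gt 0) {
        Write-Warning ("basePath '{0}' has issues:`n - {1}" -f $settings.basePath, ($problems -join "`n - "))
        return $false
    }
    Write-Host "basePath '$($settings.basePath)' is usable for remote access."
    return $true
}

Test-EryphBasePath
```

Run it on the eryph-zero host after editing appsettings.json; it returns $true only when the scheme, the explicit port and the host name all line up with what remote clients will verify.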
Identity Clients
You will need to create identity clients for all users who need to access eryph remotely using the New-EryphClient
PowerShell command. If you want to restrict users to specific tasks or projects, you may also need to create projects and assign users as project members.
The command output returns the attributes of the client, including its private key:
New-EryphClient -Name user -AllowedScopes compute:catlets:write
Id : e6d7dd9c-b919-4dbc-8fa5-885c577382e7
Name : user
Description :
IdentityProvider : https://[hostname]:8000/identity
AllowedScopes : {compute:catlets:write}
PrivateKey : -----BEGIN RSA PRIVATE KEY-----
[Truncated]
-----END RSA PRIVATE KEY-----
Securely send this output to the remote user. The following values are needed to create the client configuration:
- Id
- IdentityProvider (https://[hostname]:8000/identity)
- PrivateKey
Client Configuration
Users must manually install the eryph PowerShell client and then create a local client configuration:
$key = "[Insert private key here]"
$clientId = "[insert client id]"
$identityEndpoint = "[insert identity service url, e.g. https://localhost:8000/identity]"
New-EryphClientCredentials -Id $clientId `
    -InputObject $key `
    -IdentityEndpoint $identityEndpoint `
    -Configuration default | Add-EryphClientConfiguration `
    -Name remote_zero -AsDefault
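The whole hand-off described above (create a client with the narrowest scopes, pass Id, IdentityProvider and PrivateKey to the user, import them on the user's side) as an added example; it is not code from the eryph documentation or module. It uses only the cmdlets and parameters shown on this page; passing an array to -AllowedScopes, the bundle file layout, the output directory and the function names New-EryphClientBundle and Import-EryphClientBundle are this example's own assumptions.

```powershell
# Added example (not from the eryph docs or module): provision a least-privilege
# identity client and hand its credentials over as one locked-down file.
# Assumptions: cmdlets/parameters as shown on this page; -AllowedScopes accepting
# an array, the bundle layout and the output directory are choices made here.

function New-EryphClientBundle {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        # Narrowest scopes for someone who only works with existing catlets.
        [string[]] $Scopes = @('compute:catlets:read', 'compute:catlets:control'),
        [string] $OutDir = (Join-Path $env:USERPROFILE 'eryph-clients')
    )

    # Make broad grants visible at creation time instead of discovering them later.
    $broad = $Scopes | Where-Object { $_ -in 'compute:write', 'identity:write' }
    if ($broad) { Write-Warning "Client '$UserName' gets broad scope(s): $($broad -join ', ')" }

    $client = New-EryphClient -Name $UserName -AllowedScopes $Scopes

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $bundlePath = Join-Path $OutDir "$UserName.json"

    # The user needs exactly three values: Id, IdentityProvider and PrivateKey.
    [pscustomobject]@{
        Id               = $client.Id
        IdentityProvider = $client.IdentityProvider
        PrivateKey       = $client.PrivateKey
    } | ConvertTo-Json | Set-Content -Path $bundlePath -Encoding UTF8

    # Lock the file to the creating account: drop inherited ACEs, keep only ours.
    $acl = Get-Acl -Path $bundlePath
    $acl.SetAccessRuleProtection($true, $false)
    $self = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl.SetAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($self, 'FullControl', 'Allow'))
    Set-Acl -Path $bundlePath -AclObject $acl

    return $bundlePath
}

# Remote user side: import the bundle instead of pasting the key by hand.
function Import-EryphClientBundle {
    param(
        [Parameter(Mandatory)] [string] $BundlePath,
        [string] $ConfigurationName = 'remote_zero'
    )
    $bundle = Get-Content -Path $BundlePath -Raw | ConvertFrom-Json
    New-EryphClientCredentials -Id $bundle.Id `
        -InputObject $bundle.PrivateKey `
        -IdentityEndpoint $bundle.IdentityProvider `
        -Configuration default |
        Add-EryphClientConfiguration -Name $ConfigurationName -AsDefault
    # The key now lives in the client configuration; the bundle is no longer needed.
    Remove-Item -Path $BundlePath
}

# Administrator: New-EryphClientBundle -UserName alice
# Remote user:   Import-EryphClientBundle -BundlePath .\alice.json
```

The bundle still has to travel over a secure channel; the ACL only protects it at rest on the two machines. Defaulting to compute:catlets:read plus compute:catlets:control keeps day-to-day users away from compute:write, which grants write access to every compute resource.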
Identity Services
The eryph identity service is an OpenID-based identity provider.
It is completely decoupled from the compute service and provides the following services:
- issuing OpenID / OAuth access tokens to clients
- management of identity clients
Scopes
Scopes restrict an identity client to specific operations in each service.
The following scopes currently exist for the compute service:
- compute:read: read access to all resources in the compute service
- compute:write: read and write access to all resources in the compute service
- compute:catlets:read: read catlets
- compute:catlets:write: read, create, change and delete catlets
- compute:catlets:control: right to start and stop catlets
- compute:projects:read: read projects and project networks
- compute:projects:write: read, create, change and delete projects and networks
The following scopes currently exist for the identity service:
- identity:read: read access to all resources in the identity service
- identity:write: read and write access to all resources in the identity service
- identity:clients:read: read clients
- identity:clients:write: read, create, change and delete clients