Authentication

Note

This feature is only available in Ververica Platform Stream Edition and above.

Authentication is the process of verifying who an entity (such as a user) is. In order to enable authentication for Ververica Platform you have to integrate with an external identity provider. Ververica Platform does not actively manage user records (such as names or passwords).

The following identity providers are supported:

If your organization uses a different authorization system, such as Lightweight Directory Access Protocol (LDAP) or Active Directory you may use an OIDC bridge such as Dex to connect the systems.

OpenID Connect (OIDC)

Ververica Platform supports integration with OpenID Connect (OIDC) identity providers for authentication. OIDC is an authentication protocol that is based on the OAuth 2.0 family of specifications.

Configuration

In order to enable the OIDC integration, you have to configure it in the main configuration file under the vvp.auth.oidc key by providing a registration and provider specification.

The groupsClaim key indicates the OIDC ID token claim that contains a list of the user’s groups. These groups can be referenced in Role Bindings by using the group: prefix. For example, if the ID token for an authenticated user contains the claim groups: ["vvp-editors"], and you configure vvp.auth.oidc.groupsClaim=groups, a role binding assigning the role editor to group:vvp-editors will match this user.

Note that currently this claim must be present in the ID token returned by the OIDC provider. Claims in the access token are not supported because access tokens have no standardized structure and parsing them is implementation-specific.

Example: OIDC configuration template

vvp:
  auth:
    enabled: true
    admins:
    - user:foo@bar.com
    oidc:
      groupsClaim: roles  # The OIDC ID token claim containing a list of the user's groups
      registrationId: my-oidc-provider
      registration:
        clientId: vvp
        clientSecret: secret
        redirectUri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
        clientAuthenticationMethod: basic
        authorizationGrantType: authorization_code
        scope:
        - openid
      provider:
        authorizationUri: http://my-oidc-provider.internal/openid-connect/auth
        tokenUri: http://my-oidc-provider.internal/openid-connect/token
        userInfoUri: http://my-oidc-provider.internal/openid-connect/userinfo
        jwkSetUri: http://my-oidc-provider.internal/openid-connect/certs
        userNameAttribute: email  # Required to correctly identify users
      endSessionEndpoint: http://my-oidc-provider.internal/openid-connect/logout

registration and provider expose Spring Security objects; more information about configuring these objects can be found in the Spring Boot documentation.

Please consult the Configuration section for more specific examples.

Secure clientSecret with Kubernetes Secrets

In a production environment, you may want to secure clientSecret with Kubernetes Secrets. To do so, you first remove it from the configuration above, then create a yaml file containing:

# file: env_secret.yaml
env:
# OIDC authentication:
- name: vvp.auth.oidc.registration.clientSecret
  valueFrom:
    secretKeyRef:
      name: mysecrets  # the name of the Kubernetes Secret
      key: oidc        # the key

Then you can install Ververica Platform with this additional values file:

$ helm install ... --values env_secret.yaml

Use helm upgrade if you are upgrading/modifying an existing installation.

Security Assertion Markup Language (SAML)

Ververica Platform supports integration with Security Assertion Markup Language (SAML) identity providers for authentication. SAML is an XML-based markup language for security assertions.

Configuration

To enable SAML, first register your VVP application at your identity provider, setting the following values:

  • Single sign on URL: your-vvp-installation/login/saml2/sso/<registrationId>
  • Service provider entity id: your-vvp-installation/saml2/service-provider-metadata/<registrationId>

Here, registrationId can be chosen arbitrarily and identifies the pair of service provider and identity provider. It has to match the one set in the Ververica Platform configuration (see below), which will default to vvp-saml unless overridden.

Next, update the main configuration file by adding the following lines:

vvp:
  auth:
    enabled: true

    saml:
      groupsAttribute: groups  # The SAML assertion attribute containing a list of the user's groups
      registrationId: vvp-saml  # Your chosen identifier for the <service provider> - <identity provider> pair
      entityId: http://www.my-saml-provider.com/abcdefg123  # entity id of the identity provider
      ssoServiceLocation: https://my-saml-provider.com/some-application/abcdefg123/sso/saml  # service location of the identity provider
      certificateLocation: /vvp/secrets/saml-creds/cert.crt  # absolute path to the certificate in the gateway container

The groupsAttribute key indicates the name of the attribute in the SAML assertion that contains a list of the user’s groups, and will default to groups. These groups can be referenced in Role Bindings by using the group: prefix. For example, if the assertion for an authenticated user contains the attribute groups: ["vvp-editors"], a role binding assigning the role editor to group:vvp-editors will match this user. registrationId has to coincide with the one set at the service provider. It will default to vvp-saml if it is not specified. Both entityId and ssoServiceLocation have to be retrieved from the identity provider; the latter is specific to the application registered there. certificateLocation is the absolute path inside the gateway container to the certificate, which can also be retrieved from the identity provider. It only needs to be specified if the certificate is injected into the gateway container at a location which is different from the default /vvp/secrets/saml-creds/cert.crt (see below).

Credentials

The necessary certificate file can be provided in several ways.

Injecting the certificate into the container

In case you have existing infrastructure to inject credentials files into containers, the certificate can be injected into the gateway container of your Ververica Platform deployment, and the path can be referenced as shown in the configuration example above.

Providing the certificate directly in the configuration file

The certificate can also be provided directly in the main configuration file. To do so, add the following lines to your values.yaml:

samlCredentials:
  certificate: |-
    -----BEGIN CERTIFICATE-----
    <...>
    -----END CERTIFICATE-----

Using an existing Kubernetes secret

In order to avoid putting the certificate into the configuration file in plaintext, an existing Kubernetes secret containing it can also be used. To do so, reference the secret by name by setting samlCredentials.existingSecret: secret-name. The secret should contain the keys certificate.crt, with the certificate as the value (if the key is named differently, certificateLocation has to be adapted accordingly). This secret will automatically be mounted in the gateway container at /vvp/secrets/saml-creds/. If you don’t have a secret already, you can create one by preparing a file like:

# file: samlCredentials.yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-name
  labels:
    chart: "ververica-platform-x.y.z"
    component: ververica-platform
    heritage: "Helm"
    release: "ververica-platform"
    system: ververica-platform
type: Opaque
data:
  certificate.crt: <base64 encoded certificate>

The secret can then be created by running kubectl apply -f samlCredentials.yaml. Note that values in secrets have to be base64 encoded by default! You can base64 encode an existing file or string by running base64 -w 0 <file> for a file and echo -n <string> | base64 -w 0 for a string (note that line wrapping is disabled to avoid line break issues in the yaml).