I'm building a Django rest framework based service which has some complicated permissions. So far, my microservices stack looks like this:
/auth/ JWT authentication service
/users/ - adding users, adding them to different services
/new-service/ - needs authorization
Users database is shared by auth and users read-only, and read/write respectively. new-service has no access to this database but the challenges consist of:
user can be in multiple groups specific to that service
user could have read-only access to one item in one of the groups
user could be allowed to create new users with access to one of the groups
users have different roles in the service, but we still need to allow for access like the read-only one listed
Groups are used not to manage users, but to provide access to things. Like GitLab groups provide access to GitLab projects.
If I put all the permissions in the users service, my new service has to talk to that one and it will get chatty. It seems like there has to be a data divide, but I'm not sure exactly where to put it. Conversely, should the django-rest-framework service even have a shadow entry of the user account in it's db? Advice appreciated. I'm feeling like I'm having a slow day.
Related
There is a web application (Angular front-end, Laravel Backend, Postgress DB).
Current approach:
Laravel auth package is being used for user management, but due to expanding of scale and managing permission at their most granular level, where every user may have multiple roles on different organizations (one of the entities of the system) and so they should have different access levels to the data of each organization (very similar to how GitHub is managing users and go).
Challenge:
Implementing a custome user management piece is time-consuming with costs. Also, it will end up with too much complexity.
Looking forward to:
Use AWS Authentication and Access management tools, so that it covers everything about the user, roles, and permissions, and integrate that with my application.
What I found so far:
It seems that these tools are mostly for managing access of the AWS resources rather than managing access inside an external application (As far as I have gone). So the main question that remains here is, can't these services even simplify the process? If they can, how far and how?
Note: The most closely related answer I could reach so far is Can I have dynamic User specific permissions using AWS IAM / Cognito?
I am working on a Project and in there I have used AWS Cognito for basic Authentication for My Web Application; In this web Application I am providing multiple role-based Authentication (Like Super User, User, Admin, Super Admin) and for that right now I have created different Userpools for each. Is there another way to achieve the same functionality? like I can use single Userpool and still can achieve Role-based Authentication. Also, which one is the Appropriate?
You can setup different groups in the same Cognito User Pool.
In your case Super User, Admin and Super Admin. Then assign your users to the group that they belong to. In your backend code you will then need to check what group the user is in by looking up the group that the user belong to.
See this link for more details: cognito-user-pools-user-groups
I am trying to make an API using AWS api-gateway and lambda.
Requirements
I am trying to build a dashboard, The dashboard will be for multiple organisations and each organisation will have multiple users who can login and see the respective dashboard.
Example we have a dashboard for Intel and its accessible by User1, user2, user3
A user must be able to login and access the dashboard for his specific Organization and also do CRUD on his data as well
I found out that aws cognito with its user pool can be used for the auth process. After that I intend to use api-gateway with lambda function to query a sql database and populate the frontend. The place where I am stuck at is how do I link the user from cognito to corresponding data in database.
In simple applications we would have a user-table and its a simple query but I would appreciate if someone can suggest a good way to go about implementing this
For the last few years, I've built a PHP and MySQL based website where users can submit reprographics and IT requests. I'm hoping to make this cloud-based rather than running it from a local webserver. My initial idea was to have an EC2 instance running as a web server for each company which uses my system, but as the system is PHP session based I'm assuming the security would not be great so I think I need to move towards more of an AWS system using Cognito for user management and the API Gateway with Lambda to do the job of getting the data from the databases. My question is, my current system has an admin console where the admin user can access the lists of users, and assign them permissions (session variables) which allows them access to specific pages. How would I make a webpage where users can manage the users in a Cognito user pool without giving them access to the AWS console.
Implement a Cognito AdminAddUserToGroup operation in your Lambda function for admin users to manage what Cognito Groups your users belong to. Your admins will be the only ones that are able to invoke the API call to the Lambda function because they'll be included in the Cognito Admin Group with appropriate permissions to invoke the Lambda function that you specified as the developer.
Specify permissions of what each Congito Group has access to by assigning roles for each Cognito Group.
You can also decode the jwt on the backend to determine what Cognito Group the user belongs to that made the request and use Amplify on the FrontEnd to manage the FrontEnd's display of content based on the Group (links, etc). More info about that can be found in this thread: How do I access the group for a Cognito User account?
I do not have enough points to comment on the CLI update-user-pool suggestion, but wanted you to know that wouldn't work because 1.) It would impact the entire user pool and affect ALL users in the user pool and 2.) It would make no difference in regards to what your users were able to have permission to access in your application.
My production environment uses AWS cognito federated identities (AKA: identity pool) for allowing users to sign in with their Google/FB accounts. This is working fine.
However, for my staging environment I want to offer a similar sign in functionality (that is: users sign in in via Google) but I want to restrict the ability to sign in only to a specific whitelist (of, say, #gmail.com accounts). This is because the staging environment should only be accessed by team members and a bunch of trusted users.
My question is this: is it possible to define a Cognito identity pool that allows only the whitelisted users to sign in? if the answer is "yes", then how?
I know that I can do the whitelist checking at my backend (that is: at the backend of my staging env. I will reject every request not coming from these whitelisted users) but this is a bit unclean. In particular, I want the rejection to happen as early and possible and, ideally, to be carried out by cognito itself, and not by my backend.
Clarifications:
I mentioned a list of #gmail.com accounts as the whitelist. I am open to any other mechanism for defining the whitelist.
In a way I am asking whether I can have user directory functionality (in particular: determining if a user is in a certain group of users) with an cognito identity pool.
The purpose of the Identity pool is to provide access to authenticated identities. Therefore, this resource cannot manage users (ie: white listing a user group).
There are two ways to do this:
Link 3rd Party Identity into a User Pool and white list by User Group. Your user group will have a Roles and permission it will assume that will allow your test users to have the functionality they need without allowing other users who log to have that functionality.
Manage users from the 3rd Party Identity - I am not an expert at Google authentication.. but some OpenID providers allow you to create user groups with different access roles. This is an example for Google.
You can invoke a trigger and execute a lambda function when the user submits their information to accept or deny the sign in request.