Comments (11)
I agree with @shaunakv1 that authentication does not belong in this project 👍
I have been using nginx as a reverse proxy in front of Martin, and there is a trick to add an authentication layer!
There is a directive called auth_request that allows you to forward the request to another server for validation before it is passed to Martin.
You could then implement JWT validation in this server (this is exactly what I am doing).
Here is a small snippet:
```nginx
upstream tile_auth {
    server my_auth_service:443;
}
upstream martin {
    server martin:3000;
}
# Tile requests: validated by the /auth subrequest before being proxied to Martin
location ~ /rpc/.+/[0-9]+/[0-9]+/[0-9]+.pbf {
    auth_request /auth;
    proxy_pass http://martin;
    proxy_hide_header 'Access-Control-Allow-Origin';
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization';
}
# Internal-only subrequest target: the auth service sees the original URI after /api/check
location = /auth {
    internal;
    proxy_pass http://tile_auth/api/check$request_uri;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    # Host carries the hostname only (no scheme), and the value must be quoted consistently
    proxy_set_header Host "my_auth_micro_service.example";
}
```
Nginx documentation about this feature
Hi @mdtrooper!
Thanks for reaching out and sorry for the late response. What is your use case for that? I was thinking about adding some kind of access token support, e.g. like Mapbox access tokens.
Yes, yes, it is more or less a similar feature to "Mapbox access tokens" or Carto API keys.
But JWT is a standard (RFC 7519).
Sorry... maybe there was a misunderstanding... Could we start a branch with this feature?
Sure! It's open source, so you can fork it and create a PR.
@mdtrooper This would be really helpful. Is there an ETA for this enhancement? Thank you.
Yes, sorry. Maybe 3 months, because the summer starts in Spain.
@mdtrooper Hi there! Just wanted to check if there is progress on this feature. Thank you.
Hi @mdtrooper, just saw the PR you created for this (#190). Nice work! However, my 2 cents on the topic is that authentication is subjective, and while yes, JWTs are quite common, not everyone uses them. I did notice that the PR makes enabling them optional using a startup flag, but I am worried we are adding the extra complexity of authentication to an otherwise lightweight API server, especially just one specific kind of authentication. This can cause bloat in the code base over time, from a maintenance POV. Here's a great example of how this can quickly get out of hand:
My worry is that authentication scenarios don't stop there, and we will have to keep piling on to a code base whose primary use case is vector tiles, not authentication.
The ability to add access tokens, as @stepankuzmin suggested, is a lot more attractive in my mind, as while not authentication, it enables a very common domain-specific feature for tile servers.
Also, most of the common HTTP proxy servers like Nginx, Apache, Envoy, etc., have modules to enable JWT on a proxy endpoint that can be wrapped around Martin. That is actually how we use it currently, to enable things like HTTP caching and SSL. No reason why JWT can't be done the same way and kept out of Martin's code base.
That being said, I don't mean to be a party pooper, and there is some great work in the PR! If we do end up merging the PR into Martin, I think it would be great to have some examples for people that do want to use JWT on how exactly to set up some scenarios. Right now the readme is updated to say what options are supported, but I don't believe that is enough for a lot of folks, especially those coming from a GIS background who are not web developers.
Hi @shaunakv1, you're probably right that my comment could lead to abusing an otherwise simple functionality.
My use case is much closer to Mapbox access tokens, to which @stepankuzmin has already referred. When it comes to JWT authentication only, I second your suggestion about using a reverse proxy. I wonder if we can do the same for access restriction? Could a reverse proxy (or API gateway, if more customization is needed) impose some additional filters on table or function sources? If so, I'd like to give it a shot and would gladly create a wiki page explaining the process.
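As an added example (not code from this thread or from the Martin project): a minimal auth_request backend for the nginx snippet earlier in the thread. It validates an HS256 JWT from the Authorization header and, addressing the question about restricting table or function sources at the proxy layer, it allows a tile request only when the Martin source named in the forwarded path appears in the token's `sources` claim. The shared secret, the `sources` claim and the `/api/check` path prefix are assumptions; `make_token` exists only so the example is self-contained.

```python
import base64, hashlib, hmac, json, re, time
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = b"constructed-demo-secret"  # assumption: HS256 shared secret; load it from the environment in practice
# nginx forwards /api/check + $request_uri, so the Martin source name can be taken from the tile path
TILE_RE = re.compile(r"^/api/check/rpc/([^/]+)/\d+/\d+/\d+\.pbf")

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_jwt(token, secret=SECRET, now=None):
    """Return the claims dict of a valid, unexpired HS256 JWT, else None."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # refuse 'none' and any other alg
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        now = time.time() if now is None else now
        if not isinstance(claims, dict) or ("exp" in claims and now >= float(claims["exp"])):
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None

def check_request(auth_header, path):
    """Status for nginx auth_request: 2xx allows the tile, 401/403 deny it."""
    claims = verify_jwt(auth_header[7:]) if auth_header.startswith("Bearer ") else None
    if claims is None:
        return 401
    m = TILE_RE.match(path)
    # source-level restriction: the token's "sources" claim lists the Martin sources it may read
    return 200 if m and m.group(1) in claims.get("sources", []) else 403

class CheckHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(check_request(self.headers.get("Authorization", ""), self.path))
        self.end_headers()

def make_token(claims, secret=SECRET):
    """Mint an HS256 token; constructed here only so the example is self-contained."""
    h = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
if __name__ == "__main__": HTTPServer(("0.0.0.0", 8080), CheckHandler).serve_forever()
```

Point the `tile_auth` upstream at this service; a 200 lets nginx proxy the tile to Martin, while 401 or 403 is returned to the client without Martin ever seeing the request.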
I'd like to point out the authentication system that is used by PostgREST, another awesome Postgres no-code server.
https://postgrest.org/en/stable/auth.html
Basically, you have a specialized authenticator user with login privileges, and the job of the authenticator is to authenticate the user, extract the user from the JWT, and then run the query after switching to that role.
The cool thing about this is that you get to piggyback on Postgres' extremely fine-grained permissions model, allowing you to implement column-level as well as row-level security. That would be a huge benefit for something like this, and you don't need to implement the row/column-level security yourself, just the authenticator system.