Cockpit - Authorization with remote engine

Hi,

our cockpit doesn’t use the internal engine/REST API, but rather a remote one.
(See Exchange rest-api the webapp is using)

This works fine, but now we are trying to activate authorizations in the webapp, to have e.g. read only users.
Problem now is that the login request of the webapp always goes to the internal admin API from cockpit.
=> http://localhost:8081/bpa-camunda-webapp/api/admin/auth/user/default/login/cockpit

So we are getting successfully authenticated in the engine of the webapp. But our remote engine still doesn’t know anything about an authenticated user. So for all other requests which the cockpit does (e.g. fetching process list), the remote engine allows everything. (Because no auth check is done if there is no currentAuthentication)

I’ve already tried to include the UserAuthenticationResource in our remote REST API. (I also fixed the CORS problems)
Problem is that there is no way to change the endpoint of the login request from cockpit …
Although I’ve already replaced the admin-api endpoint in the index.html, the request goes to the internal API.
It looks like the login module is not part of the webapp? (Found some components for this in camunda-commons-ui)

So how can I use camunda webapp + authentication against a remote engine?

Hi @patrick.schalk,

would a proxy pass be an option for you?
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html

Cheers,
Askar

Hi Askar,

sure, we can use some reverse proxy like zuul or so, but the preferred way would be to directly use the correct endpoint.

I just saw that the tasklist and admin view are using the admin-api parameter in base tag.
Both are sending all admin api requests to our defined endpoint.

… so why is this not working in cockpit?

Regards,
Patrick

It seems,

The URL used to authenticate is created here:

And I guess you can customize some parts of it from base tag. At least it looks like it.

Those parts are defined here:

and this getUri function basically gets the attribute from the base tag

Maybe that will help you.

Hi mariusz,

yes I already know those code parts, I’ve already tried to set the admin-api to base tag.

My cockpit base tag looks like this:

  <base href="$BASE"
    cockpit-api="$APP_ROOT/api/cockpit/"
    engine-api="$REST_API_ENDPOINT"
    admin-api="$REST_API_ENDPOINT"
    app-root="$APP_ROOT" />

($REST_API_ENDPOINT will be replaced by a filter)

This works for all calls against engine api, but for admin api, still the old url is used.

Regards,
Patrick

Notice that is using cockpit-api, not admin-api.

For admin it is admin-api, as you can see below:

But the same value for cockpit is

UriProvider.replace('admin://', getUri('cockpit-api') + '../admin/');

Try cockpit-api="$REST_API_ENDPOINT/cockpit/"
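
The resolution described in the posts above, as an added example that is not part of the original thread and is not Camunda's code. It models the quoted `getUri('cockpit-api') + '../admin/'` rule and flags a setup where login is sent to a different origin than the engine API. `PAGE`, `REMOTE`, the `/bpa-camunda-webapp` app root and the function names are constructed assumptions.

```javascript
// Constructed sample values (assumptions, not taken from a real deployment).
const PAGE = 'http://localhost:8081/bpa-camunda-webapp/app/cockpit/default/';
const REMOTE = 'http://remote-engine.example:8080/engine-rest/';
const LOGIN_PATH = 'auth/user/default/login/cockpit'; // path seen in the thread

// Base tag from the thread with the placeholders filled in.
const ORIGINAL = {
  'cockpit-api': '/bpa-camunda-webapp/api/cockpit/',
  'engine-api': REMOTE,
  'admin-api': REMOTE,
};
// Same tag with the suggested cockpit-api="$REST_API_ENDPOINT/cockpit/".
const SUGGESTED = { ...ORIGINAL, 'cockpit-api': REMOTE + 'cockpit/' };

// Resolve a base-tag attribute against the page URL, as a browser would.
function abs(attr, page) {
  return new URL(attr, page).href;
}

// Where admin:// points, following the rules quoted in the thread:
//   cockpit:          getUri('cockpit-api') + '../admin/'
//   admin / tasklist: getUri('admin-api')
function adminRoot(app, base, page) {
  if (app === 'cockpit') {
    // The URL parser collapses "cockpit/../admin/" into "admin/".
    return new URL(abs(base['cockpit-api'], page) + '../admin/').href;
  }
  return abs(base['admin-api'], page);
}

// Report the Cockpit login URL and whether it lands on another origin than
// the engine API, i.e. authentication and data requests hit different servers.
function audit(base, page) {
  const login = new URL(LOGIN_PATH, adminRoot('cockpit', base, page));
  const engine = new URL(abs(base['engine-api'], page));
  return { login: login.href, engine: engine.href, split: login.origin !== engine.origin };
}

for (const [name, base] of Object.entries({ ORIGINAL, SUGGESTED })) {
  const r = audit(base, PAGE);
  console.log(name, r.split ? 'SPLIT' : 'ok', 'login ->', r.login);
}
```

With `ORIGINAL` the login URL is the local one quoted in the first post, which is why `admin-api` has no effect on Cockpit's login request.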

Hi Mariusz,

hm, basically this helps, but now all requests against the cockpit API (loading plugin stuff and so on) have an error because my services don’t contain those resources. :confused:

Why is the URI from cockpit-api used for this? With this hardcoded ‘…/admin/’? This is not very consistent regarding tasklist / admin app …

regards,
Patrick

Hi Patrick,

You can always decorate the Uri service in Angular, so that it replaces admin:// with what you want.

Take a look at http://blog.xebia.com/extending-angularjs-services-with-the-decorate-method/

From what I can see, the UriProvider.replace method is just a simple assignment, so if you create a module that uses it after cockpit it should be possible to override the cockpit-provided value.

Hi Mariusz,

many thanks for your help, but we’ve created a support ticket for this.
(Because we also need a client change regarding CORS, which we cannot do ourselves)

regards,
Patrick