Cybercom API
The Cybercom API is based on an open-source project. The CU Boulder library modified the API to use federated SSO and security groups merged from local and Grouper groups.
Containers
API django application dockerfile
Celery dockerfile
Docker Hub: RabbitMQ - rabbitmq:3.6
Docker Hub: Mongo - mongo:4.2.10
Docker Hub: Memcache - memcached:latest
Configuration
Refer to cybercommons for system configuration documentation. This documentation assumes you are not working in Kubernetes.
Changes with Kubernetes:
Secret(cybercom) contains all secrets
Encrypted communication through self-signed certificates stored in Secret(cybercom)
Within the container, certs are mounted from the secret and located in the /ssl directory. Certificates are valid:
```
$ cat /ssl/server/mongodb.pem | openssl x509 -noout -enddate
notAfter=Sep 10 19:12:02 2029 GMT
```
Federated SSO certificates are stored in Secret(cybercom)
Catalog and Data Store
The Catalog and Data Store use MongoDB as the backend. The API leverages the pymongo query language, including aggregation and distinct queries.
Applications API SSO Authentication
Authentication configuration within Nginx conf file
LibBudget Example
```nginx
server {
    listen 80;
    server_name libapps.colorado.edu;
    resolver 10.43.0.10;
    index index.php index.html;

    # Every request is authorized by a subrequest to /user
    auth_request /user;

    location / {
        root /usr/share/nginx/html/;
        autoindex on;
    }

    # Internal-only location that forwards the auth check to the API
    location = /user {
        internal;
        set $upstream_user https://libapps.colorado.edu/api/user/;
        proxy_pass $upstream_user?app=libbudget;
        proxy_read_timeout 3600;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Original-METHOD $request_method;
    }

    # A 401 from the auth subrequest redirects to the SAML SSO login
    error_page 401 = @error401;
    location @error401 {
        set_escape_uri $request_uri_encoded $request_uri;
        set $saml_sso https://libapps.colorado.edu/api/api-saml/sso/saml;
        return 302 $saml_sso?next=$request_uri_encoded;
    }

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html/;
    }

    location ~\.php$ {
        root /usr/share/nginx/html/;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_param HTTP_PROXY "";
        fastcgi_pass libbudget-php-service:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_read_timeout 300s;
        fastcgi_send_timeout 300s;
        fastcgi_connect_timeout 70s;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```
Possible Errors
Certificate Expiration: Logs will show certificate expiration errors. Current certificate expiration: Sep 10 19:12:02 2029 GMT
Upgrading dependencies: API <===> RabbitMQ <===> Celery(kombu)
Additionally, TLS arguments are changing on the Mongo URI from ssl to tls
Mongo unable to connect to volume: the volume is assigned to a subnet, and spot instances occasionally do not have capacity in that specific subnet.
Celery Queue build missing requirement
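The expiry check shown under the Kubernetes changes, applied to the "Certificate Expiration" error above, as an added example that is not part of the Cybercom project's own code: it runs the same `openssl x509 -noout -enddate` command over every `*.pem` below `/ssl` and flags certificates that are expired or close to it. The 30-day threshold, the `*.pem` glob and all function names are assumptions.

```python
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

WARN_DAYS = 30  # assumption: alert threshold, not a value from the page

def parse_not_after(openssl_output):
    """Parse the 'notAfter=Sep 10 19:12:02 2029 GMT' line into a UTC datetime."""
    for line in openssl_output.splitlines():
        if line.startswith("notAfter="):
            # openssl pads single-digit days with two spaces; collapse them
            stamp = " ".join(line.split("=", 1)[1].split())
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            return parsed.replace(tzinfo=timezone.utc)
    raise ValueError("no notAfter= line in openssl output")

def classify(not_after, now, warn_days=WARN_DAYS):
    """Return (status, whole days left); days are negative once expired."""
    days = (not_after - now).days
    if not_after <= now:
        return "EXPIRED", days
    return ("EXPIRING" if days < warn_days else "OK"), days

def end_date(pem_path):
    """Run the command from the page against one file (needs the openssl CLI)."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", str(pem_path)],
        capture_output=True, text=True, check=True)
    return parse_not_after(result.stdout)

def scan(ssl_dir="/ssl", now=None):
    """Check every *.pem below ssl_dir; key-only files come back UNREADABLE."""
    now = now or datetime.now(timezone.utc)
    report = []
    for pem in sorted(Path(ssl_dir).rglob("*.pem")):
        try:
            status, days = classify(end_date(pem), now)
        except (subprocess.CalledProcessError, ValueError):
            status, days = "UNREADABLE", None
        report.append((str(pem), status, days))
    return report

if __name__ == "__main__":
    rows = scan()
    for path, status, days in rows:
        print(f"{status:10} {days!s:>6} days  {path}")
    sys.exit(1 if any(status != "OK" for _, status, _ in rows) else 0)
```

Run inside a container that has the secret mounted; the non-zero exit code on anything other than `OK` lets a scheduled job or probe raise an alert before the logs start showing expiration errors.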
Applications
Application | Auth | Django Apps | Celery | Mongo |
---|---|---|---|---|
Yes | ||||
Yes | ||||
Yes | ||||
Room Booking (tablet only) | Yes | Yes | ||
Yes | Yes | |||
No | Yes | |||
Yes | ||||
ARK Server, info | Yes | Yes | ||
Yes | ||||
Yes | Yes | |||
Yes | ||||
Email Service | Yes | |||
Thumbnail Creation | Yes |
Inactive Applications
Information Survey
Gate Count Celery Queue