custos-1.1

Apache Airavata Custos 1.1 Release Notes

Key Features

1. Authentication Services

• Support for multiple authentication mechanisms

  • OAuth2 Simplified authentication for web and mobile applications.
  • OIDC (OpenID Connect) Enhanced user experience and secure identity verification.

• PKCE Flow

  • Introduced support for Proof Key for Code Exchange (PKCE), making it suitable for Single Page Applications (SPA).

• JWKS Endpoint

  • Added support for a JSON Web Key Set (JWKS) endpoint to enable public key verification.

2. Authorization Management

• Token Customization

  • Injected group and scope claims into tokens for fine-grained authorization.

• OIDC Standards Implementation

  • Updated authorization, token, and OIDC endpoints to comply with OIDC standards, with changes to parameters and response formats.

3. Secrets Management

• Secure storage and retrieval

  • API keys, credentials, and other secrets are securely stored and retrieved.
  • All sensitive information is encrypted at rest.

• User-Friendly Management

  • Command Line Interface (CLI) and API support for managing secrets.

4. Multitenancy Support

• Enhanced Multitenancy
  • Host multiple tenants with isolated data and configurations.

5. Federated Identity Management

• Single Sign-On (SSO)

  • Support for SSO across multiple applications and services.

• Federation with Identity Providers

  • Seamless support for multiple identity providers through federation.

6. Developer-Friendly Tools

• Comprehensive REST APIs

  • Simplified integration with applications.

• Sample Applications

  • Demonstrations of common integration patterns.

---

Major Changes Since the last Release

1. Keycloak Upgrade

   • Upgraded from version 9.0.2 to 24.0.0 for improved security and additional features.

2. Service-to-Service Communication

   • Simplified service interactions by refactoring them into dependency-based communication.

3. OIDC Standards Implementation

   • Updated endpoints for authorization, token, and OIDC to comply with the latest OIDC standards.

4. Nginx Proxy Removal

   • Removed Nginx as a reverse proxy; SSL termination is now handled by the deployment architecture.

5. New Module Architecture

   • custos-application Entry point, configuration, and API integration.
   • custos-core Core business logic, entities, and repositories.
   • custos-services Service classes for implementing business logic.
   • custos-api REST controllers for exposing application functionality.

6. Terraform Deployment Scripts

   • Added scripts for AWS, including:
     • Network layer (VPC, private/public subnets).
     • Keycloak deployment.
     • Vault deployment.

---

What’s Next?

Our roadmap for future releases includes:

• Group Invite Links:

  • Enable group invitations, allowing members to join via invite links.

• Token Signing Key Rotation:

  • Implement automated and seamless token signing key rotation for enhanced security.

• Tenant-Specific Token Signing Keys:

  • Support for tenant-specific token signing keys to ensure isolated and secure token management per tenant.

• Enhanced Custos Portal Functionality:

  • Expose more features and capabilities through the Custos portal for improved user experience.

• Notifications:

  • Adding support for notifications to keep users informed.

---

Changelog

• Initial vault based credential store + Rest API framework with SSH and AWS credential support by @DImuthuUpe in #3
• initial python custos library by @machristie in #7
• Python SDK for authentication was keycloak and for other admin services by @aarushiibisht in #8
• Clean up code by @isururanawaka in #46
• clean up by @isururanawaka in #47
• clean python sdk and root pom by @isururanawaka in #48
• Add custos docker repository by @isururanawaka in #50
• bumping up to latest apache parent dependency by @smarru in #51
• adding rat plugin for license checks by @smarru in #52
• move custos-clients root folder to custos-python-sdk by @isururanawaka in #54
• modify python clients by @isururanawaka in #55
• move super credentials to secret env by @isururanawaka in #56
• remove sensitive configs by @isururanawaka in #57
• fixing travis build failure and refactoring custos-client to custos-java-client by @smarru in #59
• Integration tests by @isururanawaka in #61
• Add Agent, Group and User Java Clients by @isururanawaka in #62
• Modification agent management Id by @isururanawaka in #63
• remove snaphopt and non maven repositories by @isururanawaka in #64
• Add redirect uris as web origins by @isururanawaka in #67
• Add custom theme support for Custos jboss/keycloak by @isururanawaka in #70
• Core operations implementation of Airavata credential store by @isururanawaka in #72
• Add public APIs for resource secret management and validations by @isururanawaka in #73
• Fix resource secret access by @isururanawaka in #74
• Hireachical group membership support by @isururanawaka in #77
• Sharing persistance models by @isururanawaka in #84
• Institutional caching by @isururanawaka in #89
• grpc-web support by @isururanawaka in #85
• Add institutional whitelisting and backlisting for tenants by @isururanawaka in #90
• Agent client level role support by @isururanawaka in #91
• sharing management service e2e by @isururanawaka in #92
• Modified settings.py by @bhaktinarvekar in #96
• Enhance python SDK, Make Java clients to support multitenancy by @isururanawaka in #97
• Sharing service by @isururanawaka in #98
• Fixes for Airavata integration in Custos side by @isururanawaka in #100
• Institutional caching by @isururanawaka in #101
• Logging by @isururanawaka in #102
• remove ids by @isururanawaka in #103
• Change setup.py to package certificate files by @isururanawaka in #104
• Bug fix in IdentityService: fetching JWKS by @isururanawaka in #105
• Python SDK improvements by @isururanawaka in #107
• Custos python sdk demo by @isururanawaka in #108
• .asf.yaml by @isururanawaka in #109
• Fix duplicate entry fetching in sharing service by @isururanawaka in #106
• Add SECRET entity type by @isururanawaka in #110
• Merging Custos python sdk demo into Master by @smarru in #115
• Merging Develop into Master by @smarru in #116
• Enable vault server trust by @isururanawaka in #119
• Enhance secret delivery with shamir's algo by @isururanawaka in #121
• Implement KV support for resource secrets by @isururanawaka in #122
• Support ssh,password external token string by @isururanawaka in #124
• Add direct custos groups creation compatible with data migration by @isururanawaka in #125
• update db dns, add python sdk KV methods by @isururanawaka in #127
• resolve performance issue: Sharing service userHasAccess method by @isururanawaka in #128
• Add python samples for KV secret management by @isururanawaka in #129
• Improve tenant management APIs by @isururanawaka in #132
• Mft related changes by @isururanawaka in #133
• Mft related changes: Add credential Map by @isururanawaka in #134
• Improve Credential Map by @isururanawaka in #135
• Search groups by properties, add dynamic membership types by @isururanawaka in #140
• Improve get user by token api by @isururanawaka in #144
• Add tenant profile searching by @isururanawaka in #146
• moving keycloak to quay.io.9.0.2 by @isururanawaka in #147
• Staging changes by @isururanawaka in #148
• Compile time value binding properties by @isururanawaka in #150
• Bug fix in SearchTenantRepository by @isururanawaka in #151
• Add usertoken to tenant-management apis by @isururanawaka in #153
• fix secret core service cert save path by @hasithajayasundara in #160
• Autodetect usertokens and apply relevant authorization for APIs by @isururanawaka in #161
• Fix for issue 142 by @isururanawaka in #165
• add swagger api definitions by @isururanawaka in #170
• fix get certificate credential path by @hasithajayasundara in #168
• Authenticator refactoring by @isururanawaka in #172
• issue #178 by @isururanawaka in #179
• Add getAllDirectShares by @isururanawaka in #182
• Add getAdmin tenants endpoint by @isururanawaka in #183
• Bug fix in authinterceptor tenant by @isururanawaka in #184
• pytohn SDK update by @isururanawaka in #191
• Event based messaging by @isururanawaka in #188
• Fix aborting removal of group default owner by @isururanawaka in #192
• Event based messaging by @isururanawaka in #194
• make admin tenant admins control child tenants users roles by @isururanawaka in #196
• Restrict default tenant status to ACTIVE REQUESTED and DENIED by @isururanawaka in #197
• fix for #189 by @isururanawaka in #198
• Fix for #195 by @isururanawaka in #199
• Add tenantId to IdentitityManagement user by @isururanawaka in #203
• Fix for #202 by @isururanawaka in #204
• fix for #205 by @isururanawaka in #206
• fix for #207 by @isururanawaka in #208
• fix for #186 by @isururanawaka in #209
• create default permission types and entity types at tenant activation by @isururanawaka in #210
• Publish entity type for subscriber topics by @isururanawaka in #211
• UpdateCertificateCredential by @isururanawaka in #212
• sdk_update by @isururanawaka in #213
• Bug fix in update entity by @isururanawaka in #214
• Bug fix in tenant mapper by @isururanawaka in #215
• remove spring boot maven plugin from default build by @isururanawaka in #216
• Add shared_by property to sharing entries by @isururanawaka in #217
• Add sharedBy user support by @isururanawaka in #218
• Apply htrc theme by @isururanawaka in #219
• userbased external ids deletion by @isururanawaka in #220
• Add email service by @isururanawaka in #221
• Fix duplicate entities issue by @isururanawaka in #223
• Add get external idp links by @isururanawaka in #225
• Staging develop merge by @isururanawaka in #227
• upgrading to 1.1-SNAPSHOT and merge staging upgrades by @isururanawaka in #229
• Upgrade to helm3 by @isururanawaka in #131
• merge staging branch by @isururanawaka in #228
• Deactivate container profile by @isururanawaka in #230
• Deactivate container profile by @isururanawaka in #231
• #226 by @isururanawaka in #234
• convert GET IdentityManagement/isAuthenticated to POST IdentityManag… by @isururanawaka in #235
• make docker mage download to IfNotPresent by @isururanawaka in #236
• Bug fix in Dockerfile by @isururanawaka in #237
• update to 9.0.2 by @isururanawaka in #238
• fix missing argument in staging identity service by @isururanawaka in #239
• update latest client truststore by @isururanawaka in #240
• Production env changes by @isururanawaka in #241
• Merge production staging by @isururanawaka in #242
• Bug fix in usermanagement client by @isururanawaka in #243
• supports KV secrets for confidential clients by @isururanawaka in #244
• Add last_login event to findUsers response by @isururanawaka in #245
• Stagingtodevelop by @isururanawaka in #246
• improve python sdk resource secret management client by @isururanawaka in #247
• develop branch changes by @isururanawaka in #248
• upgrade helm maven version to 3.5.2 by @isururanawaka in #249
• Add repository for scim-service by @hasithajayasundara in #163
• Develop to Staging transfer by @isururanawaka in #250
• update keycloak keystore by @isururanawaka in #251
• Upgrade helm plugin version and apply htrc theme by @isururanawaka in #252
• Create Java clients inside try block to avoid grpc channel suspending by @isururanawaka in #253
• Implement custos jupyterhub authenticator by @isururanawaka in #256
• Develop by @isururanawaka in #257
• develop to staging merge by @isururanawaka in #258
• Merge staging to production by @isururanawaka in #259
• Adding group based authorization for authenticator by @isururanawaka in #260
• addEXternalIPDLinksOFUsers by @isururanawaka in #261
• Deployment scripts by @isururanawaka in #267
• update README of deployment scripts by @isururanawaka in #268
• update README of deployment scripts by @isururanawaka in #269
• Add managed channel by @isururanawaka in #272
• remove try-with-resource from clients by @isururanawaka in #273
• Closing managedchannel on Abstract client by @isururanawaka in #274
• custos clients by @isururanawaka in #275
• Adding pagination to Userprofile fetch endpoint by @isururanawaka in #280
• remove unwanted proto files by @isururanawaka in #281
• Coreservices changes for bearmetal by @isururanawaka in #282
• merging integration services by @isururanawaka in #283
• Adding dist folder by @isururanawaka in #284
• Merge integration services by @isururanawaka in #285
• merge integration services by @isururanawaka in #287
• Clean Up by @isururanawaka in #288
• Fix runtime issues of truststore loading by @isururanawaka in #291
• Update parent artifact id in pom files for integration services by @abhinav7sinha in #292
• Custos ansible scripts - init by @abhinav7sinha in #290
• Add default values for clients by @isururanawaka in #295
• DB migration #289 by @abhinav7sinha in #296
• Remove ssh password based authentication, Bug fix in input validators by @isururanawaka in #298
• Resource secret management service by @isururanawaka in #299
• Improvements to interceptor selection service by @isururanawaka in #300
• remove zipkin by @isururanawaka in #301
• Disable unnecessary info logs by @isururanawaka in #302
• remove zipkin dependencies from integration services by @isururanawaka in #303
• Ansible baremetal - Keycloak db migration and update to accept password file #289 by @abhinav7sinha in #304
• Add shared_by attribute to sharing core service by @isururanawaka in #306
• add recursive mysql query for entity search by @isururanawaka in #309
• adding sharing metadata by @isururanawaka in #310
• Fix password reset by @isururanawaka in #312
• fix reset password by @isururanawaka in #313
• make DB migration optional by @abhinav7sinha in #305
• implement nginx rate limiting by @isururanawaka in #317
• implement log rotation by @isururanawaka in #318
• fix for 311 by @isururanawaka in #319
• extend sharing proto by @isururanawaka in #336
• externalize sharing core to be released as independent package by @isururanawaka in #341
• Custos lib externalization by @isururanawaka in #342
• Develop by @bkrshubham95 in #294
• Mac m1 protobuf compatibility #322 by @abhinav7sinha in #328
• ansible changes and keycloak update #322 #289 by @abhinav7sinha in #327
• upload dist folder for distribution creation by @isururanawaka in #343
• Move proto files to one location by @isururanawaka in #344
• remove sharing core impl from tenant management pom by @isururanawaka in #345
• add scim module to integration server by @isururanawaka in #346
• Bug fix in SCIM user search by @isururanawaka in #347
• support user search in scim by @isururanawaka in #348
• Implement listWithPost method by @isururanawaka in #349
• Bug fix in SCIM FindUsers by @isururanawaka in #350
• Buf fix in ResourceManager by @isururanawaka in #351
• Bug fix in resource manager by @isururanawaka in #352
• Resource Manager by @isururanawaka in #353
• Adding pagination for groups by @isururanawaka in #354
• group resource manager by @isururanawaka in #355
• Group service baremetal by @isururanawaka in #356
• custos-services bug fix in group resource manager by @isururanawaka in #357
• Add total number of groups by @isururanawaka in #358
• fetch users belong to a group by @isururanawaka in #359
• fetch users belong to a group by @isururanawaka in #360
• fetch users belong to a group by @isururanawaka in #361
• change user location to in groups by @isururanawaka in #362
• IDE Integration by @isururanawaka in #340
• Entire Custos backend stack runs on docker by @isururanawaka in #364
• Remove old truststore files by @isururanawaka in #365
• Adding README by @isururanawaka in #366
• improve readme by @isururanawaka in #367
• Conver javax.persistence to jakarta namespace by @isururanawaka in #368
• mac m1 protobuf compatibility (ported to baremetal branch) by @machristie in #369
• update spring boot to 3.0.1 and change namespace from javax.persisten… by @isururanawaka in #370
• Improve README by @isururanawaka in #371
• Merge baremetal branch to develop by @isururanawaka in #372
• README improvement by @isururanawaka in #373
• Add method to finduser by @isururanawaka in #375
• Improve README by @isururanawaka in #377
• change grpc port by @isururanawaka in #378
• Fix local development issues by @isururanawaka in #379
• Fix for #382 by @isururanawaka in #383
• Fix ansible issues by @isururanawaka in #384
• make docker build optional by @isururanawaka in #385
• disable docker plugin for default building by @isururanawaka in #386
• reenable docker in non root user by @isururanawaka in #387
• fix ansible issues by @isururanawaka in #388
• Merge develop branch into staging by @isururanawaka in #389
• adding staging ansible by @isururanawaka in #390
• Merge staging ansible by @isururanawaka in #391
• Change ID generator by @isururanawaka in #392
• staging ansible changes by @isururanawaka in #393
• Merge staging into Master by @isururanawaka in #394
• Adding Custos Diagram by @isururanawaka in #395
• Merge staging to master by @isururanawaka in #396
• Adding Ack by @isururanawaka in #397
• Fix minor typo by @isururanawaka in #398
• Changed the docker build library by @lahirujayathilake in #399
• Code refactoring and feature implementation by @lahirujayathilake in #405
• added custos auth portal by @ganning127 in #408
• AWS Terraform scripts by @lahirujayathilake in #410
• edited nav bar to be collapsible and made it responsive to screen size by @TimiOmo in #411

Full Changelog: 0.0.0...custos-1.1

We welcome feedback from the community to further enhance Apache Airavata Custos. For more details, visit our GitHub repository.