SKA SRC Accounting API

This API has been generated from the SRCNet API template. Please fill out this section with details about what the API does.

Authentication

The following sections assume that the API has been integrated with both IAM and the Permissions API. This involves:

  • Creating an IAM client (for Services to obtain access via a client_credentials grant),

  • Passing the credentials (id/secret) to either .env files (docker-compose) or in the values.yaml (helm), and

  • Creating the permissions policy and loading it into the Permissions API.

Access can then be granted for either a User or Service.

User

To access this API as a user, the user needs to have first authenticated with the SRCNet and to have exchanged the token resulting from this initial authentication with one that allows access to this specific service. See the Authentication Mechanism and Token Exchange Mechanism sections of the Authentication API for more specifics.

Service

For service-to-service interactions, it is possible to obtain a token via a client_credentials grant to the ska-src-api-accounting IAM client.

Authorisation

Hereafter, the caller (either a user or another service) is assumed to have a valid token allowing access to this API. Authenticated requests are then made by including this token in the header.

The token audience must also match the expected audience, which is defined in the accounting-api permissions policy (default: “accounting-api”).

Restricting user access to routes using token scopes

The presented token must include a specific scope expected by the service to be permitted access to all API routes. This scope is defined in the accounting-api permissions policy (default: “accounting-api-service”).

This scope must also be added to the IAM permissions client, otherwise the process of token introspection will drop this scope.
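
The audience and scope checks described above, as an added example that is not the project's own code. It assumes the introspection response uses the RFC 7662 member names active, aud and scope; check_token and the sample responses are constructed for illustration, and the "scope_dropped" sample shows what a caller sees when the scope was never added to the IAM client.

```python
"""Added example: audience and scope checks on an introspection response."""

EXPECTED_AUDIENCE = "accounting-api"       # policy default stated above
REQUIRED_SCOPE = "accounting-api-service"  # policy default stated above


def check_token(introspection, expected_audience=EXPECTED_AUDIENCE,
                required_scope=REQUIRED_SCOPE):
    """Return (allowed, reason) for one introspection response dict."""
    # Assumption: RFC 7662 layout. Only an explicit active == True passes.
    if introspection.get("active") is not True:
        return False, "token inactive"

    # "aud" may be a single string or a list of strings.
    aud = introspection.get("aud") or []
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_audience not in audiences:
        return False, "audience mismatch"

    # "scope" is one space-separated string; match whole entries, not substrings.
    scopes = set((introspection.get("scope") or "").split())
    if required_scope not in scopes:
        return False, "required scope missing"

    return True, "ok"


# Constructed sample responses (not real IAM output).
SAMPLES = {
    "valid": {"active": True, "aud": "accounting-api",
              "scope": "openid profile accounting-api-service"},
    "aud_list": {"active": True, "aud": ["other-api", "accounting-api"],
                 "scope": "accounting-api-service"},
    # Scope not registered on the IAM client, so introspection dropped it.
    "scope_dropped": {"active": True, "aud": "accounting-api",
                      "scope": "openid profile"},
    # A prefix of the required scope must not be accepted.
    "scope_prefix": {"active": True, "aud": "accounting-api",
                     "scope": "accounting-api"},
    "wrong_aud": {"active": True, "aud": "some-other-api",
                  "scope": "accounting-api-service"},
    "inactive": {"active": False},
}

if __name__ == "__main__":
    for name, response in SAMPLES.items():
        print(name, check_token(response))
```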

Deployment

Deployment is managed by docker-compose or helm.

The docker-compose file can be used to bring up the necessary services locally, i.e. the REST API, and to set the mandatory environment variables. Sensitive environment variables, including those relating to the IAM client, should be kept in .env files to avoid committing them to the repository. There is also a helm chart for deployment onto a k8s cluster.

If deployed locally, the RapiDoc OpenAPI operator interface will be made available at http://localhost:8080/v1/www/docs/oper.

Example via docker-compose

Edit the .env.template file accordingly and rename to .env, then:

ska_src_api_accounting$ docker-compose up

Example via Helm

First build the docker image locally:

ska_src_api_accounting$ make oci-image-build

Then install the chart (assumes Minikube):

ska_src_api_accounting$ make k8s-install-chart