There are different approaches to giving users and systems access to our tools (authentication) and assigning them appropriate rights and roles (authorization).
Authentication and authorization
Since gICS 2.11.0 and gPAS 1.9.1, two Docker Compose variants of each tool are made available via GitHub: a standard version and a web-auth version.
- gICS Web-Auth-Version: https://github.com/mosaic-hgw/gICS/tree/master/docker/web-auth
- gPAS Web-Auth-Version: https://github.com/mosaic-hgw/gPAS/tree/master/docker/web-auth
- E-PIX Web-Auth-Version: work in progress
The web-auth version provides authentication and authorization mechanisms for the tools' web interface. Users must log in with a username and password to use the tool. Depending on the assigned role, they have different authorizations. Authorization can be used across tools. For example, the same person can be a standard user for E-PIX and an admin user for gICS.
Details about the installation and usage of the web-auth versions can be found here:
This includes an overview of user groups, default users and passwords, an overview of roles and permissions in the web interface, and HowTos for managing users, roles and permissions via MySQL and Docker EXEC.
Note: Options for including Keycloak are currently being evaluated.
Recommendations for securing E-PIX, gPAS and gICS application servers
Access to relevant application and database servers of the Trusted Third Party tools should only be possible for authorized personnel and via authorized endpoints.
We recommend implementing the following IT security measures:
- Operation of relevant servers in separate network zones (separate from research and utility networks).
- Use of firewalls and IP filters
- Access restriction at URL level with Basic Authentication (e.g. with NGINX or Apache)
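The following NGINX server block is an added example (not configuration shipped by the MOSAIC project) that combines the last two measures: an IP filter so that only an assumed management network can reach the tool's web interface, and HTTP Basic Authentication in front of the application server. The hostname, certificate paths, the network range 10.10.50.0/24, the path /gics/ and the backend address 127.0.0.1:8080 are assumptions to be replaced with the values of the local deployment.

```nginx
# Added example, not part of the gICS/gPAS/E-PIX Docker setup.
# Reverse proxy in front of a Trusted Third Party tool: IP filter plus Basic Auth.
server {
    listen 443 ssl;
    server_name ttp.example.org;                   # assumed hostname

    ssl_certificate     /etc/nginx/tls/ttp.crt;    # assumed certificate paths
    ssl_certificate_key /etc/nginx/tls/ttp.key;

    location /gics/ {
        # Both conditions below must hold (this is NGINX's default, stated explicitly).
        satisfy all;

        # IP filter: only the assumed TTP management network may reach the interface.
        allow 10.10.50.0/24;
        deny  all;

        # Basic Authentication at URL level; the user file is created with htpasswd(1).
        auth_basic           "Trusted Third Party tools";
        auth_basic_user_file /etc/nginx/htpasswd;

        # Do not pass the proxy's Basic Auth credentials on to the application server;
        # the tool's own web-auth login handles the application-level session.
        proxy_set_header Authorization     "";
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Assumed address of the application server (e.g. the gICS container port).
        proxy_pass http://127.0.0.1:8080/gics/;
    }
}
```

The password file referenced by auth_basic_user_file is created with htpasswd from the apache2-utils/httpd-tools package (for example `htpasswd -c /etc/nginx/htpasswd <username>`), and `nginx -t` checks the configuration before it is reloaded. Because `satisfy all` is in effect, a client outside the allowed range is rejected before any password is checked, and a client inside the range still needs valid credentials, so the two measures back each other up.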