gafaelfawr — Authentication & identity

Gafaelfawr provides authentication and identity management services for the Rubin Science Platform. It is primarily used as an NGINX auth_request handler configured via annotations on the Ingress resources of Science Platform services. In that role, it requires a user have the required access scope to use that service, rejects users who do not have that scope, and redirects users who are not authenticated to the authentication process.

Gafaelfawr supports authentication via either OpenID Connect (often through CILogon or GitHub).

Gafaelfawr also provides a token management API and (currently) UI for users of the Science Platform.

View on GitHub	applications/gafaelfawr Application template
Homepage	https://gafaelfawr.lsst.io/
Source	lsst-sqre/gafaelfawr
Related docs	DMTN-234: RSP identity management design DMTN-224: RSP identity management implementation strategy SQR-055: COmanage configuration for Rubin Science Platform SQR-069: Implementation decisions for RSP identity management
Type	Helm
Namespace	gafaelfawr
Environments	base values ccin2p3 values idfdev values idfint values idfprod values minikube values roe values roundtable-dev values roundtable-prod values summit values tucson-teststand values usdf-tel-rsp values usdfdev values usdfint values usdfprod values

Guides

• Bootstrapping Gafaelfawr
  • Choose an identity provider
  • Assign scopes and admins
  • Enable database schema initialization
• Managing the database schema
  • Updating the database schema
  • Initializing the database
• Recreating Gafaelfawr service tokens
• Releasing GitHub organization data
• Troubleshooting
  • User has no access to services
  • COmanage enrollment fails after prompting for attributes
  • Viewing logs
• Gafaelfawr Helm values reference