Add Personal Access Token (PAT) system

  • 1. Current Auth Framework in NOMAD
    • 1.1 Different Custom Tokens in NOMAD
  • 2. Future Auth Components
    • GUI sessions
    • Personal Access Token (PAT)
  • 3. Tasks
    • 3.1 Personal Access Token (PAT)

1. Current Auth Framework in NOMAD

Currently we mostly rely on the Keycloak token (obtained via the Resource Owner Password Credentials flow) for users to retrieve a token and authorize access to the backend. This has a few issues:

  • Users cannot easily manage (refresh/revoke/introspect) their tokens, and the JWT is stateless (so there is no metadata such as "last used")
  • Users cannot customize the token lifetime (it is determined server-side), and the Keycloak session token is meant to be short-lived (our current token lifetime of 1 day seems too long); this is problematic for long-term sessions such as scripting
  • We currently have no fine-grained scopes/permissions for API endpoints
  • A Keycloak token automatically carries the full user permission (i.e. all API scopes by default)
  • We have different tokens (app/signature/upload) for different endpoints at this moment; instead we should have a single PAT with scopes

1.1 Different Custom Tokens in NOMAD

Previously tracked in #2414 (closed)

  • Basic auth (username/password) – removed in !2678 (merged)
  • Keycloak bearer (access) token – the default Keycloak-based token
  • "Simple token" – JWT-encoded UUID signed with the API secret
    • App token – customizable-expiration (long-lived) variant
    • Signature token – short-lived (10 s) variant, also used in cookies
  • Upload token – HMAC + API secret token for upload endpoints, with no expiry

2. Future Auth Components

GUI sessions

Users log in via Keycloak and get an access token with full user-level permission to the backend.

Personal Access Token (PAT)

From the GUI, users should be able to generate and manage their PATs. These would be stateful (we need to store them internally), which allows checking metadata (expiry/last_used/token_name/scope) and revoking them.

3. Tasks

  • Allow backend scopes: #2481 (closed)
  • Allow configuring default permission: #2470 (closed)
  • Reduce keycloak token lifetime (currently 1 day): https://github.com/keycloak/keycloak/discussions/14128

3.1 Personal Access Token (PAT)

  • Backend token generation
  • A dedicated table in nomad_oasis_postgresql (see the GitLab implementation for example)
  • Backend user resolver needs to accept PATs
  • User-facing management page (GUI side)
  • Deprecate/remove the other custom tokens
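Added example (not NOMAD's own code) sketching the stateful PAT design described in section 2 and the backend tasks in 3.1: a server-side table holding only a hash of the secret, per-token scopes, expiry, a last_used timestamp and a revoked flag, plus the user-resolver check that an endpoint would call. The table and column names, the `nomad_pat_` prefix and the use of sqlite3 in place of the real nomad_oasis_postgresql database are assumptions for illustration.

```python
"""Minimal stateful Personal Access Token store (added illustration, not NOMAD code).

The plaintext secret is shown to the user exactly once at creation; only its
SHA-256 hash is persisted, so a database leak does not leak usable tokens.
"""
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed table layout; NOMAD's real schema in nomad_oasis_postgresql may differ.
SCHEMA = """
CREATE TABLE IF NOT EXISTS personal_access_tokens (
    id          INTEGER PRIMARY KEY,
    user_id     TEXT NOT NULL,
    token_name  TEXT NOT NULL,
    token_hash  TEXT NOT NULL UNIQUE,   -- sha256 of the secret, never the secret itself
    scopes      TEXT NOT NULL,          -- comma-separated, e.g. "read,upload"
    expires_at  TEXT NOT NULL,          -- ISO-8601 UTC
    last_used   TEXT,                   -- ISO-8601 UTC, NULL until first use
    revoked     INTEGER NOT NULL DEFAULT 0
)
"""


def _now() -> datetime:
    return datetime.now(timezone.utc)


def _hash(token: str) -> str:
    # The secret has 256 bits of entropy, so an unsalted fast hash is adequate here.
    return hashlib.sha256(token.encode()).hexdigest()


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def create_token(conn, user_id, token_name, scopes, lifetime_days=30):
    """Backend token generation: returns (token_id, secret); the secret is not stored."""
    secret = "nomad_pat_" + secrets.token_urlsafe(32)  # prefix is an assumption
    expires = (_now() + timedelta(days=lifetime_days)).isoformat()
    cur = conn.execute(
        "INSERT INTO personal_access_tokens "
        "(user_id, token_name, token_hash, scopes, expires_at) VALUES (?, ?, ?, ?, ?)",
        (user_id, token_name, _hash(secret), ",".join(sorted(scopes)), expires),
    )
    conn.commit()
    return cur.lastrowid, secret


def resolve_user(conn, presented_token, required_scope):
    """User resolver for a PAT-protected endpoint.

    Returns the owning user_id only if the token exists, is unexpired, is not
    revoked and carries the scope the endpoint requires; otherwise None.
    Successful use updates last_used so the management page can show it.
    """
    row = conn.execute(
        "SELECT id, user_id, scopes, expires_at, revoked "
        "FROM personal_access_tokens WHERE token_hash = ?",
        (_hash(presented_token),),
    ).fetchone()
    if row is None:
        return None
    token_id, user_id, scopes, expires_at, revoked = row
    if revoked or datetime.fromisoformat(expires_at) <= _now():
        return None
    if required_scope not in scopes.split(","):
        return None
    conn.execute(
        "UPDATE personal_access_tokens SET last_used = ? WHERE id = ?",
        (_now().isoformat(), token_id),
    )
    conn.commit()
    return user_id


def revoke_token(conn, user_id, token_id) -> bool:
    """Revocation is immediate because every request consults the table."""
    cur = conn.execute(
        "UPDATE personal_access_tokens SET revoked = 1 WHERE id = ? AND user_id = ?",
        (token_id, user_id),
    )
    conn.commit()
    return cur.rowcount == 1


def list_tokens(conn, user_id):
    """Metadata for the user-facing management page; the secret is never returned."""
    cols = ("id", "token_name", "scopes", "expires_at", "last_used", "revoked")
    rows = conn.execute(
        "SELECT id, token_name, scopes, expires_at, last_used, revoked "
        "FROM personal_access_tokens WHERE user_id = ?",
        (user_id,),
    ).fetchall()
    return [dict(zip(cols, r)) for r in rows]
```

Because the resolver checks scope per request, a token minted with only `upload` cannot be used against endpoints requiring other scopes, which is the single-PAT-with-scopes model the issue proposes in place of the separate app/signature/upload tokens.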
Edited Feb 12, 2026 by Haoyu Yang