As of v25.1, you can set up Gateway using Standalone authentication, to authenticate users without connecting to Micetro or Address Manager. The workflows that you run using Standalone authentication must be designed for this type of authentication. By default, only a single user account can be created when using Standalone authentication. This is suitable for some situations, but not others. Gateway lets workflow developers provide their own custom authentication functions that can be used for building your own system to manage multiple user credentials.
To build your own system to manage multiple user credentials, you would need a method to store the credentials, such as in your own database. The Standalone authentication functions would then access the authentication system and database that you want your Standalone Gateway installation to use. The script files containing the custom authentication functions must be contained within the Built-in workspace. This means that the functions will be available only if Gateway is built into a custom Docker container image with the customized authentication code before it is installed.
To set up Standalone authentication functions:
Create a local directory for your Standalone authentication project.
Within this directory, create a custom authentication script named gw_custom_authentication.py that implements the retrieve_user_information() and retrieve_user_information_via_token() functions.
These functions should validate the user's credentials by either username/password or from a session token. For more details, see Standalone authentication function script format below.
In the same directory where your custom authentication script is located, create the following Dockerfile script (with the file name Dockerfile):

    FROM quay.io/bluecat/gateway:v25.3.0
    USER root
    COPY ./gw_custom_authentication.py /builtin/customizations/
    # Ensure the content is available if the container is run with a custom User ID.
    RUN chgrp -R 0 /builtin && chmod -R g=u /builtin
    USER flask

In addition to ./gw_custom_authentication.py, add COPY commands for any other files needed by your custom authentication scripts.
When executed as part of a docker build command, this file first copies the gw_custom_authentication.py file to the customizations folder in the built-in workspace (/builtin/customizations).
Run the following command from the same directory as the Dockerfile script you just created:

    docker build . -t <Custom project:Version>

Where:
<Custom project> is a custom name for your project, with no spaces.
<Version> is a version number for your project, with no spaces. This can be useful during development to track different versions of docker images.
Running this command creates a docker image named <Custom project:Version>.
Run the container with this newly-created image. Use the same docker command you normally would, replacing the final --name parameter with <Custom project:Version>. For example:

    docker run -d \
        -p 80:8000 \
        -p 443:44300 \
        -v <Path to mapped workspace directory>:/bluecat_gateway/ \
        -v <Path to mapped logs directory>:/logs/ \
        -e AUTHENTICATION=Standalone \
        -e STANDALONE_USERNAME=<Standalone account user name> \
        -e STANDALONE_PASSWORD=<Standalone account password> \
        --name bluecat_gateway <Custom project:Version>

You can now log in to Gateway as a user with your custom credentials.
Standalone authentication function script format
Your custom authentication extension scripts must comply with the following rules.
The file must be named gw_custom_authentication.py.
The file must contain the following functions, written in Python:
retrieve_user_information(username: str, password: str) -> dict: Validates a user with the given username and password.
retrieve_user_information_via_token(token: str) -> dict: Validates a user with the given token.
In both functions, if the credentials or token are valid, the function should return the user's details in the following format:
    {
        "username": <User name>,
        "token": <Token>,
        "group": <Gateway group>,
    }
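The following gw_custom_authentication.py is an added sketch, not BlueCat's code, showing the two required functions backed by salted PBKDF2 password hashes and hashed, expiring session tokens. Assumptions: the in-memory USERS and SESSIONS stores stand in for your own database, the user "alice" and group "admin" are constructed sample values, the one-hour token lifetime is arbitrary, and returning None for invalid credentials is a placeholder because the failure return value is not specified above.

```python
# gw_custom_authentication.py: added sketch, not BlueCat's code
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 600_000
TOKEN_TTL = 3600  # seconds; assumed session lifetime


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, group: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "group": group}


# Constructed sample records; a real deployment loads them from its own database.
USERS = {"alice": make_user("correct horse battery staple", "admin")}
DUMMY = make_user(secrets.token_hex(16), "")  # hashed against for unknown usernames
SESSIONS = {}  # sha256(token) -> (username, expiry); raw tokens are never stored


def token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def retrieve_user_information(username: str, password: str) -> dict:
    record = USERS.get(username, DUMMY)
    # Always run the KDF so unknown and known usernames take similar time.
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]) or username not in USERS:
        return None  # assumption: failure return value is not given on the page
    token = secrets.token_urlsafe(32)
    SESSIONS[token_key(token)] = (username, time.time() + TOKEN_TTL)
    return {"username": username, "token": token, "group": record["group"]}


def retrieve_user_information_via_token(token: str) -> dict:
    key = token_key(token)
    session = SESSIONS.get(key)
    user = USERS.get(session[0]) if session else None
    if user is None or session[1] < time.time():
        SESSIONS.pop(key, None)  # drop expired or orphaned sessions on lookup
        return None
    return {"username": session[0], "token": token, "group": user["group"]}
```

Because SESSIONS lives in process memory, tokens do not survive a container restart and are not shared between processes; keep the hashed tokens in the same database as the credentials if that matters for your deployment.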