
Authentication and authorization

NucliaDB is designed to work behind an upstream authentication proxy provider like ORY Hydra.

Depending on how you want to use NucliaDB, you may want to lock down an on-premise installation in different ways.

Internal Database and Search API

For example, if you want to set up NucliaDB so that internal applications interact with it exclusively through the API, a simple authentication proxy with Basic Auth may be all you need.

In this case you need to configure your deployment with the setting auth_policy=upstream_basicauth, for instance:

```yaml
version: '3.9'

services:
  nucliadb:
    image: nuclia/nucliadb:latest
    ports:
      - '8080:8080'
    environment:
      - NUA_API_KEY=<my-key>
      - NUCLIA_ZONE=europe-1
      - DRIVER=PG
      - DRIVER_PG_URL=postgres://nucliadb:nucliadb@postgres:5432/nucliadb
      - FILE_BACKEND=PG
      - auth_policy=upstream_basicauth
      - CORS_ORIGINS=["http://localhost:8080"]
    volumes:
      - nucliadb-data:/data
    depends_on:
      - postgres

  postgres:
    image: postgres:latest
    ports:
      - '5432:5432'
    environment:
      - POSTGRES_USER=nucliadb
      - POSTGRES_PASSWORD=nucliadb
      - POSTGRES_DB=nucliadb
    volumes:
      - nucliadb-maindb:/var/lib/postgresql/data

volumes:
  nucliadb-data: {}
  nucliadb-maindb: {}
```
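The compose file above tells NucliaDB to accept the identity established by an upstream proxy; the proxy itself, which is the only place the password is actually checked, is not shown. The following Python is an added example, not NucliaDB's code nor that of any particular proxy product: it performs the per-request check a Basic Auth proxy makes (parse the `Authorization: Basic` header, verify the password against a salted PBKDF2 record in constant time, then either answer 401 with a challenge or forward the request upstream with the original header). The in-memory credential store, the service account name and password, the realm string and the extra `X-Forwarded-User` header are all constructed for this example; the `Authorization` header that is forwarded unchanged is what the `upstream_basicauth` policy receives.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # work factor for the stored password hashes


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Build a (salt, PBKDF2-SHA256 digest) record, as an htpasswd-style store would hold."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed credential store for this example (service account -> record).
# A real proxy would load this from a file; the username and password are made up.
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "ingest-service": make_record("correct horse battery staple"),
}

# Dummy record hashed for unknown usernames, so a lookup miss costs the same time as a hit.
_DUMMY_RECORD = make_record("unused", salt=b"\x00" * 16)


def verify_basic_auth(authorization: Optional[str]) -> Optional[str]:
    """Return the authenticated username, or None if the header is missing or invalid."""
    if not authorization:
        return None
    scheme, _, payload = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    username, sep, password = decoded.partition(":")  # the password may itself contain ':'
    if not sep:
        return None
    record = CREDENTIALS.get(username)
    salt, expected = record if record is not None else _DUMMY_RECORD
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    # compare_digest keeps the comparison constant-time; the 'record is None' check comes
    # after hashing so that unknown usernames are not distinguishable by response time.
    if not hmac.compare_digest(candidate, expected) or record is None:
        return None
    return username


def proxy_decision(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """What the proxy does with one request: challenge with 401, or forward it upstream."""
    user = verify_basic_auth(headers.get("Authorization"))
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="NucliaDB"'}
    # Forward the original Authorization header to NucliaDB (auth_policy=upstream_basicauth).
    # X-Forwarded-User is this example's own addition, not something NucliaDB requires.
    return 200, {"Authorization": headers["Authorization"], "X-Forwarded-User": user}


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a client would send (used by tests and tooling)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    ok = basic_header("ingest-service", "correct horse battery staple")
    print(proxy_decision({}))                     # 401 with a Basic challenge
    print(proxy_decision({"Authorization": ok}))  # 200, request forwarded with identity
```

Because NucliaDB trusts whatever identity the proxy forwards, the deployment only holds together if port 8080 of the `nucliadb` container is reachable exclusively through the proxy (a private network or firewall rule rather than a published port); any client that can reach it directly can present any username it likes.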

User authentication

If you're interested in supporting user authentication with NucliaDB, you can integrate with tooling like OAuth2 Proxy. It lets you configure authentication and authorization with many OAuth2 providers.

```yaml
version: '3.9'

services:
  nucliadb:
    image: nuclia/nucliadb:latest
    environment:
      - NUA_API_KEY=My NUA Key
      - NUCLIA_ZONE=europe-1
      - DRIVER=PG
      - DRIVER_PG_URL=postgres://nucliadb:nucliadb@postgres:5432/nucliadb
      - FILE_BACKEND=PG
      - auth_policy=upstream_oauth2
      - DATA_PATH=/data
      - CORS_ORIGINS=["http://localhost:8080"]
    volumes:
      - nucliadb-data:/data
    depends_on:
      - postgres

  postgres:
    image: postgres:latest
    ports:
      - '5432:5432'
    environment:
      - POSTGRES_USER=nucliadb
      - POSTGRES_PASSWORD=nucliadb
      - POSTGRES_DB=nucliadb
    volumes:
      - nucliadb-maindb:/var/lib/postgresql/data

  redis:
    image: redis:latest
    ports:
      - '6379:6379'

  auth-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy
    ports:
      - '4180:4180'
    environment:
      - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
      - OAUTH2_PROXY_UPSTREAMS=http://nucliadb:8080/
      - OAUTH2_PROXY_FORCE_HTTPS=false
      - OAUTH2_PROXY_REDIRECT_URL=http://localhost:4180/oauth2/callback
      - OAUTH2_PROXY_PROVIDER=google
      - OAUTH2_PROXY_CLIENT_ID=Google client id
      - OAUTH2_PROXY_CLIENT_SECRET=google client secret
      - OAUTH2_PROXY_SESSION_STORE_TYPE=redis
      - OAUTH2_PROXY_REDIS_CONNECTION_URL=redis://redis:6379
      - OAUTH2_PROXY_COOKIE_SECRET=vLevdGju4C766R8KypPJZ806co4-kwNS9qMuPxLXqls=
      - OAUTH2_PROXY_EMAIL_DOMAINS=yourdomain.com
      - OAUTH2_PROXY_PASS_USER_HEADERS=true
      - OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER=true
    depends_on:
      - nucliadb
      - redis

volumes:
  nucliadb-data: {}
  nucliadb-maindb: {}
```
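In this layout the `nucliadb` service publishes no ports, so every request has to pass through `auth-proxy`, and the proxy's own settings decide who gets in. The Python below is an added example, not part of NucliaDB or oauth2-proxy: it lints the handful of settings from the compose file above that decide whether the proxy can be bypassed or weakened (the `auth_policy`, whether `nucliadb` publishes a port, whether the cookie secret decodes to the 16, 24 or 32 bytes oauth2-proxy accepts, whether `OAUTH2_PROXY_EMAIL_DOMAINS` is left open, and whether HTTPS is forced), and it shows how to mint a fresh cookie secret instead of reusing a published one. The `DEPLOYMENT` dict is constructed by hand from the values on this page, and `weakened_example()` is a deliberately mis-configured copy; nothing is parsed from the YAML itself.

```python
import base64
import binascii
import copy
import os
from typing import Dict, List

# Constructed from the compose file above: only the settings the checks below look at.
DEPLOYMENT: Dict[str, Dict] = {
    "nucliadb": {
        "environment": {"auth_policy": "upstream_oauth2"},
        "ports": [],  # no published ports: reachable only through auth-proxy
    },
    "auth-proxy": {
        "environment": {
            "OAUTH2_PROXY_UPSTREAMS": "http://nucliadb:8080/",
            "OAUTH2_PROXY_FORCE_HTTPS": "false",
            "OAUTH2_PROXY_COOKIE_SECRET": "vLevdGju4C766R8KypPJZ806co4-kwNS9qMuPxLXqls=",
            "OAUTH2_PROXY_EMAIL_DOMAINS": "yourdomain.com",
        },
        "ports": ["4180:4180"],
    },
}


def cookie_secret_is_valid(secret: str) -> bool:
    """Check a base64 (URL-safe) cookie secret, as the compose file gives it, decodes to 16, 24 or 32 bytes."""
    if not secret:
        return False
    try:
        raw = base64.urlsafe_b64decode(secret)
    except (binascii.Error, ValueError):
        return False
    return len(raw) in (16, 24, 32)


def new_cookie_secret() -> str:
    """Generate a fresh 32-byte cookie secret in the encoding oauth2-proxy accepts."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")


def lint_deployment(deployment: Dict[str, Dict]) -> List[str]:
    """Return findings describing ways the proxy could be bypassed or weakened."""
    findings: List[str] = []
    db = deployment["nucliadb"]
    if db["environment"].get("auth_policy") != "upstream_oauth2":
        findings.append("nucliadb: auth_policy is not upstream_oauth2 although oauth2-proxy fronts it")
    if db["ports"]:
        findings.append("nucliadb: publishes ports, so clients can reach it without passing the proxy")

    proxy_env = deployment["auth-proxy"]["environment"]
    if not cookie_secret_is_valid(proxy_env.get("OAUTH2_PROXY_COOKIE_SECRET", "")):
        findings.append("auth-proxy: OAUTH2_PROXY_COOKIE_SECRET must decode to 16, 24 or 32 bytes")
    domains = proxy_env.get("OAUTH2_PROXY_EMAIL_DOMAINS", "")
    if not domains or "*" in domains.split(","):
        findings.append("auth-proxy: OAUTH2_PROXY_EMAIL_DOMAINS is unrestricted; any account at the provider can log in")
    if proxy_env.get("OAUTH2_PROXY_FORCE_HTTPS", "").lower() == "false":
        findings.append("auth-proxy: OAUTH2_PROXY_FORCE_HTTPS=false suits local testing only; serve the proxy over TLS in production")
    return findings


def weakened_example() -> Dict[str, Dict]:
    """A constructed mis-configuration: NucliaDB exposed directly and the domain allow-list opened."""
    weak = copy.deepcopy(DEPLOYMENT)
    weak["nucliadb"]["ports"] = ["8080:8080"]
    weak["auth-proxy"]["environment"]["OAUTH2_PROXY_EMAIL_DOMAINS"] = "*"
    return weak


if __name__ == "__main__":
    for label, dep in (("page example", DEPLOYMENT), ("weakened copy", weakened_example())):
        print(f"{label}:")
        for finding in lint_deployment(dep) or ["no findings"]:
            print("  -", finding)
    print("fresh cookie secret:", new_cookie_secret())
```

Run against the page's own compose file the linter reports only the `FORCE_HTTPS=false` setting, which is acceptable for the localhost redirect URL used here; the weakened copy additionally flags the published NucliaDB port and the open email-domain allow-list.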