Authentication and authorization
NucliaDB is designed to run behind an upstream authentication proxy provider such as ORY Hydra. With any of the upstream_* authentication policies NucliaDB does not check credentials itself: it reads the identity that the proxy forwards and trusts it, so the proxy must be the only route to NucliaDB's HTTP port.
Depending on how you want to use NucliaDB, you may want to lock down an on-premise installation differently.
Internal Database and Search API
For example, if you want to set up NucliaDB so that internal applications interact with it exclusively through the API, a simple authentication proxy with Basic Auth may be all you need.
In that case, configure your deployment with auth_policy=upstream_basicauth. The Compose file below configures only NucliaDB; the proxy that actually checks the Basic credentials (nginx with auth_basic, for instance) sits in front of it and is not shown. Publishing port 8080 on the host is fine on a workstation, but once the proxy is in place only the proxy should be able to reach that port. For instance:
```yaml
version: '3.9'
services:
  nucliadb:
    image: nuclia/nucliadb:latest
    ports:
      - '8080:8080'  # with upstream_basicauth, only the proxy should reach this port
    environment:
      - NUA_API_KEY=<my-key>
      - NUCLIA_ZONE=europe-1
      - DRIVER=PG
      - DRIVER_PG_URL=postgres://nucliadb:nucliadb@postgres:5432/nucliadb
      - auth_policy=upstream_basicauth
      - CORS_ORIGINS=["http://localhost:8080"]
    volumes:
      - nucliadb-data:/data
    depends_on:
      - postgres
  postgres:
    image: postgres:latest
    ports:
      - '5432:5432'  # host mapping for local debugging; NucliaDB reaches it by service name
    environment:
      - POSTGRES_USER=nucliadb
      - POSTGRES_PASSWORD=nucliadb
      - POSTGRES_DB=nucliadb
    volumes:
      - nucliadb-maindb:/var/lib/postgresql/data
volumes:
  nucliadb-data: {}
  nucliadb-maindb: {}
```
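The Compose file above stops at NucliaDB; the Basic Auth proxy in front of it is left to you. What follows is an added example of such a proxy, written for this page in Python's standard library and not code from NucliaDB. It assumes the proxy listens on port 9090, reaches NucliaDB at http://nucliadb:8080, and keeps its users in the constructed USERS table (these are assumptions, not settings from the docs). The credential check hashes the password and compares in constant time, every client-supplied X-NUCLIADB-* header is dropped before forwarding because whatever reaches NucliaDB under an upstream policy is trusted, and the verified Authorization header is passed through unchanged, which is what auth_policy=upstream_basicauth consumes.

```python
"""Basic Auth reverse proxy for NucliaDB: added example, stdlib only, not NucliaDB code.

Assumptions (not from the docs): listens on 9090, NucliaDB at http://nucliadb:8080,
users in the constructed USERS table below.
"""
import base64
import binascii
import hashlib
import hmac
import http.server
import os
import urllib.error
import urllib.request
from typing import Dict, Optional

UPSTREAM = os.environ.get("NUCLIADB_UPSTREAM", "http://nucliadb:8080")  # assumed address
LISTEN = ("0.0.0.0", 9090)  # assumed port

# Constructed credential table. In practice use a per-user random salt loaded from a
# file that is not world-readable; the fixed salt keeps this example short.
_SALT = b"demo-salt-not-for-production"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS: Dict[str, bytes] = {"indexer": _hash("s3cret")}

# Never forwarded: hop-by-hop headers, and any identity header a client could use
# to impersonate someone (an upstream policy trusts whatever reaches NucliaDB).
DROP = {"connection", "keep-alive", "transfer-encoding", "host", "content-length"}
IDENTITY_PREFIX = "x-nucliadb-"


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def authenticate(header: Optional[str]) -> Optional[str]:
    """Return the username if the Basic credential is valid, otherwise None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    expected = USERS.get(user, b"")
    # Hash even for unknown users so timing does not reveal whether the name exists;
    # compare_digest returns False (no exception) when the lengths differ.
    if not hmac.compare_digest(_hash(password), expected):
        return None
    return user


def forward_headers(headers) -> Dict[str, str]:
    """Headers to send upstream: Authorization stays (NucliaDB reads it under
    upstream_basicauth); hop-by-hop and X-NUCLIADB-* headers are removed."""
    out: Dict[str, str] = {}
    for name, value in headers.items():
        low = name.lower()
        if low in DROP or low.startswith(IDENTITY_PREFIX):
            continue
        out[name] = value
    return out


class Proxy(http.server.BaseHTTPRequestHandler):
    def _handle(self) -> None:
        if authenticate(self.headers.get("Authorization")) is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="nucliadb"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = urllib.request.Request(UPSTREAM + self.path, data=body, method=self.command,
                                     headers=forward_headers(self.headers))
        try:
            with urllib.request.urlopen(req, timeout=60) as resp:
                self._relay(resp.status, resp.headers, resp.read())
        except urllib.error.HTTPError as err:  # upstream 4xx/5xx are relayed, not swallowed
            self._relay(err.code, err.headers, err.read())

    def _relay(self, status: int, headers, body: bytes) -> None:
        self.send_response(status)
        for name, value in headers.items():
            if name.lower() not in DROP:
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _handle


if __name__ == "__main__":
    http.server.ThreadingHTTPServer(LISTEN, Proxy).serve_forever()
```

Run it next to the Compose stack, remove the `8080:8080` host mapping so the proxy is the only path in, and point clients at port 9090 with a header built by basic_header(). A request without valid credentials never reaches NucliaDB; a valid one arrives with the same Authorization header NucliaDB uses to name the user.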
User authentication
If you want to support user authentication with NucliaDB, you can integrate with tooling like OAuth2 Proxy, which lets you configure authentication and authorization against many OAuth2 providers. In the Compose file below NucliaDB publishes no ports: users reach it only through the auth-proxy service on port 4180, which forwards the authenticated user's headers and Authorization header to NucliaDB running with auth_policy=upstream_oauth2. The FORCE_HTTPS=false setting, the plain-http redirect URL and the literal cookie secret are for trying the stack on localhost; replace them before exposing it to anyone else.
```yaml
version: '3.9'
services:
  nucliadb:
    image: nuclia/nucliadb:latest
    # No ports: NucliaDB is reachable only from auth-proxy on the Compose network,
    # which is what an upstream authentication policy requires.
    environment:
      - NUA_API_KEY=My NUA Key
      - NUCLIA_ZONE=europe-1
      - DRIVER=PG
      - DRIVER_PG_URL=postgres://nucliadb:nucliadb@postgres:5432/nucliadb
      - auth_policy=upstream_oauth2
      - DATA_PATH=/data
      - CORS_ORIGINS=["http://localhost:8080"]
    volumes:
      - nucliadb-data:/data
    depends_on:
      - postgres
  postgres:
    image: postgres:latest
    ports:
      - '5432:5432'  # host mapping for local debugging only
    environment:
      - POSTGRES_USER=nucliadb
      - POSTGRES_PASSWORD=nucliadb
      - POSTGRES_DB=nucliadb
    volumes:
      - nucliadb-maindb:/var/lib/postgresql/data
  redis:
    image: redis:latest
    ports:
      - '6379:6379'  # likewise; auth-proxy reaches redis by service name
  auth-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy
    ports:
      - '4180:4180'
    environment:
      - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
      - OAUTH2_PROXY_UPSTREAMS=http://nucliadb:8080/
      - OAUTH2_PROXY_FORCE_HTTPS=false  # localhost only; set true behind TLS
      - OAUTH2_PROXY_REDIRECT_URL=http://localhost:4180/oauth2/callback
      - OAUTH2_PROXY_PROVIDER=google
      - OAUTH2_PROXY_CLIENT_ID=Google client id
      - OAUTH2_PROXY_CLIENT_SECRET=google client secret
      - OAUTH2_PROXY_SESSION_STORE_TYPE=redis
      - OAUTH2_PROXY_REDIS_CONNECTION_URL=redis://redis:6379
      # This value is public: generate your own, e.g.
      # python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
      - OAUTH2_PROXY_COOKIE_SECRET=vLevdGju4C766R8KypPJZ806co4-kwNS9qMuPxLXqls=
      - OAUTH2_PROXY_EMAIL_DOMAINS=yourdomain.com
      - OAUTH2_PROXY_PASS_USER_HEADERS=true
      - OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER=true
    depends_on:
      - nucliadb
      - redis
volumes:
  nucliadb-data: {}
  nucliadb-maindb: {}
```
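Before exposing the stack above, it is worth checking the proxy settings mechanically. The following is an added example written for this page, not part of NucliaDB or OAuth2 Proxy: it lints the auth-proxy environment list (copied here as a constructed list) and reports the settings that are fine on a laptop but not on a shared host, generates a fresh cookie secret, and lists the services that publish host ports around the proxy. The only OAuth2 Proxy facts it relies on are that OAUTH2_PROXY_COOKIE_SECRET must decode to 16, 24 or 32 bytes and that the documented way to make one is 32 random bytes in URL-safe base64; the other rules (placeholder detection, plain-http callbacks, open email domains) are deployment rules of thumb for this stack.

```python
"""Pre-flight lint for the oauth2-proxy settings above: added example, not part of
NucliaDB or oauth2-proxy. Relies only on the documented cookie-secret length rule."""
import base64
import binascii
import os
from typing import Dict, List, Tuple

# Constructed copy of the auth-proxy environment from the Compose file above.
AUTH_PROXY_ENV = [
    "OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180",
    "OAUTH2_PROXY_UPSTREAMS=http://nucliadb:8080/",
    "OAUTH2_PROXY_FORCE_HTTPS=false",
    "OAUTH2_PROXY_REDIRECT_URL=http://localhost:4180/oauth2/callback",
    "OAUTH2_PROXY_PROVIDER=google",
    "OAUTH2_PROXY_CLIENT_ID=Google client id",
    "OAUTH2_PROXY_CLIENT_SECRET=google client secret",
    "OAUTH2_PROXY_COOKIE_SECRET=vLevdGju4C766R8KypPJZ806co4-kwNS9qMuPxLXqls=",
    "OAUTH2_PROXY_EMAIL_DOMAINS=yourdomain.com",
]
# Which services publish host ports, also copied from the Compose file.
SERVICE_PORTS = {"nucliadb": [], "postgres": ["5432:5432"],
                 "redis": ["6379:6379"], "auth-proxy": ["4180:4180"]}
# Secrets that appear verbatim in public examples and therefore are not secret.
EXAMPLE_SECRETS = {"vLevdGju4C766R8KypPJZ806co4-kwNS9qMuPxLXqls="}


def parse_env(entries: List[str]) -> Dict[str, str]:
    """Turn compose 'KEY=value' list entries into a dict; the first '=' splits,
    and a later entry for the same key overrides an earlier one."""
    env: Dict[str, str] = {}
    for entry in entries:
        key, sep, value = entry.partition("=")
        if sep:
            env[key.strip()] = value
    return env


def new_cookie_secret() -> str:
    """32 random bytes in URL-safe base64, the form oauth2-proxy documents."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")


def cookie_secret_ok(secret: str) -> bool:
    """oauth2-proxy accepts a secret that decodes to 16, 24 or 32 bytes."""
    try:
        raw = base64.urlsafe_b64decode(secret)
    except (binascii.Error, ValueError):
        return False
    return len(raw) in (16, 24, 32)


def lint(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (setting, problem) pairs; an empty list means nothing was flagged."""
    out: List[Tuple[str, str]] = []
    secret = env.get("OAUTH2_PROXY_COOKIE_SECRET", "")
    if not cookie_secret_ok(secret):
        out.append(("OAUTH2_PROXY_COOKIE_SECRET", "must decode to 16, 24 or 32 bytes"))
    elif secret in EXAMPLE_SECRETS:
        out.append(("OAUTH2_PROXY_COOKIE_SECRET", "copied from a public example; generate your own"))
    if env.get("OAUTH2_PROXY_FORCE_HTTPS", "").lower() == "false":
        out.append(("OAUTH2_PROXY_FORCE_HTTPS", "false: session cookie travels in clear text"))
    redirect = env.get("OAUTH2_PROXY_REDIRECT_URL", "")
    if redirect.startswith("http://") and "localhost" not in redirect:
        out.append(("OAUTH2_PROXY_REDIRECT_URL", "plain http callback on a non-local host"))
    for key in ("OAUTH2_PROXY_CLIENT_ID", "OAUTH2_PROXY_CLIENT_SECRET"):
        value = env.get(key, "")
        if not value or " " in value:
            out.append((key, "looks like a placeholder, not a real credential"))
    domains = env.get("OAUTH2_PROXY_EMAIL_DOMAINS", "")
    if not domains or domains == "*":
        out.append(("OAUTH2_PROXY_EMAIL_DOMAINS", "unrestricted: any account at the provider can log in"))
    return out


def published_besides_proxy(ports: Dict[str, List[str]], proxy: str = "auth-proxy") -> List[str]:
    """Services other than the proxy that publish host ports, i.e. reachable around it."""
    return sorted(name for name, mapping in ports.items() if mapping and name != proxy)


if __name__ == "__main__":
    for setting, problem in lint(parse_env(AUTH_PROXY_ENV)):
        print(f"{setting}: {problem}")
    print("published around the proxy:", published_besides_proxy(SERVICE_PORTS))
    print("fresh cookie secret:", new_cookie_secret())
```

On the page's own values the lint flags the cookie secret, FORCE_HTTPS and both client credentials, and reports postgres and redis as reachable around the proxy; with a generated secret, FORCE_HTTPS=true, an https callback and real credentials it returns nothing.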