This open source software code was developed in part or in whole in the Human Brain Project, funded from the European Union's Horizon 2020 Framework Programme for Research and Innovation under Specific Grant Agreements No. 720270, No. 785907 and No. 945539 (Human Brain Project SGA1, SGA2 and SGA3).
âšī¸ This is the new documentation of the EBRAINS KG. It's going to be extended continuously.
If you find any issues / have any comment, please contact kg@ebrains.eu to give us your feedback!
If you find any issues / have any comment, please contact kg@ebrains.eu to give us your feedback!
Keycloak clients
The KG ecosystem knows two different types of Keycloak clients: Those for authentication and those for service accounts.
For all clients we set the following settings: * Client Scopes: * Default scopes: * email * group * profile * roles * team * Optional scopes: None * Scope * Full Scope Allowed: OFF
Authentication clients
For all autentication clients, we set: * Access type: public
-
kg:
- Access type: public
- Flows:
- standard with PKCE (S256)
- implicit deprecated (used presumably only by data.kg.ebrains.eu)
- Redirect URIs:
- core.kg.ebrains.eu
- data.kg.ebrains.eu
- editor.kg.ebrains.eu
- query.kg.ebrains.eu
- search.kg.ebrains.eu
- Deprecated: kg-editor.humanbrainproject.eu
- Deprecated: nexus-iam.humanbrainproject.org
- Deprecated: kg.ebrains.eu
- Web Origins: +
-
kg-core-python:
- Access type: public
- Flows:
- OAuth 2.0 Device Authorization Grant
- OAuth 2.0 Device Code Lifespan: 5 minutes
- OAuth 2.0 Device Polling Interval: 4
-
kg-internal:
- Access type: confidential
- Flows:
- Standard
- Client Scopes:
- group
- openid
- web-origins
- Service Accounts Enabled: ON
- Redirect URIs:
- cron.kg.ebrains.eu
- docs.kg.ebrains.eu
- monitoring.kg.ebrains.eu (PROD only)
- error.kg.ebrains.eu (PROD only)
- code-analytics.kg.ebrains.eu (PROD only)
- infra.kg.ebrains.eu (PROD only)
Service account clients
For all service account clients, we set: * Access type: confidential * Flows: None * Service Accounts Enabled: ON * Backchannel Logout Session Required: OFF
- kg-admin: For kg-airflow for the admin endpoints
- kg-client-model-catalog (PROD only): Service account for Model Catalog
- kg-core: For kg-core to talk to the Admin API of IAM (e.g. for admin client in KG Core e.g. to list users)
- Additional Default Client Scopes:
- realm-management
- Service Account Roles
- Client "realm-management"
- query-users
- view-users
- kg-cron: For kg-airflow for write access to the KG (mostly public spaces) -> Attention: We need to test the access rights (we didn't add the kg-devs group anymore - service accounts should be authorized explicitly in KG)
- Service Account Roles
- Client "group"
- group-dataset-curators: To access protected data-proxy buckets for file indexing
- kg-docs: To allow the kg-docs pipeline to access and manipulate protected data-proxy buckets (e.g. to download and upload blobs such as videos)
- Service Account Roles
- Client "team"
- collab-kg-tutorial-videos-editor
- kg-editor: For service-2-service communication with kg-core
- kg-query-builder: For service-2-service communication with kg-core
- kg-search: For service-2-service communication with kg-core
- kg-statistics: For service-2-service communication with kg-core
To be validated
- kg-hdg: Formerly used by the old hdg.kg.ebrains.eu. Still mapped in data-proxy ansible script hdg_old_client_id
- kg-modelcatalog: Seems redundant with kg-client-model-catalog -> to be validated with Andrew Davison
Deprecated clients
- kg-error: Used for former kg-error authentication on the reverse proxy level
- kg-infra: Used for former kg-infra.humanbrainproject.eu
- kg-nexus: For KG v2
This open source software code was developed in part or in whole in the Human Brain Project, funded from the European Union's Horizon 2020 Framework Programme for Research and Innovation under Specific Grant Agreements No. 720270, No. 785907 and No. 945539 (Human Brain Project SGA1, SGA2 and SGA3).