Github user amiryesh commented on the issue:

    https://github.com/apache/incubator-trafficcontrol/pull/567
  
    @limited Hi, I agree with your view on the benefits of using industry 
standard software wherever applicable. Let me share my view on how the API GW 
and the auth server are to be considered.
    
    IMO, the auth server and API GW implementation is to be considered as an 
entry point towards breaking the TO monolith into microservice architecture. 
    
    The auth server is far from being production grade. It does not support 
standard OAuth2 flows. It probably has security flaws. More than that, user 
management and access control is implemented as a part of TC.
    
    I believe that in production, one would want to use different identity 
services to manage her users, and implement more complex authentication flows. 
The API GW architecture allows you to manage your users externally and provide 
a JWT with proper TO claims.
    
    However, this is a very complex setup. We would want users to be able to 
run a simple working TC instance as easily as possible. This is why the auth 
server was implemented.
    
    The same rationale applies also to the API GW implementation. I agree that 
if we can configure nginx to do what we need it is most likely a better fit for 
production. 
    
    What we do get from the API GW is custom authorization code. We have our 
own simple code that can verify our custom claims. I don't have much nginx 
experience, I think that custom authorization logic is likely to be harder to 
configure, but maybe I'm wrong.
    
    Hope that makes sense,
    /amiry 
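The comment describes a gateway that accepts a JWT issued by an external identity service and verifies custom TO claims itself. The following is an added illustration of what that check involves; it is not Traffic Control's gateway code. It uses only the Go standard library: the algorithm is pinned to HS256 so an attacker-controlled `alg` header is rejected, the signature is compared in constant time, expiry is enforced, and only then is the custom claim checked against the roles allowed for the route. The claim name `to_role`, the key, the role names and the `SignHS256` helper (standing in for the identity provider) are constructed assumptions for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a hypothetical claim set: standard "sub" and "exp" plus a
// constructed custom claim "to_role" carrying the role the gateway checks.
type Claims struct {
	Sub    string `json:"sub"`
	Exp    int64  `json:"exp"`
	ToRole string `json:"to_role"`
}

var enc = base64.RawURLEncoding

// SignHS256 builds a compact JWT signed with HMAC-SHA256. It stands in for
// the external identity service in this example.
func SignHS256(c Claims, key []byte) (string, error) {
	hdr := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := hdr + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 is the gateway side of the exchange. It returns the claims only
// when structure, algorithm, signature, expiry and the custom role claim all
// pass; every failure is reported without revealing which claim was present.
func VerifyHS256(token string, key []byte, allowedRoles map[string]bool, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed header")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: never let the token choose "none" or another scheme.
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported alg")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("malformed signature")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return nil, errors.New("bad signature")
	}
	payload, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, errors.New("malformed claims")
	}
	// A missing "exp" is treated as expired rather than as valid forever.
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	// Custom authorization: the role claim must be one the route permits.
	if !allowedRoles[c.ToRole] {
		return nil, errors.New("role not permitted")
	}
	return &c, nil
}

func main() {
	key := []byte("constructed-test-key") // constructed; never hard-code in practice
	now := time.Now()
	tok, _ := SignHS256(Claims{Sub: "alice", Exp: now.Add(time.Minute).Unix(), ToRole: "admin"}, key)
	c, err := VerifyHS256(tok, key, map[string]bool{"admin": true}, now)
	fmt.Println(c, err)
	_, err = VerifyHS256(tok, key, map[string]bool{"read-only": true}, now)
	fmt.Println("wrong role:", err)
}
```

The same structure applies to RS256 tokens from a real identity provider: swap the HMAC step for an RSA signature check against the provider's published key, keep the algorithm pin, and keep the claim check as the last step so that authorization is never evaluated on an unverified payload.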

