轩辕镜像 官方专业版
轩辕镜像
专业版
轩辕镜像 官方专业版
轩辕镜像
专业版
首页个人中心搜索镜像
交易
充值流量¥7起我的订单
文档
工具
提交工单页面收录
adc-middleware

ros65536/adc-middleware

ros65536

下载次数: 0状态:社区镜像维护者:ros65536仓库类型:镜像最近更新:5 年前
让 AI 帮你使用轩辕镜像? · 展开查看说明 · 点击收起说明

如果你使用 DeepSeek、元宝 AI、Copilot、ChatGPT 等 AI 工具,协助配置轩辕镜像、编写 docker pull 命令、修改 Docker Compose 镜像地址、配置镜像加速、排查镜像拉取失败、分析报错日志等问题,请先让 AI 阅读并遵守轩辕镜像的规则文档。

只需在 AI 对话中先发送下面这句话即可:

请先完整阅读并严格遵守以下文档中的全部规则与要求:

https://xuanyuan.cloud/agents.md

在未充分阅读并理解该文档前,不要生成任何命令、配置、修改建议、故障排查方案或技术回答。后续所有输出都必须严格以该文档中的规范为最高优先级执行。

查看 agents.md 用法指南与完整示范。国内用户首推 元宝 AI、DeepSeek 的深度思考模式,不推荐豆包 AI;Cursor 等编辑器可在对话 @ 该链接,或加入 User Rules。 若 AI 无法访问外链,可 打开说明文档 复制全文粘贴。文档会随站点更新,复制内容可能过期,建议定期检查。

镜像简介
下载命令
镜像标签列表与下载命令
轩辕镜像,让镜像更快,让人生更轻。
点击查看

ADC auth extensions middleware

https://gitlab.com/Ross65536/adc-middleware/badges/master/pipeline.svg](https://gitlab.com/Ross65536/adc-middleware/commits/master)

Middleware server for handling access control for ADC v1 HTTP API compliant repositories.

Check out Docker image https://hub.docker.com/repository/docker/ros65536/adc-middleware

Project runs on java 11, with (modified) google java style guide.

Features:

  • Support for all of the AIRR ADC API functionalities except for: tsv format on POST endpoints.
  • Response fields filtering based on provided token access level.
  • Emission of UMA tickets restricted to the fields requested.

You can also checkout this simple https://github.com/Ross65536/adc-middleware-frontend for testing the access control capabilities of this middleware.

Instructions

Example Deployment (for testing)

Example deployment for testing in localhost.

  1. Clone the repository:
shell
git clone https://github.com/Ross65536/adc-middleware
  1. Load repository test data:

iReceptor Turnkey is used in this example.

Download backend data (for testing):

shell
cd example
curl -L https://github.com/Ross65536/adc-middleware/releases/download/data/repository-data.tar.gz > repository-data.tar.gz
tar -xvzf repository-data.tar.gz -C data/
sudo chown -R $(whoami) data/mongodb/
  1. Load all components:

(Optional) build middleware docker image locally:

shell
docker build -t ros65536/adc-middleware .

Load components

shell
cd example

# load all components
MIDDLEWARE_UMA_CLIENT_SECRET=12 docker-compose up # MIDDLEWARE_UMA_CLIENT_SECRET is not important in this step but must be set

You can now make requests to http://localhost/airr/v1/. Try with http://localhost/airr/v1/info to see if there is a connection to the backend.

On boot the middleware server automatically connects to the DB.

  1. Configure keycloak:

Keycloak admin login page is now accessible at http://localhost/auth. Regular user login at http://localhost/auth/realms/master/account. Then see below how to configure keycloak for first use. Make note of the generated client secret ($MIDDLEWARE_UMA_CLIENT_SECRET) for the created adc-middleware client. You also need to create an additional client in the Keycloak's Clients side bar tab, load (import) and save the client from the file ./example/config/keycloak/front-end.json.

  1. Re-Load the server with the client secret

CODE_TOKEN_4

  1. Synchronize middleware and Keycloak state with Repository:

CODE_TOKEN_5

See below for a discussion on when to re-synchronize.

You should now be able to access the frontend on http://localhost, login, and access resources.

Deployment Notes

Important: When deploying it's very important to make the backend's API unavailable to the public

Important: You must generate a new password and hash for the app.synchronizePasswordHash property variable, see below how.

Important: The middleware APIs should be under a SSL connection in order not to leak user credentials or the synchronization password. If it is not under SSL you need to disable SSL connections Keycloak (see below).

Important: The host and port used by the middleware to access keycloak and the host and port used by the user to obtain an RPT token must be the exact same (must have the same Host header) otherwise the solution doesn't work. Check the nginx configuration to see how this was achieved. When deploying, if using the provided nginx config you must update the line marked as VERY IMPORTANT.

Keycloak Configuration

Initial Keycloak Setup

  1. Go to the keycloak login page ($HOSTNAME/auth). Login as admin with admin:admin.
  2. Go to master's Realm Settings in the sidebar and enable User-Managed Access in the General tab.
  3. Create a new client in the Clients side bar tab: load (import) and save the client from the file ./example/config/keycloak/adc-middleware.json. Go to credentials tab in the client and note the generated Secret value which is the client secret while adc-middleware is the client ID.
  4. In the Users tab create a user with username owner, this is the resource owner. Create a user with username user, this is the user that will access resources. For each created user in the user's Credentials tab create the password. A user can then login ($HOSTNAME/auth/realms/master/account), for example as an owner to grant accesses to users.

You can use different values for these strings, but you would need to update a lot of configuration variables.

SSL

If you need to disable Keycloak's SSL for remote connections, for example when acessing a remote server without SSL enabled, you can:

  • Disable using admin panel. You need to access the admin panel in the remote server locally (localhost) and go to Realm Settings -> Login -> Require SSL = none

  • Disable using SQL script. You can connect to keycloak's database (after it has been loaded by keycloak) and the run:

    CODE_TOKEN_6

    You can connect, for example with: CODE_TOKEN_7

Docker image

The docker image for the middleware accepts the following environment variables:

  • CLIENT_SECRET: The UMA client secret for the middleware.
  • DB_PASSWORD: The DB password for the middleware
  • PROPERTIES_PATH: The path for the java properties configuration file.

The remaining configuration is done using java properties (for example see data/config/example.properties, for explanation see below).

Dev Setup:

If using OpenJDK, use minimum of v11.0.7

Configuring keycloak

You need to setup and configure a keycloak server.

Run: CODE_TOKEN_8

Keycloak is now hosted on http://localhost:8082.

Then see above how to configure keycloak.

To install, build and run for development:

CODE_TOKEN_9

With arguments:

CODE_TOKEN_10

Dev properties configuration example

file dev.properties (You need to update uma.clientSecret):

CODE_TOKEN_11

Dev run example

CODE_TOKEN_12

Build deployable jar

The jar uses java 11

CODE_TOKEN_13

Style checks

To run style checker run:

CODE_TOKEN_14

Tests

CODE_TOKEN_15

Pushing docker image

Dockerhub has setup a hook to automatically pull and build images from repository commits that are tagged like v1.0.1 using semantic versioning.

CODE_TOKEN_16

Configuration

Middleware Configuration

You can set these by either adding a custom properties file (using --spring.config.location to inject the file, see example below) or by passing them as CLI options (with -D<property>=<value>). In the properties files you can use the field names directly as displayed here, for the CLI prepend -D, for the gradle CLI prepend -- (see above example).

Required:

  • adc.resourceServerUrl: The url to the underlying resource server (ADC backend) including base path (example http://localhost:80/airr/v1).
  • uma.wellKnownUrl: The url to the keycloak server's UMA well known document (example: http://localhost:8082/auth/realms/master/.well-known/uma2-configuration)
  • uma.clientId: Client ID for this middleware in keycloak
  • uma.clientSecret: Client Secret for the client ID
  • uma.resourceOwner: The Keycloak username who will be the owner of the created resources.
  • spring.datasource.url: The url to the DB
  • spring.datasource.username: DB username
  • spring.datasource.password: DB password
  • spring.datasource.platform: The platform. Omit for H2 DB, set to postgres for PostgreSQL DB.
  • app.synchronizePasswordHash: The sha256 hash of the password protecting the synchronization endpoint. See below how to generate.

Optional:

  • server.servlet.context-path: The base path of the middleware API. Defaults to: /airr/v1
  • server.port: The middleware server port, defaults to 80
  • app.adcCsvConfigPath: The path for the CSV config file containing the custom fields configuration. Example ./field-mapping.csv. Defaults to the file src/main/resources/field-mapping.csv. See below for structure of file.
  • app.facetsEnabled: Boolean, indicates whether the resource server supports facets (and by extension ADC filters). Defaults to true.
  • app.publicEndpointsEnabled: Boolean, indicates whether the resource server supports the public ADC endpoints (/, /info, /swagger). Defaults to true.
  • app.adcFiltersEnabled: Setting this to true will disable POST endpoint's "filters" function which should make oracle attacks unfeasible. Defaults to false.
  • app.filtersOperatorsBlacklist: A comma separated list of "filters" operators that are disabled. Disabling some operators helps mitigate timing attacks. Defaults to `` which disables this feature.
  • app.requestDelaysPoolSize: Positive integer, the delays pool size. Defaults to 10. Set to 0 to disable request delaying when emitting permissions tickets. Mitigates timing attacks.

Optional Dev:

  • (H2 only) spring.h2.console.enabled: Will enable H2 web console on http://localhost:8080/airr/v1/h2-console (default with url jdbc:h2:file:./data/db account sa:password). Defaults to false.

Pay attention to spaces, a space at the end of a property value line will be included in the string

Running with custom properties file (using deployment jar):

CODE_TOKEN_17

DB & Cache configuration

  • Example config for H2 DB

CODE_TOKEN_18

  • Example config for PostgreSQL DB

See data/config/example.properties for example

CODE_TOKEN_19

  • Using Redis as Cache (Optional)

If these values are not set the default spring cache will be used

CODE_TOKEN_20

To use simple in-memory cache set:

CODE_TOKEN_21

CSV field config

Value for the app.adcCsvConfigPath config param. You can use the default provided ./field-mapping.csv or extend it. The CSV must have header:

  • class: Specifies whether the field is a Repertoire or Rearrangement
  • field: The field. For nested objects demark with .. Example subject.age_unit.value or repertoire_id. Supports arrays.
  • protection: Whether the field is publicly access or protected. Public means any user can access this information, protected means only users that were given access to with the specific scope can access the field information. Valid values are public and protected.
  • access_scope: The UMA scope required to be able to access the field. Must be blank if protection is public, cannot be blank if it is not. Values can be any user defined string of pattern [\w_]+. IMPORTANT: make sure that you make no typos here, the values used here are the UMA scopes stored in keycloak and used for access control.
  • field_type: The type of the field. User for input validation. Valid values are string, boolean, number, integer, array_string.
  • include_fields: Can be one of miairr, airr-core, airr-schema or empty. Specifies to which type the field belongs to. A field that belongs to airr-schema belongs also to airr-core and miairr and a field of airr-core also belongs to miairr. Matches with the ADC API query's include_fields JSON parameter.

The CSV is comma separated. For an example see src/main/resources/field-mapping.csv.

The CSV can include other columns after these which are ignored.

Notes

Synchronization

The middleware needs to synchronize with the backend periodically. No automatic synchronization is performed so you must invoke synchronization when data in the resource server changes, namely when: a repertoire or rearrangement ir added, deleted or updated (study, repertoire_id and sequence_id fields).

To synchronize you can make the following request to the /airr/v1/synchronize endpoint using the password as Bearer token:

CODE_TOKEN_22

Generating password

You need to hash a BCrypt password with 10 rounds to use the synchronization endpoint

CODE_TOKEN_23

Public fields

You can use the public endpoint:

CODE_TOKEN_24

to obtain the public fields for each class of resources.

Minimal AIRR ADC compliance necessary

To be able to make use of this middleware the backend MUST implement the following AIRR ADC API endpoints (the URL base-path is configurable):

  1. GET /repertoire/{repertoire_id}
  2. GET /rearrangement/{sequence_id}
  3. POST /repertoire
  4. POST /rearrangement

For endpoints 3. and 4. the backend can discard the other query fields except the "facets" field which must be processed and returned correctly.

The following public endpoints are not mandatory and access to them can be disabled in the middleware:

  • GET /
  • GET /info
  • GET /swagger

The Repertoires regular responses (1. and 3.) must be of (minimal) format: CODE_TOKEN_25

The Rearrangements regular responses (2. and 4.) must be of (minimal) format: CODE_TOKEN_26

Any extra fields used for Repertoire or Rearrangement can be used if they are set in the CSV config file.

As mentioned, facets must be supported. The middleware when receiving a user query for repertoires of the like: CODE_TOKEN_27

Will modify the request to before sending it to the repository: CODE_TOKEN_28

The middleware expects a minimal facets response of the like: CODE_TOKEN_29

In the example above the filters, from and size parameters can be discarded by the repository. If the filters support is not compliant enough as discussed below the facets feature MUST be disabled in the middleware to avoid security issues (even though the middleware makes use of the repository's facets function). The official documentation (ADC v1) does not specify that the parameters from and size can be used with the facets parameter, and they can be safely discarded by the repository, but in order to improve security (by limitting the scope of the emitted tokens) and avoid UI clutter these should be supported and should perform the same query along with filters as done in a regular search without facets, that is, the set of field values returned by a regular search, and by using facets must be the same.

Facets

To use facets the repository backend MUST support the ADC filters query feature as described here, otherwise this feature MUST be disabled in the middleware's config.

More specifically the in filters operator must be supported, and the and operator for chaining with user requests. If a user makes a Repertoires search request like:

CODE_TOKEN_30

The middleware modifies the request and sends: CODE_TOKEN_31

Likewise for Rearrangements but with the repertoire_id value for in's field.

It is assumed that, like in the AIRR ADC API, an empty in: CODE_TOKEN_32 would make the backend return an empty Facet response.

If there are values for the array sent in the in operator the ids MUST be matched against the response, otherwise an information leak is created.

TSV format

TSV format is supported for the POST /v1/rearrangement endpoint.

The user's requested fields cannot be nested documents/objects (in the default CSV configuration no rearrangement fields are nested objects).

TSV support is implemented in the middleware itself by translating JSON to TSV.

Adding OpenID Connect third-party Identity Providers

  1. Login to keycloak's admin panel.
  2. Go to Identity Providers in the side bar and add a OpenID Connect provider, set the alias which will be the display name (for example to orcid) and make note of the generated Redirect URI.
  3. Add keycloak to third party OIDC IdP.

For ORCDID login as an account, go to developer tools, and add keycloak: set the Your website URL to keycloak's host (example http://localhost:8082) and put in Redirect URIs the url generated in keycloak from the previous step (example http://localhost:8082/auth/realms/master/broker/orcid/endpoint). Make note of the Client ID and Client Secret. Save.

For EGI Checkin: In the dashboard from step 2, add generated info from previous step.

For ORCID put [***] URL, [***] Authentication to Client secret sent as post and input the client ID and client secret from the previous step in Client ID and Client Secret. Save

For EGI Checkin put [***] URL, [***] secret sent as post and input client ID and secret. Save

Implementation Details

You can see here a python-like pseudo-code which describes this whole middleware server's working.

Notes

You can obtain the Postman folder that you can use to test the middleware solution's ADC features in more depth https://github.com/Ross65536/adc-middleware/releases/download/docs/adc-middleware.postman_collection.json

镜像拉取方式

您可以使用以下命令拉取该镜像。请将 <标签> 替换为具体的标签版本。如需查看所有可用标签版本,请访问 标签列表页面。

轩辕镜像加速拉取命令点我查看更多 adc-middleware 镜像标签

docker pull docker.xuanyuan.run/ros65536/adc-middleware:<标签>

使用方法:

  • 登录认证方式
  • 免认证方式

DockerHub 原生拉取命令

docker pull ros65536/adc-middleware:<标签>

轩辕镜像配置手册

按平台快速找到配置文档

一键安装

一键安装 Docker

Linux Docker 一键安装

AI

用 AI 使用轩辕镜像

agents.md · AI 对话 · 提示词

Docker

登录仓库拉取

登录认证 · 私有仓库

专属域名拉取

免登录 · 高速拉取

Linux

Docker 镜像配置

Windows / Mac

Docker Desktop 配置

MacOS OrbStack

OrbStack 容器

Apple Container

macOS 原生容器

Docker Compose

Compose 项目配置

NAS

群晖

Synology 配置

飞牛

fnOS 镜像配置

绿联

绿联 NAS

威联通

QNAP 配置

极空间

极空间 NAS

Unraid

Unraid NAS

企业仓库

其他仓库

ghcr · Quay · nvcr

Harbor 镜像源

Proxy Repository 对接

Portainer 镜像源

Registries 配置

Nexus 镜像源

Docker Proxy 缓存

开发工具

Dev Containers

VS Code 开发容器

Podman

Podman 配置指南

Singularity / Apptainer

HPC 科学计算容器

Kubernetes

K8s Containerd

Kubernetes · Containerd

K3s

轻量级集群

面板 / 网络

爱快路由

iKuai 镜像加速

宝塔面板

一键配置镜像源

需要其他帮助?请查看我们的 常见问题Docker 镜像访问常见问题解答 或 提交工单

镜像拉取常见问题

功能

版本功能对比

功能对比 · 版本选择

支持的镜像仓库

Docker Hub · GCR · GHCR

新手拉取配置

登录 · 专属域名 · 配置

docker search 限制

专属域名 · Hub 搜索

不支持 push

仅支持 pull · 不支持

拉取速度原因

带宽 · 缓存 · 冷热镜像

错误码

402 与流量用尽

402 · 流量包 · 充值

401 认证失败

401 · docker login

manifest unknown

标签错误 · 镜像不存在

410 Gone 排查

410 · Docker 升级

429 限流

免费版 · 专业版 · 企业版 · 请求频率

其他报错

DNS 超时

DNS 解析 · 网络超时

TLS 证书失败

no matching manifest(架构)

账号

失败是否计费

manifest · blob · 计费

申请开发票(企业 / 个人)

企业 · 个人 · 工单

修改登录密码

网站 · 仓库 · 重置

注销账户

工单 · 数据 · 注销

原理

mirrors 不生效

daemon.json · 重启

去掉域名前缀

docker tag · 重命名

指定架构拉取

ARM64 · AMD64 · 多架构

latest 与「最新」

digest · 版本号 · 标签

查看全部问题→

用户好评

来自真实用户的反馈,见证轩辕镜像的优质服务

用户头像

oldzhang

运维工程师

Linux服务器

5

"Docker访问体验非常流畅,大镜像也能快速完成下载。"

轩辕镜像
镜像详情
...
ros65536/adc-middleware
定价查看流量套餐与价格
博客Docker 镜像公告与技术博客
专业版 · 高速稳定拉取镜像
高速镜像下载·在线技术支持·99.95% SLA 保障·付费会员免广告
50GB 仅 ¥7/年
专业版 · 高速稳定拉取镜像
50GB 仅 ¥7/年
高速镜像下载·在线技术支持·99.95% SLA 保障·付费会员免广告
用户协议·隐私政策·增值电信业务经营许可证:浙B2-20261007·©2024-2026 源码跳动©2024-2026 杭州源码跳动科技有限公司·商务合作:点击复制邮箱

更多 adc-middleware 镜像推荐

okteto/golang-middleware-template logo

okteto/golang-middleware-template

okteto
暂无描述
693 次下载
6 年前更新
mosipid/registration-processor-abis-middleware-stage logo

mosipid/registration-processor-abis-middleware-stage

mosipid
暂无描述
5万+ 次下载
2 年前更新
mosipint/registration-processor-abis-middleware-stage logo

mosipint/registration-processor-abis-middleware-stage

mosipint
暂无描述
5万+ 次下载
2 年前更新
middlewareeng/middleware logo

middlewareeng/middleware

middlewareeng
MiddlewareHQ开源工具的Docker镜像,用于快速部署和运行该开源项目。
1 次收藏1万+ 次下载
28 天前更新
appsvc/middleware logo

appsvc/middleware

appsvc
暂无描述
3 次收藏1000万+ 次下载
5 年前更新
okteto/golang-middleware-template logo

okteto/golang-middleware-template

okteto
暂无描述
693 次下载
6 年前更新

查看更多 adc-middleware 相关镜像