Releases: lsst-sqre/gafaelfawr

5.0.2

29 Jul 21:47
@rra
eb6b496
  • Improved error handling for LDAP queries. Hopefully Gafaelfawr should now recover automatically from LDAP outages.
  • Gafaelfawr now uses a pure pyproject.toml build system (using the beta support in setuptools) rather than using setup.cfg or setup.py.
  • Substantial improvements to the documentation. Much of the design and implementation information has moved to tech notes, and the Gafaelfawr documentation references those. The changelog is now maintained in Markdown to ease preparation of GitHub releases.
  • Improve logging of exceptions by adding a few more from clauses where appropriate.

5.0.1

21 Jul 17:00
@rra
49ebc0c
  • Retry LDAP queries after a bonsai ConnectionError exception, which may happen due to an intervening firewall timing out the TCP connection.
  • Improve logging of exceptions by adding from clauses where appropriate to expose the underlying triggering exception.
  • Update dependencies.

5.0.0

15 Jul 21:45
@rra
8dda96a
  • Service tokens now must be for bot users, meaning that the username must begin with bot-. This applies to any tokens created via the /auth/api/v1/tokens route or via Kubernetes GafaelfawrServiceToken resources and the Kubernetes controller.
  • Drop support for retrieving the username from LDAP. CILogon can do this automatically and put the username in the OpenID Connect ID token, which was the only use case we had for this functionality. Remove it, and the config.ldap.usernameBaseDn and config.ldap.usernameSearchAttr Helm parameters, to reduce complexity.
  • The user is now redirected to the enrollment URL, if configured, when the username claim is missing from the upstream OpenID Connect ID token, rather than tying the enrollment URL feature to the (now removed) LDAP lookup of the username.
  • Add support for getting the full name and email address from LDAP as well. Those plus numeric UID (if configured) now all use config.ldap.userBaseDn and config.ldap.userSearchAttr to configure how the user's LDAP directory entry is found. Enabling numeric UID lookups now requires setting config.ldap.uidAttr plus config.ldap.userBaseDn, and config.ldap.uidBaseDn is no longer a valid configuration setting.
  • LDAP data is cached for up to five minutes to reduce latency and load on the LDAP server.
  • Gafaelfawr now uniformly treats data stored with the token as overriding data from external sources, such as LDAP or Firestore. This also applies to tokens created by admins. To create a token but use user data from external sources, omit that data (such as UID or email) in the token creation request.
  • Allow data to be missing from LDAP. Users are allowed to not have email addresses or full names.
  • Allow users who are not found in LDAP. These will normally be created via the admin token API. User data such as UID, full name, and email address that would normally be retrieved from LDAP (depending on the configuration) will be null instead.
  • Rename config.ldap.baseDn to config.ldap.groupBaseDn to make it clearer that it is only used for group membership searches.
  • The return status of a successful PATCH /auth/api/v1/users/<username>/tokens/<token> request is now 200 instead of 201. Since this modifies a resource rather than creating one, that status code seems more accurate.
  • Add gafaelfawr delete-all-data command-line invocation that deletes all data except Firestore UID/GID assignments. This may be useful when performing destructive updates where everyone's usernames may change.
  • Use a connection pool for LDAP queries instead of opening a new connection for each query.
  • Fix verification of OpenID Connect ID tokens when the upstream issuer URL has a path component. Previous versions of Gafaelfawr would incorrectly look for standard metadata URLs one path level too high.
  • Disallow usernames containing only digits, bringing the username policy in sync with DMTN-225.
  • Report better errors to the user if Firestore or LDAP fail during login.
  • Add config.oidc.usernameClaim and config.oidc.uidClaim Helm configuration options to customize which claims from the upstream OpenID Connect ID token are used to get the username and UID.
  • Update dependencies.
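The issuer path bug fixed in this release, worked through as an added example (my code, not Gafaelfawr's): OpenID Connect Discovery 1.0 forms the metadata URL by removing any terminating slash from the issuer and appending /.well-known/openid-configuration, so an issuer with a path component keeps that path. A second function shows the check that makes the retrieved keys trustworthy at all: the issuer field of the fetched document must be identical to the configured issuer. The function names, the https requirement on jwks_uri and the sample issuer https://idp.example.com/realms/rubin are assumptions for illustration.

```python
"""Build and validate OpenID Connect discovery URLs from an issuer URL.

Added example, not Gafaelfawr code. It works through the bug fixed in
Gafaelfawr 5.0.0: when the issuer URL has a path component, the discovery
document lives under that path, not at the host root.
"""

from urllib.parse import urlsplit, urlunsplit

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def discovery_url_buggy(issuer: str) -> str:
    """Reproduce the pre-5.0.0 behaviour described in the release notes.

    The issuer's path is discarded, so an issuer such as
    https://idp.example.com/realms/rubin is looked up one path level too
    high, at the host root.
    """
    parts = urlsplit(issuer)
    return urlunsplit((parts.scheme, parts.netloc, DISCOVERY_SUFFIX, "", ""))


def discovery_url(issuer: str) -> str:
    """Build the discovery URL as OpenID Connect Discovery 1.0 specifies.

    The issuer is used as-is, minus any terminating slash, and the
    well-known suffix is appended, so a path component is preserved.
    """
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"issuer must be an absolute https URL: {issuer!r}")
    if parts.query or parts.fragment:
        raise ValueError("issuer URL must not contain a query or fragment")
    path = parts.path.rstrip("/") + DISCOVERY_SUFFIX
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def check_discovery_document(issuer: str, document: dict) -> str:
    """Validate a fetched discovery document and return its jwks_uri.

    Discovery 1.0 requires the document's issuer value to be identical to
    the issuer URL used to fetch it. If it is not, the document (and the
    keys it points to) must not be trusted for tokens from this issuer.
    """
    if document.get("issuer") != issuer:
        raise ValueError(
            f"discovery document issuer {document.get('issuer')!r} "
            f"does not match configured issuer {issuer!r}"
        )
    jwks_uri = document.get("jwks_uri")
    # Requiring https for the key endpoint is this example's own choice.
    if not isinstance(jwks_uri, str) or not jwks_uri.startswith("https://"):
        raise ValueError("discovery document has no usable https jwks_uri")
    return jwks_uri


if __name__ == "__main__":
    issuer = "https://idp.example.com/realms/rubin"  # constructed sample
    print("buggy:", discovery_url_buggy(issuer))
    print("fixed:", discovery_url(issuer))
```

Running the block prints the two URLs side by side: the buggy form drops /realms/rubin and would fetch whatever document (if any) the host serves at its root, while the corrected form resolves under the issuer's path.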

4.1.0

29 Apr 22:05
@rra
5396531
  • Support assigning UIDs and GIDs using Google Firestore. When this is enabled, UID and GID information from the upstream OpenID Connect provider or from LDAP is ignored, and instead Gafaelfawr assigns UIDs and GIDs to usernames and group names on first use. UIDs and GIDs for usernames and group names will be retrieved from Firestore on initial authentication if already assigned. Currently, OpenID Connect (via CILogon or a generic server) must be used as the authentication provider to use Google Firestore UID and GID assignment.
  • Add an optional enrollment URL configuration when CILogon or generic OpenID Connect is used with LDAP lookups of the username. If this is set and the sub claim in the ID token does not resolve to a user entry in LDAP, the user will be redirected to this URL instead of an error page.
  • Group information from LDAP is now retrieved dynamically when needed instead of stored with an authentication token, so it will change dynamically if the user's groups change in LDAP. This does not affect the token's scopes, only the group information retrieved by a user-info API request.
  • Support authenticated simple binds to an LDAP server. This requires setting the Helm config.ldap.userDn parameter and adding a new ldap-password secret.
  • Support retrieving the username from LDAP when using an upstream OpenID Connect provider. This is configured with the new config.ldap.usernameBaseDn and config.ldap.usernameSearchAttr Helm parameters.
  • Use the image from the GitHub Container Registry instead of Docker Hub.
  • Update dependencies.

4.0.0

25 Mar 23:09
@rra
37f1d8d

As of this release, the only supported mechanism for installing Gafaelfawr is as part of the Vera C. Rubin Science Platform, using Phalanx.

  • The Gafaelfawr token lifetime is now configured with config.tokenLifetimeMinutes instead of config.issuer.expMinutes.
  • The internal OpenID Connect server now puts the numeric UID in a uid_number claim rather than uidNumber for consistency with the naming scheme of other claims.
  • InfluxDB 1.x token generation is now configured with config.influxdb.enabled and config.influxdb.username without the issuer component.
  • Drop support for restricting the upstream OpenID Connect provider to specific key IDs. This prevents upstream key rotation for dubious security benefit given that Gafaelfawr still verifies the issuer URL and then reaches out to its .well-known endpoints to retrieve the public key and verify the key signature.
  • Log token scopes as proper lists instead of space- or comma-separated strings.
  • Return 404 with a proper error if the OpenID Connect server routes are accessed when Gafaelfawr is not configured to act as an OpenID Connect server.
  • Drop support for Python 3.9.
  • Update dependencies.

3.6.0

24 Feb 21:54
@rra
ec3b9e6
  • Add support for retrieving the user's numeric UID from LDAP when authenticating with an OpenID Connect provider.
  • Add required dependency for LDAP support to the Docker image.
  • Speed up tests somewhat.
  • Improve the development documentation.
  • Update dependencies.

3.5.0

14 Jan 00:16
@rra
792f563
  • Add support for obtaining group membership information from LDAP. Currently, this can only be used in conjunction with the OpenID Connect authentication provider.
  • Add Helm chart support for using a generic OpenID Connect provider for authentication.
  • Update dependencies.

3.4.1

10 Dec 01:10
@rra
01fd4d6
  • Fix database initialization with gafaelfawr init, which is also run on pod startup.
  • Update dependencies.

3.4.0

02 Dec 22:08
@rra
75521a9
  • Gafaelfawr now uses async SQLAlchemy for all database calls, which avoids latency affecting the whole process when a request requires database queries or writes.
  • Internal and notebook tokens are now acquired, when needed, while holding a per-user cache lock. This means that when a flood of requests that all require a delegated token come in at the same time, a given Gafaelfawr process allows only the first request to proceed and blocks the rest until it completes. All the other requests are then served from the cache. This fixes a deadlock observed in previous versions of Gafaelfawr under heavy load from a single user who does not have a cached delegated token.
  • Update dependencies.
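The per-user cache lock described above, as an added example (my code, not Gafaelfawr's): a small delegated-token cache in which a burst of concurrent requests for the same user results in exactly one token acquisition, while the other requests wait on that user's asyncio.Lock and are then served from the cache. The re-check after taking the lock is what prevents the waiters from each acquiring their own token. The class and function names and the stand-in acquisition coroutine are assumptions for illustration.

```python
"""Single-flight acquisition of delegated tokens using a per-user lock.

Added example, not Gafaelfawr code. It illustrates the 3.4.0 change: a
given process lets only the first request for a user proceed to acquire a
delegated token and blocks the rest until that acquisition completes.
"""

import asyncio
from collections import defaultdict
from typing import Awaitable, Callable


class DelegatedTokenCache:
    """Cache of delegated tokens keyed by username, with per-user locks."""

    def __init__(self, acquire: Callable[[str], Awaitable[str]]) -> None:
        self._acquire = acquire  # coroutine that creates a new token
        self._cache: dict[str, str] = {}
        self._locks: dict[str, asyncio.Lock] = defaultdict(asyncio.Lock)
        self.acquisitions = 0  # how many real acquisitions happened

    async def get(self, username: str) -> str:
        """Return the cached token for username, acquiring one if needed."""
        token = self._cache.get(username)
        if token is not None:
            return token
        async with self._locks[username]:
            # Re-check after taking the lock: the request that held the
            # lock before us has normally populated the cache by now.
            token = self._cache.get(username)
            if token is not None:
                return token
            self.acquisitions += 1
            token = await self._acquire(username)
            self._cache[username] = token
            return token


async def _slow_acquire(username: str) -> str:
    # Constructed stand-in for the real token creation call; the sleep
    # yields to the event loop so the concurrent requests pile up.
    await asyncio.sleep(0.01)
    return f"token-for-{username}"


async def _burst(cache: DelegatedTokenCache, username: str, n: int) -> list[str]:
    return await asyncio.gather(*(cache.get(username) for _ in range(n)))


def run_demo(requests: int = 20) -> dict:
    """Fire a burst of concurrent requests for one user, then for another.

    Returns the distinct tokens each user received and the total number of
    real acquisitions, which is one per user regardless of burst size.
    """

    async def main() -> dict:
        cache = DelegatedTokenCache(_slow_acquire)
        alice = await _burst(cache, "alice", requests)
        bob = await _burst(cache, "bob", 5)
        return {
            "alice_tokens": set(alice),
            "bob_tokens": set(bob),
            "acquisitions": cache.acquisitions,
        }

    return asyncio.run(main())


if __name__ == "__main__":
    print(run_demo())
```

Without the lock, every request in the burst would miss the cache at the same moment and each would call the acquisition coroutine, which is the flood the release notes describe; with it, the count of acquisitions stays at one per user.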

3.3.0

12 Nov 00:38
@rra
5cb66e3
  • The Docker image now starts a single async Python process rather than running multiple processes using Gunicorn. This follows the FastAPI upstream recommendations for applications running under Kubernetes. Scaling in Kubernetes is better handled by spawning multiple pods rather than running multiple frontend processes in each pod.
  • Update the base Docker image to Debian bullseye and Python 3.9.
  • Require Python 3.9 or later.
  • Update dependencies.