vmware · ivakoleva · Mar 22, 2022 · Mar 7, 2022 · Mar 8, 2022 · Mar 11, 2022
diff --git a/...ects/control-service/projects/base/src/main/java/com/vmware/taurus/base/FeatureFlags.java b/...ects/control-service/projects/base/src/main/java/com/vmware/taurus/base/FeatureFlags.java
@@ -30,4 +30,7 @@ public class FeatureFlags {
    @Value("${datajobs.security.kerberos.enabled:false}")
    boolean krbAuthEnabled = false;
 
+   @Value("${datajobs.security.oauth2.enabled:false}")
+   boolean oAuth2Enabled = true;
+
 }
diff --git a/...service/projects/base/src/main/java/com/vmware/taurus/security/SecurityConfiguration.java b/...service/projects/base/src/main/java/com/vmware/taurus/security/SecurityConfiguration.java
@@ -138,9 +138,11 @@ private void enableSecurity(HttpSecurity http) throws Exception {
                             .hasAnyAuthority(authorizedRoles.toArray(String[]::new));
                   }
                   authorizeRequests.anyRequest().authenticated();
-              })
-              .oauth2ResourceServer().jwt()
-              .jwtAuthenticationConverter(jwtAuthenticationConverter());
+              });
+
+        if (featureFlags.isOAuth2Enabled()) {
+            http.oauth2ResourceServer().jwt().jwtAuthenticationConverter(jwtAuthenticationConverter());
+        }
 
         if (featureFlags.isKrbAuthEnabled()) {
             http.addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),

diff --git a/...service/projects/pipelines_control_service/src/main/resources/application-prod.properties b/...service/projects/pipelines_control_service/src/main/resources/application-prod.properties
@@ -71,8 +71,20 @@ datajobs.proxy.repositoryUrl=${PROXY_DOCKER_REPO_URL}
 datajobs.git.read.write.username=${GIT_USERNAME_READ_WRITE}
 datajobs.git.read.write.password=${GIT_PASSWORD_READ_WRITE}
 
-# security configurations
-# featureflag.security.enabled - if yes specify:
+
+# Security configuration. Note if you enable security, you may
+# also enable authentication provider(s) and authorization
+# featureflag.security.enabled=true
+
+# Settings for Kerberos authentication provider
+datajobs.security.kerberos.enabled=${SECURITY_KERBEROS_ENABLED:false}
+# Properties mandatory if datajobs.security.kerberos.enabled=true
+datajobs.security.kerberos.kerberosPrincipal=${SECURITY_KERBEROS_SERVICE_PRINCIPAL:""}
+datajobs.security.kerberos.keytabFileLocation=${SECURITY_KERBEROS_SERVICE_KEYTAB_FILE_LOCATION:}
+datajobs.security.kerberos.krb5ConfigLocation=${SECURITY_KERBEROS_KRB5_CONFIG_LOCATION:}
+
+# Settings for OAuth2 authentication provider
+datajobs.security.oauth2.enabled=true
 
 # The JSON Web Key Set (JWKS) is a set of keys which contains the public keys
 # used to verify any JSON Web Token (JWT) issued by the authorization server

diff --git a/...trol-service/projects/pipelines_control_service/src/main/resources/application.properties b/...trol-service/projects/pipelines_control_service/src/main/resources/application.properties
@@ -36,6 +36,27 @@ logging.level.org.hibernate.type.descriptor.sql.BasicBinder=INFO
 
 spring.jpa.open-in-view=false
 
+
+# Security configuration. Note if you enable security, you may
+# also enable authentication provider(s) and authorization
+# featureflag.security.enabled=true
+
+# Settings for Kerberos authentication provider
+datajobs.security.kerberos.enabled=${SECURITY_KERBEROS_ENABLED:false}
+# Properties mandatory if datajobs.security.kerberos.enabled=true
+datajobs.security.kerberos.kerberosPrincipal=${SECURITY_KERBEROS_SERVICE_PRINCIPAL:""}
+datajobs.security.kerberos.keytabFileLocation=${SECURITY_KERBEROS_SERVICE_KEYTAB_FILE_LOCATION:}
+datajobs.security.kerberos.krb5ConfigLocation=${SECURITY_KERBEROS_KRB5_CONFIG_LOCATION:}
+
+# Settings for OAuth2 authentication provider
+datajobs.security.oauth2.enabled=true
+
+# The JSON Web Key Set (JWKS) is a set of keys which contains the public keys
+# used to verify any JSON Web Token (JWT) issued by the authorization server
+# It is required.
+spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI}
+# spring.security.oauth2.resourceserver.jwt.issuer-uri=${SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI}
+
 # Authorization configuration. Note if you enable authorization you should
 # also point the webhook endpoint against which authorization is delegated
 # in order for the feature to fully work
@@ -145,10 +166,3 @@ mail.smtp.host=smtp.vmware.com
 # Correspond to those defined by kubernetes
 # See https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
 datajobs.deployment.builder.imagePullPolicy=IfNotPresent
-
-# Settings for Kerberos authentication provider.
-datajobs.security.kerberos.enabled=${SECURITY_KERBEROS_ENABLED:false}
-# Properties mandatory if datajobs.security.kerberos.enabled=true
-datajobs.security.kerberos.kerberosPrincipal=${SECURITY_KERBEROS_SERVICE_PRINCIPAL:""}
-datajobs.security.kerberos.keytabFileLocation=${SECURITY_KERBEROS_SERVICE_KEYTAB_FILE_LOCATION:}
-datajobs.security.kerberos.krb5ConfigLocation=${SECURITY_KERBEROS_KRB5_CONFIG_LOCATION:}