1 change: 1 addition & 0 deletions additionaldocs/README.md
@@ -4,3 +4,4 @@
- [Development](./development.md)
- [SageMaker](./sagemaker)
- [ECS](./ecs)
- [Auth](./auth.md)
109 changes: 109 additions & 0 deletions additionaldocs/auth.md
@@ -0,0 +1,109 @@
# Authentication and Authorization

The Graph Explorer UI does not have built-in support for any user authentication or authorization.

Anyone with access to the service URL can access the graph data (even if Neptune database instances are locked down, because the UI is not). This is a security issue if the data is sensitive.
Contributor
This depends. If deployed on a Neptune Notebook instance (the default customer experience for using Graph Explorer), the endpoint is protected behind the Neptune (SageMaker) Notebook endpoint (which requires IAM authentication). We use Jupyter Proxy to expose the Graph Explorer container as a path on the SageMaker Notebook endpoint (ex: https://notebook-name.notebook.us-west-2.sagemaker.aws/proxy/9250/explorer/#/graph-explorer). Access to this only works if you pass a valid IAM SigV4 signature with the request to this endpoint.

So this only becomes an issue for custom deployments that are not part of a Neptune Notebook deployment. We should call this out here, as we don't want to give the impression that Graph Explorer has no means of authentication regardless of deployment model.

Author
@triggan Good point. I have changed the documentation to make it clear that this is only applicable for custom deployments.


Authentication can be added by putting Graph Explorer behind an Nginx reverse proxy server. The Graph Explorer route should only be accessible by Nginx. Nginx can then be configured to add authentication.


## HTTP Basic Authentication

Nginx natively supports HTTP Basic Authentication.

Minimal example Nginx configuration:

```nginx
server {

location / {
auth_basic "Graph Explorer Login";
auth_basic_user_file /etc/nginx/auth/htpasswd;

set $upstream_graph_explorer graph_explorer.svc.cluster.local:8080;
proxy_pass http://$upstream_graph_explorer;
}

}
```

The example configuration assumes that Graph Explorer is running on `http://graph_explorer.svc.cluster.local:8080`, which is only accessible to Nginx.

Create and mount a `/etc/nginx/auth/htpasswd` file on the Nginx pod or server. Passwords can be generated using `pwgen` and encoded using `openssl passwd`.

Example `htpasswd` file contents:

```
# password file
# format USER:PASSWORD:COMMENT
admin:$1$OasDSiq8$E6lJaEHz0rjM5DXj2GwZv.
# username: admin; password: admin
```


## LDAP and Active Directory Authentication

Nginx lacks built-in support for LDAP and Active Directory authentication.

The [`ngx_http_auth_request_module`](https://nginx.org/en/docs/http/ngx_http_auth_request_module.html) module for Nginx can be used to implement client authorization based on the result of a sub-request to another service.

An `nginx-ldap-auth-service` deployment (a project developed and used at Caltech) can be used to authenticate users against LDAP and Active Directory.

References for `nginx-ldap-auth-service`:

- [Documentation](https://nginx-ldap-auth-service.readthedocs.io)
- [Container registry](https://hub.docker.com/r/caltechads/nginx-ldap-auth-service)
- [Source code](https://github.com/caltechads/nginx-ldap-auth-service)

The `nginx-ldap-auth-service` service is configured using environment variables. Please the [environment documentation](https://nginx-ldap-auth-service.readthedocs.io/en/latest/configuration.html#environment) for details on configuring the service.

Minimal example Nginx configuration:

```nginx
server {

location / {
auth_request /check-auth;

# If the auth service returns a 401, redirect to the login page.
error_page 401 =200 /auth/login?service=$request_uri;

set $upstream_app APP_SERVICE_NAME.APP_NAMESPACE.svc.cluster.local:8080;
proxy_pass http://$upstream_app;
}

location /auth {
set $upstream_graph_ldap LDAP_SERVICE_NAME.LDAP_SERVICE_NAMESPACE.svc.cluster.local:8888;
proxy_pass http://$upstream_ldap;

proxy_set_header X-Cookie-Name "nginxauth";
proxy_set_header X-Cookie-Domain "NGINX_GATEWAY_DOMAIN";
proxy_set_header X-Auth-Realm "Restricted Area";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Cookie nginxauth_csrf=$cookie_nginxauth_csrf;
}

location /check-auth {
internal;

set $upstream_graph_ldap LDAP_SERVICE_NAME.LDAP_SERVICE_NAMESPACE.svc.cluster.local:8888;
proxy_pass http://$upstream_ldap/check;

proxy_pass_request_headers off;
proxy_pass_request_body off;
proxy_set_header Content-Length "";

proxy_ignore_headers "Set-Cookie";
proxy_hide_header "Set-Cookie";

proxy_set_header X-Cookie-Name "nginxauth";
proxy_set_header X-Cookie-Domain "NGINX_GATEWAY_DOMAIN";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
}

}
```

The example configuration assumes that Graph Explorer on running on an internal `http://APP_SERVICE_NAME.APP_NAMESPACE.svc.cluster.local:8080` route and that the auth service is running on `http://LDAP_SERVICE_NAME.LDAP_SERVICE_NAMESPACE.svc.cluster.local:8888`.
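Review bot: In both `location /auth` and `location /check-auth` the variable is assigned as `$upstream_graph_ldap` but `proxy_pass` references `$upstream_ldap`, which is never set; nginx refuses to load the configuration with an unknown-variable error, so the LDAP example cannot work as written. Use one name in both blocks, e.g. `set $upstream_ldap LDAP_SERVICE_NAME.LDAP_SERVICE_NAMESPACE.svc.cluster.local:8888;` followed by `proxy_pass http://$upstream_ldap;`. In the Basic Auth section, the `htpasswd` sample publishes an `admin`/`admin` credential hashed with MD5-crypt (`$1$`); readers tend to copy examples verbatim, so either label it as a throwaway illustration or regenerate it with a stronger crypt() scheme such as SHA-512 (`openssl passwd -6`) and a non-default password. Both `server` blocks terminate plain HTTP and Basic Auth sends credentials base64-encoded on every request, so the text should state that TLS must be terminated at or in front of Nginx. Two typos: "Please the [environment documentation]" is missing "see", and "Graph Explorer on running on an internal" should read "is running on an internal".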