
Fence

What Does it Do

Fence is a core service for a gen3 data commons which handles authentication. It is necessary for a commons to run: it handles authentication on the /login endpoint and creates presigned URLs in the presigned-url-fence pods.

How to Configure it

fence:
  # Whether or not to deploy the service
  enabled: true

  # What image/tag to pull
  image:
    tag:
    repository:

  # FENCE_CONFIG
  FENCE_CONFIG:
    OPENID_CONNECT:
      google:
        client_id: "insert.google.client_id.here"
        client_secret: "insert.google.client_secret.here"

  # -- (string) USER YAML. Passed in as a multiline string.
  USER_YAML: |
    <the contents of your user.yaml here>


You need to ensure a proper working fence-config file. Fence is highly configurable and much of the config is commons specific, but the most important fields to configure are shown above.
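A pre-deploy check for the values above, added here as an example and not part of the chart or of fence itself: it walks the fence: subtree and flags any value still left as a template placeholder or empty (the image tag, the google client_secret, the USER_YAML), since those would otherwise end up in the rendered fence-config. The key names follow the snippet; the sample values, including the repository name, are constructed.

```python
import re
from typing import Any, Dict, List

# Values the chart ships as templates that must be replaced before deploying:
# "insert.<thing>.here" for secrets and "<the contents of your user.yaml here>".
PLACEHOLDER_RE = re.compile(r"^insert\..*\.here$|^<.*>$")


def find_placeholders(node: Any, path: str = "") -> List[str]:
    """Recursively walk a values tree and return dotted paths whose value is
    still a template placeholder, None, or an empty string."""
    hits: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            hits.extend(find_placeholders(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_placeholders(item, f"{path}[{i}]"))
    elif node is None:
        hits.append(path)
    elif isinstance(node, str):
        text = node.strip()
        if not text or PLACEHOLDER_RE.match(text):
            hits.append(path)
    return hits


def check_fence_values(values: Dict[str, Any]) -> List[str]:
    """Return problems that would make the rendered fence-config unusable."""
    fence = values.get("fence", {})
    problems = [f"placeholder or empty value at {p}" for p in find_placeholders(fence, "fence")]
    oidc = fence.get("FENCE_CONFIG", {}).get("OPENID_CONNECT", {})
    if not oidc:
        problems.append("no OPENID_CONNECT provider configured; /login will have nothing to authenticate against")
    return problems


# Constructed sample mirroring the chart snippet, with the image tag,
# the google client_secret and USER_YAML left unset.
SAMPLE_VALUES = {
    "fence": {
        "enabled": True,
        "image": {"tag": None, "repository": "example.registry/cdis/fence"},
        "FENCE_CONFIG": {"OPENID_CONNECT": {"google": {
            "client_id": "123.apps.googleusercontent.com",
            "client_secret": "insert.google.client_secret.here"}}},
        "USER_YAML": "<the contents of your user.yaml here>",
    }
}

if __name__ == "__main__":
    for problem in check_fence_values(SAMPLE_VALUES):
        print("FAIL:", problem)
```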

For more information see this

For user.yaml, see this guide on how to construct one properly. This file controls access to your data commons:

https://github.com/uc-cdis/fence/blob/master/docs/user.yaml_guide.md

Extra Information

Fence Pods

  • Fence is split into 2 deployments:
    • the regular fence deployment, which handles commons authentication;
    • the presigned-url-fence deployment, into which the presigned URL feature of fence is split out.
  • Both get set up and deployed with a gen3 installation.

Troubleshooting Fence

Some common SQL queries can be found here.

Setting up OIDC clients

OIDC clients are used by applications to authenticate to fence. Often these are external users setting up apps which leverage gen3, and an OIDC client will need to be set up for them. After creation, the client_id and client_secret will need to be shared with the application owner. To create these clients you will need to exec into a fence container and run the following commands.