view Sphinx/source/plugins/google-cloud-platform.rst @ 1123:292479b06402

security: authentication wrt RemoteAccess
author Alain Mazy <am@orthanc.team>
date Thu, 19 Dec 2024 08:17:02 +0100
parents 60b0b7ea409b
children
line wrap: on
line source

.. _google:


Google Cloud Platform plugin
============================

.. contents::

   
Introduction
------------

The Orthanc project freely provides the `source code
<https://orthanc.uclouvain.be/hg/orthanc-gcp/file/default/>`__ of a plugin
to interface Orthanc with the Healthcare API of `Google Cloud Platform
(GCP) <https://en.wikipedia.org/wiki/Google_Cloud_Platform>`__ through
`DICOMweb <https://www.dicomstandard.org/using/dicomweb>`__.

This GCP plugin turns Orthanc into a DICOMweb client connected to GCP
servers, enabling the upload of DICOM images using STOW-RS, the
querying of the cloud content using QIDO-RS, and the retrieval of
remote content using WADO-RS. These operations can be possibly
:ref:`scripted <dicomweb-client>` thanks to the REST API of Orthanc.

Concretely, the role of the GCP plugin is to `manage the credentials
<https://cloud.google.com/docs/authentication/>`__ to Google Cloud
Platform. It requires the official :ref:`DICOMweb plugin <dicomweb>`
to be installed, as all the user interactions are done through the
latter plugin. As soon as Orthanc is started, the GCP plugin
automatically acquires then periodically refreshes the access tokens,
transparently updating the remote :ref:`DICOMweb servers
<dicomweb-client-config>` that are known to the DICOMweb plugin. The
access tokens can be derived either from service accounts, or from
user accounts.

This page makes the assumption that you have created a Google Cloud
Platform project, in which you have enabled the `Healthcare API
<https://cloud.google.com/healthcare/>`__, and in which you have
created a `DICOM store
<https://cloud.google.com/healthcare/docs/how-tos/dicom>`__.


Pre-compiled binaries
---------------------

As of today, there are no known distribution of pre-compiled binaries
for this plugin.


Compilation
-----------

.. highlight:: text

The procedure to compile the GCP plugin is similar of that for the
:ref:`core of Orthanc <compiling>`. The following commands should work
on any recent UNIX-like distribution (including GNU/Linux)::

  $ mkdir Build
  $ cd Build
  $ cmake .. -DSTATIC_BUILD=ON -DCMAKE_BUILD_TYPE=Release
  $ make

The compilation produces a shared library
``OrthancGoogleCloudPlatform`` that contains the GCP
plugin. 

Under the hood, the GCP plugin is built on the top of the official
`Google Cloud Platform C++ Client Libraries
<https://github.com/googleapis/google-cloud-cpp>`__.


Configuration
-------------

Dependencies
^^^^^^^^^^^^

As explained above, the GCP plugin requires Orthanc (with version
above 1.5.4), and the :ref:`official DICOMweb plugin <dicomweb>` to be
installed (with version above 1.0). All the communications with Google
Cloud Platform are done using the DICOMweb plugin, and the
responsibility of the GCP plugin is to aquire and periodically refresh
the access tokens whose lifetime is limited.


Common parameters
^^^^^^^^^^^^^^^^^

There are some common parameters to be set. Firstly, the ``Plugins``
:ref:`configuration option <configuration>` of Orthanc must contain
the path that contains the ``OrthancGoogleCloudPlatform`` shared
library.

Secondly, obtaining the access tokens for Google Cloud Platform
necessitates a sequence of HTTPS requests. As a consequence, the
Orthanc configuration must specify how the authenticity of the Google
servers is verified. You have two possibilities to that end:

1. Disabling the verification of the remote servers (**not recommended
   in production**). This is done by setting option ``HttpsVerifyPeers``
   to ``false``.

2. Providing a list of `trusted Certificate Authorities (CA)
   <https://curl.haxx.se/docs/sslcerts.html>`__ to the HTTPS client
   that is internally used by Orthanc (namely, `cURL
   <https://en.wikipedia.org/wiki/CURL>`__). This is done by properly
   setting ``HttpsCACertificates`` option, so that it points to a file
   containing a store of CA certificates. Depending on your operating
   system, this file can be found as follows:

   * On Debian-based system, the standard file
     ``/etc/ssl/certs/ca-certificates.crt`` can be used.
   * On other systems (including Microsoft Windows), the cURL project
     provides `CA certificates
     <https://curl.haxx.se/docs/caextract.html>`__ that are extracted
     from Mozilla.

Note that to debug HTTPS communications, you have the possibility of
setting the ``HttpVerbose`` configuration option of Orthanc to
``true``. It can also be useful to run Orthanc in ``--verbose`` mode
(check out :ref:`this page <log>`).



Service account
^^^^^^^^^^^^^^^

As explained on the `Google documentation
<https://cloud.google.com/docs/authentication>`__, *"a service account
is a Google account that represents an application, as opposed to
representing an end user"*. This is presumably the most common
situation in the case of Orthanc.

You first have to `create a service account
<https://cloud.google.com/docs/authentication/getting-started>`__ for
your application. This will produce a JSON file (say,
``dicom-osimis.json``) that you have to store securely on the server
that will run Orthanc.

.. highlight:: json

Secondly, you have to modify the :ref:`Orthanc configuration
<configuration>` in order to provide the GCP plugin with your service
account file and with the parameters of your `DICOM store
<https://cloud.google.com/healthcare/docs/how-tos/dicom>`__. Here is a
sample, minimalist configuration of Orthanc::

  {
    "HttpsCACertificates": "/etc/ssl/certs/ca-certificates.crt",
    "Plugins" : [ "." ],
    "GoogleCloudPlatform" : {
      "Accounts": {
        "my-google" : {
          "Project" : "osimis-test",
          "Location" : "europe-west2",
          "Dataset" : "test",
          "DicomStore" : "dicom",
          "ServiceAccountFile" : "dicom-osimis.json"
        }
      }
    }
  }


In this example, once the GCP plugin has succeeded to authenticate
using the service account, the DICOMweb plugin will provide access to
the cloud DICOM store at URI ``/dicom-web/servers/my-google/`` of the
REST API of Orthanc.


User account
^^^^^^^^^^^^

User account is an alternative to service account, and can be used
*"when the application needs to access resources on behalf of an end
user"* (check out the `Google documentation
<https://cloud.google.com/docs/authentication/end-user>`__).

.. highlight:: json

The easiest way of setting up a user account is through the `gcloud
command-line tool <https://cloud.google.com/sdk/gcloud/>`__.
`Google's quick-starts
<https://cloud.google.com/sdk/docs/quickstarts>`__ explain how to
initialize the environment depending on your operating system (check
out the "Initialize the SDK" sections, which essentially boil down to
calling ``gcloud init``).


.. highlight:: bash

Once the ``gcloud init`` command-line has been invoked, you can
extract credentials to be used by Orthanc by typing the following
command::

  $ gcloud auth print-access-token --format json


.. highlight:: json

This command generates a JSON file containing all the required
information, that can be written to a file (say,
``dicom-user.json``). Given this file, here is a sample, minimalist
configuration of Orthanc::

  {
    "HttpsCACertificates": "/etc/ssl/certs/ca-certificates.crt",
    "Plugins" : [ "." ],
    "GoogleCloudPlatform" : {
      "Accounts": {
        "my-google" : {
          "Project" : "osimis-test",
          "Location" : "europe-west2",
          "Dataset" : "test",
          "DicomStore" : "dicom",
          "AuthorizedUserFile" : "dicom-osimis.json"
        }
      }
    }
  }

In this example, once the GCP plugin has succeeded to authenticate
using the user account, the DICOMweb plugin will provide access to the
cloud DICOM store at URI ``/dicom-web/servers/my-google/`` of the REST
API of Orthanc.


.. highlight:: bash

Note that only 3 fields in the JSON file produced by the ``gcloud auth
print-access-token`` command are required: ``client_id``,
``client_secret``, and ``refresh_token``. Instead of using the full
JSON file, you can extract only these fields, e.g. using the `jq
<https://stedolan.github.io/jq/>`__ command-line tool::

  $ gcloud auth print-access-token --format json | jq '{ AuthorizedUserClientId: .client_id, AuthorizedUserClientSecret:.client_secret, AuthorizedUserRefreshToken:.refresh_token }'
  {
    "AuthorizedUserClientId": "XXXXXXXXXX.apps.googleusercontent.com",
    "AuthorizedUserClientSecret": "ZmssLNXXXXXX",
    "AuthorizedUserRefreshToken": "1/e2ngXXXXXX"
  }


.. highlight:: json

These fields can then be copied/pasted as follows in order to create a
configuration for Orthanc that is equivalent to the one using the
separate JSON file::
  
  {
    "HttpsCACertificates": "/etc/ssl/certs/ca-certificates.crt",
    "Plugins" : [ "." ],
    "GoogleCloudPlatform" : {
      "Accounts": {
        "my-google" : {
          "Project" : "osimis-test",
          "Location" : "europe-west2",
          "Dataset" : "test",
          "DicomStore" : "dicom",
          "AuthorizedUserClientId": "XXXXXXXXXX.apps.googleusercontent.com",
          "AuthorizedUserClientSecret": "ZmssLNXXXXXX",
          "AuthorizedUserRefreshToken": "1/e2ngXXXXXX"
        }
      }
    }
  }


Advanced options
^^^^^^^^^^^^^^^^

.. highlight:: json

Some advanced configuration options are available as well, as
summarized in this excerpt::

  {
    ...
    // In seconds, must be large enough to send/receive your largest studies
    // using WADO or STOW, depending on the speed of your Internet connection
    "HttpTimeout" : 600,

    "GoogleCloudPlatform" : {
      ...
       // Path to the URL of the GCP services
      "BaseUrl" : "https://healthcare.googleapis.com/v1beta1/"
    }
  }