Core Components Overview
The Five Safes TES Weave comprises a number of services which would usually be hosted separately.
These are listed below, along with a short description of their function, and with the local web addresses and user accounts.
These user accounts are only intended to be used in the DemoStack Quickstart for demonstration purposes. If you deploy this stack in a production environment then these must be changed.
Submission Layer
Submission UI
This is the front page of the stack, which any researchers interacting with the service will use. Approved researchers can submit tasks to a Project using the API or by interacting with the UI.
Hosted at: localhost:7220
Login credentials
Username: globaladminuser
Password: password123
Submission API
Backend logic for the Submission Layer.
Hosted at: localhost:5034
The Swagger UI for this service is hosted at localhost:5034/swagger.
TRE Layer (a.k.a. TRE Agent)
TRE UI
The TRE UI is a web application that allows users to manage the TRE.
Hosted at: localhost:8989
Login credentials
Username: globaladminuser
Password: password123
TRE API
Backend logic for the TRE service.
Hosted at: localhost:8072
The Swagger UI for this service is hosted at localhost:8072/swagger.
TRE-Camunda
This service holds the core logic handlers that help TRE-Agent manage user credentials for access to the TRE's database. In combination with the Camunda, Vault and LDAP services, it facilitates the creation and revocation of ephemeral user accounts used to access the TRE's database.
Camunda
Camunda comprises a workflow engine and a task list. It is used to manage the workflow of the credential management process. There are three main components needed to operate Camunda:
orchestration: a consolidated service that combines Zeebe + Operate + Tasklist. Read more here.
connectors: a service that allows Camunda to be integrated with other services. For example, TRE-Agent will trigger orchestration's workflows by sending requests to connectors.
elasticsearch: a service that stores Camunda's workflow data.
Vault
Vault is used to store and track the ephemeral user credentials for the credential management process. In short, Camunda creates the ephemeral user credentials and stores them in Vault. The TRE-Agent then retrieves the credentials from Vault and passes them to the Executor so it can access the TRE's database.
In production, you need to set up Vault and generate a root token. Run the following commands one by one in the terminal to set up Vault using Docker interactive mode:
docker compose up -d vault # start only the Vault server
docker exec -it vault vault operator init -key-shares=1 -key-threshold=1 # this generates and shows on the console the unseal key and the initial root token
docker exec -it vault vault operator unseal <UNSEAL_KEY> # unseal the vault
docker exec -it vault vault login <INITIAL_ROOT_TOKEN> # login to the vault
docker exec -it vault vault secrets enable -path=secret kv-v2 # enable the secret engine
Copy the generated root token and paste it into the VaultRootToken environment variable. Also, save the unseal key in a safe place so that you can unseal the vault in production mode.
Then run docker compose up -d to start all the services.
After you restart the services using docker compose up -d, you may see the vault service keep waiting. This is because Vault is sealed again after a restart and has not yet been unsealed.
To unseal the vault: On another terminal, run the following command: docker exec -it vault vault operator unseal <UNSEAL_KEY>.
After a few seconds, the vault service should start and other services will start as well.
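As an added example that is not part of the TES Weave stack's own tooling, the POSIX shell helpers below parse the text output of vault operator init -key-shares=1 -key-threshold=1, write only the root token into an owner-readable env file as VaultRootToken (keeping the unseal key out of the compose environment), and unseal the container only when vault status reports it sealed. The sample init output, the env file name and the unseal_if_sealed helper are assumptions made for this illustration.

```shell
#!/usr/bin/env sh
# Added example, not part of the stack. Parses `vault operator init` output
# (-key-shares=1 -key-threshold=1) and handles the "sealed after restart" case.

# Constructed sample of what `vault operator init` prints; the values are fake.
SAMPLE_INIT_OUTPUT='Unseal Key 1: c2FtcGxlLXVuc2VhbC1rZXktbm90LXJlYWw=

Initial Root Token: hvs.EXAMPLEROOTTOKEN

Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above.'

# Extract the single unseal key from the init output passed as $1.
extract_unseal_key() {
  printf '%s\n' "$1" | sed -n 's/^Unseal Key 1: *//p' | head -n 1
}

# Extract the initial root token from the init output passed as $1.
extract_root_token() {
  printf '%s\n' "$1" | sed -n 's/^Initial Root Token: *//p' | head -n 1
}

# Write VaultRootToken=<token> to the env file in $2 (assumed name .env.vault),
# created owner-readable only, so the token never appears on a command line.
write_vault_token_env() {
  token="$1"
  env_file="${2:-.env.vault}"
  ( umask 077 && printf 'VaultRootToken=%s\n' "$token" > "$env_file" ) || return 1
  chmod 600 "$env_file"
}

# Unseal the running `vault` container only if it is actually sealed.
# `vault status` exits 0 when unsealed, 2 when sealed, 1 on error. Needs Docker.
unseal_if_sealed() {
  rc=0
  docker exec vault vault status >/dev/null 2>&1 || rc=$?
  case $rc in
    0) echo "vault already unsealed" ;;
    2) docker exec vault vault operator unseal "$1" >/dev/null && echo "vault unsealed" ;;
    *) echo "vault not reachable (exit $rc)" >&2; return 1 ;;
  esac
}
```

Run unseal_if_sealed "$(extract_unseal_key "$(cat init-output.txt)")" (assumed file holding the saved init output) after docker compose up -d to clear the waiting state described above.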
LDAP (openldap and phpldapadmin)
These services are used to manage Trino’s ephemeral user accounts for the stack.
Egress
The Egress API handles egress requests. Once a task has finished executing, its results wait for approval in the Egress layer. Once the results are approved or rejected, it sends an update to the TRE Agent.
Hosted at: localhost:8100
Login credentials
Username: globaladminuser
Password: password123
Backend Services
KeyCloak Server
Keycloak is used for user authentication and user management across all three layers.
Hosted at: localhost:8085
Login credentials
Username: admin
Password: admin
Seq Activity Logs
Activity logs for the stack.
Hosted at: localhost:5341
S3 storage
These are the Amazon S3 compatible object stores for the stack.
Submission S3
The Submission Layer S3 stores any inputs for a submission and, after execution, its results.
When using Demostack Quickstart, the Submission’s S3 UI is hosted at: localhost:9000
Root Username: s3-submission
Root Password: s3-submission-pass
TRE S3
The TRE Agent S3 stores any inputs copied over from the Submission layer, and the results of the analysis.
When using Demostack Quickstart, the TRE’s S3 UI is hosted at: localhost:9002
Root Username: s3-tre
Root Password: s3-tre-pass