airavata-dev mailing list archives

From Amila Jayasekara <thejaka.am...@gmail.com>
Subject Re: Gateway id in airavata request
Date Fri, 23 Nov 2012 16:55:17 GMT
Hi All,

I encountered a few more questions while incorporating gateway id to
incoming request.

1. Currently our data model has the concept of gateway id but we don't
have a process to register gateways. So how should we proceed with
implementing gateway registration?

Some options are:
a. Provide a web interface within Airavata webapp to do the registration
b. Provide an API method to do the registration (As Saminda suggested)

2. Multiple gateways are needed if we are hosting a multi-tenanted
(sort of) system. Still there are a lot of use cases which need
"stand-alone" Airavata instances. So is it OK to have a gateway
called "defaultGateway"? The default gateway will come with the
distribution and will be there in all Airavata installations. The local
user store will be associated with the "defaultGateway".

3. In the previous mail we discussed having DNS-like names for
gateways. So what is the preferred DNS-like name for the default gateway?
(If we decide to have a default gateway.)

4. We still do not have the notion of roles in Airavata. Therefore, to
manage the local user store I am using a special user name called "admin".
He has privileges to add/delete users from the local user store. With the
gateway concept we might need to introduce an "admin" sort of user
for each gateway. This will be cleaner if we can introduce a couple
of roles at this point. At least an admin role and a non-admin role.

Appreciate your feedback on the above questions.

Thanks
Amila


On Thu, Nov 22, 2012 at 4:32 PM, Suresh Marru <smarru@apache.org> wrote:
> On Nov 22, 2012, at 4:10 PM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
>
>> Hi Suresh,
>>
>> How should we associate gateway id with user id if user store resides
>> outside of Airavata ?
>>
>> Is it ok to assume that a gateway id is associated with a single
>> external user store ? In that case we can associate gateway id with
>> the user store configuration.
>
> Hi Amila,
>
> Yes, this sounds reasonable right? Since we are assuming gateways do the
> authorization and send user identity to Airavata, I think it's safe to
> assume each gateway has one user store. Gateways might support OpenID,
> InCommon like federated identities, but in the end the gateway/portal
> has to keep the mapping. These assumptions might change as we see more
> use cases, but as of now, these seem to suffice.
>
> Cheers,
> Suresh
>
>>
>> Thanks
>> Amila
>>
>> On Thu, Nov 22, 2012 at 2:26 PM, Suresh Marru <smarru@apache.org> wrote:
>>> On Nov 22, 2012, at 1:10 PM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
>>>
>>>> Hi Suresh,
>>>>
>>>> I do prefer gateway DNS name formats such as "gateway.airavata.org"
>>>> (Due to its simplicity compared to entity ids).
>>>
>>> I did not pay attention to the SAML requirements for entity id's as
>>> discussed in the links I sent earlier. But if it doesn't matter, I am
>>> +1 for using "gateway.airavata.org", this looks much more elegant.
>>>
>>> Suresh
>>>
>>>> But in either case
>>>> there won't be any changes to the logic we are doing at authentication
>>>> stage. Maybe we need to further investigate to figure out what is most
>>>> appropriate as a gateway id.
>>>>
>>>> Thanks
>>>> Amila
>>>>
>>>> On Thu, Nov 22, 2012 at 12:41 PM, Suresh Marru <smarru@apache.org> wrote:
>>>>> On Nov 22, 2012, at 12:25 PM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> We need to send gateway name together with user name for
>>>>>> authentication at Airavata service level. We are thinking of using
>>>>>> following syntax for this,
>>>>>>
>>>>>> username@gatwayId
>>>>>>
>>>>>> So "@" will be a separator for gateway id and user name. In addition
>>>>>> we do authentication based on the gateway id. I am planning to
>>>>>> incorporate this change to existing security implementation. If you
>>>>>> have any objections/feedback please let us know.
>>>>>
>>>>> Hi Amila,
>>>>>
>>>>> Yes this sounds fine to me. But it will work under the assumption of
>>>>> gateway id being unique. Maybe we can maintain a wiki page with
>>>>> registered gateway id's. Can you please refer to [1], which discusses
>>>>> this issue of mapping end users with gateway identifiers.
>>>>>
>>>>> If you refer to examples at [2], are you proposing to create Entity ID's
>>>>> or Gateway DNS Domain in the format gateway.airavata.org?
>>>>>
>>>>> Cheers,
>>>>> Suresh
>>>>>
>>>>> [1] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
>>>>> [2] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
>>>>>
>>>>>
>>>
>
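
The `username@gatewayId` syntax discussed in this thread, sketched as an added example that is not code from the thread or from the Airavata project. The registry contents, the user store names, the placeholder default gateway id and the function names are all assumptions; the sketch relies on the thread's own assumptions that gateway ids are unique, DNS-like, and each tied to one user store.

```python
import re

# One DNS-like label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed registry (assumption): each gateway id maps to exactly one
# user store, as assumed in the thread. All names here are hypothetical.
REGISTERED_GATEWAYS = {
    "gateway.airavata.org": "external-user-store",
    "default.gateway.example": "local-user-store",  # placeholder default id
}


class PrincipalError(ValueError):
    """Raised when a principal cannot be mapped to a registered gateway."""


def normalize_gateway_id(raw):
    """Lower-case a DNS-like gateway id and reject malformed values."""
    gateway = raw.lower()  # DNS names compare case-insensitively
    labels = gateway.split(".")
    if (len(gateway) > 253 or len(labels) < 2
            or not all(_LABEL.fullmatch(label) for label in labels)):
        raise PrincipalError(f"malformed gateway id: {raw!r}")
    return gateway


def parse_principal(principal, registry=REGISTERED_GATEWAYS):
    """Split 'username@gatewayId' into (username, gateway_id, user_store).

    The split is on the LAST '@', so a federated user name that itself
    contains '@' keeps its full identity. The registry lookup is what
    stops a bare e-mail-style user name from being read as user@gateway.
    """
    username, sep, raw_gateway = principal.rpartition("@")
    if not sep or not username:
        raise PrincipalError("expected username@gatewayId")
    gateway = normalize_gateway_id(raw_gateway)
    if gateway not in registry:
        raise PrincipalError(f"unregistered gateway: {gateway}")
    return username, gateway, registry[gateway]
```

Authentication against the returned user store happens after this step; the parser only decides which gateway, and therefore which store, a request is checked against.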
