airavata-dev mailing list archives

From Saminda Wijeratne <samin...@gmail.com>
Subject Re: Gateway id in airavata request
Date Sat, 24 Nov 2012 18:54:59 GMT
On Fri, Nov 23, 2012 at 11:55 AM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:

> Hi All,
>
> I encountered a few more questions while incorporating the gateway id into
> the incoming request.
>
> 1. Currently our data model has the concept of a gateway id, but we don't
> have a process to register gateways. So how should we proceed with
> implementing gateway registration?
>
> Some options are:
> a. Provide a web interface within Airavata webapp to do the registration
> b. Provide an API method to do the registration (As Saminda suggested)
>
Right now we are not exposing the notion of a gateway to the user through
XBaya. We recently introduced passing the gateway id when initiating an
Airavata API object. Therefore I think it's OK to allow API functionality to
manage gateways at first, before updating client applications, since they
do not need to be aware of it yet anyway.

>
> 2. Multiple gateways are needed if we are hosting a multi-tenanted
> (sort of) system. Still, there are a lot of use cases which need
> "stand-alone" Airavata instances. So is it OK to have a gateway
> called "defaultGateway"? The default gateway will come with the
> distribution and will be there in all Airavata installations. The local
> user store will be associated with the "defaultGateway".
>
Yes... Right now it is called "default".

>
> 3. In the previous mail we discussed having DNS-like names for
> gateways. So what is the preferred DNS-like name for the default gateway?
> (If we decided to have a default gateway.)
>
But I like the format of the gateway id suggested in an earlier mail by
Amila, such as "some-gateway-id.some-domain.some-tld". In fact this can be
any string (which avoids special characters). However, whether any format
would look nice in the "username@gateway-id" format is questionable.

>
> 4. We still do not have the notion of roles in Airavata. Therefore, to
> manage the local user store I am using a special user name called "admin".
> He has privileges to add/delete users from the local user store. With the
> gateway concept we might need to introduce an "admin" sort of user
> for each gateway. This will be cleaner if we can introduce a couple
> of roles at this point. At least an admin role and a non-admin role.
>
Yep... definitely +1... I think this itself deserves a separate mail thread.

Saminda

>
> Appreciate your feedback on the above questions.
>
> Thanks
> Amila
>
>
> On Thu, Nov 22, 2012 at 4:32 PM, Suresh Marru <smarru@apache.org> wrote:
> > On Nov 22, 2012, at 4:10 PM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
> >
> >> Hi Suresh,
> >>
> >> How should we associate the gateway id with the user id if the user store
> >> resides outside of Airavata?
> >>
> >> Is it OK to assume that a gateway id is associated with a single
> >> external user store? In that case we can associate the gateway id with
> >> the user store configuration.
> >
> > Hi Amila,
> >
> > Yes, this sounds reasonable, right? Since we are assuming gateways do the
> > authorization and send user identity to Airavata, I think it's safe to
> > assume each gateway has one user store. Gateways might support OpenID,
> > InCommon-like federated identities, but in the end the gateway/portal has
> > to keep the mapping. These assumptions might change as we see more use
> > cases, but as of now, these seem to suffice.
> >
> > Cheers,
> > Suresh
> >
> >>
> >> Thanks
> >> Amila
> >>
> >> On Thu, Nov 22, 2012 at 2:26 PM, Suresh Marru <smarru@apache.org> wrote:
> >>> On Nov 22, 2012, at 1:10 PM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
> >>>
> >>>> Hi Suresh,
> >>>>
> >>>> I do prefer gateway DNS name formats such as "gateway.airavata.org"
> >>>> (Due to its simplicity compared to entity ids).
> >>>
> >>> I did not pay attention to the SAML requirements for entity IDs as
> >>> discussed in the links I sent earlier. But if it doesn't matter, I am +1
> >>> for using "gateway.airavata.org"; this looks much more elegant.
> >>>
> >>> Suresh
> >>>
> >>>> But in either case
> >>>> there won't be any changes to the logic we are doing at the authentication
> >>>> stage. Maybe we need to investigate further to figure out what is most
> >>>> appropriate as a gateway id.
> >>>>
> >>>> Thanks
> >>>> Amila
> >>>>
> >>>> On Thu, Nov 22, 2012 at 12:41 PM, Suresh Marru <smarru@apache.org> wrote:
> >>>>> On Nov 22, 2012, at 12:25 PM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
> >>>>>
> >>>>>> Hi All,
> >>>>>>
> >>>>>> We need to send the gateway name together with the user name for
> >>>>>> authentication at the Airavata service level. We are thinking of using
> >>>>>> the following syntax for this:
> >>>>>>
> >>>>>> username@gatewayId
> >>>>>>
> >>>>>> So "@" will be a separator for gateway id and user name. In addition
> >>>>>> we do authentication based on the gateway id. I am planning to
> >>>>>> incorporate this change into the existing security implementation. If you
> >>>>>> have any objections/feedback please let us know.
> >>>>>
> >>>>> Hi Amila,
> >>>>>
> >>>>> Yes, this sounds fine to me. But it will work under the assumption of
> >>>>> the gateway id being unique. Maybe we can maintain a wiki page with registered
> >>>>> gateway ids. Can you please refer to [1], which discusses this issue of
> >>>>> mapping end users with gateway identifiers.
> >>>>>
> >>>>> If you refer to the examples at [2], are you proposing to create Entity
> >>>>> IDs or a Gateway DNS Domain in the format gateway.airavata.org?
> >>>>>
> >>>>> Cheers,
> >>>>> Suresh
> >>>>>
> >>>>> [1] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
> >>>>> [2] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
> >>>>>
> >>>>>
> >>>
> >
>
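
The "username@gatewayId" convention discussed in this thread, sketched as an added example in Python; it is not part of the original messages and is not Airavata code. It shows one way to split the login string and resolve it against one user store per gateway, failing closed on ambiguous or unregistered gateway ids. Assumptions not settled in the thread: splitting on the last "@", a DNS-label grammar for gateway ids, lowercase normalization, falling back to "default" when no "@" is present, and the hypothetical names `split_login`, `resolve_user` and `USER_STORES`.

```python
import re

# Assumed grammar: dot-separated DNS labels, e.g. "gateway.airavata.org" or "default".
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_GATEWAY_ID = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
DEFAULT_GATEWAY = "default"  # name of the built-in gateway mentioned in the thread

# Constructed sample data: one user store (here just a set of names) per gateway.
USER_STORES = {
    "default": {"admin", "alice"},
    "gateway.airavata.org": {"alice", "bob@example.edu"},
}


class LoginError(ValueError):
    """Raised when a login string cannot be mapped to a registered gateway user."""


def split_login(login: str) -> tuple[str, str]:
    """Split 'username@gatewayId' on the LAST '@' and validate the gateway id."""
    username, sep, gateway = login.rpartition("@")
    if not sep:  # no '@' at all: stand-alone use, assume the default gateway
        username, gateway = login, DEFAULT_GATEWAY
    gateway = gateway.lower()  # treat ids as case-insensitive so they stay unique
    if not username:
        raise LoginError("empty user name")
    if len(gateway) > 253 or not _GATEWAY_ID.fullmatch(gateway):
        raise LoginError("malformed gateway id")
    return username, gateway


def resolve_user(login: str, stores=USER_STORES) -> tuple[str, str]:
    """Return (username, gateway) only if the user exists in that gateway's store."""
    username, gateway = split_login(login)
    if gateway not in stores:
        raise LoginError("unregistered gateway")
    if username not in stores[gateway]:  # never search other gateways' stores
        raise LoginError("unknown user for this gateway")
    return username, gateway
```

A user name that itself contains "@" must always carry an explicit gateway suffix: `bob@example.edu` alone is read as user `bob` at the unregistered gateway `example.edu` and is rejected, while `bob@example.edu@gateway.airavata.org` resolves.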
