airavata-dev mailing list archives

From Suresh Marru <sma...@apache.org>
Subject Re: [GSoC] Status Update
Date Fri, 20 Jun 2014 19:18:25 GMT
On Jun 20, 2014, at 3:13 PM, Supun Nakandala <supun.nakandala@gmail.com> wrote:

> On Sat, Jun 21, 2014 at 12:11 AM, Reagan, David Michael <dmreagan@iu.edu> wrote:
> Thanks for the clarification, Supun. Let me see if I understand things correctly:
> 
>  
> 
> - The gateway will authenticate with the userAPI using credentials stored in a config file (via adminLogin)
> 
> - Once authenticated, the userAPI will replace the PHP-Reference-Gateway’s id_utilities interface for authenticating/adding/etc users
> 
>  
> 
> So the gateway itself is an admin, but how can an individual user become an admin?
> 
>  
> 
> When an admin user logs in to the gateway, how will the gateway know the user is an admin? Perhaps like this:
> 
>  
> 
> - The user authenticates in the normal login page, and both authenticateUser and adminLogin functions are called.
> 
>   o If authenticateUser returns true, the user is logged in (setting the username and logged_in session variables)
> 
>   o If adminLogin returns the token, the user is logged in with admin privileges (probably by storing the token in a session variable). If no token is returned, the session variable remains null and the user is treated as a standard user.
> 
>  
> 
> Does that sound correct?
> 
> 
> Yes this will work. But it has some drawbacks.
> 
> -> In order for a user to do an admin login he should provide his username and also the tenant domain. For example in the PHP-Reference-Gateway the admin should use <adminusername>@phprg.scigap.org as the username. But for the authenticateUser only the username should be provided. This is because the authenticateUser method is performed in the specific context of the logged in tenant admin.
> 
> -> This will work only if we want to distinguish admin users and non admin users.
> 
> As per my understanding the most elegant way to solve this issue is to add the capability of creating user roles in the UserAPI. If so, upon authenticating a user we can fetch the list of roles of that particular user and act accordingly. We can reserve the tenant admin user only to the gateway and use different roles such as gateway_admin, privileged_user, restricted_user for all other users who are using the gateway.
> 
> What do you think?

+1. I was in the middle of typing the same reply. I think the notion of user roles and the API to query for them seems to be a good way to handle these use cases.

Suresh


>  
> 
> Dave
> 
>  
> 
> From: Supun Nakandala [mailto:supun.nakandala@gmail.com] 
> Sent: Friday, June 20, 2014 1:20 PM
> To: dev@airavata.apache.org
> 
> 
> Subject: Re: [GSoC] Status Update
> 
>  
> 
> Hi Dave,
> 
>  
> 
> I was planning to have a separate tenant for each gateway. For example PHP-Reference-Gateway has a separate tenant in the WSO2 IS. Each of these has a tenant admin (can have more than one). And gateways have to use the tenant admin credentials to use the UserAPI.
> 
>  
> 
> The adminLogin and adminLogout functions are for the gateways to authenticate with the UserAPI using the given tenant admin credentials.
> 
>  
> 
> After authenticating using the tenant admin credentials gateways can use the API to do the given operations. Standard users cannot log in to the UserAPI (only the tenant admin can log in). But the gateways can authenticate users via the API given the user's username and password.
> 
>  
> 
> If we need to distinguish different users separately we can create user groups and add users to groups. But I still have not added this functionality to the UserAPI.
> 
>  
> 
> On Fri, Jun 20, 2014 at 8:17 PM, Reagan, David Michael <dmreagan@iu.edu> wrote:
> 
> Hi, Supun. Are the adminLogin and adminLogout functions just for admin users? Can you explain a bit about how the ID server differentiates standard vs admin users, and how you think the gateway should be able to tell which kind of user a person is?
> 
>  
> 
> Thanks,
> 
> Dave
> 
>  
> 
> From: Amila Jayasekara [mailto:thejaka.amila@gmail.com] 
> Sent: Friday, June 20, 2014 9:31 AM
> To: dev
> Subject: Re: [GSoC] Status Update
> 
>  
> 
> Nice !
> 
>  
> 
> Thanks
> 
> Amila
> 
>  
> 
> On Fri, Jun 20, 2014 at 7:16 AM, Supun Nakandala <supun.nakandala@gmail.com> wrote:
> 
> Hi All,
> 
>  
> 
> I have added some php client sample code to the repository [1].
> 
>  
> 
> Thank you
> 
> Supun
> 
>  
> 
> [1] - https://github.com/scnakandala/airavata-userapi/tree/master/clients/php-client
> 
>  
> 
> On Wed, Jun 18, 2014 at 10:05 PM, Supun Nakandala <supun.nakandala@gmail.com> wrote:
> 
> Hi All,
> 
>  
> 
> During the last week I drafted a basic user api description for Airavata user management. You can find the thrift descriptor files at [1]. I have also implemented the server side code and hosted it in the same github repository. I did not try to come up with a complete list of user management requirements but rather implemented the most frequently required ones. As the requirements change I plan to modify the api iteratively. I would appreciate it if you can provide feedback on the drafted user management api.
> 
>  
> 
> My next target is to implement a php client for this api and integrate it with the PHP-Reference-Gateway
> 
>  
> 
> Thank you
> 
> Supun
> 
>  
> 
>  
> 
> [1] - https://github.com/scnakandala/airavata-userapi/blob/master/thrift-interface-descriptors/userAPI.thrift
> 
> 
> 
> 
>  
> 
> -- 
> Thank you
> Supun Nakandala
> Dept. Computer Science and Engineering
> University of Moratuwa
> 
>  
> 
> 
> 
> 
>  
> 
> -- 
> Thank you
> Supun Nakandala
> Dept. Computer Science and Engineering
> University of Moratuwa
> 
> 
> 
> 
> -- 
> Thank you
> Supun Nakandala
> Dept. Computer Science and Engineering
> University of Moratuwa
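
The role-based check proposed in this thread, as an added example that is not part of the original messages or of the airavata-userapi code. `StubUserApi`, `getUserRoles`, `gatewayLogin`, `hasRole` and the sample users are hypothetical; only `authenticateUser` and the three role names come from the thread.

```php
<?php
declare(strict_types=1);
// Hypothetical stand-in for a UserAPI that exposes roles (the thread only proposes this).
final class StubUserApi
{
    private array $users;
    public function __construct()
    {
        // Constructed sample users; a real deployment reads them from the tenant's user store.
        $this->users = [
            'alice' => ['hash' => password_hash('alice-pw', PASSWORD_DEFAULT), 'roles' => ['gateway_admin']],
            'bob'   => ['hash' => password_hash('bob-pw', PASSWORD_DEFAULT), 'roles' => ['restricted_user', 'legacy_ops']],
        ];
    }

    public function authenticateUser(string $username, string $password): bool
    {
        $user = $this->users[$username] ?? null;
        return $user !== null && password_verify($password, $user['hash']);
    }

    public function getUserRoles(string $username): array // hypothetical method
    {
        return $this->users[$username]['roles'] ?? [];
    }
}

const KNOWN_ROLES = ['gateway_admin', 'privileged_user', 'restricted_user'];
// Returns the session data for a successful login, or null on failure.
// The tenant admin token stays with the gateway; it is never copied into a user's session.
function gatewayLogin(StubUserApi $api, string $username, string $password): ?array
{
    if (!$api->authenticateUser($username, $password)) {
        return null;
    }
    // Role names the gateway does not recognise (here 'legacy_ops') grant nothing.
    $roles = array_values(array_intersect($api->getUserRoles($username), KNOWN_ROLES));
    return ['username' => $username, 'logged_in' => true, 'roles' => $roles];
}

function hasRole(?array $session, string $role): bool
{
    return $session !== null && in_array($role, $session['roles'], true);
}

$api = new StubUserApi();
foreach ([['alice', 'alice-pw'], ['bob', 'bob-pw'], ['bob', 'wrong']] as [$user, $pw]) {
    $session = gatewayLogin($api, $user, $pw);
    $admin = hasRole($session, 'gateway_admin');
    printf("%s: logged_in=%s admin=%s\n", $user, var_export($session !== null, true), var_export($admin, true));
}
```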

