airavata-dev mailing list archives

From Suresh Marru <sma...@apache.org>
Subject Re: Notion of user roles in the PHP Reference Gateway
Date Mon, 30 Jun 2014 12:27:25 GMT
Hi Supun,

Amila is right on. To your question on what roles PHP Gateway will need, I will make a first
order approximation and suggest the following:

Casual Users - When users stumble upon a gateway, provide basic tutorials. For example, we
used to allow casual users to execute educational experiments - http://www.atmos.millersville.edu/~lead/modules.htm

Gateway Users - These users are vetted by the administrators and pretty much have permission
to execute all applications and charge to allocations. 

Application Providers - This role will allow registering new applications and workflows (as
opposed to only using them by gateway users).

Gateway Administrators - essentially tenant admins. Manage community account credentials,
add/remove user roles and other admin functions.

Gateway Operators - Typically this is done by gateway administrators themselves, but better
to have a separate role. This role will be used for notifying when user experiments go wrong
due to infrastructure reasons. Enable/Disable compute resources, applications.

A user may be in one or more roles.

Suresh


On Jun 30, 2014, at 3:53 AM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:

> Hi Supun,
> 
> I would expect following; (others please correct me if I am wrong)
> 
> We need to control access to API functions through roles. Also IS has a notion of permissions and resources. So the resources are mapped to functions defined in thrift API. So a permission would look like follows (hypothetically);
> 
> permission = ("execute", /scigap/thrift/executeExperiment);
> 
> We should be able to attach such permissions to roles. So when user invokes an API function we need to do following;
> 1. find user's role
> 2. examine role's permissions
> 3. check whether any role has permission relevant to invoking function
> 
> AFAIK IS provided a way to define permissions and attach them to roles. You may need to check how those can be used through APIs and how to achieve above described functionality.
> 
> Thanks
> Regards
> -Thejaka Amila
> 
>  
> 
> 
> On Sun, Jun 29, 2014 at 2:19 PM, Supun Nakandala <supun.nakandala@gmail.com> wrote:
> Hi all,
> 
> I am in the process of incorporating the notion of roles to the PHP Reference Gateway using the proxy user api that I am developing. WSO2 IS enables the tenant admin (gateway admin) to create roles and assign users to roles (many to many mapping). From the gateway side we can consume these services and implement role based user functionality. The roles defined will only be visible to that particular gateway (tenant).
> 
> I would like to know what type of role based functionality is required in the context of the PHP Reference Gateway.
> 
> Thank you.
> Supun
> 
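
The three-step check described in the quoted reply (find the user's roles, read each role's permissions, match against the function being invoked), as an added example that is not part of the original thread or of Airavata's or WSO2 IS's code. The in-memory tables stand in for the identity server lookup; the role identifiers, user names and every resource path other than `/scigap/thrift/executeExperiment` are constructed placeholders.

```php
<?php
// Constructed role => permission table. Role names follow the list in the
// message above; only the executeExperiment path comes from the thread.
const ROLE_PERMISSIONS = [
    'casual-user'          => [['execute', '/scigap/thrift/executeTutorialExperiment']],
    'gateway-user'         => [['execute', '/scigap/thrift/executeExperiment']],
    'application-provider' => [['execute', '/scigap/thrift/registerApplication']],
    'gateway-admin'        => [['execute', '/scigap/thrift/manageUserRoles']],
    'gateway-operator'     => [['execute', '/scigap/thrift/setComputeResourceState']],
];

// Constructed user => roles mapping (many to many) for a single tenant.
// 'retired-role' has no permission entry, to exercise the unknown-role path.
const USER_ROLES = [
    'alice' => ['gateway-user', 'application-provider'],
    'bob'   => ['casual-user'],
    'carol' => ['gateway-admin', 'gateway-operator', 'retired-role'],
];

/**
 * Allow only when one of the user's roles holds a permission that matches
 * the action and resource exactly. Unknown users, unknown roles and
 * unmatched resources all fall through to a denial.
 */
function isAllowed(string $user, string $action, string $resource): bool
{
    foreach (USER_ROLES[$user] ?? [] as $role) {             // 1. find user's roles
        foreach (ROLE_PERMISSIONS[$role] ?? [] as $perm) {   // 2. examine role's permissions
            if ($perm === [$action, $resource]) {            // 3. match the invoked function
                return true;
            }
        }
    }
    return false; // deny by default
}

// Constructed requests: one per interesting path through the check.
$checks = [
    ['alice',   'execute', '/scigap/thrift/executeExperiment'],       // first role
    ['alice',   'execute', '/scigap/thrift/registerApplication'],     // second role
    ['bob',     'execute', '/scigap/thrift/executeExperiment'],       // role lacks it
    ['carol',   'execute', '/scigap/thrift/setComputeResourceState'], // unknown role ignored
    ['mallory', 'execute', '/scigap/thrift/executeExperiment'],       // unknown user
];
foreach ($checks as [$user, $action, $resource]) {
    printf("%-8s %-8s %-42s %s\n", $user, $action, $resource,
        isAllowed($user, $action, $resource) ? 'ALLOW' : 'DENY');
}
```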

