airavata-dev mailing list archives

From Supun Nakandala <supun.nakand...@gmail.com>
Subject Re: [GSoC] Status Update
Date Fri, 20 Jun 2014 19:13:01 GMT
On Sat, Jun 21, 2014 at 12:11 AM, Reagan, David Michael <dmreagan@iu.edu>
wrote:

>  Thanks for the clarification, Supun. Let me see if I understand things
> correctly:
>
>
>
> - The gateway will authenticate with the userAPI using
> credentials stored in a config file (via adminLogin)
>
> - Once authenticated, the userAPI will replace the
> PHP-Reference-Gateway’s id_utilities interface for
> authenticating/adding/etc users
>
>
>
> So the gateway itself is an admin, but how can an individual user become
> an admin?
>
>
>
> When an admin user logs in to the gateway, how will the gateway know the
> user is an admin? Perhaps like this:
>
>
>
> - The user authenticates in the normal login page, and both
> authenticateUser and adminLogin functions are called.
>
>   o If authenticateUser returns true, the user is logged in (setting the
> username and logged_in session variables)
>
>   o If adminLogin returns the token, the user is logged in with admin
> privileges (probably by storing the token in a session variable). If no
> token is returned, the session variable remains null and the user is
> treated as a standard user.
>
>
>
> Does that sound correct?
>

Yes this will work. But it has some drawbacks.

-> In order for a user to do an admin login he should provide his username
and also the tenant domain. For example, in the PHP-Reference-Gateway the
admin should use <adminusername>@phprg.scigap.org as the username. But for
authenticateUser only the username should be provided. This is because the
authenticateUser method is performed in the specific context of the logged
in tenant admin.

-> This will work only if we want to distinguish admin users and non-admin
users.

As per my understanding the most elegant way to solve this issue is to add
the capability of creating user roles in the UserAPI. If so, upon
authenticating a user we can fetch the list of roles of that particular
user and act accordingly. We can reserve the tenant admin user only to the
gateway and use different roles such as gateway_admin, privileged_user,
restricted_user for all other users who are using the gateway.

What do you think?

>
>
> Dave
>
>
>
> *From:* Supun Nakandala [mailto:supun.nakandala@gmail.com]
> *Sent:* Friday, June 20, 2014 1:20 PM
> *To:* dev@airavata.apache.org
>
> *Subject:* Re: [GSoC] Status Update
>
>
>
> Hi Dave,
>
>
>
> I was planning to have a separate tenant for each gateway. For example
> PHP-Reference-Gateway has a separate tenant in the WSO2 IS. Each of these
> has a tenant admin (can have more than one). And gateways have to use the
> tenant admin credentials to use the UserAPI.
>
>
>
> The adminLogin and adminLogout functions are for the gateways to
> authenticate with the UserAPI using the given tenant admin credentials.
>
>
>
> After authenticating using the tenant admin credentials gateways can use
> the API to do the given operations. Standard users cannot log in to the
> UserAPI (only the tenant admin can login). But the gateways can
> authenticate users via the API given the user's username and password.
>
>
>
> If we need to distinguish different users separately we can create user
> groups and add users to groups. But I still haven't added this
> functionality to the UserAPI.
>
>
>
> On Fri, Jun 20, 2014 at 8:17 PM, Reagan, David Michael <dmreagan@iu.edu>
> wrote:
>
>  Hi, Supun. Are the adminLogin and adminLogout functions just for admin
> users? Can you explain a bit about how the ID server differentiates
> standard vs admin users, and how you think the gateway should be able to
> tell which kind of user a person is?
>
>
>
> Thanks,
>
> Dave
>
>
>
> *From:* Amila Jayasekara [mailto:thejaka.amila@gmail.com]
> *Sent:* Friday, June 20, 2014 9:31 AM
> *To:* dev
> *Subject:* Re: [GSoC] Status Update
>
>
>
> Nice !
>
>
>
> Thanks
>
> Amila
>
>
>
> On Fri, Jun 20, 2014 at 7:16 AM, Supun Nakandala <
> supun.nakandala@gmail.com> wrote:
>
>  Hi All,
>
>
>
> I have added some php client sample code to the repository [1].
>
>
>
> Thank you
>
> Supun
>
>
>
> [1] -
> https://github.com/scnakandala/airavata-userapi/tree/master/clients/php-client
>
>
>
> On Wed, Jun 18, 2014 at 10:05 PM, Supun Nakandala <
> supun.nakandala@gmail.com> wrote:
>
>  Hi All,
>
>
>
> During the last week I drafted a basic user api description for Airavata
> user management. You can find the thrift descriptor files at [1]. I have
> also implemented the server side code and hosted it in the same GitHub
> repository. I did not try to come up with a complete list of user
> management requirements but rather implemented the most frequently required
> ones. As the requirements change I plan to modify the api iteratively. I
> would appreciate it if you can provide feedback on the drafted user management api.
>
>
>
> My next target is to implement a php client for this api and integrate it
> with the PHP-Reference-Gateway
>
>
>
> Thank you
>
> Supun
>
>
>
>
>
> [1] -
> https://github.com/scnakandala/airavata-userapi/blob/master/thrift-interface-descriptors/userAPI.thrift
>
>
>
>
>
> --
> Thank you
> Supun Nakandala
> Dept. Computer Science and Engineering
> University of Moratuwa
>
>
>
>
>
>
>
> --
> Thank you
> Supun Nakandala
> Dept. Computer Science and Engineering
> University of Moratuwa
>



-- 
Thank you
Supun Nakandala
Dept. Computer Science and Engineering
University of Moratuwa
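
The role-based login proposed in this message, sketched as an added example that is not part of the original e-mail or of the airavata-userapi code. FakeUserApi is a constructed in-memory stand-in, getUserRoles() is hypothetical (the thread only proposes role support), and the argument lists of adminLogin() and authenticateUser(), the account names and the passwords are assumptions.

```php
<?php
// Added example. FakeUserApi is a constructed stand-in for the UserAPI client;
// getUserRoles() is hypothetical and all signatures below are assumed.
final class FakeUserApi {
    private array $users = [            // constructed sample accounts
        'alice' => ['pw' => 'a-pass', 'roles' => ['gateway_admin']],
        'bob'   => ['pw' => 'b-pass', 'roles' => ['restricted_user', 'unknown_role']],
    ];
    // Tenant admin login: username carries the tenant domain.
    public function adminLogin(string $user, string $pw): ?string {
        return ($user === 'admin@phprg.scigap.org' && $pw === 'cfg-secret') ? 'tok-1' : null;
    }
    // Runs in the context of the logged-in tenant admin: plain username only.
    public function authenticateUser(string $user, string $pw, string $token): bool {
        return $token === 'tok-1' && isset($this->users[$user])
            && hash_equals($this->users[$user]['pw'], $pw);
    }
    public function getUserRoles(string $user, string $token): array {
        return $token === 'tok-1' ? ($this->users[$user]['roles'] ?? []) : [];
    }
}

const KNOWN_ROLES = ['gateway_admin', 'privileged_user', 'restricted_user'];

// Returns the session data for a successful login, or null on failure.
// The tenant admin token stays with the gateway and is never copied into
// a user's session, so holding a session never implies tenant admin rights.
function loginUser(FakeUserApi $api, string $gatewayToken, string $user, string $pw): ?array {
    if (!$api->authenticateUser($user, $pw, $gatewayToken)) {
        return null;
    }
    // Keep only roles the gateway knows; an unrecognised role grants nothing.
    $roles = array_values(array_intersect($api->getUserRoles($user, $gatewayToken), KNOWN_ROLES));
    return ['username' => $user, 'logged_in' => true, 'roles' => $roles];
}

function hasRole(?array $session, string $role): bool {
    return $session !== null && in_array($role, $session['roles'], true);
}

$api   = new FakeUserApi();
$token = $api->adminLogin('admin@phprg.scigap.org', 'cfg-secret'); // from gateway config
$alice = loginUser($api, $token, 'alice', 'a-pass');
$bob   = loginUser($api, $token, 'bob', 'b-pass');
var_dump(hasRole($alice, 'gateway_admin'));        // admin role present
var_dump(hasRole($bob, 'gateway_admin'));          // standard user
var_dump($bob['roles']);                           // unknown_role filtered out
var_dump(loginUser($api, $token, 'bob', 'wrong')); // failed authentication
```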
