airavata-dev mailing list archives

From Supun Nakandala <supun.nakand...@gmail.com>
Subject Re: Notion of user roles in the PHP Reference Gateway
Date Mon, 30 Jun 2014 20:00:30 GMT
The gateway admin can query the list of roles for a particular user given
the username. Then the gateway admin can iterate through the list of roles
and retrieve the capabilities of each role.


On Tue, Jul 1, 2014 at 1:17 AM, Marlon Pierce <marpierc@iu.edu> wrote:

> A little question, maybe premature: how are these roles going to be
> communicated over the Thrift-based API?
>
> Marlon
>
>
>
> On 6/30/14, 3:43 PM, Supun Nakandala wrote:
>
>> Hi Suresh,
>>
>>
>> On Mon, Jun 30, 2014 at 5:57 PM, Suresh Marru <smarru@apache.org> wrote:
>>
>>> Hi Supun,
>>>
>>> Amila is right on. To your question on what roles PHP Gateway will need, I
>>> will make a first order approximation and suggest the following:
>>>
>>> Casual Users - When users stumble upon a gateway, provide basic tutorials.
>>> For example, we used to allow casual users to execute educational experiments
>>> - http://www.atmos.millersville.edu/~lead/modules.htm
>>>
>>
>> I think in Casual Users the requirement is to have experiment level access
>> control and not API level access controlling. So I think in addition to
>> considering the API level functions as resources (as Amila suggested) we
>> may have to define several other resources which do not have a direct
>> mapping to API level functions but will be required in order to handle this
>> type of scenario.
>>
>>
>>> Gateway Users - These users are vetted by the administrators and pretty
>>> much have permission to execute all applications and charge to allocations.
>>>
>>> Application Providers - This role will allow registering new applications
>>> and workflows (as opposed to only using them by gateway users).
>>>
>>> Gateway Administrators - essentially tenant admins. Manage community
>>> account credentials, add/remove user roles and other admin functions.
>>>
>>> Gateway Operators - Typically this is done by gateway administrators
>>> themselves, but better to have a separate role. This role will be used for
>>> notifying when user experiments go wrong due to infrastructure reasons.
>>> Enable/Disable compute resources, applications.
>>>
>>> A user may be in one or more roles.
>>>
>>> Suresh
>>>
>>>
>>> On Jun 30, 2014, at 3:53 AM, Amila Jayasekara <thejaka.amila@gmail.com>
>>> wrote:
>>>
>>>> Hi Supun,
>>>>
>>>> I would expect the following; (others please correct me if I am wrong)
>>>>
>>>> We need to control access to API functions through roles. Also IS has a
>>>> notion of permissions and resources. So the resources are mapped to
>>>> functions defined in thrift API. So a permission would look like follows
>>>> (hypothetically);
>>>>
>>>> permission = ("execute", /scigap/thrift/executeExperiment);
>>>>
>>>> We should be able to attach such permissions to roles. So when user
>>>> invokes an API function we need to do the following;
>>>>
>>>> 1. find user's role
>>>> 2. examine role's permissions
>>>> 3. check whether any role has permission relevant to invoking function
>>>>
>>>> AFAIK IS provided a way to define permissions and attach them to roles.
>>>> You may need to check how those can be used through APIs and how to achieve
>>>> above described functionality.
>>>
>>>> Thanks
>>>> Regards
>>>> -Thejaka Amila
>>>>
>>>>
>>>>
>>>>
>>>> On Sun, Jun 29, 2014 at 2:19 PM, Supun Nakandala <supun.nakandala@gmail.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I am in the process of incorporating the notion of roles to the PHP
>>>>> Reference Gateway using the proxy user api that I am developing. WSO2 IS
>>>>> enables the tenant admin (gateway admin) to create roles and assign users
>>>>> to roles (many to many mapping). From the gateway side we can consume these
>>>>> services and implement role based user functionality. The roles defined
>>>>> will only be visible to that particular gateway (tenant).
>>>>>
>>>>> I would like to know what type of role based functionality is required
>>>>> in the context of the PHP Reference Gateway.
>>>>>
>>>>> Thank you.
>>>>> Supun
>>>>
>>>
>>
>


-- 
Thank you
Supun Nakandala
Dept. Computer Science and Engineering
University of Moratuwa
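
The three-step check quoted in this thread (find the user's roles, examine each role's permissions, look for one matching the invoked function), extended with the experiment-level resource raised for casual users, as an added Python example that is not part of the thread and not Airavata or WSO2 IS code. Only the role names and `/scigap/thrift/executeExperiment` come from the thread; the grants, the tutorial resource path, the users and the experiment ids are assumptions constructed for illustration.

```python
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (action, resource), the shape used in the thread

EXECUTE_API = "/scigap/thrift/executeExperiment"   # path quoted in the thread
TUTORIALS = "/scigap/experiments/educational"      # hypothetical non-API resource

# Role names follow the list in the thread; the grants are assumptions.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "casual-user": frozenset({("execute", TUTORIALS)}),
    "gateway-user": frozenset({("execute", EXECUTE_API)}),
}

# Constructed sample assignments; a user may hold one or more roles.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"gateway-user"},
    "bob": {"casual-user"},
    "carol": {"retired-role"},   # role that has no grants at all
}

# Constructed catalogue: which experiments belong to the tutorial resource.
EXPERIMENT_RESOURCE: Dict[str, str] = {"tutorial-01": TUTORIALS}


def is_allowed(user: str, action: str, resource: str) -> bool:
    """Steps 1-3: user's roles -> each role's permissions -> exact match."""
    roles = USER_ROLES.get(user, set())            # unknown user: no roles
    return any((action, resource) in ROLE_PERMISSIONS.get(role, frozenset())
               for role in roles)                  # unknown role: no grants


def can_execute(user: str, experiment_id: str) -> bool:
    """An API-level grant covers every experiment; otherwise fall back to an
    experiment-level resource grant, which is all a casual user holds."""
    if is_allowed(user, "execute", EXECUTE_API):
        return True
    resource = EXPERIMENT_RESOURCE.get(experiment_id)
    return resource is not None and is_allowed(user, "execute", resource)


if __name__ == "__main__":
    for user, exp in [("alice", "prod-42"), ("bob", "tutorial-01"),
                      ("bob", "prod-42"), ("carol", "tutorial-01")]:
        print(user, exp, "ALLOW" if can_execute(user, exp) else "DENY")
```

Unknown users, roles without grants and experiments outside the catalogue all end in a denial, so a missing mapping never widens access.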
