airavata-dev mailing list archives

From Suresh Marru <sma...@apache.org>
Subject Re: Removing IS admin username and password from config files in PGA
Date Fri, 08 May 2015 14:19:01 GMT
On May 8, 2015, at 8:39 AM, Supun Nakandala <supun.nakandala@gmail.com> wrote:
> 
> Hi Hasini,
> 
> The requirement was to remove admin credentials from the config files for security reasons and call the admin services only when the admin user logs in.
> 
Hi Supun, 

To clarify the use case: 

If a user (with non-admin role) logs in, then they should only be allowed to perform actions which are allowable by regular users.
If an admin logs in, they should be able to do all admin actions, including fetching user roles and so forth.

Currently, since we have admin credentials in config files, it allows the portal to do all admin actions as well. Of course we can restrict that well at the application layer, but it's a security hole. I think we should defer the authorization to the identity server.

Does this make sense? Are you seeing it differently, or do you have a different scenario in mind?

Suresh 
> Perhaps Suresh can provide more insight on the requirement.
> 
> On May 8, 2015 9:29 AM, "Hasini Gunasinghe" <hasi7786@gmail.com> wrote:
> Hi Supun,
> 
> Please find the answers inline.
> 
> On Wed, May 6, 2015 at 1:34 PM, Supun Nakandala <supun.nakandala@gmail.com> wrote:
> Hi All,
> 
> I was looking into the $subject and found some blockers.
> 
> Authenticating a user can be done using AuthenticationAdmin service in IS without requiring the tenant admin's credentials.
> 
> But in order to fetch the roles of the user (we need them in PGA) or create a new user account or update the current user's information we have to invoke the RemoteUserStoreManager service, and according to what I found this can only be invoked providing the tenant admin's credentials.
> 
> This is the expected behavior. You need to authenticate with the tenant admin's credentials in order to invoke such functions. What is your issue?
> 
> Thanks,
> Hasini.
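The two designs under discussion, as an added example that is not Airavata or PGA code: an in-memory stand-in for the identity server enforces the admin check, and the portal either holds the tenant admin's credentials in its config (the current setup) or forwards the logged-in user's own credentials so the IS decides. Service names follow the thread; the stub's methods, sample users and passwords are constructed.

```python
# Added example, not Airavata/PGA code: models the two portal designs from the thread with an
# in-memory identity-server stub in place of WSO2 IS. Only the authorization behaviour of the
# AuthenticationAdmin / RemoteUserStoreManager services is modelled, not their SOAP transport.
class AuthorizationError(Exception):
    """Raised when a non-admin caller invokes a user-store management operation."""

class IdentityServerStub:
    def __init__(self, users):
        self.users = users  # username -> (password, set of roles); constructed sample data
    def authenticate(self, username, password):
        """AuthenticationAdmin analogue: works for any user, no admin credentials needed."""
        rec = self.users.get(username)
        return rec is not None and rec[0] == password
    def get_role_list_of_user(self, caller, caller_pw, target):
        """RemoteUserStoreManager analogue: the IS itself checks that the caller is an admin."""
        if not self.authenticate(caller, caller_pw) or "admin" not in self.users[caller][1]:
            raise AuthorizationError(f"{caller!r} may not manage the user store")
        return sorted(self.users[target][1])

class PortalWithConfigCreds:
    """Weak design: admin credentials in the portal config, so any user's session can reach
    admin operations and only application-layer checks stand in the way."""
    def __init__(self, idp, config):
        self.idp, self.config = idp, config
    def fetch_roles(self, target):  # the logged-in user's own role is never consulted
        return self.idp.get_role_list_of_user(self.config["admin_user"], self.config["admin_pw"], target)

class PortalDeferringToIS:
    """Corrected design: no stored admin secret; the logged-in user's own credentials are
    forwarded (a simplification of a login session) and the identity server authorizes."""
    def __init__(self, idp):
        self.idp = idp
    def fetch_roles(self, session_user, session_pw, target):
        return self.idp.get_role_list_of_user(session_user, session_pw, target)

def demo():
    idp = IdentityServerStub({"admin": ("adm1n-pw", {"admin", "gateway-user"}),
                              "alice": ("alice-pw", {"gateway-user"})})  # constructed tenant
    weak = PortalWithConfigCreds(idp, {"admin_user": "admin", "admin_pw": "adm1n-pw"})
    safe = PortalDeferringToIS(idp)
    out = {"weak_alice_session": weak.fetch_roles("admin")}  # alice's session succeeds anyway
    try:
        safe.fetch_roles("alice", "alice-pw", "admin")
        out["safe_alice_session"] = "allowed"
    except AuthorizationError:
        out["safe_alice_session"] = "denied"
    out["safe_admin_session"] = safe.fetch_roles("admin", "adm1n-pw", "alice")
    return out
```

In the weak design the regular user's session lists the admin's roles because the portal's stored credentials do the work; in the corrected design the same request is refused by the identity server and only the admin's own session succeeds.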