airavata-dev mailing list archives

From Supun Nakandala <supun.nakand...@gmail.com>
Subject Re: Removing IS admin username and password from config files in PGA
Date Fri, 08 May 2015 14:48:04 GMT
Hi Suresh,

I understand the requirement. But according to my knowledge of IS there are
certain issues (Hasini can correct me). Consider the following use cases:

1. New user comes to PGA and tries to create a new user account - In this
case we have to invoke RemoteUserStoreManager service and that has to be done
by including tenant admin's credentials. Basically this API method can only
be invoked by admin.

2. Current user tries to update his profile - Same argument as above

3. Current user logs in to the system and we need to get the user's roles to
find out what capabilities the user has - For this, user authentication can
be done via AuthenticationAdmin without the admin credentials but to fetch
the user roles we need to invoke RemoteUserStoreManager service which again
needs admin credentials.

According to what I found the API methods exposed by the IS are all Admin
Services and they are designed to be invoked only by the Admin.

So given the above three use cases I think it is not possible to completely
remove admin rights from the PGA.


I don't know whether it is possible to grant fine-grained API-level access
to user roles. If that is possible we can create a new role 'portal_admin'
and grant access only to the service methods required by the web portal.

On Fri, May 8, 2015 at 7:49 PM, Suresh Marru <smarru@apache.org> wrote:

> On May 8, 2015, at 8:39 AM, Supun Nakandala <supun.nakandala@gmail.com>
> wrote:
>
>
> Hi Hasini,
>
> The requirement was to remove admin credentials from the config files for
> security reasons and call the admin services only when the admin user logs in.
>
> Hi Supun,
>
> To clarify the use case:
>
> If a user (with non-admin role) logs in, then they should only be allowed
> to perform actions which are allowable by regular users.
> If an admin logs in, they should be able to do all admin actions, including
> fetching user roles and so forth.
>
> Currently, since we have admin credentials in config files, it allows the
> portal to do all admin actions as well. Of course we can restrict that well
> at the application layer, but it's a security hole. I think we should defer
> the authorization to the identity server.
>
> Does this make sense? Are you seeing it differently, or do you have a
> different scenario in mind?
>
> Suresh
>
> Perhaps Suresh can provide more insight on the requirement.
> On May 8, 2015 9:29 AM, "Hasini Gunasinghe" <hasi7786@gmail.com> wrote:
>
>> Hi Supun,
>>
>> Please find the answers inline.
>>
>> On Wed, May 6, 2015 at 1:34 PM, Supun Nakandala <
>> supun.nakandala@gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I was looking into the $subject and found some blockers.
>>>
>>> Authenticating a user can be done using AuthenticationAdmin service in
>>> IS without requiring the tenant admin's credentials.
>>>
>>> But in order to fetch the roles of the user (we need them in PGA) or
>>> create a new user account or update current user's information we have to
>>> invoke RemoteUserStoreManager service and according to what I found this
>>> can only be invoked providing tenant admin's credentials.
>>>
>> This is the expected behavior. You need to authenticate with the
>> tenant admin's credentials, in order to invoke such functions. What is your
>> issue?
>>
>> Thanks,
>> Hasini.
>>
>
>


-- 
Thank you
Supun Nakandala
Dept. Computer Science and Engineering
University of Moratuwa
