airavata-dev mailing list archives

From Hasini Gunasinghe <hasi7...@gmail.com>
Subject Re: Removing IS admin username and password from config files in PGA
Date Wed, 13 May 2015 18:05:35 GMT
Hi Supun,

On Fri, May 8, 2015 at 10:48 AM, Supun Nakandala <supun.nakandala@gmail.com>
wrote:

> Hi Suresh,
>
> I understand the requirement. But according to my knowledge on IS there are
> certain issues (Hasini can correct me). Consider the following use cases
>
> 1. New user comes to PGA and tries to create a new user account - In this
> case we have to invoke RemoteUserStoreManager service and that has to be done
> by including tenant admin's credentials. Basically this API method can only
> be invoked by admin.
>

There is a self-registration feature provided by IS which doesn't need
admin credentials to create user accounts when the users self register.

>
> 2. Current user tries to update his profile - Same argument as above
>

Same as above, there is a feature in IS which allows a user to update some of
the information in his/her own profile.
I cannot tell the service names and method names off the top of my head,
but you can find them out by trying out those features through IS.

>
> 3. Current user logs in to the system and we need to get the user's roles to
> find out what capabilities the user has - For this user authentication can
> be done via AuthenticationAdmin without the admin credentials but to fetch
> the user roles we need to invoke RemoteUserStoreManager service which again
> needs admin credentials.
>

Yes, fetching user's roles is an admin-only function, as far as I know.

Thanks,
Hasini.

>
> According to what I found the API methods exposed by the IS are all Admin
> Services and they are designed to be invoked only by the Admin.
>
> So given the above three use cases I think it is not possible to
> completely remove admin rights from the PGA.
>
>
> I don't know whether it is possible to grant fine grained API level access
> to user roles. If that is possible we can create a new role 'portal_admin'
> and grant access only to the service methods required by the web portal.
>
> On Fri, May 8, 2015 at 7:49 PM, Suresh Marru <smarru@apache.org> wrote:
>
>> On May 8, 2015, at 8:39 AM, Supun Nakandala <supun.nakandala@gmail.com>
>> wrote:
>>
>>
>> Hi Hasini,
>>
>> The requirement was to remove admin credentials from the config files for
>> security reasons and call the admin services only when the admin user logs in.
>>
>> Hi Supun,
>>
>> To clarify the use case:
>>
>> If a user (with non-admin role) logs in, then they should only be allowed
>> to perform actions which are allowable by regular users.
>> If an admin logs in, they should be able to do all admin actions, including
>> fetching user roles and so forth.
>>
>> Currently, since we have admin credentials in config files, it allows the
>> portal to do all admin actions as well. Of course we can restrict that well
>> at the application layer, but it's a security hole. I think we should defer
>> the authorization to the identity server.
>>
>> Does this make sense? Are you seeing it differently, or do you have a
>> different scenario in mind?
>>
>> Suresh
>>
>> Perhaps Suresh can provide more insight on the requirement.
>> On May 8, 2015 9:29 AM, "Hasini Gunasinghe" <hasi7786@gmail.com> wrote:
>>
>>> Hi Supun,
>>>
>>> Please find the answers inline.
>>>
>>> On Wed, May 6, 2015 at 1:34 PM, Supun Nakandala <
>>> supun.nakandala@gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I was looking into the $subject and found some blockers.
>>>>
>>>> Authenticating a user can be done using AuthenticationAdmin service in
>>>> IS without requiring the tenant admin's credentials.
>>>>
>>>> But in order to fetch the roles of the user (we need them in PGA) or
>>>> create a new user account or update current user's information we have to
>>>> invoke RemoteUserStoreManager service and according to what I found this
>>>> can only be invoked providing tenant admin's credentials.
>>>>
>>> This is the expected behavior. You need to authenticate with the
>>> tenant admin's credentials, in order to invoke such functions. What is your
>>> issue?
>>>
>>> Thanks,
>>> Hasini.
>>>
>>
>>
>
>
> --
> Thank you
> Supun Nakandala
> Dept. Computer Science and Engineering
> University of Moratuwa
>
