airavata-dev mailing list archives

From K Yoshimoto <kenn...@sdsc.edu>
Subject Re: Problem with Keycloak converting usernames to lowercase
Date Wed, 14 Jun 2017 16:17:28 GMT
 Requiring case-insensitive usernames might make it a bit
more difficult for existing systems with case-sensitive
usernames.  For example, I think jupyterhub servers can be
set up to use unix usernames, which would be case-sensitive.

On Wed, Jun 14, 2017 at 10:18:52AM -0400, Suresh Marru wrote:
> Hi Marcus,
> 
> Interesting problem. Your conclusion seems to be the right approach. 
> 
> + 1 for fixing the legacy data and also for employing lowercasing all the tables you identified.
> 
> Suresh
> 
> > On Jun 14, 2017, at 10:14 AM, Christie, Marcus Aaron <machrist@iu.edu> wrote:
> > 
> > Dev,
> > 
> > During testing integration with Keycloak, Eroma discovered several issues [1] [2] [3] [4] related to having a legacy username with mixed upper and lower case characters.  WSO2 IS allowed users to have usernames with upper case characters.  However, Keycloak lowercases the username when a user is created so all usernames in Keycloak are lowercase.  This causes a problem when code compares a user’s logged in username with usernames in the Airavata database that have upper case characters.  For example, the PGA when trying to determine if the logged in user can write to a project gets all of the accessible users and compares the logged in username against the list of accessible usernames.
> > 
> > After some thought I’ve come around to thinking that Keycloak lowercasing usernames is a good idea. It could cause confusion and potential security issues to allow users to have case-sensitive usernames.  Two usernames could be identical except for case and it would be reasonable for users to assume that they represent the same user.
> > 
> > So I think Airavata and specifically the User Profile service should adopt the same policy and lowercase usernames.
> > 
> > For legacy data, to fix the issues Eroma encountered, we would need to do a one-time conversion of legacy usernames to lowercase.  This would involve:
> > * lowercasing all usernames in Airavata database. See [5] for list of tables that would be affected
> > * lowercase the user directory names in gateway user storage on the PGA servers
> >   * likewise lowercase the user directory names in DATA_REPLICA_LOCATION
> > 
> > I’m open to any feedback.
> > 
> > Thanks,
> > 
> > Marcus
> > 
> > [1] https://issues.apache.org/jira/browse/AIRAVATA-2437
> > [2] https://issues.apache.org/jira/browse/AIRAVATA-2438
> > [3] https://issues.apache.org/jira/browse/AIRAVATA-2439
> > [4] https://issues.apache.org/jira/browse/AIRAVATA-2440
> > [5] https://issues.apache.org/jira/browse/AIRAVATA-2438?focusedCommentId=16049210&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16049210
> > 
> > 
> 
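
An added example, not part of the original thread and not Airavata or PGA code: a pre-flight check for the one-time lowercase conversion discussed above. It finds legacy usernames that differ only by case before any table rows or user directories are renamed, and shows a case-normalised form of the access comparison. The function names and sample usernames are hypothetical, and plain lower() is assumed to produce the same result as Keycloak's lowercasing for these names.

```python
from collections import defaultdict


def plan_lowercase_migration(usernames):
    """Plan a one-time lowercase conversion of legacy usernames.

    Returns (renames, collisions):
      renames    -- {legacy_name: lowercase_name} for names that change safely
      collisions -- {lowercase_name: [legacy names]} where two or more distinct
                    legacy names collapse to one value; renaming these blindly
                    would merge two accounts' records and storage directories.
    """
    groups = defaultdict(set)
    for name in usernames:
        # Assumption: str.lower() matches the identity provider's lowercasing.
        groups[name.lower()].add(name)

    renames, collisions = {}, {}
    for lowered, originals in groups.items():
        if len(originals) > 1:
            collisions[lowered] = sorted(originals)
        else:
            (only,) = originals
            if only != lowered:
                renames[only] = lowered
    return renames, collisions


def can_write(logged_in_username, accessible_usernames):
    """Membership check that normalises both sides before comparing."""
    wanted = logged_in_username.lower()
    return any(wanted == candidate.lower() for candidate in accessible_usernames)


# Constructed sample data standing in for usernames read from the database.
LEGACY_USERS = ["AliceSmith", "bob", "JDoe", "jdoe", "carol"]

if __name__ == "__main__":
    renames, collisions = plan_lowercase_migration(LEGACY_USERS)
    for old, new in sorted(renames.items()):
        print(f"rename  {old} -> {new}")
    for lowered, originals in sorted(collisions.items()):
        print(f"COLLISION on {lowered}: {originals} (resolve by hand first)")
    # An exact-match comparison fails for a legacy mixed-case entry:
    print("exact match:", "alicesmith" in ["AliceSmith", "bob"])
    print("normalised :", can_write("alicesmith", ["AliceSmith", "bob"]))
```

Colliding names are reported rather than renamed, so the same plan can drive both the database update and the directory renames once the collisions are resolved.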
