airavata-dev mailing list archives

From Suresh Marru <sma...@apache.org>
Subject Re: Problem with Keycloak converting usernames to lowercase
Date Wed, 14 Jun 2017 14:18:52 GMT
Hi Marcus,

Interesting problem. Your conclusion seems to be the right approach. 

+1 for fixing the legacy data and also for employing lowercasing on all the tables you identified.

Suresh

> On Jun 14, 2017, at 10:14 AM, Christie, Marcus Aaron <machrist@iu.edu> wrote:
> 
> Dev,
> 
> During testing integration with Keycloak, Eroma discovered several issues [1] [2] [3] [4] related to having a legacy username with mixed upper and lower case characters.  WSO2 IS allowed users to have usernames with upper case characters.  However, Keycloak lowercases the username when a user is created so all usernames in Keycloak are lowercase.  This causes a problem when code compares a user’s logged in username with usernames in the Airavata database that have upper case characters.  For example, the PGA when trying to determine if the logged in user can write to a project gets all of the accessible users and compares the logged in username against the list of accessible usernames.
> 
> After some thought I’ve come around to thinking that Keycloak lowercasing usernames is a good idea. It could cause confusion and potential security issues to allow users to have case-sensitive usernames.  Two usernames could be identical except for case and it would be reasonable for users to assume that they represent the same user.
> 
> So I think Airavata and specifically the User Profile service should adopt the same policy and lowercase usernames.
> 
> For legacy data, to fix the issues Eroma encountered, we would need to do a one-time conversion of legacy usernames to lowercase.  This would involve:
> * lowercasing all usernames in Airavata database. See [5] for list of tables that would be affected
> * lowercase the user directory names in gateway user storage on the PGA servers
>   * likewise lowercase the user directory names in DATA_REPLICA_LOCATION
> 
> I’m open to any feedback.
> 
> Thanks,
> 
> Marcus
> 
> [1] https://issues.apache.org/jira/browse/AIRAVATA-2437
> [2] https://issues.apache.org/jira/browse/AIRAVATA-2438
> [3] https://issues.apache.org/jira/browse/AIRAVATA-2439
> [4] https://issues.apache.org/jira/browse/AIRAVATA-2440
> [5] https://issues.apache.org/jira/browse/AIRAVATA-2438?focusedCommentId=16049210&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16049210
> 
> 
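
An added example, not part of the original thread or of Airavata's code: a pre-flight check for the one-time conversion discussed above that separates legacy usernames that can be lowercased safely from those that would collide once case is ignored, then renames per-user directories without overwriting an existing one. The function names, sample usernames and directory layout are assumptions, and Python's `str.lower()` stands in for Keycloak's lowercasing.

```python
import os
import tempfile
from collections import defaultdict

def plan_lowercase_migration(usernames):
    """Return (renames, collisions) for a one-time lowercase conversion."""
    groups = defaultdict(set)
    for name in usernames:
        groups[name.lower()].add(name)
    renames, collisions = {}, {}
    for lowered, originals in groups.items():
        if len(originals) > 1:
            # Distinct legacy accounts would merge into one identity: review by hand.
            collisions[lowered] = sorted(originals)
        elif lowered not in originals:
            renames[next(iter(originals))] = lowered
    return renames, collisions

def rename_user_dirs(storage_root, renames, dry_run=True):
    """Rename per-user directories; never overwrite a different existing one."""
    moved, skipped = [], []
    for old, new in sorted(renames.items()):
        src = os.path.join(storage_root, old)
        dst = os.path.join(storage_root, new)
        if not os.path.isdir(src):
            continue  # user has no directory in this storage root
        if os.path.exists(dst) and not os.path.samefile(src, dst):
            skipped.append(old)  # merging two directories is a manual decision
            continue
        if not dry_run:
            os.rename(src, dst)
        moved.append((old, new))
    return moved, skipped

if __name__ == "__main__":
    legacy = ["Eroma", "marcus", "JDoe", "jdoe"]  # constructed sample usernames
    renames, collisions = plan_lowercase_migration(legacy)
    print("safe renames:", renames)
    print("collisions needing review:", collisions)
    with tempfile.TemporaryDirectory() as root:  # stand-in for a user storage root
        for name in legacy:
            os.makedirs(os.path.join(root, name), exist_ok=True)
        print(rename_user_dirs(root, renames, dry_run=False))
```

Running the collision check before touching the database or the storage directories keeps two legacy accounts that differ only by case from being silently merged into one identity.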

