airavata-dev mailing list archives

From "Christie, Marcus Aaron" <>
Subject Problem with Keycloak converting usernames to lowercase
Date Wed, 14 Jun 2017 14:14:51 GMT

During testing integration with Keycloak, Eroma discovered several issues [1] [2] [3] [4]
related to having a legacy username with mixed upper and lower case characters.  WSO2 IS allowed
users to have usernames with upper case characters.  However, Keycloak lowercases the username
when a user is created so all usernames in Keycloak are lowercase.  This causes a problem
when code compares a user’s logged in username with usernames in the Airavata database that
have upper case characters.  For example, the PGA when trying to determine if the logged in
user can write to a project gets all of the accessible users and compares the logged in username
against the list of accessible usernames.

After some thought I’ve come around to thinking that Keycloak lowercasing usernames is a
good idea. It could cause confusion and potential security issues to allow users to have case-sensitive
usernames.  Two usernames could be identical except for case and it would be reasonable for
users to assume that they represent the same user.

So I think Airavata and specifically the User Profile service should adopt the same policy
and lowercase usernames.

For legacy data, to fix the issues Eroma encountered, we would need to do a one-time conversion
of legacy usernames to lowercase.  This would involve:
* lowercasing all usernames in Airavata database. See [5] for list of tables that would be
* lowercase the user directory names in gateway user storage on the PGA servers
  * likewise lowercase the user directory names in DATA_REPLICA_LOCATION

I’m open to any feedback.
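
A pre-migration check for the one-time conversion described in this message, as an added example that is not part of the original email or of Airavata's code: it finds legacy usernames that would collide once lowercased and plans the user directory renames around them. The function names and sample data are constructed for illustration, and Python's `str.lower()` is assumed to match Keycloak's lowercasing for these usernames.

```python
from collections import defaultdict

def plan_username_lowercasing(usernames):
    """Return (renames, collisions) for a one-time lowercase conversion.

    renames:    {legacy_name: lowercase_name} where the result is unique
    collisions: {lowercase_name: [legacy names]} where several distinct
                legacy names fold to one username; resolve these by hand
    """
    groups = defaultdict(set)
    for name in usernames:
        groups[name.lower()].add(name)
    renames, collisions = {}, {}
    for lowered, originals in groups.items():
        if len(originals) > 1:
            collisions[lowered] = sorted(originals)
        elif lowered not in originals:
            renames[next(iter(originals))] = lowered
    return renames, collisions

def plan_directory_renames(dir_names, renames):
    """Return (safe, review) for per-user storage directories.

    A directory is renamed only if its owner has a collision-free rename
    and no directory with the lowercase name already exists on disk.
    """
    existing = set(dir_names)
    safe, review = [], []
    for d in sorted(existing):
        target = d.lower()
        if target == d:
            continue
        if d in renames and target not in existing:
            safe.append((d, target))
        else:
            review.append(d)
    return safe, review

# Constructed sample data, not taken from any Airavata deployment.
SAMPLE_USERS = ["JSmith", "jsmith", "MChristie", "eroma", "Admin"]
SAMPLE_DIRS = ["JSmith", "jsmith", "MChristie", "eroma", "Admin", "admin"]

if __name__ == "__main__":
    renames, collisions = plan_username_lowercasing(SAMPLE_USERS)
    safe, review = plan_directory_renames(SAMPLE_DIRS, renames)
    print("rename users:", renames)
    print("colliding usernames:", collisions)
    print("rename dirs:", safe)
    print("dirs needing review:", review)
```

Colliding usernames and directories flagged for review are left untouched so that one user's data is never merged into another's by the conversion.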



