airavata-dev mailing list archives

From "Christie, Marcus Aaron" <machr...@iu.edu>
Subject Re: Problem with Keycloak converting usernames to lowercase
Date Wed, 14 Jun 2017 17:58:42 GMT
Kenneth,

Good point. But just to be clear I’m only proposing that the portal username and hence the
Airavata internal user id be lowercase.  Airavata also stores usernames for logging into remote
compute resources, etc., and I’m not proposing that we make those usernames lowercase. 
So Airavata should still be able to authenticate to and interoperate with external services
that allow for case sensitive usernames.  I expect we would do something similar for a jupyterhub
integration.


> On Jun 14, 2017, at 12:17 PM, K Yoshimoto <kenneth@sdsc.edu> wrote:
> 
> Requiring case-insensitive usernames might make it a bit
> more difficult for existing systems with case-sensitive
> usernames.  For example, I think jupyterhub servers can be
> set up to use unix usernames, which would be case-sensitive.
> 
> On Wed, Jun 14, 2017 at 10:18:52AM -0400, Suresh Marru wrote:
>> Hi Marcus,
>> 
>> Interesting problem. Your conclusion seems to be the right approach. 
>> 
>> + 1 for fixing the legacy data and also for employing lowercasing all the tables you identified.
>> 
>> Suresh
>> 
>>> On Jun 14, 2017, at 10:14 AM, Christie, Marcus Aaron <machrist@iu.edu> wrote:
>>> 
>>> Dev,
>>> 
>>> During testing integration with Keycloak, Eroma discovered several issues [1] [2] [3] [4]
>>> related to having a legacy username with mixed upper and lower case characters. WSO2 IS
>>> allowed users to have usernames with upper case characters.  However, Keycloak lowercases
>>> the username when a user is created so all usernames in Keycloak are lowercase.  This causes
>>> a problem when code compares a user’s logged in username with usernames in the Airavata
>>> database that have upper case characters.  For example, the PGA when trying to determine if
>>> the logged in user can write to a project gets all of the accessible users and compares the
>>> logged in username against the list of accessible usernames.
>>> 
>>> After some thought I’ve come around to thinking that Keycloak lowercasing usernames
>>> is a good idea. It could cause confusion and potential security issues to allow users to have
>>> case-sensitive usernames.  Two usernames could be identical except for case and it would
>>> be reasonable for users to assume that they represent the same user.
>>> 
>>> So I think Airavata and specifically the User Profile service should adopt the
>>> same policy and lowercase usernames.
>>> 
>>> For legacy data, to fix the issues Eroma encountered, we would need to do a one-time
>>> conversion of legacy usernames to lowercase.  This would involve:
>>> * lowercasing all usernames in Airavata database. See [5] for list of tables that would be affected
>>> * lowercase the user directory names in gateway user storage on the PGA servers
>>>  * likewise lowercase the user directory names in DATA_REPLICA_LOCATION
>>> 
>>> I’m open to any feedback.
>>> 
>>> Thanks,
>>> 
>>> Marcus
>>> 
>>> [1] https://issues.apache.org/jira/browse/AIRAVATA-2437
>>> [2] https://issues.apache.org/jira/browse/AIRAVATA-2438
>>> [3] https://issues.apache.org/jira/browse/AIRAVATA-2439
>>> [4] https://issues.apache.org/jira/browse/AIRAVATA-2440
>>> [5] https://issues.apache.org/jira/browse/AIRAVATA-2438?focusedCommentId=16049210&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16049210
>>> 
>>> 
>> 
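
A pre-flight check for the one-time lowercase conversion discussed in this thread, as an added example that is not part of the original messages or of Airavata's code: it plans the renames, flags legacy usernames that differ only by case (which would merge into one identity), and shows the project-access comparison with both sides normalized. The function names and sample usernames are hypothetical, and `str.lower()` is assumed to match the lowercasing Keycloak applies.

```python
from collections import defaultdict


def normalize(username):
    # Assumption: str.lower() stands in for the lowercasing Keycloak applies.
    return username.lower()


def plan_lowercase_migration(legacy_usernames):
    """Plan the one-time conversion without changing anything.

    Returns (renames, collisions):
      renames    {legacy name: lowercase name} for names that are safe to convert
      collisions {lowercase name: [legacy names]} where distinct legacy accounts
                 would merge into one identity and need a manual decision first
    """
    groups = defaultdict(set)
    for name in legacy_usernames:
        groups[normalize(name)].add(name)

    renames, collisions = {}, {}
    for lowered, originals in groups.items():
        if len(originals) > 1:
            collisions[lowered] = sorted(originals)
        else:
            (only,) = originals
            if only != lowered:
                renames[only] = lowered
    return renames, collisions


def can_write(logged_in_username, accessible_usernames):
    # Normalize both sides so a lowercase login still matches a legacy
    # mixed-case row until the conversion has run.
    wanted = normalize(logged_in_username)
    return any(normalize(u) == wanted for u in accessible_usernames)


# Constructed sample usernames, not taken from any real gateway.
LEGACY_USERNAMES = ["Alice", "bob", "JDoe", "jdoe", "CarolK"]

if __name__ == "__main__":
    renames, collisions = plan_lowercase_migration(LEGACY_USERNAMES)
    print("safe renames:", renames)
    print("collisions needing review:", collisions)
    print("exact match:", "alice" in ["Alice", "bob"])
    print("normalized match:", can_write("alice", ["Alice", "bob"]))
```

The same collision check applies to the user directory names before they are renamed, since two directories that differ only by case would otherwise end up sharing one path.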
