From: Min Chen
To: "dev@cloudstack.apache.org"
Subject: Re: [SHOW] Authentication refactoring
Date: Tue, 12 Aug 2014 20:52:14 +0000

Hi Rohit,

My
understanding is that you will do this on your feature branch "auth-refactor", then merge them after passing at least some CI automation tests. Today, I saw all these commits already in master:

10 hours ago  Rohit Yadav  DefaultLoginAPIAuthenticatorCmd: return userId as UUID
10 hours ago  Rohit Yadav  utils: fix pom.xml to have references for javax.servlet...
10 hours ago  Rohit Yadav  ApiServer: take UTF_8 and other static vars from HttpUtils
10 hours ago  Rohit Yadav  ApiServlet: use HttpUtils instead of class specific...
10 hours ago  Rohit Yadav  ApiResponseSerializer: Use HttpUtils instead of BaseCmd
10 hours ago  Rohit Yadav  BaseCmd: Use HttpUtils to have single source of static...
10 hours ago  Rohit Yadav  utils: refactor HTTP transport stuff to HttpUtils
10 hours ago  Rohit Yadav  ApiServletTest: Fix test, now login/logout have their...
10 hours ago  Rohit Yadav  APIAuthenticator: refactor signature of APIAuthenticato...
10 hours ago  Rohit Yadav  ApiServlet: move setting of response type up in the...
10 hours ago  Rohit Yadav  ApiXmlDocWriter: get rid of hardcoded login/logout...
10 hours ago  Rohit Yadav  ApiServlet: use the new and refactored authentication...
10 hours ago  Rohit Yadav  ApiXmlDocWriter: remove hardcoded login and logout...
10 hours ago  Rohit Yadav  ApiResponseSerializer: Skip extra boxing for Auth responses
10 hours ago  Rohit Yadav  response: add command response for login and logout...
10 hours ago  Rohit Yadav  APIAuthenticationManagerImpl: add the auth manager...
10 hours ago  Rohit Yadav  DefaultLoginAPIAuthenticatorCmd: Refactor and implement...
10 hours ago  Rohit Yadav  DefaultLogoutAPIAuthenticatorCmd: Refactor and implemen...
10 hours ago  Rohit Yadav  APIAuthenticationManager: Add Auth manager definition
10 hours ago  Rohit Yadav  APIAuthenticationType: Add auth enum type, login or...
10 hours ago  Rohit Yadav  APIAuthenticator: Add interface definition for the...
10 hours ago  Rohit Yadav  saml2: add opensaml as dependency
10 hours ago  Rohit Yadav  commands.properties: add login,logout,samlsso,samlslo...
10 hours ago  Rohit Yadav  ApiErrorCode: Add API error code 401, 405
10 hours ago  Rohit Yadav  ApiConstants: add Api constant registered
10 hours ago  Rohit Yadav  saml2: add spring security saml2 extension 1.0.0.RELEASE
10 hours ago  Rohit Yadav  client: add saml2 plugin dependency on client artifact
10 hours ago  Rohit Yadav  CLOUDSTACK-7083: Add SAML2 SSO plugin skeleton and...

Are these commits related to the refactor you are talking about here? Why are they not going through some merge request?

Thanks
-min

On 8/12/14 2:10 AM, "Rohit Yadav" wrote:

>This was done:
>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Authentication+Refactoring
>
>This is the branch:
>https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=refs/heads/auth-refactor
>
>Updates:
>- Every auth mechanism is now implemented as an APICommand, but these are
>special APIs that are not allowed to execute, i.e. the execute() method
>returns with an error
>- Existing tests were fixed
>- We no longer need to hardcode login/logout for doc generation etc.
>- Api discovery now has login/logout docs etc. as well
>- Since these APIs are tightly coupled with cloud-server artifact, except
>for responses all the interface definitions etc. are within cloud-server
>- This allows for implementation of other login mechanisms such as saml,
>oauth, something-custom etc., though implementing it as a plugin is still
>tricky now
>
>I've tested UI and cloudmonkey on port 8080 and 8096, with apikey/secret
>keys but would welcome help around this area from anyone. I'll merge the
>branch later this week if no one objects.
>
>Cheers.
>
>On 12-Aug-2014, at 5:50 am, Rohit Yadav wrote:
>
>> Hi,
>>
>> The way we handle login and logout is hardcoded and since there is no
>>APICommand/BaseCmd implementation the apidoc, apidiscovery and others
>>don't discover these apis. For supporting SAML as an authentication
>>mechanism, I've refactored the Auth mechanism as a pluggable service
>>that loads with api-server artifact and both login and logout are now
>>implemented as pseudo BaseCmd classes.
>>
>> I call them pseudo because their execute() is never called, the
>>authentication guards in ApiServlet class make sure we call an
>>authenticate method of such classes. Since they are tightly coupled
>>with cloud-server's ApiServlet it only made sense to have the interface
>>definition and implementation within the same package/artifact as well.
>>This also solves the apidoc issue for login/logout and saml related auth
>>apis.
>>
>> I'll merge them after some time and continue working on saml stuff. Will
>>push the code in the branch "auth-refactor" in an hour for
>>review/testing now. This does not break anything and should not cause
>>any auth related issues for all existing clients.
>>
>> Any suggestions, feedback welcome! Refactoring was pretty
>>straightforward but I'll make sure to write a wiki page on this before
>>merging to master.
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +41 779015219 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>Regards,
>Rohit Yadav
>Software Architect, ShapeBlue
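
The guard pattern described in the quoted messages above, as an added example that is not part of the original thread and is not CloudStack code: a simplified Java model in which auth commands are registered like other API commands, their execute() always fails, and the servlet guard routes them to authenticate() before the normal session check. All type names, signatures, command names and credentials in it are hypothetical or constructed.

```java
import java.util.Map;

// Simplified model of the design described in the thread. Every type and
// signature here is hypothetical; this is not CloudStack's actual code.
public class AuthGuardSketch {

    interface Authenticator {
        String authenticate(Map<String, String> params);
    }

    // A "pseudo" command: discoverable like any other API command, but
    // execute() always fails so the generic dispatcher can never run it.
    static abstract class PseudoAuthCmd implements Authenticator {
        public final void execute() {
            throw new UnsupportedOperationException("use authenticate()");
        }
    }

    static class LoginCmd extends PseudoAuthCmd {
        @Override
        public String authenticate(Map<String, String> params) {
            // Constructed credential check standing in for a real verifier.
            boolean ok = "admin".equals(params.get("username"))
                && "constructed-secret".equals(params.get("password"));
            return ok ? "200 login ok" : "401 unable to verify credentials";
        }
    }

    // Registry consulted by the guard; a SAML plugin would add its own entries.
    static final Map<String, Authenticator> AUTHENTICATORS = Map.of("login", new LoginCmd());

    // Servlet guard: auth commands are answered here, everything else needs a session.
    static String handle(String command, Map<String, String> params, boolean hasSession) {
        Authenticator auth = command == null ? null : AUTHENTICATORS.get(command);
        if (auth != null) return auth.authenticate(params);
        if (!hasSession) return "401 unauthorized";
        return "200 dispatched " + command;
    }

    public static void main(String[] args) {
        Map<String, String> good = Map.of("username", "admin", "password", "constructed-secret");
        System.out.println(handle("login", good, false));
        System.out.println(handle("login", Map.of("username", "admin"), false));
        System.out.println(handle("someOtherApi", Map.of(), false));
        try { new LoginCmd().execute(); }
        catch (UnsupportedOperationException e) { System.out.println("execute() refused: " + e.getMessage()); }
    }
}
```

The point to check in a review of such a refactor is that the registry lookup is the only path on which an unauthenticated request is answered, and that execute() on an auth command cannot succeed through the generic dispatcher.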