My comments are inline.

On Apr 11, 2012, at 1:06 AM, Saminda Wijeratne wrote:

> Following is a result of a discussion last week on how we could use Apache
> Rave to manage Authentication for Airavata.
>
> There will be 2 servers. An Airavata server & a Rave portal hosted on 2
> Tomcat servers where each configured to trust the SSL certs of the other.
>

+1. These things are easy to do when we are close to production, but with development systems it's difficult as you don't want developers to deal with setup problems.

> Airavata Server will expose the Airavata API (under construction)
> Airavata API - has Airavata related tasks available for 3rd party clients
> (eg: registry access, workflow execution/monitoring etc.)
>
> Using Rave,
> Authentication for Airavata users (Airavata doesn't handle this yet)
> A portal for the XBaya web application

With Xbaya web as a PHP application we are introducing another web server. We need to do SSL trust store for these also. We need to block all other calls on the apache server.

> Rave exposes the same Airavata API but with authentication headers. 3rd party
> clients should use this instead of the API exposed in Airavata server. Once
> Rave performs proper authentication, the request is forwarded to the Airavata
> Client module.

Does this mean Airavata API's need to be deployed on the same server and all the service ERP's need to be exposed by Rave? My suggestion is to have 2 services in Rave: 1. Authenticate (which will create a token with a lifetime) and 2. Token validation service called by Airavata API to validate the token. We can discuss more on this and may need other services.

> The Airavata Client module (a controller in Rave) invokes the Airavata API in
> the Airavata Server. Airavata Server will only accept requests coming from
> this Rave instance.

It's better if we keep the Airavata API close to Airavata server to avoid SSL authentication and any jar versioning issues.

> After authentication, XBaya gadgets can also directly work with the Airavata
> Client to perform its tasks.

Xbaya gadget is a good idea and is going to help users to have a central service. We need to address how we will pass security tokens to the webserver hosting xbaya. I believe that server also needs user information to load user workflows from the registry.

>
> This is just a sketch of an idea. Any thoughts?
>

I liked the idea and let's work together to see where Rave needs to be extended. Another important thing to consider is Authorization.

> Note: the Airavata Server can be considered as the collection of following
> services
> GFac Service
> Workflow interpreter service
> XBaya Service
> msgbox service
> msgbroker service
>
> Thanks & Regards,
> Saminda

Thanks
Raminder
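
The two-service split suggested in the reply above (an authenticate call that issues a token with a lifetime, and a validation call made from the Airavata API side) can be sketched as follows. This is an added example, not code from the thread or from Apache Rave or Airavata. The class name `TokenService`, the helper `make_user`, the in-memory tables and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def make_user(password, salt=None):
    """Build a (salt, hash) record for the constructed user table."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class TokenService:
    """Hypothetical stand-in for the two services proposed for Rave."""

    def __init__(self, users, lifetime_s=300, clock=time.time):
        self._users = users        # username -> (salt, password hash)
        self._lifetime = lifetime_s
        self._clock = clock        # injectable so expiry can be tested
        self._tokens = {}          # sha256(token) -> (username, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a digest so a dump of the table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def authenticate(self, username, password):
        """Service 1: check credentials, return a token with a lifetime."""
        record = self._users.get(username)
        # Unknown users still cost one PBKDF2 run, which narrows the timing gap.
        salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if record is None or not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (username, self._clock() + self._lifetime)
        return token

    def validate(self, token):
        """Service 2: called by the API side; returns the username or None."""
        key = self._digest(token)
        username, expires_at = self._tokens.get(key, (None, 0))
        if username is None:
            return None
        if self._clock() >= expires_at:
            del self._tokens[key]  # expired tokens are dropped on first use
            return None
        return username
```

Because the token is opaque and only the issuing side can resolve it, the API server has to call `validate` on every request, which is the round trip the reply describes.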
