As per the meeting (Sanjiva, Shankar, Sumedha, Anjana, Miyuru, Seshika, Suho,
Nirmal, Nuwan):

We need APIM and the IoT Server to be able to publish events as the "system user",
but ask DAS to place the data under Ann's (the related user's) account.

We need devices to be able to *directly* send an event to DAS with an OAuth
token.

Following is the picture describing the full scenario:

[image: DASSecuirtyScenarios.png]
--Srinath

On Thu, Mar 24, 2016 at 9:38 AM, Srinath Perera <srin...@wso2.com> wrote:

> This thread described the authorization issue when reading data for
> gadgets (as I mentioned in the Dashboard Server product council).
>
> When the IoT server/API manager publishes events, it needs to tell DAS whose
> data it is (however, the server cannot log in as that user, as then it would
> need to keep passwords and also end up having to keep too many
> connections).
>
> A gadget, when requesting data, has to tell DAS on whose behalf it is
> requesting the data. DAS has to verify and show the visible data (also, the
> DAS data API needs to be secured so that random users cannot call it and look
> at other people's data).
>
> --Srinath
>
> On Sat, Mar 19, 2016 at 9:13 PM, Srinath Perera <srin...@wso2.com> wrote:
>
>> Yes, and Ann can also generate a token and share it with Smith, to send with
>> his requests.
>>
>> Also, IMO most Dashboard requests would come from a browser (on a
>> phone or PC), not from a simple device, so storing or locating the token
>> should not be a problem.
>>
>> On Fri, Mar 18, 2016 at 3:21 PM, Chathura Ekanayake <chath...@wso2.com>
>> wrote:
>>
>>>> I think we should go for a token-based approach (e.g. OAuth) to handle
>>>> these scenarios. Following are a few ideas:
>>>>
>>>>
>>>>    1. Using a token (Ann attesting that the system user can publish to/access
>>>>    this stream on her behalf), Ann lets the "system user" publish data into
>>>>    Ann's account.
>>>>
>>> If a device can store a token, Ann can generate a token with the necessary
>>> scope (to access Ann's event store) and store the token in the device
>>> itself. In that case, the device can send the token with each event, so that
>>> the IoT platform can decide permissions based on the token.
>>>
>>>
>>>>
>>>>    2. When we give user Smith access to a gadget, we generate a token,
>>>>    which he will send when he is accessing the gadget, and which the gadget
>>>>    will send to the DAS backend to get access to the correct tables.
>>>>
>>>>    3. The same token can be used for API access as well.
>>>>
>>>>    4. We need to manage the tokens issued to each user so this happens
>>>>    transparently to the end user as much as possible.
>>>>
>> --
>> ============================
>> Blog: http://srinathsview.blogspot.com twitter:@srinath_perera
>> Site: http://people.apache.org/~hemapani/
>> Photos: http://www.flickr.com/photos/hemapani/
>> Phone: 0772360902
>>

_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
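The token-based scheme discussed in this thread, as an added example that is not part of the thread or of any WSO2 product code: a small Python model of the two checks DAS would need. Tokens are HMAC-signed claim sets standing in for OAuth access tokens; the claim names (`owner`, `client`, `scope`, `exp`), the scope strings `publish:<stream>` and `read:<stream>`, the stream name `temperature`, the users Ann, Smith and Bob, and the signing key are all constructed for the example and assume nothing about the real DAS API.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between the token issuer (the identity server Ann
# authenticates to) and DAS; a real deployment would use the issuer's key.
ISSUER_KEY = b"constructed-issuer-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(owner, client, scopes, ttl=3600, now=None, key=ISSUER_KEY):
    """Ann (owner) delegates `scopes` on her event store to `client`.

    `client` is whoever will present the token: the APIM/IoT "system user",
    a device, or Smith's gadget. Ann's password never leaves Ann.
    """
    now = time.time() if now is None else now
    claims = {"owner": owner, "client": client,
              "scope": sorted(set(scopes)), "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token, now=None, key=ISSUER_KEY):
    """Check signature and expiry; return the claims or raise PermissionError."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not sep or not hmac.compare_digest(sig, expected):
        raise PermissionError("token signature invalid")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims


class EventStore:
    """Toy DAS: tables are keyed by (owner, stream), never by the caller."""

    def __init__(self):
        self.tables = {}

    def publish(self, token, stream, event, now=None):
        claims = verify_token(token, now)
        if "publish:" + stream not in claims["scope"]:
            raise PermissionError("token lacks publish scope for " + stream)
        # Data lands under the token's owner (Ann), whoever presented the token.
        rows = self.tables.setdefault((claims["owner"], stream), [])
        rows.append(dict(event, _published_by=claims["client"]))
        return claims["owner"]

    def read(self, token, stream, now=None):
        claims = verify_token(token, now)
        if "read:" + stream not in claims["scope"]:
            raise PermissionError("token lacks read scope for " + stream)
        # Only the owner's table is visible; other users' tables are unreachable.
        return [dict(r) for r in self.tables.get((claims["owner"], stream), [])]


def tamper(token, **changes):
    """Re-encode a token with altered claims but the original signature."""
    body, _, sig = token.partition(".")
    claims = json.loads(_unb64(body))
    claims.update(changes)
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig


def demo(now=1000.0):
    """Run the thread's scenarios; returns a dict of outcomes for inspection."""
    store = EventStore()
    system_user = issue_token("ann", "system-user", ["publish:temperature"], now=now)
    device = issue_token("ann", "device-42", ["publish:temperature"], now=now)
    smith = issue_token("ann", "smith", ["read:temperature"], now=now)
    bob = issue_token("bob", "bob", ["read:temperature", "publish:temperature"], now=now)

    def denied(fn):
        try:
            fn()
        except PermissionError as e:
            return str(e)
        return None

    out = {}
    out["apim_publish_lands_under"] = store.publish(system_user, "temperature", {"value": 21.5}, now=now + 1)
    out["device_publish_lands_under"] = store.publish(device, "temperature", {"value": 22.0}, now=now + 2)
    out["smith_reads"] = [r["value"] for r in store.read(smith, "temperature", now=now + 3)]
    out["bob_reads"] = store.read(bob, "temperature", now=now + 3)
    out["publish_token_cannot_read"] = denied(lambda: store.read(system_user, "temperature", now=now + 3))
    out["expired"] = denied(lambda: store.read(smith, "temperature", now=now + 3600))
    out["forged_owner"] = denied(lambda: store.read(tamper(bob, owner="ann"), "temperature", now=now + 3))
    return out
```

The point of keying tables by the token's `owner` rather than by the presenting `client` is that the APIM/IoT system user and a device both publish into Ann's account without ever holding Ann's credentials, Smith's read token (issued by Ann, owner `ann`) reaches exactly Ann's table, and Bob's own token, even with the owner claim rewritten, fails the signature check before any table is touched.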