Hi All,

I encountered a few more questions while incorporating the gateway id into incoming requests.

1. Currently our data model has the concept of a gateway id, but we don't have a process to register gateways. So how should we proceed with implementing gateway registration? Some options are:
   a. Provide a web interface within the Airavata webapp to do the registration
   b. Provide an API method to do the registration (as Saminda suggested)

2. Multiple gateways are needed if we are hosting a multi-tenanted (sort of) system. Still, there are a lot of use cases which need "stand-alone" Airavata instances. So is it ok to have a gateway called "defaultGateway"? The default gateway will come with the distribution and will be there in all Airavata installations. The local user store will be associated with the "defaultGateway".

3. In the previous mail we discussed having DNS-like names for gateways. So what is the preferred DNS-like name for the default gateway? (If we decide to have a default gateway.)

4. Still we do not have the notion of roles in Airavata. Therefore, to manage the local user store I am using a special user name called "admin". He has privileges to add/delete users from the local user store. With the gateway concept we might need to introduce an "admin" sort of user per each gateway. This will be cleaner if we can introduce a couple of roles at this point, at least an admin role and a non-admin role.

Appreciate your feedback on the above questions.

Thanks
Amila

On Thu, Nov 22, 2012 at 4:32 PM, Suresh Marru <[email protected]> wrote:
> On Nov 22, 2012, at 4:10 PM, Amila Jayasekara <[email protected]> wrote:
>
>> Hi Suresh,
>>
>> How should we associate a gateway id with a user id if the user store resides
>> outside of Airavata?
>>
>> Is it ok to assume that a gateway id is associated with a single
>> external user store? In that case we can associate the gateway id with
>> the user store configuration.
>
> Hi Amila,
>
> Yes, this sounds reasonable, right? Since we are assuming gateways do the
> authorization and send user identity to Airavata, I think it's safe to assume
> each gateway has one user store. Gateways might support OpenID, InCommon-
> like federated identities, but in the end the gateway/portal has to keep the
> mapping. These assumptions might change as we see more use cases, but as of
> now, these seem to suffice.
>
> Cheers,
> Suresh
>
>> Thanks
>> Amila
>>
>> On Thu, Nov 22, 2012 at 2:26 PM, Suresh Marru <[email protected]> wrote:
>>> On Nov 22, 2012, at 1:10 PM, Amila Jayasekara <[email protected]>
>>> wrote:
>>>
>>>> Hi Suresh,
>>>>
>>>> I do prefer gateway DNS name formats such as "gateway.airavata.org"
>>>> (due to their simplicity compared to entity ids).
>>>
>>> I did not pay attention to the SAML requirements for entity ids as
>>> discussed in the links I sent earlier. But if it doesn't matter, I am +1
>>> for using "gateway.airavata.org"; this looks much more elegant.
>>>
>>> Suresh
>>>
>>>> But in either case
>>>> there won't be any changes to the logic we are doing at the authentication
>>>> stage. Maybe we need to further investigate to figure out what is most
>>>> appropriate as a gateway id.
>>>>
>>>> Thanks
>>>> Amila
>>>>
>>>> On Thu, Nov 22, 2012 at 12:41 PM, Suresh Marru <[email protected]> wrote:
>>>>> On Nov 22, 2012, at 12:25 PM, Amila Jayasekara <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> We need to send the gateway name together with the user name for
>>>>>> authentication at the Airavata service level. We are thinking of using the
>>>>>> following syntax for this:
>>>>>>
>>>>>> username@gatewayId
>>>>>>
>>>>>> So "@" will be a separator for gateway id and user name. In addition
>>>>>> we do authentication based on the gateway id. I am planning to
>>>>>> incorporate this change into the existing security implementation. If you
>>>>>> have any objections/feedback please let us know.
>>>>>
>>>>> Hi Amila,
>>>>>
>>>>> Yes, this sounds fine to me. But it will work under the assumption of
>>>>> the gateway id being unique. Maybe we can maintain a wiki page with
>>>>> registered gateway ids. Can you please refer to [1], which discusses the
>>>>> issues of mapping end users with gateway identifiers.
>>>>>
>>>>> If you refer to the examples at [2], are you proposing to create Entity IDs
>>>>> or a Gateway DNS Domain in the format gateway.airavata.org?
>>>>>
>>>>> Cheers,
>>>>> Suresh
>>>>>
>>>>> [1] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
>>>>> [2] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
