On Fri, Nov 23, 2012 at 11:55 AM, Amila Jayasekara <[email protected]> wrote:

> Hi All,
>
> I encountered a few more questions while incorporating gateway id into
> incoming requests.
>
> 1. Currently our data model has the concept of gateway id but we don't
> have a process to register gateways. So how should we proceed with
> implementing gateway registration?
>
> Some options are:
> a. Provide a web interface within the Airavata webapp to do the registration
> b. Provide an API method to do the registration (as Saminda suggested)
>

Right now we are not exposing the notion of a gateway to the user through
XBaya. We recently introduced passing the gateway id when initiating an
Airavata API object. Therefore I think it's ok to allow API functionality
to manage gateways at first before updating client applications, since
they anyway do not need to be aware of it yet.

>
> 2. Multiple gateways are needed if we are hosting a multi-tenanted
> (sort of) system. Still there are a lot of use cases which need
> "stand-alone" Airavata instances. So is it ok to have a gateway
> called "defaultGateway"? The default gateway will come with the
> distribution and will be there in all Airavata installations. The local
> user store will be associated with the "defaultGateway".
>

Yes... Right now it is called "default".

>
> 3. In the previous mail we discussed having DNS-like names for
> gateways. So what is the preferred DNS-like name for the default gateway?
> (If we decide to have a default gateway.)
>

But I like the format of the gateway id suggested in an earlier mail by
Amila such as "some-gateway-id.some-domain.some-tld". In fact this can be
any string (which avoids special characters). However, whether any format
would look nice in the "username@gateway-id" format is questionable.

>
> 4. Still we do not have the notion of roles in Airavata. Therefore to
> manage the local user store I am using a special user name called "admin".
> He has privileges to add/delete users from the local user store. With the
> gateway concept we might need to introduce an "admin" sort of user
> for each gateway. This will be cleaner if we can introduce a couple
> of roles at this point. At least an admin role and a non-admin role.
>

Yep... definitely +1... I think this itself deserves a separate mail thread.

Saminda

>
> Appreciate your feedback on the above questions.
>
> Thanks
> Amila
>
>
> On Thu, Nov 22, 2012 at 4:32 PM, Suresh Marru <[email protected]> wrote:
> > On Nov 22, 2012, at 4:10 PM, Amila Jayasekara <[email protected]> wrote:
> >
> >> Hi Suresh,
> >>
> >> How should we associate gateway id with user id if the user store resides
> >> outside of Airavata?
> >>
> >> Is it ok to assume that a gateway id is associated with a single
> >> external user store? In that case we can associate gateway id with
> >> the user store configuration.
> >
> > Hi Amila,
> >
> > Yes, this sounds reasonable, right? Since we are assuming gateways do the
> > authorization and send user identity to Airavata, I think it's safe to
> > assume each gateway has one user store. Gateways might support OpenID,
> > InCommon-like federated identities, but in the end the gateway/portal has
> > to keep the mapping. These assumptions might change as we see more use
> > cases, but as of now, these seem to suffice.
> >
> > Cheers,
> > Suresh
> >
> >>
> >> Thanks
> >> Amila
> >>
> >> On Thu, Nov 22, 2012 at 2:26 PM, Suresh Marru <[email protected]> wrote:
> >>> On Nov 22, 2012, at 1:10 PM, Amila Jayasekara <[email protected]> wrote:
> >>>
> >>>> Hi Suresh,
> >>>>
> >>>> I do prefer gateway DNS name formats such as "gateway.airavata.org"
> >>>> (due to their simplicity compared to entity ids).
> >>>
> >>> I did not pay attention to the SAML requirements for entity ids as
> >>> discussed in the links I sent earlier. But if it doesn't matter, I am +1
> >>> for using "gateway.airavata.org"; this looks much more elegant.
> >>>
> >>> Suresh
> >>>
> >>>> But in either case
> >>>> there won't be any changes to the logic we are doing at the authentication
> >>>> stage. Maybe we need to investigate further to figure out what is most
> >>>> appropriate as a gateway id.
> >>>>
> >>>> Thanks
> >>>> Amila
> >>>>
> >>>> On Thu, Nov 22, 2012 at 12:41 PM, Suresh Marru <[email protected]> wrote:
> >>>>> On Nov 22, 2012, at 12:25 PM, Amila Jayasekara <[email protected]> wrote:
> >>>>>
> >>>>>> Hi All,
> >>>>>>
> >>>>>> We need to send the gateway name together with the user name for
> >>>>>> authentication at the Airavata service level. We are thinking of using
> >>>>>> the following syntax for this:
> >>>>>>
> >>>>>> username@gatewayId
> >>>>>>
> >>>>>> So "@" will be a separator for gateway id and user name. In addition
> >>>>>> we do authentication based on the gateway id. I am planning to
> >>>>>> incorporate this change into the existing security implementation. If you
> >>>>>> have any objections/feedback please let us know.
> >>>>>
> >>>>> Hi Amila,
> >>>>>
> >>>>> Yes, this sounds fine to me. But it will work under the assumption of
> >>>>> the gateway id being unique. Maybe we can maintain a wiki page with registered
> >>>>> gateway ids. Can you please refer to [1], which discusses these issues of
> >>>>> mapping end users to gateway identifiers.
> >>>>>
> >>>>> If you refer to the examples at [2], are you proposing to create Entity
> >>>>> IDs or Gateway DNS Domains in the format gateway.airavata.org?
> >>>>>
> >>>>> Cheers,
> >>>>> Suresh
> >>>>>
> >>>>> [1] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
> >>>>> [2] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
> >>>>>
> >>>>>
> >>>
> >
>
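The thread settles on "username@gatewayId" as the wire syntax, a DNS-like gateway id, a shipped gateway called "default", and the assumption that gateway ids are unique. The following is an added illustration of those rules, not code from the thread or from Airavata: `GatewayRegistry`, `split_principal` and the label regex are hypothetical, and the fallback to the default gateway when no "@" is present is an assumption made here to cover the stand-alone case. It splits on the last "@" so an e-mail-style username does not get mistaken for a gateway id.

```python
import re

# Assumed DNS-like rule (not Airavata's own): labels of letters, digits and
# hyphens, no leading/trailing hyphen, joined by dots, 253 chars overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
GATEWAY_ID_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

DEFAULT_GATEWAY = "default"  # the id the thread says ships with every install


def is_valid_gateway_id(gateway_id: str) -> bool:
    """Reject special characters and malformed labels before registration."""
    return len(gateway_id) <= 253 and GATEWAY_ID_RE.fullmatch(gateway_id) is not None


class GatewayRegistry:
    """Hypothetical in-memory registry enforcing the uniqueness the thread relies on."""

    def __init__(self) -> None:
        self._ids = {DEFAULT_GATEWAY}

    def register(self, gateway_id: str) -> None:
        if not is_valid_gateway_id(gateway_id):
            raise ValueError(f"invalid gateway id: {gateway_id!r}")
        if gateway_id in self._ids:
            raise ValueError(f"gateway id already registered: {gateway_id!r}")
        self._ids.add(gateway_id)

    def is_registered(self, gateway_id: str) -> bool:
        return gateway_id in self._ids


def split_principal(principal: str, registry: GatewayRegistry) -> tuple[str, str]:
    """Split 'username@gatewayId' into (username, gateway_id).

    Splits on the LAST '@' so 'alice@example.org@default' yields the e-mail
    username intact. A principal with no '@' is assumed (here) to belong to
    the default gateway. Unknown gateways are rejected, never auto-created.
    """
    if "@" not in principal:
        user, gateway = principal, DEFAULT_GATEWAY
    else:
        user, _, gateway = principal.rpartition("@")
    if not user:
        raise ValueError("empty username")
    if not registry.is_registered(gateway):
        raise ValueError(f"unknown gateway: {gateway!r}")
    return user, gateway
```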
