On Jun 20, 2014, at 3:13 PM, Supun Nakandala <supun.nakand...@gmail.com> wrote:
> On Sat, Jun 21, 2014 at 12:11 AM, Reagan, David Michael <dmrea...@iu.edu> wrote:
>
> Thanks for the clarification, Supun. Let me see if I understand things correctly:
>
> - The gateway will authenticate with the userAPI using credentials stored in a config file (via adminLogin)
> - Once authenticated, the userAPI will replace the PHP-Reference-Gateway’s id_utilities interface for authenticating/adding/etc users
>
> So the gateway itself is an admin, but how can an individual user become an admin?
>
> When an admin user logs in to the gateway, how will the gateway know the user is an admin? Perhaps like this:
>
> - The user authenticates in the normal login page, and both authenticateUser and adminLogin functions are called.
>   o If authenticateUser returns true, the user is logged in (setting the username and logged_in session variables)
>   o If adminLogin returns the token, the user is logged in with admin privileges (probably by storing the token in a session variable). If no token is returned, the session variable remains null and the user is treated as a standard user.
>
> Does that sound correct?
>
> Yes this will work. But it has some drawbacks.
>
> -> In order for a user to do an admin login he should provide his username and also the tenant domain. For example in the PHP-Reference-Gateway the admin should use <adminusername>@phprg.scigap.org as the username. But for the authenticateUser only the username should be provided. This is because authenticateUser method is performed in the specific context of the logged in tenant admin
>
> -> This will work only if we want to distinguish admin users and non admin users.
>
> As per my understanding the most elegant way to solve this issue is to add the capability of creating user roles in the UserAPI. If so upon authenticating a user we can fetch the list of roles of that particular user and act accordingly. We can reserve the tenant admin user only to the gateway and use different roles such as gateway_admin, privileged_user, restricted_user for all other users who are using the gateway.
>
> What do you think?

+1. I was in the middle of typing the same reply. I think the notion of user roles and the API to query for them seems to be a good way to handle these use cases.

Suresh

> Dave
>
> From: Supun Nakandala [mailto:supun.nakand...@gmail.com]
> Sent: Friday, June 20, 2014 1:20 PM
> To: dev@airavata.apache.org
> Subject: Re: [GSoC] Status Update
>
> Hi Dave,
>
> I was planning to have a separate tenant for each gateway. For example PHP-Reference-Gateway has a separate tenant in the WSO2 IS. Each of these has a tenant admin (can have more than one). And gateways have to use the tenant admin credentials to use the UserAPI.
>
> The adminLogin and adminLogout functions are for the gateways to authenticate with the UserAPI using the given tenant admin credentials.
>
> After authenticating using the tenant admin credentials gateways can use the API to do the given operations. Standard users cannot log in to the UserAPI (only the tenant admin can login). But the gateways can authenticate users via the API given the user's username and password.
>
> If we need to distinguish different users separately we can create user groups and add users to groups. But I still have not added this functionality to the UserAPI.
>
> On Fri, Jun 20, 2014 at 8:17 PM, Reagan, David Michael <dmrea...@iu.edu> wrote:
>
> Hi, Supun. Are the adminLogin and adminLogout functions just for admin users? Can you explain a bit about how the ID server differentiates standard vs admin users, and how you think the gateway should be able to tell which kind of user a person is?
>
> Thanks,
> Dave
>
> From: Amila Jayasekara [mailto:thejaka.am...@gmail.com]
> Sent: Friday, June 20, 2014 9:31 AM
> To: dev
> Subject: Re: [GSoC] Status Update
>
> Nice !
>
> Thanks
> Amila
>
> On Fri, Jun 20, 2014 at 7:16 AM, Supun Nakandala <supun.nakand...@gmail.com> wrote:
>
> Hi All,
>
> I have added some php client sample code to the repository [1].
>
> Thank you
> Supun
>
> [1] - https://github.com/scnakandala/airavata-userapi/tree/master/clients/php-client
>
> On Wed, Jun 18, 2014 at 10:05 PM, Supun Nakandala <supun.nakand...@gmail.com> wrote:
>
> Hi All,
>
> During the last week I drafted a basic user api description for Airavata user management. You can find the thrift descriptor files at [1]. I have also implemented the server side code and hosted it in the same github repository. I did not try to come up with a complete list of user management requirements but rather implemented the most frequently required ones. As the requirements change I plan to modify the api iteratively. I would appreciate it if you can provide feedback on the drafted user management api.
>
> My next target is to implement a php client for this api and integrate it with the PHP-Reference-Gateway
>
> Thank you
> Supun
>
> [1] - https://github.com/scnakandala/airavata-userapi/blob/master/thrift-interface-descriptors/userAPI.thrift
>
> --
> Thank you
> Supun Nakandala
> Dept. Computer Science and Engineering
> University of Moratuwa
>
> --
> Thank you
> Supun Nakandala
> Dept. Computer Science and Engineering
> University of Moratuwa
>
> --
> Thank you
> Supun Nakandala
> Dept. Computer Science and Engineering
> University of Moratuwa
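
The role-based approach proposed in this thread, sketched as an added example (not code from the thread, the airavata-userapi repository or the PHP-Reference-Gateway). StubUserApi is a constructed in-memory stand-in for the UserAPI client; getUserRoles, the method signatures, the sample users and the tenant_admin role name are assumptions, while authenticateUser and the three gateway role names come from the messages above.

```php
<?php
// Added example. StubUserApi is a constructed in-memory stand-in for the
// UserAPI client: authenticateUser is named in the thread, getUserRoles is
// hypothetical (roles are only proposed there); both signatures are assumed.
final class StubUserApi {
    private array $users;
    public function __construct() {
        $this->users = [ // constructed sample users: [password hash, roles]
            'alice' => [password_hash('pw-a', PASSWORD_DEFAULT), ['gateway_admin']],
            'bob'   => [password_hash('pw-b', PASSWORD_DEFAULT), ['restricted_user', 'tenant_admin']],
        ];
    }
    public function authenticateUser(string $user, string $pass): bool {
        return isset($this->users[$user]) && password_verify($pass, $this->users[$user][0]);
    }
    public function getUserRoles(string $user): array {
        return $this->users[$user][1] ?? [];
    }
}

// Role names taken from the thread; anything else is ignored (deny by default).
const GATEWAY_ROLES = ['gateway_admin', 'privileged_user', 'restricted_user'];

// Returns the session data for a successful login, or null on failure.
// The tenant admin token the gateway obtained via adminLogin is not part of
// it: that credential stays in gateway-side state, never in a user session.
function loginUser(StubUserApi $api, string $user, string $pass): ?array {
    if (!$api->authenticateUser($user, $pass)) {
        return null;
    }
    $roles = array_values(array_intersect($api->getUserRoles($user), GATEWAY_ROLES));
    return ['username' => $user, 'logged_in' => true, 'roles' => $roles];
}

function hasRole(?array $session, string $role): bool {
    return $session !== null
        && ($session['logged_in'] ?? false) === true
        && in_array($role, $session['roles'], true);
}

$api = new StubUserApi();
$alice = loginUser($api, 'alice', 'pw-a');
$bob = loginUser($api, 'bob', 'pw-b');
$failed = loginUser($api, 'bob', 'wrong');
foreach (['alice' => $alice, 'bob' => $bob, 'failed login' => $failed] as $who => $s) {
    printf("%-12s admin=%s roles=%s\n", $who,
        var_export(hasRole($s, 'gateway_admin'), true), json_encode($s['roles'] ?? []));
}
```

Filtering against the fixed role list means a role string the gateway does not recognise, such as the constructed tenant_admin entry on bob, grants nothing.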