Does that mean a particular gateway can get experiment information of another
gateway?
If so, for a multi-tenant situation this needs to change.

Thanks
-Thejaka


On Sun, Dec 13, 2015 at 3:16 PM, Supun Nakandala <supun.nakand...@gmail.com>
wrote:

> Currently we send the gatewayId for the API method as a parameter. This is
> not sent to all API methods but only for the required ones such as
> createExperiment. But for other methods like getExperiment we don't require
> it, only the experimentId. So users can access other gateways' experiments if
> they know the experimentId.
>
> The idea is to make gatewayId a mandatory field in SecurityToken and
> validate it at the API security manager.
>
> On Sun, Dec 13, 2015 at 12:23 PM, Amila Jayasekara <
> thejaka.am...@gmail.com> wrote:
>
>>
>>
>> On Fri, Dec 11, 2015 at 10:17 PM, Supun Nakandala <
>> supun.nakand...@gmail.com> wrote:
>>
>>> Hi devs,
>>>
>>> Currently in the Airavata API we use the gatewayId only for some API
>>> methods like createExperiment, registerApplication etc. I would like to
>>> suggest that we move this field to SecurityToken and make it mandatory for
>>> all API methods. For API methods which require the gatewayId we can read
>>> it from there.
>>>
>>
>> So, currently how do other methods figure out on which gateway id the
>> operation should be performed?
>>
>> -Thejaka
>>
>>
>>>
>>> By making gatewayId a mandatory field in SecurityToken, in the API it is
>>> easy to implement access control to the API in a multi-tenanted scenario.
>>>
>>> Any concerns?
>>>
>>> Thanks
>>> Supun
>>>
>>
>>
>
>
> --
> Thank you
> Supun Nakandala
> Dept. Computer Science and Engineering
> University of Moratuwa
>
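
The lookup problem and the proposed check discussed in this thread, as an added example that is not part of the original messages and not Airavata's own code. The classes, field names, in-memory registry and sample IDs are hypothetical, and the token is assumed to have been authenticated before the check runs.

```java
import java.util.HashMap;
import java.util.Map;
// Hypothetical model for illustration; these are not Airavata's classes.
public class GatewayScopedLookup {
    static final class SecurityToken {
        final String userName, gatewayId;
        SecurityToken(String userName, String gatewayId) {
            this.userName = userName; this.gatewayId = gatewayId;
        }
    }
    static final class Experiment {
        final String experimentId, gatewayId;
        Experiment(String experimentId, String gatewayId) {
            this.experimentId = experimentId; this.gatewayId = gatewayId;
        }
    }
    static final Map<String, Experiment> REGISTRY = new HashMap<>();
    // Behaviour described in the thread: the experimentId alone selects the record.
    static Experiment getExperimentUnscoped(String experimentId) {
        return REGISTRY.get(experimentId);
    }

    // Proposed behaviour: gatewayId is mandatory in the token and must match the
    // record's owner. Assumes the token was already authenticated upstream, so its
    // gatewayId is server-verified rather than a value the caller can choose.
    static Experiment getExperiment(SecurityToken token, String experimentId) {
        if (token == null || token.gatewayId == null || token.gatewayId.isEmpty()) {
            throw new SecurityException("gatewayId is mandatory in SecurityToken");
        }
        Experiment e = REGISTRY.get(experimentId);
        // Same error for "missing" and "other gateway's", so IDs cannot be probed.
        if (e == null || !e.gatewayId.equals(token.gatewayId)) {
            throw new SecurityException("no such experiment for gateway " + token.gatewayId);
        }
        return e;
    }

    public static void main(String[] args) {
        REGISTRY.put("exp-001", new Experiment("exp-001", "gateway-a")); // constructed sample data
        SecurityToken other = new SecurityToken("bob", "gateway-b");
        System.out.println("unscoped: " + getExperimentUnscoped("exp-001").gatewayId);
        try {
            getExperiment(other, "exp-001");
        } catch (SecurityException ex) {
            System.out.println("scoped:   denied (" + ex.getMessage() + ")");
        }
        System.out.println("owner:    " + getExperiment(new SecurityToken("alice", "gateway-a"), "exp-001").experimentId);
    }
}
```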
