Yes that is a possibility. But that will require a significant integration between those components and NextCloud. I don't know how flexible NextCloud will be. Maybe Karan can shed some insight.
On Wed, May 23, 2018 at 8:29 PM, Marru, Suresh <[email protected]> wrote:

> Hi Supun,
>
> Yes there is and I agree we need a complex authorization mechanism. My tentative thinking is to integrate with replica catalog and sharing service so we enforce data sharing at API level. Any other ideas?
>
> Suresh
>
> On May 23, 2018, at 10:26 PM, Supun Nakandala <[email protected]> wrote:
>
> @Karan, @Suresh
>
> Is there a plan to enable data sharing at the raw file level using NextCloud? If so we may need a more complex authorization mechanism.
>
> On Wed, May 23, 2018 at 3:07 PM, Kotabagi, Karan <[email protected]> wrote:
>
>> @Supun, @Suresh and Sudhakar,
>>
>> Thanks for your inputs, I will have more questions moving ahead.
>>
>> Regards
>>
>> Karan
>> ------------------------------
>> *From:* Supun Nakandala <[email protected]>
>> *Sent:* Wednesday, May 23, 2018 4:42 PM
>> *To:* Kotabagi, Karan
>> *Subject:* Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata
>>
>> Hi Karan,
>>
>> On Wed, May 23, 2018 at 9:34 AM, Kotabagi, Karan <[email protected]> wrote:
>>
>>> Hi Supun,
>>>
>>> I have followed the steps that Sachin gave and was able to configure the nextcloud with the keycloak server locally. The nextcloud interface will re-direct to the keycloak server to authenticate with the username and password.
>>>
>>> Since we have a file upload service code that will upload the file into the nextcloud without the keycloak authentication, I have the following few questions that I need your help with, with respect to the seagrid-rich client. We need to integrate this in such a way that the fileupload service will get authenticated with the keycloak server and then proceed to upload the file.
>>>
>>> 1> Is the seagrid-rich client currently configured to be authenticated with the keycloak server?
>>>
>>> Yes. In the login process seagrid client obtains an access token and it uses this access token as the password for the SFTP server. The SFTP server (Apache Mina implementation) verifies this access token from SFTP server end. https://github.com/SciGaP/airavata-file-manager/blob/master/src/main/java/org/apache/airavata/filemgr/AuthenticationMgr.java. You can do something similar in NextCloud. I hope NextCloud would support some form of pluggable authentication model (PAM).
>>>
>>> 2> I looked into the following code:
>>>
>>> https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/storage/GuiFileTask.java
>>>
>>> In this, the sftp session is getting authenticated with the oauth token.
>>>
>>> In the same way, is it possible to use the existing authentication mechanism to get the nextcloud authenticated? (by configuring the nextcloud login endpoint as the client in the existing keycloak server).
>>>
>>> The client should be the desktop client. Not the NextCloud server. NextCloud server will be the resource which has to enforce authentication and authorization using the access token.
>>>
>>> 3> The token is being received from the Airavata Manager at
>>>
>>> https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/airavata/AiravataManager.java
>>>
>>> and I believe the token is set during the initial login.
>>>
>>> Yes you are correct.
>>>
>>> Do you have any more of the details that I can look into to integrate the existing authentication mechanism in seagrid-rich client to login to the nextcloud server?
>>>
>>> Regards
>>>
>>> Karan
>>> ------------------------------
>>> *From:* Kotabagi, Karan <[email protected]>
>>> *Sent:* Saturday, May 19, 2018 11:03 AM
>>> *To:* Kariyattin, Sachin; Supun Nakandala
>>> *Cc:* Marru, Suresh; [email protected]
>>> *Subject:* Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata
>>>
>>> @Sachin, @Supun,
>>>
>>> Thanks for the information, I will look into the same.
>>>
>>> Regards
>>>
>>> Karan
>>> ------------------------------
>>> *From:* Supun Nakandala <[email protected]>
>>> *Sent:* Saturday, May 19, 2018 12:07 AM
>>> *To:* dev
>>> *Subject:* Re: Gsoc 2018 - Integration of the Nextcloud with Apache Airavata
>>>
>>> Hi Karan,
>>>
>>> In my opinion, the ideal approach to use in this scenario would be OAuth based authorization. KeyCloak supports OAuth and you can register a service provider and use that to give a prompt to the user to authorize the desktop client to communicate with the NextCloud server.
>>> After the user authorizes the client, KeyCloak will issue an access token which can be used on behalf of the user. NextCloud server will have to use this token and get it validated from the KeyCloak server to ensure the token bearer is authorized to access the NextCloud server.
>>>
>>> For obtaining this access token there are several grant flows in OAuth that you can use. Based on the type of the client and the level of security you can decide which grant flow to use.
>>>
>>> https://alexbilbie.com/guide-to-oauth-2-grants/ contains a good summary of OAuth grant flows. I think the implicit grant flow will be most appropriate in this scenario.
>>>
>>> [1] - https://scholarworks.iu.edu/dspace/bitstream/handle/2022/21092/airavata-security-escience16.pdf?sequence=1
>>>
>>> On Fri, May 18, 2018 at 8:55 PM, Sachin Kariyattin <[email protected]> wrote:
>>>
>>>> Hi Karan,
>>>>
>>>> The following wiki lists the basic steps to configure keycloak with NextCloud
>>>>
>>>> https://github.com/sachinkariyattin/NextCloud/wiki
>>>>
>>>> This can get you started
>>>>
>>>> On Fri, May 18, 2018 at 7:57 PM, Kotabagi, Karan <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I am working with the following Seagrid-rich client to replace the file upload mechanism with the next cloud instead of the SFTP.
>>>>>
>>>>> I have the different nextcloud API code set-up that uploads the file to the Nextcloud server that is set-up locally in Ubuntu. At present the password is hardcoded, so this should be authenticated with the help of keycloak as discussed with Suresh.
>>>>>
>>>>> I have discussed the things with Sachin and I have received some inputs to proceed with keycloak authentication and after that I can proceed to implement the same with the nextcloud API, after this is successful I need to integrate nextcloud API with the Seagrid-rich client.
>>>>>
>>>>> Further steps will also include to set-up Nextcloud in the existing file server and point the upload of the input files from the client to the same location where the existing files are saved (This needs to be further looked into with all the configurations).
>>>>>
>>>>> Any suggestions or inputs to proceed with the keycloak authentication mechanism to work instead of the password would be appreciated.
>>>>>
>>>>> Regards
>>>>>
>>>>> Karan
>>>>
>>>> --
>>>>
>>>> *Regards, Sachin Kariyattin*
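
The token-as-password check described in the thread above (the file server verifying the access token it receives in the password field, and acting as the resource that enforces authentication and authorization), as an added example that is not part of the thread or of the Airavata code base. It assumes an RFC 7662 style introspection response; `check_token_login`, `fake_introspect`, the audience `file-server` and the scope `files:write` are hypothetical names, and the sample responses are constructed.

```python
import time

# Hypothetical policy values, not taken from the thread.
EXPECTED_AUDIENCE = "file-server"   # assumed identifier of the file service
REQUIRED_SCOPE = "files:write"      # assumed scope name

def check_token_login(username, token, introspect, now=None):
    """Decide a login whose password field carries an OAuth access token.

    `introspect` is any callable that submits the token to the identity
    provider and returns the decoded RFC 7662 response as a dict.
    Returns (accepted, reason).
    """
    now = time.time() if now is None else now
    if not token:
        return False, "empty token"
    try:
        claims = introspect(token)
    except Exception:
        return False, "introspection failed"   # fail closed on provider errors
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return False, "token not active"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    # Bind the token to the account named in the login; otherwise any
    # valid token would open any user's files.
    if claims.get("username") != username:
        return False, "token belongs to another user"
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if EXPECTED_AUDIENCE not in audiences:
        return False, "wrong audience"
    if REQUIRED_SCOPE not in str(claims.get("scope", "")).split():
        return False, "missing scope"
    return True, "ok"

# Constructed introspection responses standing in for the identity provider.
SAMPLE_RESPONSES = {
    "tok-alice": {"active": True, "username": "alice", "exp": 2000,
                  "aud": "file-server", "scope": "openid files:write"},
    "tok-bob": {"active": True, "username": "bob", "exp": 2000,
                "aud": ["file-server"], "scope": "files:write"},
    "tok-old": {"active": True, "username": "alice", "exp": 500,
                "aud": "file-server", "scope": "files:write"},
    "tok-portal": {"active": True, "username": "alice", "exp": 2000,
                   "aud": ["portal"], "scope": "files:write"},
}

def fake_introspect(token):
    return SAMPLE_RESPONSES.get(token, {"active": False})
```

In a deployment, `introspect` would wrap an authenticated HTTPS call to the identity provider's introspection endpoint; the checks on the returned fields stay the same.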
