Re: Removing IS admin username and password from config files in PGA

2015-05-13 Thread Hasini Gunasinghe
Hi Supun,

On Fri, May 8, 2015 at 10:48 AM, Supun Nakandala 
wrote:

> Hi Suresh,
>
> I understand the requirement. But according to my knowledge of IS there are
> certain issues (Hasini can correct me). Consider the following use cases:
>
> 1. New user comes to PGA and tries to create a new user account - In this
> case we have to invoke RemoteUserStoreManager service and that has to be done
> by including tenant admin's credentials. Basically this API method can only
> be invoked by admin.
>

There is a self-registration feature provided by IS which doesn't need
admin credentials to create user accounts when the users self register.

>
> 2. Current user tries to update his profile - Same argument as above
>

Same as above, there is a feature in IS which allows a user to update some of
the information in his/her own profile.
I cannot tell the service names and method names off the top of my head,
but you can find them out by trying out those features through IS.

>
> 3. Current user logs in to the system and we need to get the user's roles to
> find out what capabilities the user has - For this user authentication can
> be done via AuthenticationAdmin without the admin credentials but to fetch
> the user roles we need to invoke RemoteUserStoreManager service which again
> needs admin credentials.
>

Yes, fetching user's roles is an admin-only function, as far as I know.

Thanks,
Hasini.

>
> According to what I found the API methods exposed by the IS are all Admin
> Services and they are designed to be invoked only by the Admin.
>
> So given the above three use cases I think it is not possible to
> completely remove admin rights from the PGA.
>
>
> I don't know whether it is possible to grant fine-grained API level access
> to user roles. If that is possible we can create a new role 'portal_admin'
> and grant access only to the service methods required by the web portal.
>
> On Fri, May 8, 2015 at 7:49 PM, Suresh Marru  wrote:
>
>> On May 8, 2015, at 8:39 AM, Supun Nakandala 
>> wrote:
>>
>>
>> Hi Hasini,
>>
>> The requirement was to remove admin credentials from the config files for
>> security reasons and call the admin services only when the admin user logs in.
>>
>> Hi Supun,
>>
>> To clarify the use case:
>>
>> If a user (with non-admin role) logs in, then they should only be allowed
>> to perform actions which are allowable by regular users.
>> If an admin logs in, they should be able to do all admin actions, including
>> fetching user roles and so forth.
>>
>> Currently, since we have admin credentials in config files, it allows the
>> portal to do all admin actions as well. Of course we can restrict that well
>> at the application layer, but it's a security hole. I think we should defer
>> the authorization to the identity server.
>>
>> Does this make sense? Are you seeing it differently, or do you have a
>> different scenario in mind?
>>
>> Suresh
>>
>> Perhaps Suresh can provide more insight on the requirement.
>> On May 8, 2015 9:29 AM, "Hasini Gunasinghe"  wrote:
>>
>>> Hi Supun,
>>>
>>> Please find the answers inline.
>>>
>>> On Wed, May 6, 2015 at 1:34 PM, Supun Nakandala <
>>> supun.nakand...@gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I was looking into the $subject and found some blockers.
>>>>
>>>> Authenticating a user can be done using AuthenticationAdmin service in
>>>> IS without requiring the tenant admin's credentials.
>>>>
>>>> But in order to fetch the roles of the user (we need them in PGA) or
>>>> create a new user account or update current user's information we have to
>>>> invoke RemoteUserStoreManager service and according to what I found this
>>>> can only be invoked providing tenant admin's credentials.
>>>>
>>> This is the expected behavior. You need to authenticate with the
>>> tenant admin's credentials, in order to invoke such functions. What is your
>>> issue?
>>>
>>> Thanks,
>>> Hasini.
>>>
>>
>>
>
>
> --
> Thank you
> Supun Nakandala
> Dept. Computer Science and Engineering
> University of Moratuwa
>


Re: Removing IS admin username and password from config files in PGA

2015-05-08 Thread Supun Nakandala
Hi Suresh,

I understand the requirement. But according to my knowledge of IS there are
certain issues (Hasini can correct me). Consider the following use cases:

1. New user comes to PGA and tries to create a new user account - In this
case we have to invoke RemoteUserStoreManager service and that has to be done
by including tenant admin's credentials. Basically this API method can only
be invoked by admin.

2. Current user tries to update his profile - Same argument as above

3. Current user logs in to the system and we need to get the user's roles to
find out what capabilities the user has - For this user authentication can
be done via AuthenticationAdmin without the admin credentials but to fetch
the user roles we need to invoke RemoteUserStoreManager service which again
needs admin credentials.

According to what I found the API methods exposed by the IS are all Admin
Services and they are designed to be invoked only by the Admin.

So given the above three use cases I think it is not possible to completely
remove admin rights from the PGA.


I don't know whether it is possible to grant fine-grained API level access
to user roles. If that is possible we can create a new role 'portal_admin'
and grant access only to the service methods required by the web portal.

On Fri, May 8, 2015 at 7:49 PM, Suresh Marru  wrote:

> On May 8, 2015, at 8:39 AM, Supun Nakandala 
> wrote:
>
>
> Hi Hasini,
>
> The requirement was to remove admin credentials from the config files for
> security reasons and call the admin services only when the admin user logs in.
>
> Hi Supun,
>
> To clarify the use case:
>
> If a user (with non-admin role) logs in, then they should only be allowed
> to perform actions which are allowable by regular users.
> If an admin logs in, they should be able to do all admin actions, including
> fetching user roles and so forth.
>
> Currently, since we have admin credentials in config files, it allows the
> portal to do all admin actions as well. Of course we can restrict that well
> at the application layer, but it's a security hole. I think we should defer
> the authorization to the identity server.
>
> Does this make sense? Are you seeing it differently, or do you have a
> different scenario in mind?
>
> Suresh
>
> Perhaps Suresh can provide more insight on the requirement.
> On May 8, 2015 9:29 AM, "Hasini Gunasinghe"  wrote:
>
>> Hi Supun,
>>
>> Please find the answers inline.
>>
>> On Wed, May 6, 2015 at 1:34 PM, Supun Nakandala <
>> supun.nakand...@gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I was looking into the $subject and found some blockers.
>>>
>>> Authenticating a user can be done using AuthenticationAdmin service in
>>> IS without requiring the tenant admin's credentials.
>>>
>>> But in order to fetch the roles of the user (we need them in PGA) or
>>> create a new user account or update current user's information we have to
>>> invoke RemoteUserStoreManager service and according to what I found this
>>> can only be invoked providing tenant admin's credentials.
>>>
>> This is the expected behavior. You need to authenticate with the
>> tenant admin's credentials, in order to invoke such functions. What is your
>> issue?
>>
>> Thanks,
>> Hasini.
>>
>
>


-- 
Thank you
Supun Nakandala
Dept. Computer Science and Engineering
University of Moratuwa


Re: Removing IS admin username and password from config files in PGA

2015-05-08 Thread Suresh Marru
On May 8, 2015, at 8:39 AM, Supun Nakandala  wrote:
> 
> Hi Hasini,
> 
> The requirement was to remove admin credentials from the config files for 
> security reasons and call the admin services only when the admin user logs in.
> 
Hi Supun, 

To clarify the use case: 

If a user (with non-admin role) logs in, then they should only be allowed to 
perform actions which are allowable by regular users. 
If an admin logs in, they should be able to do all admin actions, including fetching
user roles and so forth.

Currently, since we have admin credentials in config files, it allows the 
portal to do all admin actions as well. Of course we can restrict that well at
the application layer, but it's a security hole. I think we should defer the
authorization to the identity server. 

Does this make sense? Are you seeing it differently, or do you have a different 
scenario in mind?

Suresh 
> Perhaps Suresh can provide more insight on the requirement.
> 
> On May 8, 2015 9:29 AM, "Hasini Gunasinghe" wrote:
> Hi Supun,
> 
> Please find the answers inline.
> 
> On Wed, May 6, 2015 at 1:34 PM, Supun Nakandala wrote:
> Hi All,
> 
> I was looking into the $subject and found some blockers.
> 
> Authenticating a user can be done using AuthenticationAdmin service in IS 
> without requiring the tenant admin's credentials.
> 
> But in order to fetch the roles of the user (we need them in PGA) or create a 
> new user account or update current user's information we have to invoke 
> RemoteUserStoreManager service and according to what I found this can only
> be invoked providing tenant admin's credentials.
> 
> This is the expected behavior. You need to authenticate with the tenant 
> admin's credentials, in order to invoke such functions. What is your issue?
> 
> Thanks,
> Hasini.
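
The trade-off discussed in this thread, as a toy model added to the archive (not code from PGA, IS, or any poster): with admin credentials in the portal config the identity server sees every request as admin, while forwarding the logged-in user's own session lets the server decide, at the cost that admin-only calls such as role lookup fail for regular users. The class, function and operation names, the accounts and the passwords are constructed for illustration.

```python
import hmac
import secrets

USERS = {"admin": {"password": "admin-pw", "roles": ["admin"]},   # constructed sample accounts
         "alice": {"password": "alice-pw", "roles": ["user"]}}

class Denied(Exception):
    """The identity server refused the request."""

class IdentityServer:
    def __init__(self, users):
        self.users, self.sessions = users, {}   # sessions: token -> user name

    def login(self, name, password):
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise Denied("authentication failed")
        token = secrets.token_hex(16)
        self.sessions[token] = name
        return token

    def invoke(self, token, op, target):
        caller = self.sessions.get(token)
        if caller is None:
            raise Denied("no valid session")
        is_admin = "admin" in self.users[caller]["roles"]
        # As stated in the thread: role lookup and user creation are admin-only,
        # while a regular user may update their own profile.
        own_profile = op == "update_profile" and target == caller
        if not (is_admin or own_profile):
            raise Denied(f"{caller} may not {op} on {target}")
        return caller   # the identity the server acted for

def portal_call(idp, user_token, op, target, admin_token=None):
    # A portal holding admin credentials from its config sends every request as admin.
    return idp.invoke(admin_token or user_token, op, target)

def compare(requests):
    out = {}
    for mode in ("config_admin", "delegated"):
        idp = IdentityServer(USERS)
        admin = idp.login("admin", "admin-pw") if mode == "config_admin" else None
        alice = idp.login("alice", "alice-pw")
        for op, target in requests:
            try:
                out[mode, op, target] = portal_call(idp, alice, op, target, admin)
            except Denied:
                out[mode, op, target] = "denied"
    return out
```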



Re: Removing IS admin username and password from config files in PGA

2015-05-08 Thread Supun Nakandala
Hi Hasini,

The requirement was to remove admin credentials from the config files for
security reasons and call the admin services only when the admin user logs in.

Perhaps Suresh can provide more insight on the requirement.
On May 8, 2015 9:29 AM, "Hasini Gunasinghe"  wrote:

> Hi Supun,
>
> Please find the answers inline.
>
> On Wed, May 6, 2015 at 1:34 PM, Supun Nakandala wrote:
>
>> Hi All,
>>
>> I was looking into the $subject and found some blockers.
>>
>> Authenticating a user can be done using AuthenticationAdmin service in IS
>> without requiring the tenant admin's credentials.
>>
>> But in order to fetch the roles of the user (we need them in PGA) or
>> create a new user account or update current user's information we have to
>> invoke RemoteUserStoreManager service and according to what I found this
>> can only be invoked providing tenant admin's credentials.
>>
> This is the expected behavior. You need to authenticate with the tenant
> admin's credentials, in order to invoke such functions. What is your issue?
>
> Thanks,
> Hasini.
>


Re: Removing IS admin username and password from config files in PGA

2015-05-07 Thread Hasini Gunasinghe
Hi Supun,

Please find the answers inline.

On Wed, May 6, 2015 at 1:34 PM, Supun Nakandala 
wrote:

> Hi All,
>
> I was looking into the $subject and found some blockers.
>
> Authenticating a user can be done using AuthenticationAdmin service in IS
> without requiring the tenant admin's credentials.
>
> But in order to fetch the roles of the user (we need them in PGA) or
> create a new user account or update current user's information we have to
> invoke RemoteUserStoreManager service and according to what I found this
> can only be invoked providing tenant admin's credentials.
>

This is the expected behavior. You need to authenticate with the tenant
admin's credentials, in order to invoke such functions. What is your issue?

Thanks,
Hasini.


Removing IS admin username and password from config files in PGA

2015-05-06 Thread Supun Nakandala
Hi All,

I was looking into the $subject and found some blockers.

Authenticating a user can be done using AuthenticationAdmin service in IS
without requiring the tenant admin's credentials.

But in order to fetch the roles of the user (we need them in PGA) or create
a new user account or update current user's information we have to invoke
RemoteUserStoreManager service and according to what I found this can only
be invoked providing tenant admin's credentials.