Bug #13368

closed

[API] Add "authorizations" table

Added by Tom Clegg over 6 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Normal
Assigned To: -
Category: API
Target version: -
Story points: -

Description

The login process needs to unambiguously map an authentication result ("caller authenticated as ") to a user account ("issue a token for zzzzz-tpzed-exampleuseruuid"). In the general case this is a many-to-many relationship. Currently the "identity_url" field in the users table only permits a one-to-one mapping.

A separate table should express the many-to-many relationship in order to support these situations:
  • a person has multiple Google accounts, all of which should provide access to the same Arvados account
  • a person can access multiple Arvados accounts without making additional Google accounts.

"authorizations" table:
  • uuid
  • user_uuid
  • method -- google, ldap, etc.
  • authenticator_id -- an identifier unique to this method
  • unique (user_uuid, method, authenticator_id)

Initially method will always be SSO provider (method="proxy", authenticator_id="https://sso.example.com/user/$sso_provided_uuid"?). When authentication mechanisms are implemented in Arvados proper, they will get their own methods.


Related issues

Related to Arvados - Feature #12626: [API] Merge user accounts (redirect=true case) (Resolved, Tom Clegg, 05/03/2018)

#1

Updated by Tom Clegg over 6 years ago

  • Description updated (diff)

#2

Updated by Tom Clegg over 6 years ago

  • Related to Feature #12626: [API] Merge user accounts (redirect=true case) added

#3

Updated by Tom Morris over 6 years ago

  • Target version set to To Be Groomed

#4

Updated by Peter Amstutz almost 5 years ago

  • Target version deleted (To Be Groomed)
  • Status changed from New to Closed