Idea #15529
closed
[API] [Controller] Share user account database with a group of trusted clusters
Added by Peter Amstutz over 5 years ago.
Updated about 5 years ago.
Release relationship:
Auto
Description
Multi-cluster user database
Configuration¶
Add Login.LoginCluster config mentioned on the Multi-cluster user database wiki
Login¶
- Instead of logging in to a local SSO provider, can designate a home cluster (cluster A) where login is always sent
- After logging in, user is sent to original cluster (cluster B) with a token issued by the home cluster (cluster A)
- Users from LoginCluster (cluster A) have extra trust on cluster B (respects admin flag)
- Description updated (diff)
- Related to Idea #15477: Use email address for Arvados account linking added
- Related to Feature #15531: [SDK] Migrate federation to central LoginCluster added
- Description updated (diff)
- Subject changed from Federated users to Trust federated users from other clusters
- Subject changed from Trust federated users from other clusters to [API] [Controller] Share user account database with a group of trusted clusters
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Target version changed from To Be Groomed to 2019-08-28 Sprint
- Assigned To set to Peter Amstutz
There is a feature to "pre-register" a user by creating a permission link from the user email to the user uuid.
It seems that with deterministic user uuids this feature could be superceded by giving the admin a way to create an account with the uuid that would be generated for a given email address?
After spending a while mulling over implementation strategy, I think we want to create a new API endpoint called "fedlogin" (only enabled on the master cluster). This new endpoint will allow the subordinate clusters to forward along the 'info' hash we get from SSO (contains user name, email) and return the user record to use.
The rationale is that if a user with multiple email aliases logs in for the first time on a subordinate cluster, the action of probing for potential user record, creating records on the master cluster, and setting up redirects is complicated, risky, and slow if spread across multiple API calls, any of which could fail and result in inconsistent state or behavior. A single call is transactional and ensures consistent behavior.
Revised design for delegating user accounts to master cluster.
- Instead of logging in to a local SSO provider, designate a home cluster (cluster A) where login is always sent (this is 'AssignUUIDPrefix' but it should probably be called something else like 'LoginCluster' or 'MasterCluster')
- After logging in, user is sent to original cluster (cluster B) with a token issued by the home cluster (cluster A)
- If cluster A's RemoteHosts for cluster B has a 'trusted' flag, send unsalted token (this is 'AuthenticateLocalUsers' but it should probably be called something else like 'TrustWithUnsaltedToken')
- Users from master cluster A have extra trust on cluster B (respects admin flag)
- Tokens get a 'refresh_at' date in addition to existing expires_at. Attempt to contact master cluster after 'refresh_at', succeed or fail it sets a new 'refresh_at', does not prevent login until past 'expires_at'
Multi-email login should be done in a separate branch.
- Start by looking up identity_url
- If identity_url is not found, look up records for each email address in the 'info' field
- If there's more than one user with the same email address and it is ambiguous which record to use, login fails.
- If no user record is found, create user records for each email address and link the alternate ones to the primary one
- Sync identity_url, email address, name on the user record that was selected.
- Make sure 'email' field is not user editable (when we actually need to send mail, check user preferences?)
Migration.
- Need to be able to create user accounts through the API with just an email address
- Merge account feature must be able to have local user account take over a remote account
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Description updated (diff)
- Related to Idea #15558: [SSO] [API] Identify users by (alternate) email addresses added
- Target version changed from 2019-08-28 Sprint to 2019-09-11 Sprint
The existing token validation code uses ApiClientAuthorization.remote_host(id) to get the configured Host, fall back to {id}.arvadosapi.com. Seems like we should use the same strategy/function when finding a remote cluster's endpoint for LoginCluster purposes. (That remote_host() function also requires Proxy: true, which seems like a sensible requirement for using a remote as a LoginCluster -- e.g., "get current user record after logging in" won't work without it.)
I probably shouldn't care so much about comments, but Invarient → Invariant
Rest LGTM, thanks!
Tom Clegg wrote:
The existing token validation code uses ApiClientAuthorization.remote_host(id) to get the configured Host, fall back to {id}.arvadosapi.com. Seems like we should use the same strategy/function when finding a remote cluster's endpoint for LoginCluster purposes. (That remote_host() function also requires Proxy: true, which seems like a sensible requirement for using a remote as a LoginCluster -- e.g., "get current user record after logging in" won't work without it.)
Fixed.
I probably shouldn't care so much about comments, but Invarient → Invariant
Fixed.
Rest LGTM, thanks!
15529-federated-user-accounts @ 068e72307f9ce91538e45cb461b99cf92d2f5666
https://ci.curoverse.com/view/Developer/job/developer-run-tests/1502/
- Status changed from New to Resolved
Also available in: Atom
PDF
Updated by Tom Clegg over 5 years ago
Updated by Peter Amstutz over 5 years ago
Updated by Tom Morris over 5 years ago