
Bug #13368

Updated by Tom Clegg about 6 years ago

[API] Add "authorizations" table

The login process needs to unambiguously map an authentication result ("caller authenticated as example@gmail.com") to a user account ("issue a token for zzzzz-tpzed-exampleuseruuid"). In the general case this is a many-to-many relationship. Currently the "identity_url" field in the users table only permits a one-to-one mapping.

A separate table should express the many-to-many relationship in order to support these situations:
* a person has multiple Google accounts, all of which should provide access to the same Arvados account
* a person can access multiple Arvados accounts without making additional Google accounts.

"authorizations" table:
* uuid
* user_uuid
* method -- google, ldap, etc.
* authenticator_id -- an identifier unique to this method
* unique (user_uuid, method, authenticator_id)

Initially the method will always be the SSO provider (method="proxy", authenticator_id="https://sso.example.com/user/$sso_provided_uuid"?). When authentication mechanisms are implemented in Arvados proper, they will get their own methods.
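As an added illustration (not code from the Arvados project), the table above in SQLite with constructed sample rows: two Google accounts mapping to one Arvados user, one Google account shared by two Arvados users, and a login resolver that refuses to pick an account when the mapping is ambiguous. All UUIDs and the SSO path are placeholders.

```python
import sqlite3

# Schema as proposed in the issue. Note the UNIQUE key includes user_uuid, so the
# same (method, authenticator_id) may legitimately map to several users.
SCHEMA = """
CREATE TABLE authorizations (
    uuid             TEXT PRIMARY KEY,
    user_uuid        TEXT NOT NULL,
    method           TEXT NOT NULL,   -- google, ldap, proxy, ...
    authenticator_id TEXT NOT NULL,   -- identifier unique within the method
    UNIQUE (user_uuid, method, authenticator_id)
);
"""

# Constructed sample rows; every identifier here is a placeholder.
USER_A, USER_B = "zzzzz-tpzed-exampleuseruuid", "zzzzz-tpzed-seconduseruuid0"
ROWS = [
    ("auth-1", USER_A, "google", "example@gmail.com"),
    ("auth-2", USER_A, "google", "example.work@gmail.com"),   # 2nd Google account, same user
    ("auth-3", USER_B, "google", "example.work@gmail.com"),   # same Google account, 2nd user
    ("auth-4", USER_A, "proxy",  "https://sso.example.com/user/SSO_UUID_PLACEHOLDER"),
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO authorizations VALUES (?,?,?,?)", ROWS)
    return db

def accounts_for(db, method, authenticator_id):
    """All Arvados user UUIDs this authentication result is authorized for."""
    cur = db.execute("SELECT user_uuid FROM authorizations WHERE method=? "
                     "AND authenticator_id=? ORDER BY user_uuid", (method, authenticator_id))
    return [row[0] for row in cur]

def resolve_login(db, method, authenticator_id):
    """Issue a token only when exactly one account matches; otherwise say why not."""
    users = accounts_for(db, method, authenticator_id)
    if len(users) == 1:
        return ("ok", users[0])
    if not users:
        return ("unknown", None)          # authenticated, but no Arvados account linked
    return ("ambiguous", users)           # caller must choose an account explicitly

def duplicate_is_rejected(db):
    """The UNIQUE constraint stops the same (user, method, id) being stored twice."""
    try:
        db.execute("INSERT INTO authorizations VALUES (?,?,?,?)",
                   ("auth-5", USER_A, "google", "example@gmail.com"))
    except sqlite3.IntegrityError:
        return True
    return False
```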
