Federated identity » History » Version 17

Peter Amstutz, 06/20/2017 08:40 PM

h1. Federated identity

See

* #11453
* #11874

A person should be able to create an account and get a token from a single identity provider, and use that token to access private/protected resources on multiple Arvados clusters.

Motivating use cases:

* A user on cluster B shares a project with a user on cluster A.
* A container running on cluster A reads and writes data on cluster B.
* A user logged in to Workbench A can search/view/download/upload collections at cluster B.

Configuration examples:

* An organization has 5 clusters, but only one of them has user accounts and roles in its database.
* An on-premise cluster runs containers that use public data stored in the cloud (without mirroring the data locally).

h2. Design sketch
Each Arvados client must be able to prove to cluster B that it is authorized by cluster A to act on behalf of a user account which is controlled by cluster A. This must not involve giving cluster B enough information to act on behalf of the user account itself. For example, the client cannot simply hand cluster B its cluster A token so that B can do a canary query against A: doing so would let cluster B exercise the client's authority on clusters C, D, and E as well.

h2. Protocol idea

"Salted tokens": instead of passing its literal token, the client passes the token UUID and @HMAC(token, "bbbbb")@ when sending a request to cluster B (where "bbbbb" is cluster B's cluster ID / UUID prefix). Cluster B validates the request by passing those two parameters untouched to a "verify request" ("no-op") endpoint at cluster A.
* API server hands out tokens in the form "tokenUUID <delimiter> secret" instead of just the secret part.
* Cluster B figures out cluster A's API endpoint by looking at the "site ID prefix" of the token UUID.
* Cluster B can be configured with a lookup table (clusterID→apiHost) to override the implicit {id}.arvadosapi.com
* Cluster B can be configured to _only_ use the lookup table, i.e., to never use implicit {id}.arvadosapi.com endpoints

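A runnable sketch of the salted-token exchange described above (an added example, not Arvados code). The token UUID, secret and cluster IDs are constructed, and it assumes that cluster B passes its own cluster ID to cluster A's verify endpoint along with the two forwarded parameters, so that A knows which salt to recompute.

```python
import hashlib
import hmac

# Constructed sample data, not real Arvados values: cluster A ("aaaaa") issued
# one token; the first segment of the token UUID is the issuing site's ID prefix.
TOKEN_UUID = "aaaaa-gj3su-000000000000001"
TOKEN_SECRET = "constructed-secret-known-only-to-client-and-cluster-A"
CLUSTER_A_TOKENS = {TOKEN_UUID: TOKEN_SECRET}  # cluster A's private token table


def salt_token(secret: str, target_cluster_id: str) -> str:
    """Client side: HMAC(token secret, target cluster ID). The value is only
    valid at that one cluster, so B cannot replay it against C, D or E."""
    return hmac.new(secret.encode(), target_cluster_id.encode(),
                    hashlib.sha256).hexdigest()


def issuing_cluster_of(token_uuid: str) -> str:
    """Cluster B: the site-ID prefix of the token UUID names the issuer."""
    return token_uuid.split("-", 1)[0]


def resolve_api_host(cluster_id: str, overrides: dict, only_table: bool) -> str:
    """Cluster B's endpoint lookup: the clusterID->apiHost table wins; the
    implicit {id}.arvadosapi.com host is used only if the table is not
    configured as the sole source."""
    if cluster_id in overrides:
        return overrides[cluster_id]
    if only_table:
        raise LookupError(f"no configured API host for cluster {cluster_id}")
    return f"{cluster_id}.arvadosapi.com"


def verify_request(token_uuid: str, salted: str, caller_cluster_id: str) -> bool:
    """Cluster A's 'verify request' endpoint (assumed to also receive the
    caller's cluster ID). Recompute the HMAC from the stored secret and compare
    in constant time; the secret itself never leaves cluster A."""
    secret = CLUSTER_A_TOKENS.get(token_uuid)
    if secret is None:
        return False
    return hmac.compare_digest(salt_token(secret, caller_cluster_id), salted)


def target_cluster_accepts(token_uuid: str, salted: str, overrides=None,
                           only_table=False, this_cluster="bbbbb") -> bool:
    """Receiving cluster: forward both parameters untouched to the issuer's
    verify endpoint. The HTTPS call is simulated by calling verify_request."""
    issuer = issuing_cluster_of(token_uuid)
    _host = resolve_api_host(issuer, overrides or {}, only_table)  # call target
    return verify_request(token_uuid, salted, this_cluster)
```

Salting the token with "bbbbb" yields a value that cluster A accepts when B forwards it, but rejects when cluster C forwards the same value, which is the property the design sketch asks for.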
h2. Adding permissions

There are a few permission-granting cases to consider.
|grantor|grantee|object|notes|
|user on site A|user on site A|object on site A|(existing permission system)|
|user on site A|group on site A|object on site A|(existing permission system)|
|user on site A|user or group on site A|object on site B|Client creates a link at site B. Site B asks site A whether the grantee user/group is visible to user A.|
|user on site A|user or group on site B|object on site B|Client creates a link at site B. Site B asks site A for a list of groups user A can see, then checks whether (possibly via one of those groups) user A can read the grantee user/group according to site B's local database.|
|user on site A|user or group on site B|object on site A|Client creates a link at site A. Site A generates a salted token and uses it to ask site B whether user A can read the grantee user/group.|

(PA) The principle is that the site that owns the object is the source of truth about who can access the object. Permissions on site B will dictate whether a user from A has manage permission on an object on B in the first place.

(PA) What token is used to make the request on site B? What token is used by B to contact A? Is it that the site-B-salted token which establishes identity also allows querying whether some other group or user is visible to the user?

h2. TODO

Things to address

* how to sync groups
* diagrams
* mnemonic cluster names / more concrete examples (including who is reachable on the internet)
* [how] do you get a list of users/groups you can share stuff with?
* clarify what UUIDs look like (some people have A uuids, some have B uuids)
* [[Cross-cluster delegation]]