Project

General

Profile

Federated identity » History » Version 6

Tom Clegg, 06/19/2017 07:45 PM

1 1 Tom Clegg
h1. Federated identity
2
3
A person should be able to create an account and get a token from a single identity provider, and use that token to access private/protected resources on multiple Arvados clusters.
4
5
Motivating use cases:
6
* A user on cluster B shares a project with a user on cluster A.
7
* A container running on cluster A reads and writes data on cluster B.
8
* A user logged in to Workbench A can search/view/download/upload collections at cluster B.
9
10
Configuration examples:
11
* An organization has 5 clusters, but only one of them has user accounts and roles in its database.
12
* An on-premise cluster runs containers that use public data stored in the cloud (without mirroring the data locally).
13
14
h2. Design sketch
15
16
Each Arvados client must be able to prove to cluster B that it is authorized by cluster A to act on behalf of a user account which is controlled by cluster A. This must not involve giving enough information to cluster B to act on behalf of the user account: for example, the client cannot simply give cluster B its cluster A token for the purpose of doing a canary query.
17 2 Tom Clegg
18 6 Tom Clegg
h2. Protocol idea
19 1 Tom Clegg
20
"Salted tokens": instead of passing its literal token, the client passes the token UUID and @HMAC(token, "bbbbb")@ when sending a request to cluster B (where "bbbbb" is cluster B's cluster ID / UUID prefix). Cluster B validates the request by passing those two parameters untouched to a "verify request" ("no-op") endpoint at cluster A.
21 6 Tom Clegg
* Cluster B figures out cluster A's API endpoint by looking at the "site ID prefix" of the token UUID.
22
* Cluster B can be configured with a lookup table (clusterID→apiHost) to override the implicit {id}.arvadosapi.com
23
* Cluster B can be configured to _only_ use the lookup table, i.e., to never use implicit {id}.arvadosapi.com endpoints
24 1 Tom Clegg
25 4 Tom Clegg
(PA) an even simpler approach would be be to contact cluster A to get a scoped token which only allows "GET /users/current" on cluster A but is accepted by cluster B as an [all] token for that user.
26 1 Tom Clegg
27 6 Tom Clegg
h2. Adding permissions
28 1 Tom Clegg
29 6 Tom Clegg
There are a few permission-granting cases to consider.
30
31
|grantor|grantee|object|notes|
32
|user on site A|user on site A|object on site A|(existing permission system)|
33
|user on site A|group on site A|object on site A|(existing permission system)|
34
|user on site A|user or group on site A|object on site B|Client creates a link at site B. Site B asks site A whether the grantee user/group is visible to user A.|
35
|user on site A|user or group on site B|object on site B|Client creates a link at site B. Site B asks site A for a list of groups user A can see, then checks whether (possibly via one of those groups) user A can read the grantee user/group according to site B's local database.|
36
|user on site A|user or group on site B|object on site A|Client creates a link at site A. Site A generates a salted token and uses it to ask site B whether user A can read the grantee user/group.|
37
38 4 Tom Clegg
h2. TODO
39
40 1 Tom Clegg
Things to address
41 4 Tom Clegg
* how to sync groups
42
* diagrams
43
* mnemonic cluster names / more concrete examples (including who is reachable on the internet)
44 6 Tom Clegg
* [how] do you get a list of users/groups you can share stuff with?
45 4 Tom Clegg
* clarify what UUIDs look like (some people have A uuids, some have B uuids)