Project

General

Profile

Multi-cluster user database » History » Version 7

Tom Morris, 07/25/2019 03:09 PM
Add JWT link

1 1 Tom Clegg
h1. Multi-cluster user database
2
3
It is sometimes desirable to share a single user database across multiple Arvados clusters. For example:
4 6 Tom Clegg
* Clusters aaaaa, bbbbb, ccccc, ddddd, eeeee are on different continents, but they use the same upstream authentication providers (ldap/google).
5
* A down/unreachable cluster should not prevent any user from using _other_ clusters in the group -- even if the down/unreachable cluster is the one where the user's account was initially created.
6 1 Tom Clegg
7 6 Tom Clegg
This requires some changes to login and token validation. (Currently, any given user account has a single "home cluster" that can issue or validate tokens for it.)
8 1 Tom Clegg
9 6 Tom Clegg
h2. Logging in
10 1 Tom Clegg
11 6 Tom Clegg
Each user should be able to log in to their account using any cluster, regardless of where/whether they have logged in previously.
12 1 Tom Clegg
13
To achieve this (without depending real-time communication between clusters) we need all of the participating clusters to agree on a mapping of upstream authentication results to Arvados user UUIDs. For example, if the upstream authentication result is @"ldap://ldap.example foo@bar.example"@ ("ldap://ldap.example assures us this user is foo@bar.example"):
14
# If a row already exists in the users table with <code>upstream == "ldap://ldap.example foo@bar.example"</code> then use that row
15 4 Tom Clegg
# Otherwise, create a new row with user UUID "eeeee-tpzed-${sha1part(upstream)}" (where eeeee is a common prefix used by all participating clusters and sha1part() is the first 15 chars of base-36-encoded sha1())
16 1 Tom Clegg
17 4 Tom Clegg
To avoid changing existing user accounts' UUIDs to @eeeee-*@, we would do a one-time synchronization of user accounts (and their upstreams) across all participating clusters. For example, if aaaaa-tpzed-012340123401234 exists on cluster aaaaa, we would add that row to bbbbb and ccccc as well. Next time a user logs in to bbbbb with an upstream account matching aaaaa-tpzed-012340123401234, bbbbb would issue a token itself, rather than deferring to aaaaa.
18 1 Tom Clegg
19 2 Tom Clegg
Untrusted remote accounts (the kind that we already have in the users table with foreign UUIDs) have a null upstream field.
20
21 1 Tom Clegg
|uuid                        |upstream                            |significance                                |
22 2 Tom Clegg
|aaaaa-tpzed-aaaaaaaaaaaaaaa |google:// foo@bar.example           |Imported/migrated from remote cluster aaaaa |
23 1 Tom Clegg
|eeeee-tpzed-012340123401234 |ldap://ldap.example foo@baz.example |User didn't exist before the multi-cluster user db system arrived |
24
|ooooo-tpzed-ooooooooooooooo |NULL                                |Remote user from cluster ooooo (not part of our multi-cluster group) |
25
26 4 Tom Clegg
h2. Configuration
27 2 Tom Clegg
28
Each cluster needs to know
29
* the uuid prefix to use when creating a new account, e.g., "eeeee"
30 3 Tom Clegg
* additional user uuid prefixes that remote clusters are trusted to validate
31 4 Tom Clegg
32 3 Tom Clegg
<pre><code class="yaml">
33 2 Tom Clegg
Clusters:
34
  aaaaa:
35 6 Tom Clegg
    Login:
36
      AssignUUIDPrefix: eeeee
37 1 Tom Clegg
    RemoteClusters:
38
      bbbbb:
39
        Proxy: true
40
        Authenticate:
41
          aaaaa: {} # accept tokens issued by bbbbb for users with uuid aaaaa-*
42
          bbbbb: {} # (implied)
43
          eeeee: {} # accept tokens issued by bbbbb for users with uuid eeeee-*
44
</code></pre>
45
46
Example: aaaaa needs to validate a token issued by bbbbb.
47
* Do a callback to bbbbb (or check JWT signature) to confirm bbbbb really issued this token and get the relevant user UUID (result: yes, user uuid is eeeee-tpzed-012340123401234)
48
* If config Clusters.aaaaa.RemoteClusters.bbbbb.Authenticate.eeeee is present, accept the token
49 4 Tom Clegg
* Otherwise, fetch eeeee's config; if RemoteClusters.bbbbb.Authenticate.eeeee is present, accept the token
50 1 Tom Clegg
* Otherwise, reject the token
51 6 Tom Clegg
52
h2. Validating tokens
53
54
Each cluster should be able to validate a token that was issued by a different, currently unreachable, cluster. This contrasts with the current setup, where aaaaa validates tokens issued by bbbbb by doing a callback to bbbbb.
55
56 7 Tom Morris
This seems easy enough: instead of random strings, tokens can be [like] "JSON Web Tokens":https://jwt.io/, signed by a private key whose public part is known by all clusters. (This would also be more efficient than callbacks, benefiting the mutually-untrusted cluster scenario too.)