Cylc-flow: Authentication, and fine-grained authorization

Created on 21 Jun 2016  路  7Comments  路  Source: cylc/cylc-flow

Supersedes #1475 and #1520.
Choose and use existing web-based authentication technologies; ~depends on #1872~.

See also #526.

(EDIT Bruno): see also discussion in cylc-web and in cylc-jupyterhub

picture hjoliver

Most helpful comment

(Note comment above is now outdated).

Now: call-out to authenticate at the Hub (co-opting JupyterHub for this). Then Hub-UIServer trust is by token, not SSL Client Cert.

picture hjoliver on 11 Mar 2019
👍2

All 7 comments

Some ideas discussed:

  1. We'll need to extend the current set of privilege levels - the grains should be individual API methods, although it should still be able to group them together into coarser categories.
  2. The easiest and most portable way to support authentication is via a private-public key pair. We can have a simple command for a user to create a private-public key pair in a standard location. The user can then send requests to a suite requesting authorisation for certain actions using the public key. The suite owner can then decide to authorise each requested action for the user.
matthewrmshin picture matthewrmshin on 12 Jun 2017

It seems we need to be able to work with standard site "identity management" systems. Primary use case: production suites under role accounts that need to handle restricted access from multiple operators, and unrestricted access from expert support people. Hopefully a generic interface in cylc, with simple plugins for external interaction. Defaulting to something very simple that does not complicate life for "normal" users. More to come on this...

hjoliver picture hjoliver on 5 Jun 2018
👍1

Current thinking on this:

In the web GUI era we need a "reverse proxy server" as a gateway between the in-browser GUI and the suite server programs. Authentication can probably (hopefully?) be done at the proxy server - rather than at the suites as now - by calling out (via some off-the-shelf plugin, perhaps) to site identity management. Then an SSL Client Certificate held by the proxy server will allow suite server programs to simply trust all communications from the proxy.

hjoliver picture hjoliver on 6 Jul 2018

(Note comment above is now outdated).

Now: call-out to authenticate at the Hub (co-opting JupyterHub for this). Then Hub-UIServer trust is by token, not SSL Client Cert.

hjoliver picture hjoliver on 11 Mar 2019
👍2

Then Hub-UIServer trust is by token, not SSL Client Cert.

Definitely better this way.

matthewrmshin picture matthewrmshin on 11 Mar 2019

This can be closed as superseded, as soon as I find the superseding issues (which may still be coming into existence).

hjoliver picture hjoliver on 7 Aug 2019

In Cylc 8 authorization will be handled by the new UI Server component. Closing this as superseded by https://github.com/cylc/cylc-uiserver/issues/10

hjoliver picture hjoliver on 5 Feb 2021
Was this page helpful?
0 / 5 - 0 ratings

Related issues

kinow picture kinow  路  4Comments
dpmatthews picture dpmatthews  路  3Comments
oliver-sanders picture oliver-sanders  路  3Comments
kinow picture kinow  路  3Comments
sadielbartholomew picture sadielbartholomew  路  5Comments