Posted to dev@usergrid.apache.org by Dave <sn...@gmail.com> on 2015/04/10 15:45:54 UTC

Feedback on Usergrid Central SSO?

I'm working on something I'm calling Usergrid Central SSO and I'd like to
get your feedback.

The requirement is to have multiple Usergrid systems, each with its own
Cassandra cluster, be able to authenticate Admin Users with one central
Usergrid system -- giving Admin Users single-sign-on across all of those
systems.

I think we can do this by adding one new end-point to Usergrid. This Google
Doc explains the complete design:

https://docs.google.com/document/d/12kXgaYcB6L9JoTyRGn0ZHEMg3vL1LJDqvtnltIBDa1Y/edit?usp=sharing

Nate and Ed: I'm especially interested in your feedback since the design is
based on your earlier work in this area.

Thanks,
Dave


The JIRA issue: https://issues.apache.org/jira/browse/USERGRID-567

Re: Feedback on Usergrid Central SSO?

Posted by Ed Anuff <ed...@anuff.com>.
Ah, yes, good point.  We should be not just doing instrumentation but also passing back useful information in the error responses because the calling client webapp will need to display appropriate user messages and also be the typical first thing an ops team will get alerted to and they'll need to quickly determine which downstream UG cluster caused the problem.

Ed

On Apr 10, 2015, at 9:44 AM, Nate McCall <zz...@gmail.com> wrote:

>> Nate, that's typically the nature of SSO.  However, this coupling only happens during the auth flow.  Once the flow is successfully completed, the calling client has obtained a token that is now usable for subsequent requests for a period of time without requiring interaction between the systems.
>> 
> 
> I get that. I should have been a bit more specific: I meant more along
> the lines of instrumentation so we can pass along response times to
> monitoring, or even trigger a circuit breaker past a threshold.

Re: Feedback on Usergrid Central SSO?

Posted by Nate McCall <zz...@gmail.com>.
> Nate, that's typically the nature of SSO.  However, this coupling only happens during the auth flow.  Once the flow is successfully completed, the calling client has obtained a token that is now usable for subsequent requests for a period of time without requiring interaction between the systems.
>

I get that. I should have been a bit more specific: I meant more along
the lines of instrumentation so we can pass along response times to
monitoring, or even trigger a circuit breaker past a threshold.

Re: Feedback on Usergrid Central SSO?

Posted by Ed Anuff <ed...@anuff.com>.
Nate, that's typically the nature of SSO.  However, this coupling only happens during the auth flow.  Once the flow is successfully completed, the calling client has obtained a token that is now usable for subsequent requests for a period of time without requiring interaction between the systems.

Ed


> On Apr 10, 2015, at 9:11 AM, Nate McCall <zz...@gmail.com> wrote:
> 
> I put a comment on the sequence diagram as the final two steps weren't
> quite clear to me.
> 
> A quick thing to point out, is that this will couple separate
> distributed systems together in a critical path. Correctly handling
> the failure scenarios programmatically in such a way that they provide
> details operationally where needed will be extremely important.
> 
>> On Fri, Apr 10, 2015 at 9:14 AM, Ed Anuff <ed...@anuff.com> wrote:
>> Looks good to me.
>> 
>> Ed
>> 
>> 
>> 
>> 
>>> On Fri, Apr 10, 2015 at 6:45 AM -0700, "Dave" <sn...@gmail.com> wrote:
>>> 
>>> I'm working on something I'm calling Usergrid Central SSO and I'd like to
>>> get your feedback.
>>> 
>>> The requirement is to have multiple Usergrid systems, each with its own
>>> Cassandra cluster, be able to authenticate Admin Users with one central
>>> Usergrid system -- giving Admin Users single-sign-on across all of those
>>> systems.
>>> 
>>> I think we can do this by adding one new end-point to Usergrid. This
>>> Google Doc explains the complete design:
>>> 
>>> 
>>> https://docs.google.com/document/d/12kXgaYcB6L9JoTyRGn0ZHEMg3vL1LJDqvtnltIBDa1Y/edit?usp=sharing
>>> 
>>> Nate and Ed: I'm especially interested in your feedback since the design
>>> is based on your earlier work in this area.
>>> 
>>> Thanks,
>>> Dave
>>> 
>>> 
>>> The JIRA issue: https://issues.apache.org/jira/browse/USERGRID-567
>> 

Re: Feedback on Usergrid Central SSO?

Posted by Nate McCall <zz...@gmail.com>.
I put a comment on the sequence diagram as the final two steps weren't
quite clear to me.

A quick thing to point out, is that this will couple separate
distributed systems together in a critical path. Correctly handling
the failure scenarios programmatically in such a way that they provide
details operationally where needed will be extremely important.

On Fri, Apr 10, 2015 at 9:14 AM, Ed Anuff <ed...@anuff.com> wrote:
> Looks good to me.
>
> Ed
>
>
>
>
> On Fri, Apr 10, 2015 at 6:45 AM -0700, "Dave" <sn...@gmail.com> wrote:
>
>> I'm working on something I'm calling Usergrid Central SSO and I'd like to
>> get your feedback.
>>
>> The requirement is to have multiple Usergrid systems, each with its own
>> Cassandra cluster, be able to authenticate Admin Users with one central
>> Usergrid system -- giving Admin Users single-sign-on across all of those
>> systems.
>>
>> I think we can do this by adding one new end-point to Usergrid. This
>> Google Doc explains the complete design:
>>
>>
>> https://docs.google.com/document/d/12kXgaYcB6L9JoTyRGn0ZHEMg3vL1LJDqvtnltIBDa1Y/edit?usp=sharing
>>
>> Nate and Ed: I'm especially interested in your feedback since the design
>> is based on your earlier work in this area.
>>
>> Thanks,
>> Dave
>>
>>
>> The JIRA issue: https://issues.apache.org/jira/browse/USERGRID-567
>>
>>
>

Re: Feedback on Usergrid Central SSO?

Posted by Ed Anuff <ed...@anuff.com>.
Looks good to me.

Ed




On Fri, Apr 10, 2015 at 6:45 AM -0700, "Dave" <sn...@gmail.com> wrote:

> I'm working on something I'm calling Usergrid Central SSO and I'd like to get your feedback.
>
> The requirement is to have multiple Usergrid systems, each with its own Cassandra cluster, be able to authenticate Admin Users with one central Usergrid system -- giving Admin Users single-sign-on across all of those systems.
>
> I think we can do this by adding one new end-point to Usergrid. This Google Doc explains the complete design:
>
> https://docs.google.com/document/d/12kXgaYcB6L9JoTyRGn0ZHEMg3vL1LJDqvtnltIBDa1Y/edit?usp=sharing
>
> Nate and Ed: I'm especially interested in your feedback since the design is based on your earlier work in this area.
>
> Thanks,
> Dave
>
> The JIRA issue: https://issues.apache.org/jira/browse/USERGRID-567