You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@airavata.apache.org by "Marcus Christie (JIRA)" <ji...@apache.org> on 2018/10/12 22:08:00 UTC
[jira] [Created] (AIRAVATA-2908) Improve SecurityCheck, generalize
it, and apply to Profile Service API methods
Marcus Christie created AIRAVATA-2908:
-----------------------------------------
Summary: Improve SecurityCheck, generalize it, and apply to Profile Service API methods
Key: AIRAVATA-2908
URL: https://issues.apache.org/jira/browse/AIRAVATA-2908
Project: Airavata
Issue Type: Improvement
Reporter: Marcus Christie
Profile Service methods are annotated with @SecurityCheck but the Profile Service isn't configured with an interceptor like AiravataServerHandler: https://github.com/apache/airavata/blob/970dc68e659daf8d633e7aaeb6dceaac063d6725/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/AiravataAPIServer.java#L186-L186, so it isn't really doing anything.
But just wiring up the interceptor won't work. We need to rethink what @SecurityCheck is doing. The KeyCloakSecurityManager is written such that it whitelists several API server methods, but that approach won't scale if we start adding other services.
I would like to see @SecurityCheck/SecurityInterceptor do the following:
* validate the token and store that in the cache up to the token expiration time
* if an API method is annotated with {{@SecurityCheck}} then it simply checks the token
* if an API method is annotated with {{@SecurityCheck(groups={ADMIN, READ_ONLY_ADMIN})}} then it checks the GatewayGroups to see if the user is in one of those groups
This will allow us to simplify KeyCloakSecurityManager: it won't need to have a whitelist of API methods and the group based auth on an API method is configured right on the method.
For example, in API server
{code:java}
@Override
@SecurityCheck(groups={ADMIN})
public boolean deleteComputeResource(AuthzToken authzToken, String computeResourceId) throws InvalidRequestException,
AiravataClientException, AiravataSystemException, AuthorizationException, TException {
...
}
{code}
Some other thoughts:
* NOTE: the Profile Service may end up being broken out into a separate security project ("Custos"), so this may not be necessary. However, there are definite benefits to the API server too and future public APIs
* We could keep going with this and have @SecurityCheck also check the sharing registry. We would need to annotate the API method parameter that is the entity id and also provide the required permission, for example:
{code:java}
@Override
@SecurityCheck(permission=READ)
public ExperimentModel getExperiment(AuthzToken authzToken, @SharingEntityId String airavataExperimentId) throws InvalidRequestException,
ExperimentNotFoundException, AiravataClientException, AiravataSystemException, AuthorizationException, TException {
...
}
{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)