You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cloudstack.apache.org by Rohit Yadav <ro...@shapeblue.com> on 2014/08/12 05:50:48 UTC
[SHOW] Authentication refactoring
Hi,
The way we handle login and logout is hardcoded and since there is no APICommand/BaseCmd implementation the apidoc, apidiscovery and other don’t discover these apis. For supporting SAML as an authentication mechanism, I’ve refactored the Auth mechanism as a pluggable service that loads with api-server artifact and both login and logout are now implemented as a pseduo BaseCmd classes.
I call them pseudo because their execute() is never called, the authentication guards in ApiServlet class make sure we call an authenticate method of such classes. Since, they are tightly coupled with cloud-server’s ApiServlet it only made sense to have the interface definition and implementation within the same package/artifact as well. This also solves the apidoc issue for login/logout and saml related auth apis.
I’ll merge them after sometime and continue working on saml stuff. Will push the code in the branch “auth-refactor” in an hour for review/testing now. This does not break anything and should not cause any auth related issues for all existing clients.
Any suggestions, feedback welcome! Refactoring was pretty straight forward but I’ll make sure to write a wiki page on this before merging to master.
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: [SHOW] Authentication refactoring
Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Adrian,
On 12-Aug-2014, at 2:12 pm, Adrian Lewis <ad...@alsiconsulting.co.uk> wrote:
> Hi Rohit,
>
> Not a very constructive email I'm afraid but I too would be very
> interested in one-time password authentication for CS. Is anyone that you
> know of working on RADIUS auth as this would be a relatively easy way to
Not that I know of, this would be fairly easily using the new auth classes. I’ll update on wiki how one can add new API authenticators once I’m done with some $dayjob tasks.
> integrate a wide number of OTP systems that rely on a secondary auth
> challenge for the OTP. This secondary auth mechanism is part of the RADIUS
> standard and would cover RSA as well as the system that I'm interested in
> implementing (Fortinet's FortiAuthenticator) and many other
> enterprise-focussed OTP systems.
Sure, would be very easy to do IMO.
> Not sure if OTP/2FA would be suitable for API access so a second question
> is: Would it be feasible to use different auth backends for the GUI vs the
> API?
Yes! The UI pretty much uses the login and logout API passed as params, a query API. Though you won’t be able to have a RESTful etc kind of auth. It pretty much uses the same query param based API, just that some of the command/queries would have ability to authenticate ACS.
> As I understand it, the GUI is simply a 'wrapper' for the API so
> perhaps not but I'm sure I'm not alone here in wanting OTP/2FA, perhaps
> even at the expense of API access. Contrary to popular belief within the
> CS community, not everyone uses the API (shock horror!).
Well, I think most of us do use it, especially those doing repeated dev-testing, infra deployment etc.
But yeah the UI is pretty neat for small deployments.
> Maybe OTP/2FA is
> not an issue for API access but I assume it would be a problem for the use
> of Puppet/Ansible/Salt etc. Perhaps a source IP ACL so that only specified
> IPs can use a standard auth method but all other access mandates OTP/2FA?
> Not sure how AWS works with their MFA feature - anyone?
2FA authentication can be implemented fairly easily to. And the thing with certain IPs using the auth is already available too via CIDRs.
For something specific we can always fix it.
> I'm afraid I'm just a (ab)user and couldn't program anything myself - just
> curious to see if anyone has any thoughts or existing efforts in this
> area?
What you’re suggesting — integration with other auth services in order to integrate ACS in an organization is do-able.
Others can update if they are doing something in this regard. I’m working around a general purpose SAML SSO/SLO integration (branch: origin/saml2) right now which is a sponsored project that we’re working in open, contributing directly to ACS and was a reason for me to do the refactoring.
Cheers.
> Cheers,
>
> Adrian
>
> -----Original Message-----
> From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
> Sent: 12 August 2014 11:41
> To: dev@cloudstack.apache.org
> Subject: Re: [SHOW] Authentication refactoring
>
> From the user end there is no change, not in UI or any change expected in
> clients except one:
> Since login and logout are now implemented like your regular api, we don't
> allow uses to call login and logout and other such AuthenticatorAPIs
> directly like via integration port
>
> Stephen, I'm not sure if we natively support RSA and other things at
> present we only have our custom login auth mechanism, signature/key based
> auth and a simple SSO (pre-shared key) methods. This refactoring will open
> doors for saml, oauth and possibly others.
>
> This is merged on master now, even though I did testing at my end please
> let me know if something got broke? From the outside world nothing should
> break, i.e. refactoring.
>
> Cheers.
>
> On 12-Aug-2014, at 12:32 pm, Stephen Turner <St...@citrix.com>
> wrote:
>
>> Are there any UI changes? Some auth mechanisms might need more than just
> username and password (RSA token, for example, or even just "give the 1st,
> 4th and 5th characters").
>>
>> --
>> Stephen Turner
>>
>>
>> -----Original Message-----
>> From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
>> Sent: 12 August 2014 04:51
>> To: dev
>> Subject: [SHOW] Authentication refactoring
>>
>> Hi,
>>
>> The way we handle login and logout is hardcoded and since there is no
> APICommand/BaseCmd implementation the apidoc, apidiscovery and other don't
> discover these apis. For supporting SAML as an authentication mechanism,
> I've refactored the Auth mechanism as a pluggable service that loads with
> api-server artifact and both login and logout are now implemented as a
> pseduo BaseCmd classes.
>>
>> I call them pseudo because their execute() is never called, the
> authentication guards in ApiServlet class make sure we call an
> authenticate method of such classes. Since, they are tightly coupled with
> cloud-server's ApiServlet it only made sense to have the interface
> definition and implementation within the same package/artifact as well.
> This also solves the apidoc issue for login/logout and saml related auth
> apis.
>>
>> I'll merge them after sometime and continue working on saml stuff. Will
> push the code in the branch "auth-refactor" in an hour for review/testing
> now. This does not break anything and should not cause any auth related
> issues for all existing clients.
>>
>> Any suggestions, feedback welcome! Refactoring was pretty straight
> forward but I'll make sure to write a wiki page on this before merging to
> master.
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +41 779015219 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related
> services
>>
>> IaaS Cloud Design &
> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge - rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure
> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training
> Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are
> intended solely for the use of the individual to whom it is addressed. Any
> views or opinions expressed are solely those of the author and do not
> necessarily represent those of Shape Blue Ltd or related companies. If you
> are not the intended recipient of this email, you must neither take any
> action based upon its contents, nor copy or show it to anyone. Please
> contact the sender if you believe you have received this email in error.
> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
> Services India LLP is a company incorporated in India and is operated
> under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a
> company incorporated in Brasil and is operated under license from Shape
> Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
> South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is
> a registered trademark.
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +41 779015219 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design &
> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge - rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Infrastructure
> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training
> Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are intended
> solely for the use of the individual to whom it is addressed. Any views or
> opinions expressed are solely those of the author and do not necessarily
> represent those of Shape Blue Ltd or related companies. If you are not the
> intended recipient of this email, you must neither take any action based
> upon its contents, nor copy or show it to anyone. Please contact the
> sender if you believe you have received this email in error. Shape Blue
> Ltd is a company incorporated in England & Wales. ShapeBlue Services India
> LLP is a company incorporated in India and is operated under license from
> Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company
> incorporated in Brasil and is operated under license from Shape Blue Ltd.
> ShapeBlue SA Pty Ltd is a company registered by The Republic of South
> Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a
> registered trademark.
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: [SHOW] Authentication refactoring
Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Silvano,
in-line;
On 12-Aug-2014, at 11:50 pm, Silvano Nogueira Buback <si...@corp.globo.com> wrote:
> Rohit,
>
> When I started implementing OAuth2 integration I faced this problem,
> but I had other things to do first, now I am back to this problem too. I
> took a look at your implementation and it's almost fit for OAuth2. I have a
> few comments:
>
> Some authentication mechanisms may not work as a command. I proposed to use
I agree, you may want a different URL path in which case it makes sense to implement your own Servlet or when such a situation comes we can try if any refactoring can support old and new mechanisms.
> commands to implement OAuth2 to not change ApiServlet (before knowing the
> real problem with unauthenticated command), but I think this is not a good
> implementation (for OAuth2). If the idea is to refactor to support multiple
> authentication mechanisms, maybe a filter can be better. Take a look in
> Spring Security implementation [1].
Yes, I’ve looked at Spring security and it was not pleasure to work with it.
> So, using your implementation, I would suggest:
>
> 1. When a new request arrives, If user is not authenticated,
> APIAuthenticatorManager is called and should iterate over all
> APIAuthenticator instances, one by one, in the order specified by
> user.authenticators.order global setting (do not forget this, please).
Right now, we assume and check by command (name) and break when we find a class that handles that command.
But, sure we can do that but I’m interested only when we’ve something to implement that would consume this design instead of going around abstracting things which we may not even use.
> 1. In each APIAuthenticator, it can analyze the HttpRequest and if it
> should authenticate, it must return an UserAccount object. If the
> authenticator doesn't authenticate it raises some exception like Spring
> does.
Sure.
> 2. As all existed authenticators inheriting today
> from DefaultUserAuthenticator, this authenticator can implement the
> APIAuthenticator interface and if there is a parameter with
> command=login,
> username, password the abstract method "authenticate"
> from UserAuthenticator must be called. So, all existing authentication
> mechanisms will work as today, respecting the order
> from user.authenticators.order global setting.
> 2. After authentication, the name of the APIAuthenticator that
> authenticated must be kept in session. User, and other objects must be kept
> as well. In logout, the APIAuthenticator used can be called.
This would be tricky and not scalable (I would prefer statelessness, and not having to burden JVM heaps).
But that would work as well using some context/registry store.
> 3. When a new request arrives, if user is authenticated, it works as
> today.
>
>
> If everybody agrees on the solution I can work together with you to
> finish this if you want. I need to finish OAuth2 integration in the next 15
> days... and I don't want to change my implementation later on.
>
> If it's possible to work together, we need do this in a separated fork
> of ACS, since I'm not a committer yet.
If it does not take much time, go ahead and implement something (proof of concept) in your fork that I can play with too. If it’s useful we’ll get that in ACS as well and I can help you with reviewing and merging your stuff into ACS.
Cheers.
>
> Regards,
>
> Silvano Buback
> [1]
> http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/apidocs/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.html
>
>
>
> On Tue, Aug 12, 2014 at 11:20 AM, Carlos Reategui <cr...@me.com> wrote:
>
>>
>>
>>> On Aug 12, 2014, at 5:12 AM, Adrian Lewis <ad...@alsiconsulting.co.uk>
>> wrote:
>>>
>>> Hi Rohit,
>>>
>>> Not a very constructive email I'm afraid but I too would be very
>>> interested in one-time password authentication for CS. Is anyone that you
>>> know of working on RADIUS auth as this would be a relatively easy way to
>>> integrate a wide number of OTP systems that rely on a secondary auth
>>> challenge for the OTP. This secondary auth mechanism is part of the
>> RADIUS
>>> standard and would cover RSA as well as the system that I'm interested in
>>> implementing (Fortinet's FortiAuthenticator) and many other
>>> enterprise-focussed OTP systems.
>>>
>>> Not sure if OTP/2FA would be suitable for API access so a second question
>>> is: Would it be feasible to use different auth backends for the GUI vs
>> the
>>> API? As I understand it, the GUI is simply a 'wrapper' for the API so
>>> perhaps not but I'm sure I'm not alone here in wanting OTP/2FA, perhaps
>>> even at the expense of API access. Contrary to popular belief within the
>>> CS community, not everyone uses the API (shock horror!). Maybe OTP/2FA is
>>> not an issue for API access but I assume it would be a problem for the
>> use
>>> of Puppet/Ansible/Salt etc. Perhaps a source IP ACL so that only
>> specified
>>> IPs can use a standard auth method but all other access mandates OTP/2FA?
>>> Not sure how AWS works with their MFA feature - anyone?
>> MFA is used for accessing UI console where you manage your keys for API
>> usage.
>> API access is controlled via IAM or key/secret which you manage from the UI
>>>
>>> I'm afraid I'm just a (ab)user and couldn't program anything myself -
>> just
>>> curious to see if anyone has any thoughts or existing efforts in this
>>> area?
>>>
>>> Cheers,
>>>
>>> Adrian
>>>
>>> -----Original Message-----
>>> From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
>>> Sent: 12 August 2014 11:41
>>> To: dev@cloudstack.apache.org
>>> Subject: Re: [SHOW] Authentication refactoring
>>>
>>> From the user end there is no change, not in UI or any change expected in
>>> clients except one:
>>> Since login and logout are now implemented like your regular api, we
>> don't
>>> allow uses to call login and logout and other such AuthenticatorAPIs
>>> directly like via integration port
>>>
>>> Stephen, I'm not sure if we natively support RSA and other things at
>>> present we only have our custom login auth mechanism, signature/key based
>>> auth and a simple SSO (pre-shared key) methods. This refactoring will
>> open
>>> doors for saml, oauth and possibly others.
>>>
>>> This is merged on master now, even though I did testing at my end please
>>> let me know if something got broke? From the outside world nothing should
>>> break, i.e. refactoring.
>>>
>>> Cheers.
>>>
>>> On 12-Aug-2014, at 12:32 pm, Stephen Turner <St...@citrix.com>
>>> wrote:
>>>
>>>> Are there any UI changes? Some auth mechanisms might need more than just
>>> username and password (RSA token, for example, or even just "give the
>> 1st,
>>> 4th and 5th characters").
>>>>
>>>> --
>>>> Stephen Turner
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
>>>> Sent: 12 August 2014 04:51
>>>> To: dev
>>>> Subject: [SHOW] Authentication refactoring
>>>>
>>>> Hi,
>>>>
>>>> The way we handle login and logout is hardcoded and since there is no
>>> APICommand/BaseCmd implementation the apidoc, apidiscovery and other
>> don't
>>> discover these apis. For supporting SAML as an authentication mechanism,
>>> I've refactored the Auth mechanism as a pluggable service that loads with
>>> api-server artifact and both login and logout are now implemented as a
>>> pseduo BaseCmd classes.
>>>>
>>>> I call them pseudo because their execute() is never called, the
>>> authentication guards in ApiServlet class make sure we call an
>>> authenticate method of such classes. Since, they are tightly coupled with
>>> cloud-server's ApiServlet it only made sense to have the interface
>>> definition and implementation within the same package/artifact as well.
>>> This also solves the apidoc issue for login/logout and saml related auth
>>> apis.
>>>>
>>>> I'll merge them after sometime and continue working on saml stuff. Will
>>> push the code in the branch "auth-refactor" in an hour for review/testing
>>> now. This does not break anything and should not cause any auth related
>>> issues for all existing clients.
>>>>
>>>> Any suggestions, feedback welcome! Refactoring was pretty straight
>>> forward but I'll make sure to write a wiki page on this before merging to
>>> master.
>>>>
>>>> Regards,
>>>> Rohit Yadav
>>>> Software Architect, ShapeBlue
>>>> M. +41 779015219 | rohit.yadav@shapeblue.com
>>>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>>>
>>>>
>>>>
>>>> Find out more about ShapeBlue and our range of CloudStack related
>>> services
>>>>
>>>> IaaS Cloud Design &
>>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>>>> CSForge - rapid IaaS deployment framework<http://shapeblue.com/csforge/
>>>
>>>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>>>> CloudStack Infrastructure
>>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>>>> CloudStack Bootcamp Training
>>> Courses<http://shapeblue.com/cloudstack-training/>
>>>>
>>>> This email and any attachments to it may be confidential and are
>>> intended solely for the use of the individual to whom it is addressed.
>> Any
>>> views or opinions expressed are solely those of the author and do not
>>> necessarily represent those of Shape Blue Ltd or related companies. If
>> you
>>> are not the intended recipient of this email, you must neither take any
>>> action based upon its contents, nor copy or show it to anyone. Please
>>> contact the sender if you believe you have received this email in error.
>>> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
>>> Services India LLP is a company incorporated in India and is operated
>>> under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is
>> a
>>> company incorporated in Brasil and is operated under license from Shape
>>> Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
>>> South Africa and is traded under license from Shape Blue Ltd. ShapeBlue
>> is
>>> a registered trademark.
>>>
>>> Regards,
>>> Rohit Yadav
>>> Software Architect, ShapeBlue
>>> M. +41 779015219 | rohit.yadav@shapeblue.com
>>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>>
>>>
>>>
>>> Find out more about ShapeBlue and our range of CloudStack related
>> services
>>>
>>> IaaS Cloud Design &
>>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>>> CSForge - rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>>> CloudStack Infrastructure
>>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>>> CloudStack Bootcamp Training
>>> Courses<http://shapeblue.com/cloudstack-training/>
>>>
>>> This email and any attachments to it may be confidential and are intended
>>> solely for the use of the individual to whom it is addressed. Any views
>> or
>>> opinions expressed are solely those of the author and do not necessarily
>>> represent those of Shape Blue Ltd or related companies. If you are not
>> the
>>> intended recipient of this email, you must neither take any action based
>>> upon its contents, nor copy or show it to anyone. Please contact the
>>> sender if you believe you have received this email in error. Shape Blue
>>> Ltd is a company incorporated in England & Wales. ShapeBlue Services
>> India
>>> LLP is a company incorporated in India and is operated under license from
>>> Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company
>>> incorporated in Brasil and is operated under license from Shape Blue Ltd.
>>> ShapeBlue SA Pty Ltd is a company registered by The Republic of South
>>> Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a
>>> registered trademark.
>>
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: [SHOW] Authentication refactoring
Posted by Silvano Nogueira Buback <si...@corp.globo.com>.
Rohit,
When I started implementing OAuth2 integration I faced this problem,
but I had other things to do first, now I am back to this problem too. I
took a look at your implementation and it's almost fit for OAuth2. I have a
few comments:
Some authentication mechanisms may not work as a command. I proposed to use
commands to implement OAuth2 to not change ApiServlet (before knowing the
real problem with unauthenticated command), but I think this is not a good
implementation (for OAuth2). If the idea is to refactor to support multiple
authentication mechanisms, maybe a filter can be better. Take a look in
Spring Security implementation [1].
So, using your implementation, I would suggest:
1. When a new request arrives, If user is not authenticated,
APIAuthenticatorManager is called and should iterate over all
APIAuthenticator instances, one by one, in the order specified by
user.authenticators.order global setting (do not forget this, please).
1. In each APIAuthenticator, it can analyze the HttpRequest and if it
should authenticate, it must return an UserAccount object. If the
authenticator doesn't authenticate it raises some exception like Spring
does.
2. As all existed authenticators inheriting today
from DefaultUserAuthenticator, this authenticator can implement the
APIAuthenticator interface and if there is a parameter with
command=login,
username, password the abstract method "authenticate"
from UserAuthenticator must be called. So, all existing authentication
mechanisms will work as today, respecting the order
from user.authenticators.order global setting.
2. After authentication, the name of the APIAuthenticator that
authenticated must be kept in session. User, and other objects must be kept
as well. In logout, the APIAuthenticator used can be called.
3. When a new request arrives, if user is authenticated, it works as
today.
If everybody agrees on the solution I can work together with you to
finish this if you want. I need to finish OAuth2 integration in the next 15
days... and I don't want to change my implementation later on.
If it's possible to work together, we need do this in a separated fork
of ACS, since I'm not a committer yet.
Regards,
Silvano Buback
[1]
http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/apidocs/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.html
On Tue, Aug 12, 2014 at 11:20 AM, Carlos Reategui <cr...@me.com> wrote:
>
>
> > On Aug 12, 2014, at 5:12 AM, Adrian Lewis <ad...@alsiconsulting.co.uk>
> wrote:
> >
> > Hi Rohit,
> >
> > Not a very constructive email I'm afraid but I too would be very
> > interested in one-time password authentication for CS. Is anyone that you
> > know of working on RADIUS auth as this would be a relatively easy way to
> > integrate a wide number of OTP systems that rely on a secondary auth
> > challenge for the OTP. This secondary auth mechanism is part of the
> RADIUS
> > standard and would cover RSA as well as the system that I'm interested in
> > implementing (Fortinet's FortiAuthenticator) and many other
> > enterprise-focussed OTP systems.
> >
> > Not sure if OTP/2FA would be suitable for API access so a second question
> > is: Would it be feasible to use different auth backends for the GUI vs
> the
> > API? As I understand it, the GUI is simply a 'wrapper' for the API so
> > perhaps not but I'm sure I'm not alone here in wanting OTP/2FA, perhaps
> > even at the expense of API access. Contrary to popular belief within the
> > CS community, not everyone uses the API (shock horror!). Maybe OTP/2FA is
> > not an issue for API access but I assume it would be a problem for the
> use
> > of Puppet/Ansible/Salt etc. Perhaps a source IP ACL so that only
> specified
> > IPs can use a standard auth method but all other access mandates OTP/2FA?
> > Not sure how AWS works with their MFA feature - anyone?
> MFA is used for accessing UI console where you manage your keys for API
> usage.
> API access is controlled via IAM or key/secret which you manage from the UI
> >
> > I'm afraid I'm just a (ab)user and couldn't program anything myself -
> just
> > curious to see if anyone has any thoughts or existing efforts in this
> > area?
> >
> > Cheers,
> >
> > Adrian
> >
> > -----Original Message-----
> > From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
> > Sent: 12 August 2014 11:41
> > To: dev@cloudstack.apache.org
> > Subject: Re: [SHOW] Authentication refactoring
> >
> > From the user end there is no change, not in UI or any change expected in
> > clients except one:
> > Since login and logout are now implemented like your regular api, we
> don't
> > allow uses to call login and logout and other such AuthenticatorAPIs
> > directly like via integration port
> >
> > Stephen, I'm not sure if we natively support RSA and other things at
> > present we only have our custom login auth mechanism, signature/key based
> > auth and a simple SSO (pre-shared key) methods. This refactoring will
> open
> > doors for saml, oauth and possibly others.
> >
> > This is merged on master now, even though I did testing at my end please
> > let me know if something got broke? From the outside world nothing should
> > break, i.e. refactoring.
> >
> > Cheers.
> >
> > On 12-Aug-2014, at 12:32 pm, Stephen Turner <St...@citrix.com>
> > wrote:
> >
> >> Are there any UI changes? Some auth mechanisms might need more than just
> > username and password (RSA token, for example, or even just "give the
> 1st,
> > 4th and 5th characters").
> >>
> >> --
> >> Stephen Turner
> >>
> >>
> >> -----Original Message-----
> >> From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
> >> Sent: 12 August 2014 04:51
> >> To: dev
> >> Subject: [SHOW] Authentication refactoring
> >>
> >> Hi,
> >>
> >> The way we handle login and logout is hardcoded and since there is no
> > APICommand/BaseCmd implementation the apidoc, apidiscovery and other
> don't
> > discover these apis. For supporting SAML as an authentication mechanism,
> > I've refactored the Auth mechanism as a pluggable service that loads with
> > api-server artifact and both login and logout are now implemented as a
> > pseduo BaseCmd classes.
> >>
> >> I call them pseudo because their execute() is never called, the
> > authentication guards in ApiServlet class make sure we call an
> > authenticate method of such classes. Since, they are tightly coupled with
> > cloud-server's ApiServlet it only made sense to have the interface
> > definition and implementation within the same package/artifact as well.
> > This also solves the apidoc issue for login/logout and saml related auth
> > apis.
> >>
> >> I'll merge them after sometime and continue working on saml stuff. Will
> > push the code in the branch "auth-refactor" in an hour for review/testing
> > now. This does not break anything and should not cause any auth related
> > issues for all existing clients.
> >>
> >> Any suggestions, feedback welcome! Refactoring was pretty straight
> > forward but I'll make sure to write a wiki page on this before merging to
> > master.
> >>
> >> Regards,
> >> Rohit Yadav
> >> Software Architect, ShapeBlue
> >> M. +41 779015219 | rohit.yadav@shapeblue.com
> >> Blog: bhaisaab.org | Twitter: @_bhaisaab
> >>
> >>
> >>
> >> Find out more about ShapeBlue and our range of CloudStack related
> > services
> >>
> >> IaaS Cloud Design &
> > Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> >> CSForge - rapid IaaS deployment framework<http://shapeblue.com/csforge/
> >
> >> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> >> CloudStack Infrastructure
> > Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> >> CloudStack Bootcamp Training
> > Courses<http://shapeblue.com/cloudstack-training/>
> >>
> >> This email and any attachments to it may be confidential and are
> > intended solely for the use of the individual to whom it is addressed.
> Any
> > views or opinions expressed are solely those of the author and do not
> > necessarily represent those of Shape Blue Ltd or related companies. If
> you
> > are not the intended recipient of this email, you must neither take any
> > action based upon its contents, nor copy or show it to anyone. Please
> > contact the sender if you believe you have received this email in error.
> > Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
> > Services India LLP is a company incorporated in India and is operated
> > under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is
> a
> > company incorporated in Brasil and is operated under license from Shape
> > Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
> > South Africa and is traded under license from Shape Blue Ltd. ShapeBlue
> is
> > a registered trademark.
> >
> > Regards,
> > Rohit Yadav
> > Software Architect, ShapeBlue
> > M. +41 779015219 | rohit.yadav@shapeblue.com
> > Blog: bhaisaab.org | Twitter: @_bhaisaab
> >
> >
> >
> > Find out more about ShapeBlue and our range of CloudStack related
> services
> >
> > IaaS Cloud Design &
> > Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> > CSForge - rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> > CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> > CloudStack Infrastructure
> > Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> > CloudStack Bootcamp Training
> > Courses<http://shapeblue.com/cloudstack-training/>
> >
> > This email and any attachments to it may be confidential and are intended
> > solely for the use of the individual to whom it is addressed. Any views
> or
> > opinions expressed are solely those of the author and do not necessarily
> > represent those of Shape Blue Ltd or related companies. If you are not
> the
> > intended recipient of this email, you must neither take any action based
> > upon its contents, nor copy or show it to anyone. Please contact the
> > sender if you believe you have received this email in error. Shape Blue
> > Ltd is a company incorporated in England & Wales. ShapeBlue Services
> India
> > LLP is a company incorporated in India and is operated under license from
> > Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company
> > incorporated in Brasil and is operated under license from Shape Blue Ltd.
> > ShapeBlue SA Pty Ltd is a company registered by The Republic of South
> > Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a
> > registered trademark.
>
Re: [SHOW] Authentication refactoring
Posted by Carlos Reategui <cr...@me.com>.
> On Aug 12, 2014, at 5:12 AM, Adrian Lewis <ad...@alsiconsulting.co.uk> wrote:
>
> Hi Rohit,
>
> Not a very constructive email I'm afraid but I too would be very
> interested in one-time password authentication for CS. Is anyone that you
> know of working on RADIUS auth as this would be a relatively easy way to
> integrate a wide number of OTP systems that rely on a secondary auth
> challenge for the OTP. This secondary auth mechanism is part of the RADIUS
> standard and would cover RSA as well as the system that I'm interested in
> implementing (Fortinet's FortiAuthenticator) and many other
> enterprise-focussed OTP systems.
>
> Not sure if OTP/2FA would be suitable for API access so a second question
> is: Would it be feasible to use different auth backends for the GUI vs the
> API? As I understand it, the GUI is simply a 'wrapper' for the API so
> perhaps not but I'm sure I'm not alone here in wanting OTP/2FA, perhaps
> even at the expense of API access. Contrary to popular belief within the
> CS community, not everyone uses the API (shock horror!). Maybe OTP/2FA is
> not an issue for API access but I assume it would be a problem for the use
> of Puppet/Ansible/Salt etc. Perhaps a source IP ACL so that only specified
> IPs can use a standard auth method but all other access mandates OTP/2FA?
> Not sure how AWS works with their MFA feature - anyone?
MFA is used for accessing UI console where you manage your keys for API usage.
API access is controlled via IAM or key/secret which you manage from the UI
>
> I'm afraid I'm just a (ab)user and couldn't program anything myself - just
> curious to see if anyone has any thoughts or existing efforts in this
> area?
>
> Cheers,
>
> Adrian
>
> -----Original Message-----
> From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
> Sent: 12 August 2014 11:41
> To: dev@cloudstack.apache.org
> Subject: Re: [SHOW] Authentication refactoring
>
> From the user end there is no change, not in UI or any change expected in
> clients except one:
> Since login and logout are now implemented like your regular api, we don't
> allow uses to call login and logout and other such AuthenticatorAPIs
> directly like via integration port
>
> Stephen, I'm not sure if we natively support RSA and other things at
> present we only have our custom login auth mechanism, signature/key based
> auth and a simple SSO (pre-shared key) methods. This refactoring will open
> doors for saml, oauth and possibly others.
>
> This is merged on master now, even though I did testing at my end please
> let me know if something got broke? From the outside world nothing should
> break, i.e. refactoring.
>
> Cheers.
>
> On 12-Aug-2014, at 12:32 pm, Stephen Turner <St...@citrix.com>
> wrote:
>
>> Are there any UI changes? Some auth mechanisms might need more than just
> username and password (RSA token, for example, or even just "give the 1st,
> 4th and 5th characters").
>>
>> --
>> Stephen Turner
>>
>>
>> -----Original Message-----
>> From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
>> Sent: 12 August 2014 04:51
>> To: dev
>> Subject: [SHOW] Authentication refactoring
>>
>> Hi,
>>
>> The way we handle login and logout is hardcoded and since there is no
> APICommand/BaseCmd implementation the apidoc, apidiscovery and other don't
> discover these apis. For supporting SAML as an authentication mechanism,
> I've refactored the Auth mechanism as a pluggable service that loads with
> api-server artifact and both login and logout are now implemented as a
> pseduo BaseCmd classes.
>>
>> I call them pseudo because their execute() is never called, the
> authentication guards in ApiServlet class make sure we call an
> authenticate method of such classes. Since, they are tightly coupled with
> cloud-server's ApiServlet it only made sense to have the interface
> definition and implementation within the same package/artifact as well.
> This also solves the apidoc issue for login/logout and saml related auth
> apis.
>>
>> I'll merge them after sometime and continue working on saml stuff. Will
> push the code in the branch "auth-refactor" in an hour for review/testing
> now. This does not break anything and should not cause any auth related
> issues for all existing clients.
>>
>> Any suggestions, feedback welcome! Refactoring was pretty straight
> forward but I'll make sure to write a wiki page on this before merging to
> master.
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +41 779015219 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related
> services
>>
>> IaaS Cloud Design &
> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge - rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure
> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training
> Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are
> intended solely for the use of the individual to whom it is addressed. Any
> views or opinions expressed are solely those of the author and do not
> necessarily represent those of Shape Blue Ltd or related companies. If you
> are not the intended recipient of this email, you must neither take any
> action based upon its contents, nor copy or show it to anyone. Please
> contact the sender if you believe you have received this email in error.
> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
> Services India LLP is a company incorporated in India and is operated
> under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a
> company incorporated in Brasil and is operated under license from Shape
> Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
> South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is
> a registered trademark.
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +41 779015219 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design &
> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge - rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Infrastructure
> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training
> Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are intended
> solely for the use of the individual to whom it is addressed. Any views or
> opinions expressed are solely those of the author and do not necessarily
> represent those of Shape Blue Ltd or related companies. If you are not the
> intended recipient of this email, you must neither take any action based
> upon its contents, nor copy or show it to anyone. Please contact the
> sender if you believe you have received this email in error. Shape Blue
> Ltd is a company incorporated in England & Wales. ShapeBlue Services India
> LLP is a company incorporated in India and is operated under license from
> Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company
> incorporated in Brasil and is operated under license from Shape Blue Ltd.
> ShapeBlue SA Pty Ltd is a company registered by The Republic of South
> Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a
> registered trademark.
RE: [SHOW] Authentication refactoring
Posted by Adrian Lewis <ad...@alsiconsulting.co.uk>.
Hi Rohit,
Not a very constructive email I'm afraid but I too would be very
interested in one-time password authentication for CS. Is anyone that you
know of working on RADIUS auth as this would be a relatively easy way to
integrate a wide number of OTP systems that rely on a secondary auth
challenge for the OTP. This secondary auth mechanism is part of the RADIUS
standard and would cover RSA as well as the system that I'm interested in
implementing (Fortinet's FortiAuthenticator) and many other
enterprise-focussed OTP systems.
Not sure if OTP/2FA would be suitable for API access so a second question
is: Would it be feasible to use different auth backends for the GUI vs the
API? As I understand it, the GUI is simply a 'wrapper' for the API so
perhaps not but I'm sure I'm not alone here in wanting OTP/2FA, perhaps
even at the expense of API access. Contrary to popular belief within the
CS community, not everyone uses the API (shock horror!). Maybe OTP/2FA is
not an issue for API access but I assume it would be a problem for the use
of Puppet/Ansible/Salt etc. Perhaps a source IP ACL so that only specified
IPs can use a standard auth method but all other access mandates OTP/2FA?
Not sure how AWS works with their MFA feature - anyone?
I'm afraid I'm just a (ab)user and couldn't program anything myself - just
curious to see if anyone has any thoughts or existing efforts in this
area?
Cheers,
Adrian
-----Original Message-----
From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
Sent: 12 August 2014 11:41
To: dev@cloudstack.apache.org
Subject: Re: [SHOW] Authentication refactoring
>From the user end there is no change, not in UI or any change expected in
clients except one:
Since login and logout are now implemented like your regular api, we don't
allow uses to call login and logout and other such AuthenticatorAPIs
directly like via integration port
Stephen, I'm not sure if we natively support RSA and other things at
present we only have our custom login auth mechanism, signature/key based
auth and a simple SSO (pre-shared key) methods. This refactoring will open
doors for saml, oauth and possibly others.
This is merged on master now, even though I did testing at my end please
let me know if something got broke? From the outside world nothing should
break, i.e. refactoring.
Cheers.
On 12-Aug-2014, at 12:32 pm, Stephen Turner <St...@citrix.com>
wrote:
> Are there any UI changes? Some auth mechanisms might need more than just
username and password (RSA token, for example, or even just "give the 1st,
4th and 5th characters").
>
> --
> Stephen Turner
>
>
> -----Original Message-----
> From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
> Sent: 12 August 2014 04:51
> To: dev
> Subject: [SHOW] Authentication refactoring
>
> Hi,
>
> The way we handle login and logout is hardcoded and since there is no
APICommand/BaseCmd implementation the apidoc, apidiscovery and other don't
discover these apis. For supporting SAML as an authentication mechanism,
I've refactored the Auth mechanism as a pluggable service that loads with
api-server artifact and both login and logout are now implemented as a
pseduo BaseCmd classes.
>
> I call them pseudo because their execute() is never called, the
authentication guards in ApiServlet class make sure we call an
authenticate method of such classes. Since, they are tightly coupled with
cloud-server's ApiServlet it only made sense to have the interface
definition and implementation within the same package/artifact as well.
This also solves the apidoc issue for login/logout and saml related auth
apis.
>
> I'll merge them after sometime and continue working on saml stuff. Will
push the code in the branch "auth-refactor" in an hour for review/testing
now. This does not break anything and should not cause any auth related
issues for all existing clients.
>
> Any suggestions, feedback welcome! Refactoring was pretty straight
forward but I'll make sure to write a wiki page on this before merging to
master.
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +41 779015219 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
> Find out more about ShapeBlue and our range of CloudStack related
services
>
> IaaS Cloud Design &
Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge - rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Infrastructure
Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training
Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are
intended solely for the use of the individual to whom it is addressed. Any
views or opinions expressed are solely those of the author and do not
necessarily represent those of Shape Blue Ltd or related companies. If you
are not the intended recipient of this email, you must neither take any
action based upon its contents, nor copy or show it to anyone. Please
contact the sender if you believe you have received this email in error.
Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
Services India LLP is a company incorporated in India and is operated
under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a
company incorporated in Brasil and is operated under license from Shape
Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is
a registered trademark.
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design &
Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge - rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure
Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training
Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended
solely for the use of the individual to whom it is addressed. Any views or
opinions expressed are solely those of the author and do not necessarily
represent those of Shape Blue Ltd or related companies. If you are not the
intended recipient of this email, you must neither take any action based
upon its contents, nor copy or show it to anyone. Please contact the
sender if you believe you have received this email in error. Shape Blue
Ltd is a company incorporated in England & Wales. ShapeBlue Services India
LLP is a company incorporated in India and is operated under license from
Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company
incorporated in Brasil and is operated under license from Shape Blue Ltd.
ShapeBlue SA Pty Ltd is a company registered by The Republic of South
Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a
registered trademark.
Re: [SHOW] Authentication refactoring
Posted by Rohit Yadav <ro...@shapeblue.com>.
>From the user end there is no change, not in UI or any change expected in clients except one:
Since login and logout are now implemented like your regular api, we don’t allow uses to call login and logout and other such AuthenticatorAPIs directly like via integration port
Stephen, I’m not sure if we natively support RSA and other things at present we only have our custom login auth mechanism, signature/key based auth and a simple SSO (pre-shared key) methods. This refactoring will open doors for saml, oauth and possibly others.
This is merged on master now, even though I did testing at my end please let me know if something got broke? From the outside world nothing should break, i.e. refactoring.
Cheers.
On 12-Aug-2014, at 12:32 pm, Stephen Turner <St...@citrix.com> wrote:
> Are there any UI changes? Some auth mechanisms might need more than just username and password (RSA token, for example, or even just "give the 1st, 4th and 5th characters").
>
> --
> Stephen Turner
>
>
> -----Original Message-----
> From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
> Sent: 12 August 2014 04:51
> To: dev
> Subject: [SHOW] Authentication refactoring
>
> Hi,
>
> The way we handle login and logout is hardcoded and since there is no APICommand/BaseCmd implementation the apidoc, apidiscovery and other don't discover these apis. For supporting SAML as an authentication mechanism, I've refactored the Auth mechanism as a pluggable service that loads with api-server artifact and both login and logout are now implemented as a pseduo BaseCmd classes.
>
> I call them pseudo because their execute() is never called, the authentication guards in ApiServlet class make sure we call an authenticate method of such classes. Since, they are tightly coupled with cloud-server's ApiServlet it only made sense to have the interface definition and implementation within the same package/artifact as well. This also solves the apidoc issue for login/logout and saml related auth apis.
>
> I'll merge them after sometime and continue working on saml stuff. Will push the code in the branch "auth-refactor" in an hour for review/testing now. This does not break anything and should not cause any auth related issues for all existing clients.
>
> Any suggestions, feedback welcome! Refactoring was pretty straight forward but I'll make sure to write a wiki page on this before merging to master.
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +41 779015219 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge - rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
RE: [SHOW] Authentication refactoring
Posted by Stephen Turner <St...@citrix.com>.
Are there any UI changes? Some auth mechanisms might need more than just username and password (RSA token, for example, or even just "give the 1st, 4th and 5th characters").
--
Stephen Turner
-----Original Message-----
From: Rohit Yadav [mailto:rohit.yadav@shapeblue.com]
Sent: 12 August 2014 04:51
To: dev
Subject: [SHOW] Authentication refactoring
Hi,
The way we handle login and logout is hardcoded and since there is no APICommand/BaseCmd implementation the apidoc, apidiscovery and other don't discover these apis. For supporting SAML as an authentication mechanism, I've refactored the Auth mechanism as a pluggable service that loads with api-server artifact and both login and logout are now implemented as a pseduo BaseCmd classes.
I call them pseudo because their execute() is never called, the authentication guards in ApiServlet class make sure we call an authenticate method of such classes. Since, they are tightly coupled with cloud-server's ApiServlet it only made sense to have the interface definition and implementation within the same package/artifact as well. This also solves the apidoc issue for login/logout and saml related auth apis.
I'll merge them after sometime and continue working on saml stuff. Will push the code in the branch "auth-refactor" in an hour for review/testing now. This does not break anything and should not cause any auth related issues for all existing clients.
Any suggestions, feedback welcome! Refactoring was pretty straight forward but I'll make sure to write a wiki page on this before merging to master.
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge - rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: [SHOW] Authentication refactoring
Posted by Rohit Yadav <ro...@shapeblue.com>.
On 12-Aug-2014, at 11:32 am, Daan Hoogland <da...@gmail.com> wrote:
> looks alright at first glance. did you considder IAM/is it going to
> give conflicts there? I don't suppose so as this work is more of a
> front end thing and IAM should be more based in the background but
> keep it in mind anyway;)
> No reason why you shouldn't merge, except feature freeze..
I think the IAM stuff is still WIP and we’ll need to check with Min and Prachi on the current status. This was mostly for introducing new auth mechanisms, IAM is more for managing user and resources I think. In either case, if they can take a look over this we can fix it to support their use cases (if any) as well. I would still consider this version 1, probably needs more iteration as we go.
This was purely done to support OAuth, SAML and other auth mechanism since adding an API won’t just work without it having a valid sessionKey so I had to refactor out the ApiServlet where login/logout actually happens.
Regards.
>
> On Tue, Aug 12, 2014 at 11:10 AM, Rohit Yadav <ro...@shapeblue.com> wrote:
>> This was done:
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Authentication+Refactoring
>>
>> This is the branch:
>> https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=refs/heads/auth-refactor
>>
>> Updates:
>> - Every auth mechanism now implements as a APICommand but these are special APIs are not allowed to execute, i.e. the execute() method returns with an error
>> - Existing tests were fixed
>> - We no longer need to hardcode login/logout for doc generation etc.
>> - Api discovery now has login/logout docs etc as well
>> - Since these APIs are tightly coupled with cloud-server artifact, except for responses all the interface definitions etc are within cloud-server
>> - This allows for implementation of other login mechanisms such as saml, oauth, something-custom™ etc. though implementing it as a plugin is still tricky now
>>
>> I’ve tested UI and cloudmonkey on port 8080 and 8096, with apikey/secret keys but would welcome help around this area from anyone. I’ll merge the branch later this week if no one objects.
>>
>> Cheers.
>>
>> On 12-Aug-2014, at 5:50 am, Rohit Yadav <ro...@shapeblue.com> wrote:
>>
>>> Hi,
>>>
>>> The way we handle login and logout is hardcoded and since there is no APICommand/BaseCmd implementation the apidoc, apidiscovery and other don’t discover these apis. For supporting SAML as an authentication mechanism, I’ve refactored the Auth mechanism as a pluggable service that loads with api-server artifact and both login and logout are now implemented as a pseduo BaseCmd classes.
>>>
>>> I call them pseudo because their execute() is never called, the authentication guards in ApiServlet class make sure we call an authenticate method of such classes. Since, they are tightly coupled with cloud-server’s ApiServlet it only made sense to have the interface definition and implementation within the same package/artifact as well. This also solves the apidoc issue for login/logout and saml related auth apis.
>>>
>>> I’ll merge them after sometime and continue working on saml stuff. Will push the code in the branch “auth-refactor” in an hour for review/testing now. This does not break anything and should not cause any auth related issues for all existing clients.
>>>
>>> Any suggestions, feedback welcome! Refactoring was pretty straight forward but I’ll make sure to write a wiki page on this before merging to master.
>>>
>>> Regards,
>>> Rohit Yadav
>>> Software Architect, ShapeBlue
>>> M. +41 779015219 | rohit.yadav@shapeblue.com
>>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>>
>>>
>>>
>>> Find out more about ShapeBlue and our range of CloudStack related services
>>>
>>> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>>> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>>> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>>> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>>>
>>> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +41 779015219 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related services
>>
>> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
>
>
>
> --
> Daan
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: [SHOW] Authentication refactoring
Posted by Daan Hoogland <da...@gmail.com>.
looks alright at first glance. did you considder IAM/is it going to
give conflicts there? I don't suppose so as this work is more of a
front end thing and IAM should be more based in the background but
keep it in mind anyway;)
No reason why you shouldn't merge, except feature freeze..
On Tue, Aug 12, 2014 at 11:10 AM, Rohit Yadav <ro...@shapeblue.com> wrote:
> This was done:
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Authentication+Refactoring
>
> This is the branch:
> https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=refs/heads/auth-refactor
>
> Updates:
> - Every auth mechanism now implements as a APICommand but these are special APIs are not allowed to execute, i.e. the execute() method returns with an error
> - Existing tests were fixed
> - We no longer need to hardcode login/logout for doc generation etc.
> - Api discovery now has login/logout docs etc as well
> - Since these APIs are tightly coupled with cloud-server artifact, except for responses all the interface definitions etc are within cloud-server
> - This allows for implementation of other login mechanisms such as saml, oauth, something-custom™ etc. though implementing it as a plugin is still tricky now
>
> I’ve tested UI and cloudmonkey on port 8080 and 8096, with apikey/secret keys but would welcome help around this area from anyone. I’ll merge the branch later this week if no one objects.
>
> Cheers.
>
> On 12-Aug-2014, at 5:50 am, Rohit Yadav <ro...@shapeblue.com> wrote:
>
>> Hi,
>>
>> The way we handle login and logout is hardcoded and since there is no APICommand/BaseCmd implementation the apidoc, apidiscovery and other don’t discover these apis. For supporting SAML as an authentication mechanism, I’ve refactored the Auth mechanism as a pluggable service that loads with api-server artifact and both login and logout are now implemented as a pseduo BaseCmd classes.
>>
>> I call them pseudo because their execute() is never called, the authentication guards in ApiServlet class make sure we call an authenticate method of such classes. Since, they are tightly coupled with cloud-server’s ApiServlet it only made sense to have the interface definition and implementation within the same package/artifact as well. This also solves the apidoc issue for login/logout and saml related auth apis.
>>
>> I’ll merge them after sometime and continue working on saml stuff. Will push the code in the branch “auth-refactor” in an hour for review/testing now. This does not break anything and should not cause any auth related issues for all existing clients.
>>
>> Any suggestions, feedback welcome! Refactoring was pretty straight forward but I’ll make sure to write a wiki page on this before merging to master.
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +41 779015219 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related services
>>
>> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +41 779015219 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
--
Daan
Re: [SHOW] Authentication refactoring
Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi David,
On 13-Aug-2014, at 5:10 am, David Nalley <da...@gnsa.us> wrote:
> On Tue, Aug 12, 2014 at 5:35 PM, Rohit Yadav <ro...@shapeblue.com> wrote:
>> Hi Min,
>>
>> For for master, we don’t have any code freeze currently, I think merge request/reviews are not mandatory and I was confident with the changes so I pushed it on master.
>>
>
> This is an incorrect understanding of our community norms.
> Merging a feature has little to do with code or feature freeze and has
> been well documented for some time:
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Branch+Merge+Expectations
Thanks for the info, I was unaware of this.
Will follow this workflow in future.
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: [SHOW] Authentication refactoring
Posted by Daan Hoogland <da...@gmail.com>.
On Wed, Aug 13, 2014 at 5:10 AM, David Nalley <da...@gnsa.us> wrote:
> Code freeze means that we discuss every commit, and only critical or
> blocker bug fixes make it in.
Which in practice means: RM reviews quickly and cherry-picks/merges it.
--
Daan
Re: [SHOW] Authentication refactoring
Posted by David Nalley <da...@gnsa.us>.
On Tue, Aug 12, 2014 at 5:35 PM, Rohit Yadav <ro...@shapeblue.com> wrote:
> Hi Min,
>
> For for master, we don’t have any code freeze currently, I think merge request/reviews are not mandatory and I was confident with the changes so I pushed it on master.
>
This is an incorrect understanding of our community norms.
Merging a feature has little to do with code or feature freeze and has
been well documented for some time:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Branch+Merge+Expectations
For completeness:
Feature freeze means no additional features make it in to master. (if
we followed the schedule literally, we hit this on 19 July, so
technically we are already well into feature freeze as well)
Code freeze means that we discuss every commit, and only critical or
blocker bug fixes make it in.
--David
Re: [SHOW] Authentication refactoring
Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Min,
For for master, we don’t have any code freeze currently, I think merge request/reviews are not mandatory and I was confident with the changes so I pushed it on master.
After Daan’s email I did testing at my end (I’ve bunch of zotac zboxes to do the local testing, it was already failing for some vm lifecycle stuff so I hope it not my stuff breaking anything), then fixed cloudmonkey for certain pre-existing issues (nothing related to the refactoring) and pushed it to master.
This was just refactoring, nothing should break and no change is expected for clients except two:
- apidocs no longer required hardcoded entries, serialization is done by the same Api response serializer
- on non-authenticated port (8096/integration) calls to login/logout etc. will fail with 405 (method not available), i.e. the Authentication cmds are not allowed to run execute() (since they extend BaseCmd, this hack just for the doc stuff and to follow the existing API convention)
The refactoring was not a lot of work or change and I was able to pull this off yesterday within few hours so I think there may look like whole bunch of commits and files, but nothing new was introduced. Once you go through the com.cloud.api.auth package and the wiki you’ll see it just tries to introduce extensions for new/existing login/logout mechanisms.
Advise on the merge request workflow, do we follow anything?
Cheers.
On 12-Aug-2014, at 10:52 pm, Min Chen <mi...@citrix.com> wrote:
> Hi Rohit,
> My understanding is that you will do this on your feature branch
> "auth-refactor", then merge them after passing at least some CI automation
> tests. Today, I saw all these commits already in master:
>
> 10 hours ago Rohit YadavDefaultLoginAPIAuthenticatorCmd: return userId
> as UUID commit | commitdiff | tree | snapshot
> 10 hours ago Rohit Yadavutils: fix pom.xml to have references for
> javax.servlet... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavApiServer: take UTF_8 and other static vars from
> HttpUtils commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavApiServlet: use HttpUtils instead of class
> specific... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavApiResponseSerializer: Use HttpUtils instead of
> BaseCmd commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavBaseCmd: Use HttpUtils to have single source of
> static... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit Yadavutils: refactor HTTP transport stuff to
> HttpUtils commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavApiServletTest: Fix test, now login/logout have
> their... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavAPIAuthenticator: refactor signature of
> APIAuthenticato... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavApiServlet: move setting of response type up in
> the... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavApiXmlDocWriter: get rid of hardcoded
> login/logout... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavApiServlet: use the new and refactored
> authentication... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavApiXmlDocWriter: remove hardcoded login and
> logout... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavApiResponseSerializer: Skip extra boxing for
> Auth responses commit | commitdiff | tree | snapshot
> 10 hours ago Rohit Yadavresponse: add command response for login and
> logout... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavAPIAuthenticationManagerImpl: add the auth
> manager... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavDefaultLoginAPIAuthenticatorCmd: Refactor and
> implement... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavDefaultLogoutAPIAuthenticatorCmd: Refactor and
> implemen... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavAPIAuthenticationManager: Add Auth manager
> definition commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavAPIAuthenticationType: Add auth enum type, login
> or... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavAPIAuthenticator: Add interface definition for
> the... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit Yadavsaml2: add opensaml as dependency commit |
> commitdiff | tree | snapshot
> 10 hours ago Rohit Yadavcommands.properties: add
> login,logout,samlsso,samlslo... commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavApiErrorCode: Add API error code 401, 405
> commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavApiConstants: add Api constant registered
> commit | commitdiff | tree | snapshot
> 10 hours ago Rohit Yadavsaml2: add spring security saml2 extension
> 1.0.0.RELEASE commit | commitdiff | tree | snapshot
> 10 hours ago Rohit Yadavclient: add saml2 plugin dependency on client
> artifact commit | commitdiff | tree | snapshot
> 10 hours ago Rohit YadavCLOUDSTACK-7083: Add SAML2 SSO plugin skeleton
> and... commit | commitdiff | tree | snapshot
>
>
> Are these commits related to the refactor you are talking about here? Why
> are they not going through some merge request?
>
> Thanks
> -min
>
> On 8/12/14 2:10 AM, "Rohit Yadav" <ro...@shapeblue.com> wrote:
>
>> This was done:
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Authentication+Refa
>> ctoring
>>
>> This is the branch:
>> https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=refs
>> /heads/auth-refactor
>>
>> Updates:
>> - Every auth mechanism now implements as a APICommand but these are
>> special APIs are not allowed to execute, i.e. the execute() method
>> returns with an error
>> - Existing tests were fixed
>> - We no longer need to hardcode login/logout for doc generation etc.
>> - Api discovery now has login/logout docs etc as well
>> - Since these APIs are tightly coupled with cloud-server artifact, except
>> for responses all the interface definitions etc are within cloud-server
>> - This allows for implementation of other login mechanisms such as saml,
>> oauth, something-custom etc. though implementing it as a plugin is still
>> tricky now
>>
>> I¹ve tested UI and cloudmonkey on port 8080 and 8096, with apikey/secret
>> keys but would welcome help around this area from anyone. I¹ll merge the
>> branch later this week if no one objects.
>>
>> Cheers.
>>
>> On 12-Aug-2014, at 5:50 am, Rohit Yadav <ro...@shapeblue.com> wrote:
>>
>>> Hi,
>>>
>>> The way we handle login and logout is hardcoded and since there is no
>>> APICommand/BaseCmd implementation the apidoc, apidiscovery and other
>>> don¹t discover these apis. For supporting SAML as an authentication
>>> mechanism, I¹ve refactored the Auth mechanism as a pluggable service
>>> that loads with api-server artifact and both login and logout are now
>>> implemented as a pseduo BaseCmd classes.
>>>
>>> I call them pseudo because their execute() is never called, the
>>> authentication guards in ApiServlet class make sure we call an
>>> authenticate method of such classes. Since, they are tightly coupled
>>> with cloud-server¹s ApiServlet it only made sense to have the interface
>>> definition and implementation within the same package/artifact as well.
>>> This also solves the apidoc issue for login/logout and saml related auth
>>> apis.
>>>
>>> I¹ll merge them after sometime and continue working on saml stuff. Will
>>> push the code in the branch ³auth-refactor² in an hour for
>>> review/testing now. This does not break anything and should not cause
>>> any auth related issues for all existing clients.
>>>
>>> Any suggestions, feedback welcome! Refactoring was pretty straight
>>> forward but I¹ll make sure to write a wiki page on this before merging
>>> to master.
>>>
>>> Regards,
>>> Rohit Yadav
>>> Software Architect, ShapeBlue
>>> M. +41 779015219 | rohit.yadav@shapeblue.com
>>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>>
>>>
>>>
>>> Find out more about ShapeBlue and our range of CloudStack related
>>> services
>>>
>>> IaaS Cloud Design &
>>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>>> CSForge rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>>> CloudStack Infrastructure
>>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>>> CloudStack Bootcamp Training
>>> Courses<http://shapeblue.com/cloudstack-training/>
>>>
>>> This email and any attachments to it may be confidential and are
>>> intended solely for the use of the individual to whom it is addressed.
>>> Any views or opinions expressed are solely those of the author and do
>>> not necessarily represent those of Shape Blue Ltd or related companies.
>>> If you are not the intended recipient of this email, you must neither
>>> take any action based upon its contents, nor copy or show it to anyone.
>>> Please contact the sender if you believe you have received this email in
>>> error. Shape Blue Ltd is a company incorporated in England & Wales.
>>> ShapeBlue Services India LLP is a company incorporated in India and is
>>> operated under license from Shape Blue Ltd. Shape Blue Brasil
>>> Consultoria Ltda is a company incorporated in Brasil and is operated
>>> under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
>>> registered by The Republic of South Africa and is traded under license
>>> from Shape Blue Ltd. ShapeBlue is a registered trademark.
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +41 779015219 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related services
>>
>> IaaS Cloud Design &
>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure
>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training
>> Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are intended
>> solely for the use of the individual to whom it is addressed. Any views
>> or opinions expressed are solely those of the author and do not
>> necessarily represent those of Shape Blue Ltd or related companies. If
>> you are not the intended recipient of this email, you must neither take
>> any action based upon its contents, nor copy or show it to anyone. Please
>> contact the sender if you believe you have received this email in error.
>> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
>> Services India LLP is a company incorporated in India and is operated
>> under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is
>> a company incorporated in Brasil and is operated under license from Shape
>> Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
>> South Africa and is traded under license from Shape Blue Ltd. ShapeBlue
>> is a registered trademark.
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: [SHOW] Authentication refactoring
Posted by Min Chen <mi...@citrix.com>.
Hi Rohit,
My understanding is that you will do this on your feature branch
"auth-refactor", then merge them after passing at least some CI automation
tests. Today, I saw all these commits already in master:
10 hours ago Rohit Yadav DefaultLoginAPIAuthenticatorCmd: return userId
as UUID commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav utils: fix pom.xml to have references for
javax.servlet... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav ApiServer: take UTF_8 and other static vars from
HttpUtils commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav ApiServlet: use HttpUtils instead of class
specific... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav ApiResponseSerializer: Use HttpUtils instead of
BaseCmd commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav BaseCmd: Use HttpUtils to have single source of
static... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav utils: refactor HTTP transport stuff to
HttpUtils commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav ApiServletTest: Fix test, now login/logout have
their... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav APIAuthenticator: refactor signature of
APIAuthenticato... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav ApiServlet: move setting of response type up in
the... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav ApiXmlDocWriter: get rid of hardcoded
login/logout... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav ApiServlet: use the new and refactored
authentication... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav ApiXmlDocWriter: remove hardcoded login and
logout... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav ApiResponseSerializer: Skip extra boxing for
Auth responses commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav response: add command response for login and
logout... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav APIAuthenticationManagerImpl: add the auth
manager... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav DefaultLoginAPIAuthenticatorCmd: Refactor and
implement... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav DefaultLogoutAPIAuthenticatorCmd: Refactor and
implemen... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav APIAuthenticationManager: Add Auth manager
definition commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav APIAuthenticationType: Add auth enum type, login
or... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav APIAuthenticator: Add interface definition for
the... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav saml2: add opensaml as dependency commit |
commitdiff | tree | snapshot
10 hours ago Rohit Yadav commands.properties: add
login,logout,samlsso,samlslo... commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav ApiErrorCode: Add API error code 401, 405
commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav ApiConstants: add Api constant registered
commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav saml2: add spring security saml2 extension
1.0.0.RELEASE commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav client: add saml2 plugin dependency on client
artifact commit | commitdiff | tree | snapshot
10 hours ago Rohit Yadav CLOUDSTACK-7083: Add SAML2 SSO plugin skeleton
and... commit | commitdiff | tree | snapshot
Are these commits related to the refactor you are talking about here? Why
are they not going through some merge request?
Thanks
-min
On 8/12/14 2:10 AM, "Rohit Yadav" <ro...@shapeblue.com> wrote:
>This was done:
>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Authentication+Refa
>ctoring
>
>This is the branch:
>https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=refs
>/heads/auth-refactor
>
>Updates:
>- Every auth mechanism now implements as a APICommand but these are
>special APIs are not allowed to execute, i.e. the execute() method
>returns with an error
>- Existing tests were fixed
>- We no longer need to hardcode login/logout for doc generation etc.
>- Api discovery now has login/logout docs etc as well
>- Since these APIs are tightly coupled with cloud-server artifact, except
>for responses all the interface definitions etc are within cloud-server
>- This allows for implementation of other login mechanisms such as saml,
>oauth, something-custom etc. though implementing it as a plugin is still
>tricky now
>
>I¹ve tested UI and cloudmonkey on port 8080 and 8096, with apikey/secret
>keys but would welcome help around this area from anyone. I¹ll merge the
>branch later this week if no one objects.
>
>Cheers.
>
>On 12-Aug-2014, at 5:50 am, Rohit Yadav <ro...@shapeblue.com> wrote:
>
>> Hi,
>>
>> The way we handle login and logout is hardcoded and since there is no
>>APICommand/BaseCmd implementation the apidoc, apidiscovery and other
>>don¹t discover these apis. For supporting SAML as an authentication
>>mechanism, I¹ve refactored the Auth mechanism as a pluggable service
>>that loads with api-server artifact and both login and logout are now
>>implemented as a pseduo BaseCmd classes.
>>
>> I call them pseudo because their execute() is never called, the
>>authentication guards in ApiServlet class make sure we call an
>>authenticate method of such classes. Since, they are tightly coupled
>>with cloud-server¹s ApiServlet it only made sense to have the interface
>>definition and implementation within the same package/artifact as well.
>>This also solves the apidoc issue for login/logout and saml related auth
>>apis.
>>
>> I¹ll merge them after sometime and continue working on saml stuff. Will
>>push the code in the branch ³auth-refactor² in an hour for
>>review/testing now. This does not break anything and should not cause
>>any auth related issues for all existing clients.
>>
>> Any suggestions, feedback welcome! Refactoring was pretty straight
>>forward but I¹ll make sure to write a wiki page on this before merging
>>to master.
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +41 779015219 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related
>>services
>>
>> IaaS Cloud Design &
>>Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure
>>Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training
>>Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are
>>intended solely for the use of the individual to whom it is addressed.
>>Any views or opinions expressed are solely those of the author and do
>>not necessarily represent those of Shape Blue Ltd or related companies.
>>If you are not the intended recipient of this email, you must neither
>>take any action based upon its contents, nor copy or show it to anyone.
>>Please contact the sender if you believe you have received this email in
>>error. Shape Blue Ltd is a company incorporated in England & Wales.
>>ShapeBlue Services India LLP is a company incorporated in India and is
>>operated under license from Shape Blue Ltd. Shape Blue Brasil
>>Consultoria Ltda is a company incorporated in Brasil and is operated
>>under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
>>registered by The Republic of South Africa and is traded under license
>>from Shape Blue Ltd. ShapeBlue is a registered trademark.
>
>Regards,
>Rohit Yadav
>Software Architect, ShapeBlue
>M. +41 779015219 | rohit.yadav@shapeblue.com
>Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
>Find out more about ShapeBlue and our range of CloudStack related services
>
>IaaS Cloud Design &
>Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>CSForge rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>CloudStack Infrastructure
>Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>CloudStack Bootcamp Training
>Courses<http://shapeblue.com/cloudstack-training/>
>
>This email and any attachments to it may be confidential and are intended
>solely for the use of the individual to whom it is addressed. Any views
>or opinions expressed are solely those of the author and do not
>necessarily represent those of Shape Blue Ltd or related companies. If
>you are not the intended recipient of this email, you must neither take
>any action based upon its contents, nor copy or show it to anyone. Please
>contact the sender if you believe you have received this email in error.
>Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
>Services India LLP is a company incorporated in India and is operated
>under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is
>a company incorporated in Brasil and is operated under license from Shape
>Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
>South Africa and is traded under license from Shape Blue Ltd. ShapeBlue
>is a registered trademark.
Re: [SHOW] Authentication refactoring
Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Min,
On 14-Aug-2014, at 6:54 pm, Min Chen <mi...@citrix.com> wrote:
> Hi Rohit,
>
> Any reason why you didn't implement response class for login and logout
> like any other API cmd? I think that will be useful as mentioned in your
> FS.
Checkout LoginResponse and LogoutResponse :) also read the annotation in @APICommand which links to them on master.
That’s how the apidoc gets the response docs.
Cheers.
>
> Thanks
> -min
>
> On 8/12/14 2:10 AM, "Rohit Yadav" <ro...@shapeblue.com> wrote:
>
>> This was done:
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Authentication+Refa
>> ctoring
>>
>> This is the branch:
>> https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=refs
>> /heads/auth-refactor
>>
>> Updates:
>> - Every auth mechanism now implements as a APICommand but these are
>> special APIs are not allowed to execute, i.e. the execute() method
>> returns with an error
>> - Existing tests were fixed
>> - We no longer need to hardcode login/logout for doc generation etc.
>> - Api discovery now has login/logout docs etc as well
>> - Since these APIs are tightly coupled with cloud-server artifact, except
>> for responses all the interface definitions etc are within cloud-server
>> - This allows for implementation of other login mechanisms such as saml,
>> oauth, something-custom etc. though implementing it as a plugin is still
>> tricky now
>>
>> I¹ve tested UI and cloudmonkey on port 8080 and 8096, with apikey/secret
>> keys but would welcome help around this area from anyone. I¹ll merge the
>> branch later this week if no one objects.
>>
>> Cheers.
>>
>> On 12-Aug-2014, at 5:50 am, Rohit Yadav <ro...@shapeblue.com> wrote:
>>
>>> Hi,
>>>
>>> The way we handle login and logout is hardcoded and since there is no
>>> APICommand/BaseCmd implementation the apidoc, apidiscovery and other
>>> don¹t discover these apis. For supporting SAML as an authentication
>>> mechanism, I¹ve refactored the Auth mechanism as a pluggable service
>>> that loads with api-server artifact and both login and logout are now
>>> implemented as a pseduo BaseCmd classes.
>>>
>>> I call them pseudo because their execute() is never called, the
>>> authentication guards in ApiServlet class make sure we call an
>>> authenticate method of such classes. Since, they are tightly coupled
>>> with cloud-server¹s ApiServlet it only made sense to have the interface
>>> definition and implementation within the same package/artifact as well.
>>> This also solves the apidoc issue for login/logout and saml related auth
>>> apis.
>>>
>>> I¹ll merge them after sometime and continue working on saml stuff. Will
>>> push the code in the branch ³auth-refactor² in an hour for
>>> review/testing now. This does not break anything and should not cause
>>> any auth related issues for all existing clients.
>>>
>>> Any suggestions, feedback welcome! Refactoring was pretty straight
>>> forward but I¹ll make sure to write a wiki page on this before merging
>>> to master.
>>>
>>> Regards,
>>> Rohit Yadav
>>> Software Architect, ShapeBlue
>>> M. +41 779015219 | rohit.yadav@shapeblue.com
>>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>>
>>>
>>>
>>> Find out more about ShapeBlue and our range of CloudStack related
>>> services
>>>
>>> IaaS Cloud Design &
>>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>>> CSForge rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>>> CloudStack Infrastructure
>>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>>> CloudStack Bootcamp Training
>>> Courses<http://shapeblue.com/cloudstack-training/>
>>>
>>> This email and any attachments to it may be confidential and are
>>> intended solely for the use of the individual to whom it is addressed.
>>> Any views or opinions expressed are solely those of the author and do
>>> not necessarily represent those of Shape Blue Ltd or related companies.
>>> If you are not the intended recipient of this email, you must neither
>>> take any action based upon its contents, nor copy or show it to anyone.
>>> Please contact the sender if you believe you have received this email in
>>> error. Shape Blue Ltd is a company incorporated in England & Wales.
>>> ShapeBlue Services India LLP is a company incorporated in India and is
>>> operated under license from Shape Blue Ltd. Shape Blue Brasil
>>> Consultoria Ltda is a company incorporated in Brasil and is operated
>>> under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
>>> registered by The Republic of South Africa and is traded under license
>>> from Shape Blue Ltd. ShapeBlue is a registered trademark.
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +41 779015219 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related services
>>
>> IaaS Cloud Design &
>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure
>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training
>> Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are intended
>> solely for the use of the individual to whom it is addressed. Any views
>> or opinions expressed are solely those of the author and do not
>> necessarily represent those of Shape Blue Ltd or related companies. If
>> you are not the intended recipient of this email, you must neither take
>> any action based upon its contents, nor copy or show it to anyone. Please
>> contact the sender if you believe you have received this email in error.
>> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
>> Services India LLP is a company incorporated in India and is operated
>> under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is
>> a company incorporated in Brasil and is operated under license from Shape
>> Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
>> South Africa and is traded under license from Shape Blue Ltd. ShapeBlue
>> is a registered trademark.
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: [SHOW] Authentication refactoring
Posted by Min Chen <mi...@citrix.com>.
Sorry, I might just get part of your commit yesterday when I looked. Now I
saw them. Thanks for your clarification.
-min
On 8/14/14 10:01 AM, "Rohit Yadav" <ro...@shapeblue.com> wrote:
>
>On 14-Aug-2014, at 6:54 pm, Min Chen <mi...@citrix.com> wrote:
>
>> Hi Rohit,
>>
>> Any reason why you didn't implement response class for login and logout
>> like any other API cmd? I think that will be useful as mentioned in your
>> FS.
>
>In cloud-api, checkout
>org.apache.cloudstack.api.response.{LoginCmdResponse, LogoutCmdResponse}.
>These are special response classes used by only authentication apis and
>they extend org.apache.cloudstack.api.response.AuthenticationCmdResponse.
>
>The serialized output of all the
>org.apache.cloudstack.api.response.AuthenticationCmdResponse classes (and
>children) are not boxed to have object name, it follows: {
>“classresponse”: {response object json here} }.
>
>Cheers.
>
>>
>> Thanks
>> -min
>>
>> On 8/12/14 2:10 AM, "Rohit Yadav" <ro...@shapeblue.com> wrote:
>>
>>> This was done:
>>>
>>>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Authentication+Re
>>>fa
>>> ctoring
>>>
>>> This is the branch:
>>>
>>>https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=re
>>>fs
>>> /heads/auth-refactor
>>>
>>> Updates:
>>> - Every auth mechanism now implements as a APICommand but these are
>>> special APIs are not allowed to execute, i.e. the execute() method
>>> returns with an error
>>> - Existing tests were fixed
>>> - We no longer need to hardcode login/logout for doc generation etc.
>>> - Api discovery now has login/logout docs etc as well
>>> - Since these APIs are tightly coupled with cloud-server artifact,
>>>except
>>> for responses all the interface definitions etc are within cloud-server
>>> - This allows for implementation of other login mechanisms such as
>>>saml,
>>> oauth, something-custom etc. though implementing it as a plugin is
>>>still
>>> tricky now
>>>
>>> I¹ve tested UI and cloudmonkey on port 8080 and 8096, with
>>>apikey/secret
>>> keys but would welcome help around this area from anyone. I¹ll merge
>>>the
>>> branch later this week if no one objects.
>>>
>>> Cheers.
>>>
>>> On 12-Aug-2014, at 5:50 am, Rohit Yadav <ro...@shapeblue.com>
>>>wrote:
>>>
>>>> Hi,
>>>>
>>>> The way we handle login and logout is hardcoded and since there is no
>>>> APICommand/BaseCmd implementation the apidoc, apidiscovery and other
>>>> don¹t discover these apis. For supporting SAML as an authentication
>>>> mechanism, I¹ve refactored the Auth mechanism as a pluggable service
>>>> that loads with api-server artifact and both login and logout are now
>>>> implemented as a pseduo BaseCmd classes.
>>>>
>>>> I call them pseudo because their execute() is never called, the
>>>> authentication guards in ApiServlet class make sure we call an
>>>> authenticate method of such classes. Since, they are tightly coupled
>>>> with cloud-server¹s ApiServlet it only made sense to have the
>>>>interface
>>>> definition and implementation within the same package/artifact as
>>>>well.
>>>> This also solves the apidoc issue for login/logout and saml related
>>>>auth
>>>> apis.
>>>>
>>>> I¹ll merge them after sometime and continue working on saml stuff.
>>>>Will
>>>> push the code in the branch ³auth-refactor² in an hour for
>>>> review/testing now. This does not break anything and should not cause
>>>> any auth related issues for all existing clients.
>>>>
>>>> Any suggestions, feedback welcome! Refactoring was pretty straight
>>>> forward but I¹ll make sure to write a wiki page on this before merging
>>>> to master.
>>>>
>>>> Regards,
>>>> Rohit Yadav
>>>> Software Architect, ShapeBlue
>>>> M. +41 779015219 | rohit.yadav@shapeblue.com
>>>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>>>
>>>>
>>>>
>>>> Find out more about ShapeBlue and our range of CloudStack related
>>>> services
>>>>
>>>> IaaS Cloud Design &
>>>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>>>> CSForge rapid IaaS deployment
>>>>framework<http://shapeblue.com/csforge/>
>>>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>>>> CloudStack Infrastructure
>>>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>>>> CloudStack Bootcamp Training
>>>> Courses<http://shapeblue.com/cloudstack-training/>
>>>>
>>>> This email and any attachments to it may be confidential and are
>>>> intended solely for the use of the individual to whom it is addressed.
>>>> Any views or opinions expressed are solely those of the author and do
>>>> not necessarily represent those of Shape Blue Ltd or related
>>>>companies.
>>>> If you are not the intended recipient of this email, you must neither
>>>> take any action based upon its contents, nor copy or show it to
>>>>anyone.
>>>> Please contact the sender if you believe you have received this email
>>>>in
>>>> error. Shape Blue Ltd is a company incorporated in England & Wales.
>>>> ShapeBlue Services India LLP is a company incorporated in India and is
>>>> operated under license from Shape Blue Ltd. Shape Blue Brasil
>>>> Consultoria Ltda is a company incorporated in Brasil and is operated
>>>> under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
>>>> registered by The Republic of South Africa and is traded under license
>>>> from Shape Blue Ltd. ShapeBlue is a registered trademark.
>>>
>>> Regards,
>>> Rohit Yadav
>>> Software Architect, ShapeBlue
>>> M. +41 779015219 | rohit.yadav@shapeblue.com
>>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>>
>>>
>>>
>>> Find out more about ShapeBlue and our range of CloudStack related
>>>services
>>>
>>> IaaS Cloud Design &
>>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>>> CSForge rapid IaaS deployment
>>>framework<http://shapeblue.com/csforge/>
>>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>>> CloudStack Infrastructure
>>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>>> CloudStack Bootcamp Training
>>> Courses<http://shapeblue.com/cloudstack-training/>
>>>
>>> This email and any attachments to it may be confidential and are
>>>intended
>>> solely for the use of the individual to whom it is addressed. Any views
>>> or opinions expressed are solely those of the author and do not
>>> necessarily represent those of Shape Blue Ltd or related companies. If
>>> you are not the intended recipient of this email, you must neither take
>>> any action based upon its contents, nor copy or show it to anyone.
>>>Please
>>> contact the sender if you believe you have received this email in
>>>error.
>>> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
>>> Services India LLP is a company incorporated in India and is operated
>>> under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda
>>>is
>>> a company incorporated in Brasil and is operated under license from
>>>Shape
>>> Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic
>>>of
>>> South Africa and is traded under license from Shape Blue Ltd. ShapeBlue
>>> is a registered trademark.
>
>Regards,
>Rohit Yadav
>Software Architect, ShapeBlue
>M. +41 779015219 | rohit.yadav@shapeblue.com
>Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
>Find out more about ShapeBlue and our range of CloudStack related services
>
>IaaS Cloud Design &
>Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>CloudStack Infrastructure
>Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>CloudStack Bootcamp Training
>Courses<http://shapeblue.com/cloudstack-training/>
>
>This email and any attachments to it may be confidential and are intended
>solely for the use of the individual to whom it is addressed. Any views
>or opinions expressed are solely those of the author and do not
>necessarily represent those of Shape Blue Ltd or related companies. If
>you are not the intended recipient of this email, you must neither take
>any action based upon its contents, nor copy or show it to anyone. Please
>contact the sender if you believe you have received this email in error.
>Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
>Services India LLP is a company incorporated in India and is operated
>under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is
>a company incorporated in Brasil and is operated under license from Shape
>Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
>South Africa and is traded under license from Shape Blue Ltd. ShapeBlue
>is a registered trademark.
Re: [SHOW] Authentication refactoring
Posted by Rohit Yadav <ro...@shapeblue.com>.
On 14-Aug-2014, at 6:54 pm, Min Chen <mi...@citrix.com> wrote:
> Hi Rohit,
>
> Any reason why you didn't implement response class for login and logout
> like any other API cmd? I think that will be useful as mentioned in your
> FS.
In cloud-api, checkout org.apache.cloudstack.api.response.{LoginCmdResponse, LogoutCmdResponse}. These are special response classes used by only authentication apis and they extend org.apache.cloudstack.api.response.AuthenticationCmdResponse.
The serialized output of all the org.apache.cloudstack.api.response.AuthenticationCmdResponse classes (and children) are not boxed to have object name, it follows: { “classresponse”: {response object json here} }.
Cheers.
>
> Thanks
> -min
>
> On 8/12/14 2:10 AM, "Rohit Yadav" <ro...@shapeblue.com> wrote:
>
>> This was done:
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Authentication+Refa
>> ctoring
>>
>> This is the branch:
>> https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=refs
>> /heads/auth-refactor
>>
>> Updates:
>> - Every auth mechanism now implements as a APICommand but these are
>> special APIs are not allowed to execute, i.e. the execute() method
>> returns with an error
>> - Existing tests were fixed
>> - We no longer need to hardcode login/logout for doc generation etc.
>> - Api discovery now has login/logout docs etc as well
>> - Since these APIs are tightly coupled with cloud-server artifact, except
>> for responses all the interface definitions etc are within cloud-server
>> - This allows for implementation of other login mechanisms such as saml,
>> oauth, something-custom etc. though implementing it as a plugin is still
>> tricky now
>>
>> I¹ve tested UI and cloudmonkey on port 8080 and 8096, with apikey/secret
>> keys but would welcome help around this area from anyone. I¹ll merge the
>> branch later this week if no one objects.
>>
>> Cheers.
>>
>> On 12-Aug-2014, at 5:50 am, Rohit Yadav <ro...@shapeblue.com> wrote:
>>
>>> Hi,
>>>
>>> The way we handle login and logout is hardcoded and since there is no
>>> APICommand/BaseCmd implementation the apidoc, apidiscovery and other
>>> don¹t discover these apis. For supporting SAML as an authentication
>>> mechanism, I¹ve refactored the Auth mechanism as a pluggable service
>>> that loads with api-server artifact and both login and logout are now
>>> implemented as a pseduo BaseCmd classes.
>>>
>>> I call them pseudo because their execute() is never called, the
>>> authentication guards in ApiServlet class make sure we call an
>>> authenticate method of such classes. Since, they are tightly coupled
>>> with cloud-server¹s ApiServlet it only made sense to have the interface
>>> definition and implementation within the same package/artifact as well.
>>> This also solves the apidoc issue for login/logout and saml related auth
>>> apis.
>>>
>>> I¹ll merge them after sometime and continue working on saml stuff. Will
>>> push the code in the branch ³auth-refactor² in an hour for
>>> review/testing now. This does not break anything and should not cause
>>> any auth related issues for all existing clients.
>>>
>>> Any suggestions, feedback welcome! Refactoring was pretty straight
>>> forward but I¹ll make sure to write a wiki page on this before merging
>>> to master.
>>>
>>> Regards,
>>> Rohit Yadav
>>> Software Architect, ShapeBlue
>>> M. +41 779015219 | rohit.yadav@shapeblue.com
>>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>>
>>>
>>>
>>> Find out more about ShapeBlue and our range of CloudStack related
>>> services
>>>
>>> IaaS Cloud Design &
>>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>>> CSForge rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>>> CloudStack Infrastructure
>>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>>> CloudStack Bootcamp Training
>>> Courses<http://shapeblue.com/cloudstack-training/>
>>>
>>> This email and any attachments to it may be confidential and are
>>> intended solely for the use of the individual to whom it is addressed.
>>> Any views or opinions expressed are solely those of the author and do
>>> not necessarily represent those of Shape Blue Ltd or related companies.
>>> If you are not the intended recipient of this email, you must neither
>>> take any action based upon its contents, nor copy or show it to anyone.
>>> Please contact the sender if you believe you have received this email in
>>> error. Shape Blue Ltd is a company incorporated in England & Wales.
>>> ShapeBlue Services India LLP is a company incorporated in India and is
>>> operated under license from Shape Blue Ltd. Shape Blue Brasil
>>> Consultoria Ltda is a company incorporated in Brasil and is operated
>>> under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
>>> registered by The Republic of South Africa and is traded under license
>>> from Shape Blue Ltd. ShapeBlue is a registered trademark.
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +41 779015219 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related services
>>
>> IaaS Cloud Design &
>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure
>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training
>> Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are intended
>> solely for the use of the individual to whom it is addressed. Any views
>> or opinions expressed are solely those of the author and do not
>> necessarily represent those of Shape Blue Ltd or related companies. If
>> you are not the intended recipient of this email, you must neither take
>> any action based upon its contents, nor copy or show it to anyone. Please
>> contact the sender if you believe you have received this email in error.
>> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
>> Services India LLP is a company incorporated in India and is operated
>> under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is
>> a company incorporated in Brasil and is operated under license from Shape
>> Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
>> South Africa and is traded under license from Shape Blue Ltd. ShapeBlue
>> is a registered trademark.
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: [SHOW] Authentication refactoring
Posted by Min Chen <mi...@citrix.com>.
Hi Rohit,
Any reason why you didn't implement response class for login and logout
like any other API cmd? I think that will be useful as mentioned in your
FS.
Thanks
-min
On 8/12/14 2:10 AM, "Rohit Yadav" <ro...@shapeblue.com> wrote:
>This was done:
>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Authentication+Refa
>ctoring
>
>This is the branch:
>https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=refs
>/heads/auth-refactor
>
>Updates:
>- Every auth mechanism now implements as a APICommand but these are
>special APIs are not allowed to execute, i.e. the execute() method
>returns with an error
>- Existing tests were fixed
>- We no longer need to hardcode login/logout for doc generation etc.
>- Api discovery now has login/logout docs etc as well
>- Since these APIs are tightly coupled with cloud-server artifact, except
>for responses all the interface definitions etc are within cloud-server
>- This allows for implementation of other login mechanisms such as saml,
>oauth, something-custom etc. though implementing it as a plugin is still
>tricky now
>
>I¹ve tested UI and cloudmonkey on port 8080 and 8096, with apikey/secret
>keys but would welcome help around this area from anyone. I¹ll merge the
>branch later this week if no one objects.
>
>Cheers.
>
>On 12-Aug-2014, at 5:50 am, Rohit Yadav <ro...@shapeblue.com> wrote:
>
>> Hi,
>>
>> The way we handle login and logout is hardcoded and since there is no
>>APICommand/BaseCmd implementation the apidoc, apidiscovery and other
>>don¹t discover these apis. For supporting SAML as an authentication
>>mechanism, I¹ve refactored the Auth mechanism as a pluggable service
>>that loads with api-server artifact and both login and logout are now
>>implemented as a pseduo BaseCmd classes.
>>
>> I call them pseudo because their execute() is never called, the
>>authentication guards in ApiServlet class make sure we call an
>>authenticate method of such classes. Since, they are tightly coupled
>>with cloud-server¹s ApiServlet it only made sense to have the interface
>>definition and implementation within the same package/artifact as well.
>>This also solves the apidoc issue for login/logout and saml related auth
>>apis.
>>
>> I¹ll merge them after sometime and continue working on saml stuff. Will
>>push the code in the branch ³auth-refactor² in an hour for
>>review/testing now. This does not break anything and should not cause
>>any auth related issues for all existing clients.
>>
>> Any suggestions, feedback welcome! Refactoring was pretty straight
>>forward but I¹ll make sure to write a wiki page on this before merging
>>to master.
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +41 779015219 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related
>>services
>>
>> IaaS Cloud Design &
>>Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure
>>Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training
>>Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are
>>intended solely for the use of the individual to whom it is addressed.
>>Any views or opinions expressed are solely those of the author and do
>>not necessarily represent those of Shape Blue Ltd or related companies.
>>If you are not the intended recipient of this email, you must neither
>>take any action based upon its contents, nor copy or show it to anyone.
>>Please contact the sender if you believe you have received this email in
>>error. Shape Blue Ltd is a company incorporated in England & Wales.
>>ShapeBlue Services India LLP is a company incorporated in India and is
>>operated under license from Shape Blue Ltd. Shape Blue Brasil
>>Consultoria Ltda is a company incorporated in Brasil and is operated
>>under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
>>registered by The Republic of South Africa and is traded under license
>>from Shape Blue Ltd. ShapeBlue is a registered trademark.
>
>Regards,
>Rohit Yadav
>Software Architect, ShapeBlue
>M. +41 779015219 | rohit.yadav@shapeblue.com
>Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
>Find out more about ShapeBlue and our range of CloudStack related services
>
>IaaS Cloud Design &
>Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>CSForge rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>CloudStack Infrastructure
>Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>CloudStack Bootcamp Training
>Courses<http://shapeblue.com/cloudstack-training/>
>
>This email and any attachments to it may be confidential and are intended
>solely for the use of the individual to whom it is addressed. Any views
>or opinions expressed are solely those of the author and do not
>necessarily represent those of Shape Blue Ltd or related companies. If
>you are not the intended recipient of this email, you must neither take
>any action based upon its contents, nor copy or show it to anyone. Please
>contact the sender if you believe you have received this email in error.
>Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
>Services India LLP is a company incorporated in India and is operated
>under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is
>a company incorporated in Brasil and is operated under license from Shape
>Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
>South Africa and is traded under license from Shape Blue Ltd. ShapeBlue
>is a registered trademark.
Re: [SHOW] Authentication refactoring
Posted by Rohit Yadav <ro...@shapeblue.com>.
This was done:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Authentication+Refactoring
This is the branch:
https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=refs/heads/auth-refactor
Updates:
- Every auth mechanism now implements as a APICommand but these are special APIs are not allowed to execute, i.e. the execute() method returns with an error
- Existing tests were fixed
- We no longer need to hardcode login/logout for doc generation etc.
- Api discovery now has login/logout docs etc as well
- Since these APIs are tightly coupled with cloud-server artifact, except for responses all the interface definitions etc are within cloud-server
- This allows for implementation of other login mechanisms such as saml, oauth, something-custom™ etc. though implementing it as a plugin is still tricky now
I’ve tested UI and cloudmonkey on port 8080 and 8096, with apikey/secret keys but would welcome help around this area from anyone. I’ll merge the branch later this week if no one objects.
Cheers.
On 12-Aug-2014, at 5:50 am, Rohit Yadav <ro...@shapeblue.com> wrote:
> Hi,
>
> The way we handle login and logout is hardcoded and since there is no APICommand/BaseCmd implementation the apidoc, apidiscovery and other don’t discover these apis. For supporting SAML as an authentication mechanism, I’ve refactored the Auth mechanism as a pluggable service that loads with api-server artifact and both login and logout are now implemented as a pseduo BaseCmd classes.
>
> I call them pseudo because their execute() is never called, the authentication guards in ApiServlet class make sure we call an authenticate method of such classes. Since, they are tightly coupled with cloud-server’s ApiServlet it only made sense to have the interface definition and implementation within the same package/artifact as well. This also solves the apidoc issue for login/logout and saml related auth apis.
>
> I’ll merge them after sometime and continue working on saml stuff. Will push the code in the branch “auth-refactor” in an hour for review/testing now. This does not break anything and should not cause any auth related issues for all existing clients.
>
> Any suggestions, feedback welcome! Refactoring was pretty straight forward but I’ll make sure to write a wiki page on this before merging to master.
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +41 779015219 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.