Posted to dev@airavata.apache.org by Amila Jayasekara <th...@gmail.com> on 2012/11/22 18:25:21 UTC

Gateway id in airavata request

Hi All,

We need to send the gateway name together with the user name for
authentication at the Airavata service level. We are thinking of using
the following syntax for this:

username@gatewayId

So "@" will be a separator for gateway id and user name. In addition
we do authentication based on the gateway id. I am planning to
incorporate this change into the existing security implementation. If
you have any objections/feedback please let us know.

Thanks
Amila

Re: Gateway id in airavata request

Posted by Amila Jayasekara <th...@gmail.com>.
Hi All,

After having a chat last Monday we came to the following conclusions.

We will have a default gateway - This is going to be the bootstrap
gateway. If users want to just try out Airavata without managing their
own user store, they can use the default gateway. The default gateway
will come with an internal user store.
If clients need to manage their own users, they have to first register
themselves with the hosted Airavata service.
During registration they will share a common secret. Airavata will use
this common secret for authentication. User level authentication and
authorization must be implemented at portal level.
We also assume that there will be a portal for each gateway.

We also wanted to send the gateway id with the request. The approach
we are thinking of is to have the gateway id as a separate field in
the request. This field will be an HTTP header and its name is
"gateway". The client has to populate this field in the request. If
the request does not contain a gateway id, we will direct the request
to the default gateway. Further we will have a DNS like format for the
gateway id. But for the default gateway we will use the string
"default".

After introducing the above change all server components must get the
user name and gateway from the context.
There shouldn't be any API methods with arguments username or gateway
name. We are yet to introduce the gateway id to the request context
(I will do it today). But you can get the authenticated user name from
org.apache.airavata.common.context.WorkflowContext.getRequestUser().
We will have a similar method to get the gateway id.
This will only work if the calling code is in the same thread as the
request. In a spawned thread you will not be able to call context
methods.

Sorry about the delay in sending notes.

Appreciate your feedback.

Thanks
Amila

On Sat, Nov 24, 2012 at 5:22 PM, Suresh Marru <sm...@apache.org> wrote:
> Hi Lahiru,
>
> I agree that jumping into supporting multi-tenant without too much thought is bad idea. But I think Amila's questions are still very relevant. May be security is the time where we should start thinking about how we separate the data if two instances share registry. Lets say we have one workflow repository for all published workflows, if we want to have a development workflows also to be published and tried, may be we can do that by simply creating a new development registry space.
>
> Just a thought,
> Suresh
>
> On Nov 24, 2012, at 4:52 PM, Lahiru Gunathilake <gl...@gmail.com> wrote:
>
>> Hi Amila,
>>
>> I think right now we support only a single gateway and its configured
>> during start up time. I think we don't have proper multi-tenant data model
>> and I think its not a good time to provide users to register different
>> gateways.
>>
>> Unless we have a well defined multi-tenant data model we shouldn't add
>> api methods to register gateways. But we can add methods to get the gateway
>> ID of a particular instance.
>>
>> I think we are trying to think about multi-tenancy here which we haven't
>> discussed properly.
>>
>> Lahiru
>>
>> On Fri, Nov 23, 2012 at 11:55 AM, Amila Jayasekara
>> <th...@gmail.com>wrote:
>>
>>> introduce
>>
>>
>>
>>
>> --
>> System Analyst Programmer
>> PTI Lab
>> Indiana University
>
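
The request handling described in the message above, sketched in Java as an added example; it is not code from Airavata or from anyone on this thread. RequestContext is a hypothetical stand-in for WorkflowContext, and the pattern chosen for "DNS like" ids, the in-memory secret table, the lower-cased header map and all sample values are assumptions constructed for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

public class GatewayRequestDemo {
    static final String GATEWAY_HEADER = "gateway";   // header name given in the mail
    static final String DEFAULT_GATEWAY = "default";  // id of the bootstrap gateway
    // Assumed "DNS like" syntax: dot-separated labels of letters, digits and hyphens.
    static final Pattern DNS_LIKE = Pattern.compile("(?=.{1,253}$)"
        + "[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*");

    /** Hypothetical per-request context, bound to the request thread only. */
    static final class RequestContext {
        private static final ThreadLocal<String[]> CURRENT = new ThreadLocal<>();
        static void set(String user, String gateway) { CURRENT.set(new String[] {user, gateway}); }
        static void clear() { CURRENT.remove(); }
        static String user() { String[] c = CURRENT.get(); return c == null ? null : c[0]; }
        static String gateway() { String[] c = CURRENT.get(); return c == null ? null : c[1]; }
    }

    /** A missing header selects the default gateway; a malformed id is rejected, not defaulted. */
    static String resolveGateway(Map<String, String> headers) {
        String id = headers.get(GATEWAY_HEADER);   // assumes header names were lower-cased
        if (id == null || id.isEmpty()) return DEFAULT_GATEWAY;
        id = id.toLowerCase(Locale.ROOT);
        if (!DNS_LIKE.matcher(id).matches()) throw new SecurityException("malformed gateway id");
        return id;
    }

    /** Checks the presented secret against the one shared when that gateway registered. */
    static void authenticate(Map<String, String> registered, String gateway, String presented) {
        String expected = registered.get(gateway);
        byte[] a = (expected == null ? "" : expected).getBytes(StandardCharsets.UTF_8);
        byte[] b = (presented == null ? "" : presented).getBytes(StandardCharsets.UTF_8);
        boolean same = MessageDigest.isEqual(a, b);   // constant-time comparison
        // An unregistered gateway always fails, even if both values are empty.
        if (expected == null || !same) throw new SecurityException("authentication failed");
    }

    static String handle(Map<String, String> headers, Map<String, String> registered,
                         String user, String secret) throws InterruptedException {
        String gateway = resolveGateway(headers);
        authenticate(registered, gateway, secret);
        RequestContext.set(user, gateway);
        try {
            // Same thread: server code reads identity from the context, not from arguments.
            String seen = RequestContext.user() + "@" + RequestContext.gateway();
            // A spawned thread has no context, so capture the value before starting it.
            final String capturedGateway = RequestContext.gateway();
            final String[] worker = new String[2];
            Thread t = new Thread(() -> {
                worker[0] = String.valueOf(RequestContext.gateway()); // context is empty here
                worker[1] = capturedGateway;                          // explicit hand-over works
            });
            t.start();
            t.join();
            return seen + " worker-context=" + worker[0] + " worker-captured=" + worker[1];
        } finally {
            RequestContext.clear(); // pooled threads must not carry identity into the next request
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: the default gateway plus one registered gateway.
        Map<String, String> registered = Map.of(
            "default", "constructed-default-secret",
            "gateway.airavata.org", "constructed-shared-secret");
        System.out.println(handle(Map.of("gateway", "gateway.airavata.org"),
            registered, "alice", "constructed-shared-secret"));
        System.out.println(handle(Map.of(), registered, "bob", "constructed-default-secret"));
        try {
            // The default gateway's secret must not authenticate a request for another gateway.
            handle(Map.of("gateway", "gateway.airavata.org"),
                registered, "carol", "constructed-default-secret");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point the fallback rule raises is that a request without the header is still authenticated, only against the default gateway's secret; the header chooses which secret applies and never whether one is checked.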

Re: Gateway id in airavata request

Posted by Suresh Marru <sm...@apache.org>.
Hi Lahiru,

I agree that jumping into supporting multi-tenant without too much thought is a bad idea. But I think Amila's questions are still very relevant. Maybe security is the time where we should start thinking about how we separate the data if two instances share a registry. Let's say we have one workflow repository for all published workflows; if we want to have development workflows also published and tried, maybe we can do that by simply creating a new development registry space.

Just a thought,
Suresh

On Nov 24, 2012, at 4:52 PM, Lahiru Gunathilake <gl...@gmail.com> wrote:

> Hi Amila,
> 
> I think right now we support only a single gateway and its configured
> during start up time. I think we don't have proper multi-tenant data model
> and I think its not a good time to provide users to register different
> gateways.
> 
> Unless we have a well defined multi-tenant data model we shouldn't add
> api methods to register gateways. But we can add methods to get the gateway
> ID of a particular instance.
> 
> I think we are trying to think about multi-tenancy here which we haven't
> discussed properly.
> 
> Lahiru
> 
> On Fri, Nov 23, 2012 at 11:55 AM, Amila Jayasekara
> <th...@gmail.com>wrote:
> 
>> introduce
> 
> 
> 
> 
> -- 
> System Analyst Programmer
> PTI Lab
> Indiana University


Re: Gateway id in airavata request

Posted by Lahiru Gunathilake <gl...@gmail.com>.
Hi Amila,

I think right now we support only a single gateway and it's configured
during start up time. I think we don't have a proper multi-tenant data model
and I think it's not a good time to let users register different
gateways.

Unless we have a well defined multi-tenant data model we shouldn't add
API methods to register gateways. But we can add methods to get the gateway
ID of a particular instance.

I think we are trying to think about multi-tenancy here, which we haven't
discussed properly.

Lahiru

On Fri, Nov 23, 2012 at 11:55 AM, Amila Jayasekara
<th...@gmail.com> wrote:

> introduce




-- 
System Analyst Programmer
PTI Lab
Indiana University

Re: Gateway id in airavata request

Posted by Saminda Wijeratne <sa...@gmail.com>.
On Fri, Nov 23, 2012 at 11:55 AM, Amila Jayasekara
<th...@gmail.com> wrote:

> Hi All,
>
> I encountered few more questions while incorporating gateway id to
> incoming request.
>
> 1. Currently our data model have the concept of gateway id but we dont
> have a process to register gateways. So how should we proceed
> implementing gateway registration ?
>
> Some options are;
> a. Provide a web interface within Airavata webapp to do the registration
> b. Provide an API method to do the registration (As Saminda suggested)
>
Right now we are not exposing the notion of a gateway to the user through
XBaya. We recently introduced passing the gateway id when initiating an
Airavata API object. Therefore I think it's ok to allow API functionality to
manage gateways at first before updating client applications, since they
do not need to be aware of it yet anyway.

>
> 2. Multiple gateways are needed if we are hosting a multi-tenanted
> (sort of) system. Still there are lot of use cases which needs a
> "stand a lone" Airavata instances. So is it ok to have a gateway
> called "defaultGateway" ? Default gateway will come with the
> distribution and will be there in all Airavata installations. Local
> user store will be associated with the "defaultGateway".
>
yes... Right now it is called "default".

>
> 3. In the previous mail we discussed about having DNS like names for
> gateways. So what is the preferred DNS like name for default gateway ?
> (If we decided to have default gateway).
>
But I like the format of the gateway id suggested in an earlier mail by
Amila such as "some-gateway-id.some-domain.some-tld". In fact this can be
any string (which avoids special characters). However whether any format
would look nice in the "username@gateway-id" format is questionable.

>
> 4. Still we do not have the notion of roles in Airavata. Therefore to
> manage local user store i am using a special user name called "admin".
> He has privileges to add/delete users from local user store. With the
> gateway concept we might need to introduce a "admin" sort of a user
> per each gateway. This will be more clean if we can introduce couple
> of roles at this point. At least admin role and non-admin role.
>
Yep... definitely +1... I think this itself deserves a separate mail thread.

Saminda

>
> Appreciate your feedback on above questions.
>
> Thanks
> Amila
>
>
> On Thu, Nov 22, 2012 at 4:32 PM, Suresh Marru <sm...@apache.org> wrote:
> > On Nov 22, 2012, at 4:10 PM, Amila Jayasekara <th...@gmail.com>
> wrote:
> >
> >> Hi Suresh,
> >>
> >> How should we associate gateway id with user id if user store resides
> >> outside of Airavata ?
> >>
> >> Is it ok to assume that a gateway id is associated with a single
> >> external user store ? In that case we can associate gateway id with
> >> the user store configuration.
> >
> > Hi Amila,
> >
> > Yes, this sounds reasonable right? Since we are assuming gateways do the
> authorization and send user identity to Airavata, I think its safe to
> assume each gateway has one user store. Gateways might support open id,
> incommon like federated identities, but in the end the gateway/portal has
> to keep the mapping. These assumptions might change as we see more use
> cases, but as of now, these seem to suffice.
> >
> > Cheers,
> > Suresh
> >
> >>
> >> Thanks
> >> Amila
> >>
> >> On Thu, Nov 22, 2012 at 2:26 PM, Suresh Marru <sm...@apache.org>
> wrote:
> >>> On Nov 22, 2012, at 1:10 PM, Amila Jayasekara <th...@gmail.com>
> wrote:
> >>>
> >>>> Hi Suresh,
> >>>>
> >>>> I do prefer gateway DNS name formats such as "gateway.airavata.org"
> >>>> (Due to its simplicity compared to entity ids).
> >>>
> >>> I did not pay attention to the SAML requirements for entity id's as
> discussed in the links I sent earlier. But if it doesn't matter, I am + 1
> for using "gateway.airavata.org", this looks much more elegant.
> >>>
> >>> Suresh
> >>>
> >>>> But in either case
> >>>> there wont be any changes to the logic we are doing at authentication
> >>>> stage. Maybe we need to further investigate to figure out what is most
> >>>> appropriate as a gateway id.
> >>>>
> >>>> Thanks
> >>>> Amila
> >>>>
> >>>> On Thu, Nov 22, 2012 at 12:41 PM, Suresh Marru <sm...@apache.org>
> wrote:
> >>>>> On Nov 22, 2012, at 12:25 PM, Amila Jayasekara <
> thejaka.amila@gmail.com> wrote:
> >>>>>
> >>>>>> Hi All,
> >>>>>>
> >>>>>> We need to send gateway name together with user name for
> >>>>>> authentication at Airavata service level. We are thinking of using
> >>>>>> following syntax for this,
> >>>>>>
> >>>>>> username@gatwayId
> >>>>>>
> >>>>>> So "@" will be a separator for gateway id and user name. In addition
> >>>>>> we do authentication based on the gateway id. I am planning to
> >>>>>> incorporate this change to existing security implementation. If you
> >>>>>> have any objections/feedback please let us know.
> >>>>>
> >>>>> Hi Amila,
> >>>>>
> >>>>> Yes this sounds fine to me. But it will work under the assumption of
> gateway id being unique. May be we can maintain a wiki page with registered
> gateway id's. Can you please refer to [1] which discuss this issues of
> mapping end users with gateway identifiers.
> >>>>>
> >>>>> If you refer to examples at [2], are you proposing to create Entity
> ID's or Gateway DNS Domain in the format gateway.airavata.org?
> >>>>>
> >>>>> Cheers,
> >>>>> Suresh
> >>>>>
> >>>>> [1] -
> http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
> >>>>> [2] -
> http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
> >>>>>
> >>>>>
> >>>
> >
>

Re: Gateway id in airavata request

Posted by Amila Jayasekara <th...@gmail.com>.
Hi All,

I encountered a few more questions while incorporating the gateway id
into the incoming request.

1. Currently our data model has the concept of a gateway id but we don't
have a process to register gateways. So how should we proceed with
implementing gateway registration?

Some options are:
a. Provide a web interface within the Airavata webapp to do the registration
b. Provide an API method to do the registration (as Saminda suggested)

2. Multiple gateways are needed if we are hosting a multi-tenanted
(sort of) system. Still there are a lot of use cases which need
"stand alone" Airavata instances. So is it ok to have a gateway
called "defaultGateway"? The default gateway will come with the
distribution and will be there in all Airavata installations. The local
user store will be associated with the "defaultGateway".

3. In the previous mail we discussed having DNS like names for
gateways. So what is the preferred DNS like name for the default gateway?
(If we decide to have a default gateway.)

4. We still do not have the notion of roles in Airavata. Therefore to
manage the local user store I am using a special user name called "admin".
He has privileges to add/delete users from the local user store. With the
gateway concept we might need to introduce an "admin" sort of user
for each gateway. This will be cleaner if we can introduce a couple
of roles at this point. At least an admin role and a non-admin role.

Appreciate your feedback on above questions.

Thanks
Amila


On Thu, Nov 22, 2012 at 4:32 PM, Suresh Marru <sm...@apache.org> wrote:
> On Nov 22, 2012, at 4:10 PM, Amila Jayasekara <th...@gmail.com> wrote:
>
>> Hi Suresh,
>>
>> How should we associate gateway id with user id if user store resides
>> outside of Airavata ?
>>
>> Is it ok to assume that a gateway id is associated with a single
>> external user store ? In that case we can associate gateway id with
>> the user store configuration.
>
> Hi Amila,
>
> Yes, this sounds reasonable right? Since we are assuming gateways do the authorization and send user identity to Airavata, I think its safe to assume each gateway has one user store. Gateways might support open id, incommon like federated identities, but in the end the gateway/portal has to keep the mapping. These assumptions might change as we see more use cases, but as of now, these seem to suffice.
>
> Cheers,
> Suresh
>
>>
>> Thanks
>> Amila
>>
>> On Thu, Nov 22, 2012 at 2:26 PM, Suresh Marru <sm...@apache.org> wrote:
>>> On Nov 22, 2012, at 1:10 PM, Amila Jayasekara <th...@gmail.com> wrote:
>>>
>>>> Hi Suresh,
>>>>
>>>> I do prefer gateway DNS name formats such as "gateway.airavata.org"
>>>> (Due to its simplicity compared to entity ids).
>>>
>>> I did not pay attention to the SAML requirements for entity id's as discussed in the links I sent earlier. But if it doesn't matter, I am + 1 for using "gateway.airavata.org", this looks much more elegant.
>>>
>>> Suresh
>>>
>>>> But in either case
>>>> there wont be any changes to the logic we are doing at authentication
>>>> stage. Maybe we need to further investigate to figure out what is most
>>>> appropriate as a gateway id.
>>>>
>>>> Thanks
>>>> Amila
>>>>
>>>> On Thu, Nov 22, 2012 at 12:41 PM, Suresh Marru <sm...@apache.org> wrote:
>>>>> On Nov 22, 2012, at 12:25 PM, Amila Jayasekara <th...@gmail.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> We need to send gateway name together with user name for
>>>>>> authentication at Airavata service level. We are thinking of using
>>>>>> following syntax for this,
>>>>>>
>>>>>> username@gatwayId
>>>>>>
>>>>>> So "@" will be a separator for gateway id and user name. In addition
>>>>>> we do authentication based on the gateway id. I am planning to
>>>>>> incorporate this change to existing security implementation. If you
>>>>>> have any objections/feedback please let us know.
>>>>>
>>>>> Hi Amila,
>>>>>
>>>>> Yes this sounds fine to me. But it will work under the assumption of gateway id being unique. May be we can maintain a wiki page with registered gateway id's. Can you please refer to [1] which discuss this issues of mapping end users with gateway identifiers.
>>>>>
>>>>> If you refer to examples at [2], are you proposing to create Entity ID's or Gateway DNS Domain in the format gateway.airavata.org?
>>>>>
>>>>> Cheers,
>>>>> Suresh
>>>>>
>>>>> [1] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
>>>>> [2] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
>>>>>
>>>>>
>>>
>

Re: Gateway id in airavata request

Posted by Suresh Marru <sm...@apache.org>.
On Nov 22, 2012, at 4:10 PM, Amila Jayasekara <th...@gmail.com> wrote:

> Hi Suresh,
> 
> How should we associate gateway id with user id if user store resides
> outside of Airavata ?
> 
> Is it ok to assume that a gateway id is associated with a single
> external user store ? In that case we can associate gateway id with
> the user store configuration.

Hi Amila,

Yes, this sounds reasonable, right? Since we are assuming gateways do the authorization and send user identity to Airavata, I think it's safe to assume each gateway has one user store. Gateways might support open id, incommon like federated identities, but in the end the gateway/portal has to keep the mapping. These assumptions might change as we see more use cases, but as of now, these seem to suffice.

Cheers,
Suresh

> 
> Thanks
> Amila
> 
> On Thu, Nov 22, 2012 at 2:26 PM, Suresh Marru <sm...@apache.org> wrote:
>> On Nov 22, 2012, at 1:10 PM, Amila Jayasekara <th...@gmail.com> wrote:
>> 
>>> Hi Suresh,
>>> 
>>> I do prefer gateway DNS name formats such as "gateway.airavata.org"
>>> (Due to its simplicity compared to entity ids).
>> 
>> I did not pay attention to the SAML requirements for entity id's as discussed in the links I sent earlier. But if it doesn't matter, I am + 1 for using "gateway.airavata.org", this looks much more elegant.
>> 
>> Suresh
>> 
>>> But in either case
>>> there wont be any changes to the logic we are doing at authentication
>>> stage. Maybe we need to further investigate to figure out what is most
>>> appropriate as a gateway id.
>>> 
>>> Thanks
>>> Amila
>>> 
>>> On Thu, Nov 22, 2012 at 12:41 PM, Suresh Marru <sm...@apache.org> wrote:
>>>> On Nov 22, 2012, at 12:25 PM, Amila Jayasekara <th...@gmail.com> wrote:
>>>> 
>>>>> Hi All,
>>>>> 
>>>>> We need to send gateway name together with user name for
>>>>> authentication at Airavata service level. We are thinking of using
>>>>> following syntax for this,
>>>>> 
>>>>> username@gatwayId
>>>>> 
>>>>> So "@" will be a separator for gateway id and user name. In addition
>>>>> we do authentication based on the gateway id. I am planning to
>>>>> incorporate this change to existing security implementation. If you
>>>>> have any objections/feedback please let us know.
>>>> 
>>>> Hi Amila,
>>>> 
>>>> Yes this sounds fine to me. But it will work under the assumption of gateway id being unique. May be we can maintain a wiki page with registered gateway id's. Can you please refer to [1] which discuss this issues of mapping end users with gateway identifiers.
>>>> 
>>>> If you refer to examples at [2], are you proposing to create Entity ID's or Gateway DNS Domain in the format gateway.airavata.org?
>>>> 
>>>> Cheers,
>>>> Suresh
>>>> 
>>>> [1] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
>>>> [2] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
>>>> 
>>>> 
>> 


Re: Gateway id in airavata request

Posted by Amila Jayasekara <th...@gmail.com>.
Hi Suresh,

How should we associate the gateway id with the user id if the user
store resides outside of Airavata?

Is it ok to assume that a gateway id is associated with a single
external user store? In that case we can associate the gateway id with
the user store configuration.

Thanks
Amila

On Thu, Nov 22, 2012 at 2:26 PM, Suresh Marru <sm...@apache.org> wrote:
> On Nov 22, 2012, at 1:10 PM, Amila Jayasekara <th...@gmail.com> wrote:
>
>> Hi Suresh,
>>
>> I do prefer gateway DNS name formats such as "gateway.airavata.org"
>> (Due to its simplicity compared to entity ids).
>
> I did not pay attention to the SAML requirements for entity id's as discussed in the links I sent earlier. But if it doesn't matter, I am + 1 for using "gateway.airavata.org", this looks much more elegant.
>
> Suresh
>
>> But in either case
>> there wont be any changes to the logic we are doing at authentication
>> stage. Maybe we need to further investigate to figure out what is most
>> appropriate as a gateway id.
>>
>> Thanks
>> Amila
>>
>> On Thu, Nov 22, 2012 at 12:41 PM, Suresh Marru <sm...@apache.org> wrote:
>>> On Nov 22, 2012, at 12:25 PM, Amila Jayasekara <th...@gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> We need to send gateway name together with user name for
>>>> authentication at Airavata service level. We are thinking of using
>>>> following syntax for this,
>>>>
>>>> username@gatwayId
>>>>
>>>> So "@" will be a separator for gateway id and user name. In addition
>>>> we do authentication based on the gateway id. I am planning to
>>>> incorporate this change to existing security implementation. If you
>>>> have any objections/feedback please let us know.
>>>
>>> Hi Amila,
>>>
>>> Yes this sounds fine to me. But it will work under the assumption of gateway id being unique. May be we can maintain a wiki page with registered gateway id's. Can you please refer to [1] which discuss this issues of mapping end users with gateway identifiers.
>>>
>>> If you refer to examples at [2], are you proposing to create Entity ID's or Gateway DNS Domain in the format gateway.airavata.org?
>>>
>>> Cheers,
>>> Suresh
>>>
>>> [1] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
>>> [2] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
>>>
>>>
>

Re: Gateway id in airavata request

Posted by Suresh Marru <sm...@apache.org>.
On Nov 22, 2012, at 1:10 PM, Amila Jayasekara <th...@gmail.com> wrote:

> Hi Suresh,
> 
> I do prefer gateway DNS name formats such as "gateway.airavata.org"
> (Due to its simplicity compared to entity ids).

I did not pay attention to the SAML requirements for entity ids as discussed in the links I sent earlier. But if it doesn't matter, I am +1 for using "gateway.airavata.org", this looks much more elegant.

Suresh

> But in either case
> there wont be any changes to the logic we are doing at authentication
> stage. Maybe we need to further investigate to figure out what is most
> appropriate as a gateway id.
> 
> Thanks
> Amila
> 
> On Thu, Nov 22, 2012 at 12:41 PM, Suresh Marru <sm...@apache.org> wrote:
>> On Nov 22, 2012, at 12:25 PM, Amila Jayasekara <th...@gmail.com> wrote:
>> 
>>> Hi All,
>>> 
>>> We need to send gateway name together with user name for
>>> authentication at Airavata service level. We are thinking of using
>>> following syntax for this,
>>> 
>>> username@gatwayId
>>> 
>>> So "@" will be a separator for gateway id and user name. In addition
>>> we do authentication based on the gateway id. I am planning to
>>> incorporate this change to existing security implementation. If you
>>> have any objections/feedback please let us know.
>> 
>> Hi Amila,
>> 
>> Yes this sounds fine to me. But it will work under the assumption of gateway id being unique. May be we can maintain a wiki page with registered gateway id's. Can you please refer to [1] which discuss this issues of mapping end users with gateway identifiers.
>> 
>> If you refer to examples at [2], are you proposing to create Entity ID's or Gateway DNS Domain in the format gateway.airavata.org?
>> 
>> Cheers,
>> Suresh
>> 
>> [1] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
>> [2] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
>> 
>> 


Re: Gateway id in airavata request

Posted by Amila Jayasekara <th...@gmail.com>.
Hi Suresh,

I do prefer gateway DNS name formats such as "gateway.airavata.org"
(due to its simplicity compared to entity ids). But in either case
there won't be any changes to the logic we are doing at the authentication
stage. Maybe we need to investigate further to figure out what is most
appropriate as a gateway id.

Thanks
Amila

On Thu, Nov 22, 2012 at 12:41 PM, Suresh Marru <sm...@apache.org> wrote:
> On Nov 22, 2012, at 12:25 PM, Amila Jayasekara <th...@gmail.com> wrote:
>
>> Hi All,
>>
>> We need to send gateway name together with user name for
>> authentication at Airavata service level. We are thinking of using
>> following syntax for this,
>>
>> username@gatwayId
>>
>> So "@" will be a separator for gateway id and user name. In addition
>> we do authentication based on the gateway id. I am planning to
>> incorporate this change to existing security implementation. If you
>> have any objections/feedback please let us know.
>
> Hi Amila,
>
> Yes this sounds fine to me. But it will work under the assumption of gateway id being unique. May be we can maintain a wiki page with registered gateway id's. Can you please refer to [1] which discuss this issues of mapping end users with gateway identifiers.
>
> If you refer to examples at [2], are you proposing to create Entity ID's or Gateway DNS Domain in the format gateway.airavata.org?
>
> Cheers,
> Suresh
>
> [1] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
> [2] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
>
>

Re: Gateway id in airavata request

Posted by Suresh Marru <sm...@apache.org>.
On Nov 22, 2012, at 12:25 PM, Amila Jayasekara <th...@gmail.com> wrote:

> Hi All,
> 
> We need to send gateway name together with user name for
> authentication at Airavata service level. We are thinking of using
> following syntax for this,
> 
> username@gatwayId
> 
> So "@" will be a separator for gateway id and user name. In addition
> we do authentication based on the gateway id. I am planning to
> incorporate this change to existing security implementation. If you
> have any objections/feedback please let us know.

Hi Amila,

Yes, this sounds fine to me. But it will work under the assumption of the gateway id being unique. Maybe we can maintain a wiki page with registered gateway ids. Can you please refer to [1], which discusses this issue of mapping end users with gateway identifiers.

If you refer to examples at [2], are you proposing to create Entity ID's or Gateway DNS Domain in the format gateway.airavata.org? 

Cheers,
Suresh

[1] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
[2] - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status