parallelvirtualcluster
/
pvc
1
0
Fork 0
Code Issues 11 Pull Requests Projects Releases 111 Wiki Activity

Support additional authentication mechanisms #113

New Issue
Open
opened 2020-11-25 01:43:33 -05:00 by JoshuaBoniface · 4 comments
JoshuaBoniface commented 2020-11-25 01:43:33 -05:00 (Migrated from git.bonifacelabs.ca)
Copy Link

The simple key-based authentication on the API works fairly well, but more advanced authentication is a good idea for expandability and management within a larger environment, where multiple users and classes of users may require specific permissions.

This feature is twofold:

  1. Implement RBAC into the API, allowing the limiting of different "groups" to different functions. Allow these permissions to be granular and administrator-manageable with some sane defaults. This will likely require a bit of work, but shouldn't require extensive code refactoring and can be built on top of the existing authentication system.

  2. Implement additional mechanisms for authentication, as alternatives to keys. The first one that comes to mind is user + password authentication, but LDAP integration, and potentially some form of OAuth is a good idea too. This is likely the harder, longer part that will involve building an authentication subsystem into the API, of which keys will be only one option.

The simple key-based authentication on the API works fairly well, but more advanced authentication is a good idea for expandability and management within a larger environment, where multiple users and classes of users may require specific permissions. This feature is twofold: 1) Implement RBAC into the API, allowing the limiting of different "groups" to different functions. Allow these permissions to be granular and administrator-manageable with some sane defaults. This will likely require a bit of work, but shouldn't require extensive code refactoring and can be built on top of the existing authentication system. 2) Implement additional mechanisms for authentication, as alternatives to keys. The first one that comes to mind is user + password authentication, but LDAP integration, and potentially some form of OAuth is a good idea too. This is likely the harder, longer part that will involve building an authentication subsystem into the API, of which keys will be only one option.
JoshuaBoniface commented 2020-11-25 01:43:33 -05:00 (Migrated from git.bonifacelabs.ca)
Copy Link

changed milestone to %4

changed milestone to %4
JoshuaBoniface commented 2020-11-25 01:47:00 -05:00 (Migrated from git.bonifacelabs.ca)
Copy Link

mentioned in issue #114

mentioned in issue #114
JoshuaBoniface commented 2020-11-25 01:53:26 -05:00 (Migrated from git.bonifacelabs.ca)
Copy Link

At this point I'm leaning towards this being configuration-based, rather than being based in the API, but will have to give this more thought.

Config file

Pros

  • Simple to deploy
  • Static
  • Easy to understand
  • No CLI integration required

Cons

  • Difficult to change dynamically/inflexible
  • Can become obsolete quickly if dynamic config aspects (e.g. #114) change

Dynamic (API-based, in-database)

Pros

  • Fully dynamic
  • Reconfigurable via the API/CLI (useful with a WebUI or an authenticated CLI client)
  • Easier to view and change

Cons

  • Harder to implement (multiple layers)
  • Have to deal with storing passwords in the DB
  • Slightly harder to understand, requires menu system or similar
At this point I'm leaning towards this being configuration-based, rather than being based in the API, but will have to give this more thought. # Config file ## Pros * Simple to deploy * Static * Easy to understand * No CLI integration required ## Cons * Difficult to change dynamically/inflexible * Can become obsolete quickly if dynamic config aspects (e.g. #114) change # Dynamic (API-based, in-database) ## Pros * Fully dynamic * Reconfigurable via the API/CLI (useful with a WebUI or an authenticated CLI client) * Easier to view and change ## Cons * Harder to implement (multiple layers) * Have to deal with storing passwords in the DB * Slightly harder to understand, requires menu system or similar
joshuaboniface commented 2022-10-07 23:39:30 -04:00
Copy Link

I think from a backend perspective, the best solution is the simplest solution.

API keys should remain, and we can define at least 3 discrete roles that any given API key can be given.

First thought for discrete roles would be:

  1. admin: can do everything
  2. user: can do common tasks involving VMs, Networks, and Storage but nothing whole-cluster affecting
  3. readonly: can only obtain data but cannot make changes

From the API perspective this seems like a fairly ideal way of doing things. It keeps management and implementation of the authorization quite simple (a given function would require at most 2 flags) while still providing some good granularity. And any more advanced user control could be implemented in the frontends (specifically, web frontends) using whatever RBAC mechanisms make the most sense.

I think from a backend perspective, the best solution is the simplest solution. API keys should remain, and we can define at least 3 discrete roles that any given API key can be given. First thought for discrete roles would be: 1. admin: can do everything 2. user: can do common tasks involving VMs, Networks, and Storage but nothing whole-cluster affecting 3. readonly: can only obtain data but cannot make changes From the API perspective this seems like a fairly ideal way of doing things. It keeps management and implementation of the authorization quite simple (a given function would require at most 2 flags) while still providing some good granularity. And any more advanced user control could be implemented in the frontends (specifically, web frontends) using whatever RBAC mechanisms make the most sense.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
v0.9.105
v0.9.104
v0.9.103
v0.9.102
v0.9.101
v0.9.100
v0.9.99
v0.9.98
v0.9.97
v0.9.96
v0.9.95
v0.9.94
v0.9.93
v0.9.92
v0.9.91
v0.9.90
v0.9.89
v0.9.88
v0.9.87
v0.9.86
v0.9.85
v0.9.84
v0.9.83
v0.9.82
v0.9.81
v0.9.80
v0.9.79
v0.9.78
v0.9.77
v0.9.76
v0.9.75
v0.9.74
v0.9.73
v0.9.72
v0.9.71
v0.9.70
v0.9.69
v0.9.68
v0.9.67
v0.9.66
v0.9.65
v0.9.64
v0.9.63
v0.9.62
v0.9.61
v0.9.60
v0.9.59
v0.9.58
v0.9.57
0.9.56
v0.9.55
v0.9.54
v0.9.53
v0.9.52
v0.9.51
v0.9.50
v0.9.49
v0.9.48
v0.9.47
v0.9.46
v0.9.45
v0.9.44
v0.9.43
v0.9.42
v0.9.41
v0.9.40
v0.9.39
v0.9.38
v0.9.37
v0.9.36
v0.9.35
v0.9.34
v0.9.33
v0.9.32
v0.9.31
v0.9.30
v0.9.29
v0.9.28
v0.9.27
v0.9.26
v0.9.25
v0.9.24
v0.9.23
v0.9.22
v0.9.21
v0.9.20
v0.9.19
v0.9.18
v0.9.17
v0.9.16
v0.9.15
v0.9.14
v0.9.13
v0.9.12
v0.9.11
v0.9.10
v0.9.9
v0.9.8
v0.9.7
v0.9.6
v0.9.5
v0.9.4
v0.9.3
v0.9.2
v0.9.1
v0.9.0
list
v0.8-1
v0.8
v0.7
v0.6
v0.5
v0.3
Labels
Clear labels   
API

   
blocked

Issue blocked by another issue

  
bug

   
CLI

   
Client

Issues abut the client frontends

  
Daemon

Issues abut the node daemon

  
debt

Technical debt that should be investigated or cleaned up

  
documentation

   
feature

   
improvement
No Label
API
blocked
bug
CLI
Client
Daemon
debt
documentation
feature
improvement
Milestone
Clear milestone
No items
No Milestone
future
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: parallelvirtualcluster/pvc#113
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?