Re: [alf-dev] Re: Requirements for ALF SSON

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [alf-dev] Re: Requirements for ALF SSON

From: Brian Behlendorf <brian@xxxxxxxxxx>
Date: Thu, 8 Sep 2005 19:55:44 -0700 (PDT)
Delivered-to: alf-dev@xxxxxxxxxxx
List-archive: <http://eclipse.org/pipermail/alf-dev>
List-help: <mailto:alf-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/alf-dev>, <mailto:alf-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/alf-dev>, <mailto:alf-dev-request@eclipse.org?subject=unsubscribe>

This is a very interesting conversation for me. CollabNet found ourselvesimplementing a ton of auth-n and auth-z logic to build a collaborationplatform that we were astonished wasn't done well enough by others - andwe're clearly not alone, as it seems like every multi-user application outthere has its own model for storing user information and permissions,beyond simple name/password auth using LDAP or some other system. That'sinsanity that makes it difficult to integrate multiple apps into a suiteof cooperating tools.

I'm not entirely caught up on the history of this issue within thisproject yet, so apologies if this is ground already covered, but thistriggered a few thoughts I'd share:

* SSO doesn't necessarily mean that there is only one protocol for doingauthentication (authn) or authorization (authz). Different tools willhave different protocols - some will use SOAP apis, some will be web-basedtools that use HTTP auth, others will be web-based tools that use cookies,some will have their own protocols (CVS and Subversion I assume are partof the picture), etc. LDAP might be just one of many different protocolssuch a tool could use, but it can not be the only one. If my client-sideAJAX-based project management tool is making some sort of SOAP call to aserver somewhere, it's got to carry something that validates it - either aKerberos-style auth token or the name/password combination itself. Authnis an attribute of the network connection and thus must be embedded withinthe protocol; authz is an attribute of the user's profile once identifiedby the authn process.

* It seems like many SSO systems lack any sense of authz, which iscritical to any multi-user productivity tool. To be useful, authz needsto talk about more than just a particular capability an individual mighthave - it needs to talk about that capability within some context. InCollabNet's environment, that means a project-by-project granularity tothe permissions, and in some cases going further - such as the ability tomodify .c files but not the .h prototype definitions in a given project.The authz system needs to be able to answer the question: "is the userallowed to perform this action on this resource in this project?". Theanswer can be binary. For performance (since perm checks can be expensiveon big lists of things), it has to also be able to ask "What actions areallowed by this user in this project?" and "What resources within thisproject can this user perform this action on?"

* The ability to provide this level of granularity, and then being able tosummarize these functions up into roles that can be granted to groups ofusers across projects (or categories of projects, or projects withsubprojects, etc) has been cited by CollabNet's customers as a keydifferentiator with competitors. However, CollabNet is not in the authn/zbusiness and we'd much rather see this kind of thing be defined as an openstandard and implemented as an open source library. I've got to believewe're not the first to have done this, but keep coming across protocolsand APIs that either don't come close (JAAS and JACC) or are way toocomplicated (WS*). I personally could see this ALF effort being a meansto arrive at a standard and implementation for this, at least in thecontext of developer tools, which is our real business. At the very leastI hope to tap into others here who have explored this space and perhapsfound an authz protocol/model that actually works.

* Tools need to be able to register new permissions with the SSO server.That way you can have one UI to configuring roles and permissions acrossthe whole integrated environment. The SSO server might relay all auth-nrequests behind-the-scenes to another system, such as an LDAP server, butshould itself manage the authz information, and optionally groupmembership information.

* Developer communities in enterprise environments often includestakeholders who are not employees of the main sponsoring organization.The design for the SSO server might want to anticipate being able tohandle different auth-n back-ends based on a regex - so that users whoseusernames end with "@domain.com" are auth-n'd against the domain.com LDAPserver, while others have their password information maintained locallywithin the SSO server.

I can't participate on Monday's call (prior commitments) but I amfollowing this list/newsgroup. I am not yet committing CN resources toEclipse ALF, but I'm starting to see how and where we might.


	Brian

On Wed, 7 Sep 2005, Mini Govind wrote:

Last week, we had discussed some potential SSO implementations thatcould be included within ALF.
One promising contender that also happens to be in popular use currentlyis the Central Authentication Service (CAS) from YaleUniversity(http://www.yale.edu/tp/auth/cas10.html). CAS provides SSO(authentication) capability, it does not deal with authorization per se,although it may be possible to extend CAS to send along role informationfor authenticated principals.
The following whitepaper provides a clear explanation of how CASimplements SSO and what applications have to do to enable SSO:http://www.esup-portail.org/consortium/espace/SSO_1B/cas/eunis2004/cas-eunis2004-article.pdf
Both CAS and JOSSO allow for the storage of user information andcredentials within a central LDAP server or database.
However, if we are to provide SSO capabilities for ALF using CAS orJOSSO, the architecture will be subject to the following constraints:
-All authentication for tools integrating within ALF will have to behandled by the SSO server. The proprietary authentication mechanismspresent within the individual tools will have to be somehow disabledwhen they integrate within ALF.
-The nature of SSO implies that there will be only one centralrepository for user information and credentials, prefereably within anLDAP server. So, any additions, modifications, etc. of user informationand credentials will have to be performed within this central store. Thetools participating within ALF will not maintain this informationanymore.
-We may also have to look at maintaining the role mappings within thecentral LDAP server and ensure that the SSO implementation propagatesthis information accordingly.
-Each of the tools participating within the ALF will have to be modifiedin some way to enable them to participate within the SSO framework. Wewill of course have to ensure that any modification is minimallyinvasive.
While I think most of the above issues would apply in the implementationof almost any ticket-based SSO system, it may be useful to focus thediscussion on whether any or all of the above mentioned constraintscould be potential show-stoppers. It they are, we may want to examinethe feasability of implementing a full fledged SSO system within ALF andexamine alternative approaches for user authentication.
Please share your thoughts on the matter.

Thanks,

Govind Seshadri
Cognizant Technology Solutions
govind.seshadri@xxxxxxxxxxxxx

References:
- [alf-dev] Requirements for ALF SSON
  - From: Kelly Shaw
- [alf-dev] Re: Requirements for ALF SSON
  - From: Mini Govind

Prev by Date: [alf-dev] SSO Discussion continued
Next by Date: Re: [alf-dev] ALF Requirements Meeting Minutes from 9/7/2005
Previous by thread: [alf-dev] Re: Requirements for ALF SSON
Next by thread: [alf-dev] Re: Requirements for ALF SSON
Index(es):
- Date
- Thread

Breadcrumbs