Tuesday, 2020/07/28
10:00 am ET
Terrell Russell, Alan King, Daniel Moore, Kory Draughn, Stefan Wolfsheimer (SURFsara), Claudio Cacciari (SURFsara), Mike Conway (NIEHS), John Constable (Sanger), Michele Carpené (CINECA), Brett Hartley (Sanger)
TODO: Terrell to update minutes, save Stefan's June diffs to AuthWG repository
Next POCs with new framework:
- PAM (Stefan, mostly demonstrated…)
- OpenID Connect
- Kerberos
- S3-like access/secret key auth
UPDATE:
- Stefan has now pulled nearly all the code from the diffs into plugins, more modular approach, and now built against 4.2.7 and 4.2.8
- Only a few lines still needed in the iCommands code - can probably pull that out soon, no deltas with the core at this time.
- Because OpenID Connect… some temporary token exchanged, then real access token is used … need to store the access token on client side… then later, other icommands can use that access token … Storing a cookie/token on the client side, accessible by key later in the flow, can be used non-interactively allowing for flexible use cases (this has the effect of providing a 'session-like' experience). If the token is expired, they will need to reauthenticate, but that is expected/desired.
- Still to do - remove the last of the extra manual steps for the user interaction. But nothing left to prove with the PAM negotiation explicitly.
- Code here: https://github.com/stefan-wolfsheimer/irods_auth_plugin_pam_interactive
QUESTION:
- Parallel transfer… does this authentication work affect data transfer in any way? Claudio saw a partial transfer at one point… some of the file did not arrive. Only once… and with 4.2.7… not yet reproducible.
TODO:
- Quick call with SURFsara for PAM iCommands - last 4-5 lines to pull out - scheduled for early Thurs
Stefan's remaining iCommands diff:
diff --git a/src/iinit.cpp b/src/iinit.cpp
index 9607c07..7032430 100644
--- a/src/iinit.cpp
+++ b/src/iinit.cpp
@@ -279,7 +279,9 @@ main( int argc, char **argv ) {
if ( irods::AUTH_PAM_SCHEME == lower_scheme ) {
doPassword = 0;
}
-
+ if ( lower_scheme == "pam_interactive") {
+ doPassword = 0;
+ }
if ( strcmp( my_env.rodsUserName, ANONYMOUS_USER ) == 0 ) {
doPassword = 0;
}
@@ -346,8 +348,39 @@ main( int argc, char **argv ) {
// if this succeeded, do the regular login below to check
// that the generated password works properly.
} // if pam
-
- if ( strcmp( my_env.rodsAuthScheme, AUTH_OPENID_SCHEME ) == 0 ) {
+ if ( "pam_interactive" == lower_scheme ) {
+ irods::kvp_map_t ctx_map;
+ if(myRodsArgs.verbose == True)
+ {
+ ctx_map["VERBOSE"] = "true";
+ }
+ else
+ {
+ ctx_map["VERBOSE"] = "false";
+ }
+ if(myRodsArgs.veryVerbose == True)
+ {
+ ctx_map["VVERBOSE"] = "true";
+ }
+ else
+ {
+ ctx_map["VVERBOSE"] = "false";
+ }
+ // tell the plugin that we are using iinit
+ ctx_map["ECHO"] = "true";
+
+ std::string ctx_str = irods::escaped_kvp_string(ctx_map);
+ // =-=-=-=-=-=-=-
+ // pass the context with the ttl as well as an override which
+ // demands the pam authentication plugin
+ status = clientLogin( Conn, ctx_str.c_str(), "pam_interactive" );
+ if ( status != 0 )
+ {
+ rcDisconnect( Conn );
+ return 7;
+ }
+ }
+ else if ( strcmp( my_env.rodsAuthScheme, AUTH_OPENID_SCHEME ) == 0 ) {
irods::kvp_map_t ctx_map;
try {
std::string client_provider_cfg = irods::get_environment_property<std::string&>( "openid_provider" );