Skip to content

Latest commit

 

History

History
97 lines (84 loc) · 3.86 KB

20200728-minutes.md

File metadata and controls

97 lines (84 loc) · 3.86 KB

Authentication Working Group Minutes

Tuesday, 2020/07/28

10:00 am ET

Attendees:

Terrell Russell, Alan King, Daniel Moore, Kory Draughn, Stefan Wolfsheimer (SURFsara), Claudio Cacciari (SURFsara), Mike Conway (NIEHS), John Constable (Sanger), Michele Carpené (CINECA), Brett Hartley (Sanger)

Minutes

SUMMARY:

TODO: Terrell to update minutes, save Stefan's June diffs to AuthWG repository

Next POCs with new framework:

  • PAM (Stefan, mostly demonstrated…)
  • OpenID Connect
  • Kerberos
  • S3-like access/secret key auth

UPDATE:

  • Stefan has now pulled nearly all the code from the diffs into plugins, more modular approach, and now built against 4.2.7 and 4.2.8
  • Only a few lines still needed in the iCommands code - can probably pull that out soon, no deltas with the core at this time.
  • Because OpenID Connect… some temporary token exchanged, then real access token is used … need to store the access token on client side… then later, other icommands can use that access token … Storing a cookie/token on the client side, accessible by key later in the flow, can be used non-interactively allowing for flexible use cases (this has the effect of providing a 'session-like' experience). If the token is expired, they will need to reauthenticate, but that is expected/desired.
  • Still to do - remove the last of the extra manual steps for the user interaction. But nothing left to prove with the PAM negotiation explicitly.
  • Code here: https://github.com/stefan-wolfsheimer/irods_auth_plugin_pam_interactive

QUESTION:

  • Parallel transfer… does this authentication work affect data transfer in any way? Claudio saw a partial transfer at one point… some of the file did not arrive. Only once… and with 4.2.7… not yet reproducible.

TODO:

  • Quick call with SURFsara for PAM iCommands - last 4-5 lines to pull out - scheduled for early Thurs

Stefan's remaining iCommands diff:

diff --git a/src/iinit.cpp b/src/iinit.cpp
index 9607c07..7032430 100644
--- a/src/iinit.cpp
+++ b/src/iinit.cpp
@@ -279,7 +279,9 @@ main( int argc, char **argv ) {
     if ( irods::AUTH_PAM_SCHEME == lower_scheme ) {
         doPassword = 0;
     }
-
+    if ( lower_scheme == "pam_interactive") {
+        doPassword = 0;
+    }
     if ( strcmp( my_env.rodsUserName, ANONYMOUS_USER ) == 0 ) {
         doPassword = 0;
     }
@@ -346,8 +348,39 @@ main( int argc, char **argv ) {
         // if this succeeded, do the regular login below to check
         // that the generated password works properly.
     } // if pam
-
-    if ( strcmp( my_env.rodsAuthScheme, AUTH_OPENID_SCHEME ) == 0 ) {
+    if ( "pam_interactive" == lower_scheme ) {
+      irods::kvp_map_t ctx_map;
+      if(myRodsArgs.verbose == True)
+      {
+        ctx_map["VERBOSE"] = "true";
+      }
+      else
+      {
+        ctx_map["VERBOSE"] = "false";
+      }
+      if(myRodsArgs.veryVerbose == True)
+      {
+        ctx_map["VVERBOSE"] = "true";
+      }
+      else
+      {
+        ctx_map["VVERBOSE"] = "false";
+      }
+      // tell the plugin that we are using iinit
+      ctx_map["ECHO"] = "true";
+
+      std::string ctx_str = irods::escaped_kvp_string(ctx_map);
+      // =-=-=-=-=-=-=-
+      // pass the context with the ttl as well as an override which
+      // demands the pam authentication plugin
+      status = clientLogin( Conn, ctx_str.c_str(), "pam_interactive" );
+      if ( status != 0 )
+      {
+        rcDisconnect( Conn );
+        return 7;
+      }
+    }
+    else if ( strcmp( my_env.rodsAuthScheme, AUTH_OPENID_SCHEME ) == 0 ) {
         irods::kvp_map_t ctx_map;
         try {
             std::string client_provider_cfg = irods::get_environment_property<std::string&>( "openid_provider" );