implement api key and secret authentication #982

Closed
loomis opened this issue Apr 18, 2017 · 5 comments
Comments

@loomis (Contributor) commented Apr 18, 2017

Currently machine cookies are used to allow access to SlipStream resources from the orchestrators/machines in a deployment. Investigate whether we should change this implementation or improve the existing one. For example, the existing one could be enhanced to provide further checks on the cookie. A different implementation would be to use revocable api/secret keys, which would be valid only for the lifetime of a given deployment.

@loomis (Contributor, Author) commented Jul 12, 2017

The decision was to start with an implementation of api/secret keys to replace machine cookies and to provide general, revocable API access to the service. The essential features of the implementation are:

  • Users can generate on demand new api/secret key pairs. These can be used through the API to authenticate with the server.
  • Authentication follows the standard CIMI workflow with the SessionTemplate and Session resources, allowing the client to obtain a time-limited token.
  • The api/secret key pairs can be revoked by the user at any time. After this, no new access tokens can be generated with the revoked api/secret key pair.
  • At creation time, the user attributes (groups, roles, etc.) will be transferred into the api/secret key and included in generated tokens thereafter. The user may optionally limit which attributes are included in the api/secret key.
  • At creation time, the user may provide an expiration time for the api/secret key. If provided, the api/secret key cannot be renewed after that time.

The details of the proposal and discussion can be found in another ticket.

@loomis (Contributor, Author) commented Aug 7, 2017

The attached PR implements all of the above features, except allowing the user to limit the roles for the API key and secret. Testing with a live SlipStream instance still needs to be carried out.

@loomis (Contributor, Author) commented Aug 9, 2017

The roles stored when creating an API key credential also include the current session role. This should be stripped so that future sessions do not have multiple session roles.
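The credential lifecycle laid out in the Jul 12 comment (on-demand key/secret pairs, session tokens minted through the key, user-side revocation, an attribute snapshot the user may narrow, an optional expiry) together with the Aug 9 point about dropping the creating session's role from that snapshot, as an added illustration in Python. This is not SlipStream's code: the `CredentialStore` class, the `credential/...` identifier form, the `session/` role prefix and the PBKDF2 storage of the secret are assumptions made for the example.

```python
"""Revocable API key/secret credentials that mint time-limited session tokens.

Added illustration, not SlipStream code. The class and method names, the
"credential/<id>" key identifier, and the "session/<id>" role prefix are
assumptions for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Iterable, Optional

SESSION_ROLE_PREFIX = "session/"  # assumption: session roles look like "session/<id>"
PBKDF2_ROUNDS = 50_000


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Only a salted, slow hash of the secret is stored; the clear secret is shown once.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class ApiKey:
    key_id: str
    user: str
    roles: frozenset            # user attributes snapshotted at creation time
    secret_hash: bytes
    salt: bytes
    expires_at: Optional[float]  # None: the key itself never expires
    revoked: bool = False


@dataclass
class Session:
    token: str
    user: str
    roles: frozenset
    expires_at: float


class CredentialStore:
    def __init__(self, token_ttl: float = 3600.0):
        self.token_ttl = token_ttl
        self._keys: dict[str, ApiKey] = {}
        self._sessions: dict[str, Session] = {}
        # Dummy credential so a lookup miss costs the same as a real secret check.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = _hash_secret(secrets.token_urlsafe(32), self._dummy_salt)

    def create_api_key(self, user: str, user_roles: Iterable[str], *,
                       limit_to: Optional[Iterable[str]] = None,
                       expires_in: Optional[float] = None,
                       now: Optional[float] = None):
        now = time.time() if now is None else now
        # Snapshot the user's attributes, dropping the role of the session that is
        # creating the key, so sessions minted later carry exactly one session role.
        roles = {r for r in user_roles if not r.startswith(SESSION_ROLE_PREFIX)}
        if limit_to is not None:
            roles &= set(limit_to)  # the user may narrow the snapshot, never widen it
        key_id = "credential/" + secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        expires_at = None if expires_in is None else now + expires_in
        self._keys[key_id] = ApiKey(key_id, user, frozenset(roles),
                                    _hash_secret(secret, salt), salt, expires_at)
        return key_id, secret  # the secret is returned once and never stored in clear

    def key_roles(self, key_id: str) -> frozenset:
        return self._keys[key_id].roles

    def revoke(self, key_id: str) -> None:
        self._keys[key_id].revoked = True

    def create_session(self, key_id: str, secret: str,
                       now: Optional[float] = None) -> Optional[Session]:
        """Session creation (the CIMI SessionTemplate step): returns a token or None."""
        now = time.time() if now is None else now
        key = self._keys.get(key_id)
        salt = key.salt if key else self._dummy_salt
        expected = key.secret_hash if key else self._dummy_hash
        secret_ok = hmac.compare_digest(_hash_secret(secret, salt), expected)
        if key is None or not secret_ok or key.revoked:
            return None
        if key.expires_at is not None and now >= key.expires_at:
            return None
        token = secrets.token_urlsafe(32)
        session_role = SESSION_ROLE_PREFIX + secrets.token_hex(8)
        session = Session(token, key.user, key.roles | {session_role}, now + self.token_ttl)
        self._sessions[token] = session
        return session

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[Session]:
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None or now >= session.expires_at:
            return None
        return session
```

One caveat worth keeping in mind: the thread says revocation stops new access tokens from being generated, and the store above does exactly that and no more, so a session token minted before `revoke()` stays valid until its own expiry. The session TTL therefore bounds how long a revoked credential can still be exercised; if that window is unacceptable, `revoke()` would also have to drop the sessions minted from that key.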

@loomis changed the title from "machine token implementation" to "implement api key and secret authentication" Aug 10, 2017

@loomis (Contributor, Author) commented Aug 10, 2017

The latest changes fix the problem with the duplicated session roles.

@loomis (Contributor, Author) commented Aug 10, 2017

Reimplementation of the machine cookies is covered in a separate ticket. #1151
