Tendrl / specifications

Tendrl specs go here
GNU Lesser General Public License v3.0

Users, authentication and RBAC in the API #128

Closed brainfunked closed 7 years ago

brainfunked commented 7 years ago

The API needs to support users and authentication. Three levels of access are required: read-only, read-write and admin. The read-only and read-write privileges will automatically be available for API endpoints based on the HTTP verb being used. In a special case, some flows (and hence their endpoints) could be marked as admin. Such endpoints' access must be granted only to the users with the admin privileges.
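The authorization rule described in this comment (privilege derived from the HTTP verb, with some flows marked admin-only) as an added example; this is not Tendrl's code, and the choice of Python, the `Privilege` ordering, the verb sets and the sample admin flow prefixes are all assumptions for illustration:

```python
"""Verb-based privilege mapping with admin-marked flows (added example, not Tendrl's code)."""
from enum import IntEnum


class Privilege(IntEnum):
    """Ordered so that a higher level implies every lower one."""
    READ_ONLY = 1
    READ_WRITE = 2
    ADMIN = 3


# Assumption: safe verbs need read-only, mutating verbs need read-write.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
MUTATING_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})

# Constructed sample: path prefixes whose flows are marked admin regardless of verb.
ADMIN_FLOWS = ("/api/users", "/api/config")

# Maps the three roles named in the issue to their privilege level.
ROLE_PRIVILEGE = {
    "read-only": Privilege.READ_ONLY,
    "read-write": Privilege.READ_WRITE,
    "admin": Privilege.ADMIN,
}


def required_privilege(method, path, admin_flows=ADMIN_FLOWS):
    """Minimum privilege for a request: admin for marked flows, else decided by the verb."""
    method = method.upper()
    if any(path == prefix or path.startswith(prefix + "/") for prefix in admin_flows):
        return Privilege.ADMIN
    if method in SAFE_METHODS:
        return Privilege.READ_ONLY
    if method in MUTATING_METHODS:
        return Privilege.READ_WRITE
    # Fail closed: an unlisted verb never maps to a low privilege by accident.
    raise ValueError(f"unsupported HTTP method: {method}")


def authorize(role, method, path, admin_flows=ADMIN_FLOWS):
    """True only if the role's privilege meets the endpoint's requirement; unknown roles are denied."""
    granted = ROLE_PRIVILEGE.get(role)
    if granted is None:
        return False
    try:
        needed = required_privilege(method, path, admin_flows)
    except ValueError:
        return False
    return granted >= needed


if __name__ == "__main__":
    for role, method, path in [("read-only", "GET", "/api/clusters"),
                               ("read-only", "POST", "/api/clusters"),
                               ("read-write", "GET", "/api/users"),
                               ("admin", "DELETE", "/api/users/42")]:
        print(f"{role:10} {method:6} {path:20} -> {'allow' if authorize(role, method, path) else 'deny'}")
```

The admin check runs before the verb check on purpose: a read-only user must not be able to `GET` an admin-marked flow just because the verb is safe, which is the special case the comment calls out.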

mkudlej commented 7 years ago

@brainfunked I think this is not user authentication. As I understand it, the API server will run in 2 different modes, admin or read/write, which will depend on a configuration option. Am I right?

Why is there no plan to provide user authentication using sessions? Example in ManageIQ: http://manageiq.org/docs/reference/latest/api/overview/auth

I think the lack of user authentication is a security risk.

sankarshanmukhopadhyay commented 7 years ago

Isn't this part of the specification talking about roles and the access that will be available to these roles? @brainfunked

mkudlej commented 7 years ago

@sankarshanmukhopadhyay What specification do you mean, please? Is there any pull request already there? If yes, could you please link it here?

brainfunked commented 7 years ago

This specification focuses on enabling the concept of a user in Tendrl. For now, it'll be a basic password based authentication mechanism for local users, with the levels of privileges mentioned above. Additional authentication schemes such as LDAP can then be added on top of this basic framework.
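The basic password-based mechanism for local users described in this comment, as an added example of what such a local user store could look like; this is not Tendrl's code, and the PBKDF2 parameters, record layout and sample users are constructed assumptions:

```python
"""Local users with salted password hashes and a role (added example, not Tendrl's code)."""
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 with a fixed iteration count; tune for the deployment.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def make_user(username, password, role):
    """Create a local user record; only the salted digest is stored, never the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"username": username, "salt": salt, "digest": digest, "role": role}


def authenticate(users, username, password):
    """Return the user's role on success, None otherwise.

    The KDF runs even for an unknown username so the response time does not
    reveal which accounts exist, and the digest comparison is constant-time.
    """
    record = users.get(username)
    salt = record["salt"] if record else bytes(SALT_BYTES)
    expected = record["digest"] if record else bytes(DIGEST_BYTES)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    if record is not None and hmac.compare_digest(candidate, expected):
        return record["role"]
    return None


def build_sample_store():
    """Constructed sample store with one user per privilege level named in the issue."""
    users = {}
    for name, password, role in [("alice", "correct horse battery", "admin"),
                                 ("bob", "read-write-pass", "read-write"),
                                 ("carol", "read-only-pass", "read-only")]:
        users[name] = make_user(name, password, role)
    return users


if __name__ == "__main__":
    store = build_sample_store()
    print(authenticate(store, "alice", "correct horse battery"))  # admin
    print(authenticate(store, "bob", "wrong"))                    # None
    print(authenticate(store, "nobody", "anything"))              # None
```

The role returned here is what the verb-based authorization check consumes; keeping authentication (who is this) separate from authorization (what may they do) is what later lets an LDAP backend replace the local store without touching the privilege logic.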

sankarshanmukhopadhyay commented 7 years ago

Alright. So, I did a mangled attempt to explain it previously. The intent is to have access and authentication (along with privilege levels associated) first and thereafter extend it to integrate with identity management systems.

brainfunked commented 7 years ago

The pull requests against this spec are to be in a branch named spec-128-api-auth-and-rabc across all affected repositories. The branch has already been created on this repository: https://github.com/Tendrl/specifications/tree/spec-128-api-auth-and-rabc.

r0h4n commented 7 years ago

@brainfunked is this done?