atlanticwave-sdx / sdx-controller

Central Controller for AtlanticWave SDX.
https://www.atlanticwave-sdx.net
MIT License

SDX Controller User Authentication and Ownership #298

Open usmanazFIU opened 3 days ago

usmanazFIU commented 3 days ago

SDX controller should have an authentication middleware for authenticating MEICAN users before they can access the SDX controller endpoints. Also, the SDX controller must know which user is initiating the request so it can set the ownership field in the JSON response for creating connections.

This can be done either by using JWT tokens or any other token-based authentication, or by using other authentication protocols such as BasicHTTP or OAuth mechanisms. Also, MEICAN will be storing connection requests in the MEICAN database for granting access to only those connections which were created by that specific MEICAN user, as mentioned in issue:

https://github.com/atlanticwave-sdx/sdx-meican/issues/52

YufengXin commented 3 days ago

@usmanazFIU To clarify and initiate the discussion:

In an earlier discussion, I recall that the decision was for Meican to implement CILogon for user AA. How does it go? And how is it related to this SDX middleware AA, in your opinion?

Secondly, "users" and their roles need to be defined between Meican, middleware, OXP. What is a "user" defined in Meican? When connection requests come to the middleware without user information, how would the middleware distinguish and generate "user" information?

For middleware API security, (1) conventionally, it will be deployed by the operator behind a firewall so that only white-listed IPs can visit it; (2) conventionally, like most public clouds such as Google do, we can enable an API key for API calls.
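The two operator-side controls listed in the comment above (an IP allowlist and per-client API keys), written out as an added example; this is not sdx-controller code. The header name, the key table, the test network range and the client name are assumptions. Only SHA-256 digests of keys are stored, so a leaked configuration does not leak usable keys, and the comparison is constant-time.

```python
"""IP allowlist plus API-key check in front of the SDX controller endpoints.

Added example, not sdx-controller code. Header name, key table and
network ranges are assumptions made for illustration.
"""
import hashlib
import hmac
import ipaddress

API_KEY_HEADER = "X-API-Key"  # assumption: header the calling system uses


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


# Assumption: the operator provisions one key per calling system (e.g. MEICAN)
# and configures only the key's digest plus the ranges it may call from.
# 198.51.100.0/24 is an RFC 5737 documentation range used here as sample data.
CLIENTS = {
    _digest("meican-key-example-only"): {
        "name": "meican",
        "allowed_from": [ipaddress.ip_network("198.51.100.0/24")],
    },
}


def identify_client(peer_ip: str, headers: dict):
    """Return the client record when peer_ip is allowlisted and the key matches, else None.

    peer_ip must be the transport-level peer address, not a forwarded header.
    """
    presented = headers.get(API_KEY_HEADER)
    if not presented:
        return None
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    presented_digest = _digest(presented)
    match = None
    # Walk every entry with a constant-time compare so response timing does
    # not reveal which digest (if any) was matched.
    for stored_digest, client in CLIENTS.items():
        if hmac.compare_digest(stored_digest, presented_digest):
            match = client
    if match is None:
        return None
    if not any(peer in net for net in match["allowed_from"]):
        return None
    return match
```

Note what this does and does not give you: an API key identifies the calling system (MEICAN), not the MEICAN user behind the request, so on its own it cannot fill the ownership field discussed in this issue.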

usmanazFIU commented 3 days ago

Yes @YufengXin, MEICAN is using CILogon for authenticating users to use the MEICAN system. The same user information can be sent to an SDX middleware or authentication endpoint which can check if the user exists within the SDX controller DB, maybe? If not, create a new user; otherwise just let the request go further. I am not sure if we should store users' information in the SDX Controller MongoDB.

Also, a "user" in MEICAN is a network operator with some predefined roles and access privileges.

sajith commented 3 days ago

I too am not sure what "users" would mean for SDX Controller or SDX LC or further down the SDX layers.

A simpler design would be to make Meican the only gatekeeper/portal to the system, and then maybe have Meican and SDX Controller use a shared secret token. Or perhaps use firewall rules and/or TLS mutual authentication to ensure that only Meican can talk to SDX Controller.
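The token-based design from the opening comment combined with the shared-secret design from this last comment, as an added example (not sdx-controller or MEICAN code): MEICAN, after CILogon login, signs an HS256 JWT with a secret it shares with the SDX controller and puts the user identity in the "sub" claim; the controller verifies the token and takes the ownership value from it rather than from the request body. The secret, the issuer and audience strings, the claim layout and the function names are assumptions.

```python
"""Bearer-token check for the MEICAN -> SDX controller hop.

Added example, not sdx-controller code. Assumes MEICAN signs an HS256 JWT
with a secret shared with the controller and carries the CILogon identity
in "sub". Secret, issuer, audience and claim layout are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"example-shared-secret-change-me"  # assumption: provisioned out of band
EXPECTED_ISSUER = "meican"                          # assumption
EXPECTED_AUDIENCE = "sdx-controller"                # assumption


class AuthError(Exception):
    """Raised for any token that must not be trusted."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_token(user: str, secret: bytes = SHARED_SECRET, ttl: int = 300, now=None) -> str:
    """MEICAN side: after CILogon login, sign who the user is and for how long."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "sub": user, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    return signing_input + "." + _b64url_encode(_sign(signing_input, secret))


def verify_token(token: str, secret: bytes = SHARED_SECRET, now=None) -> dict:
    """Controller side: return the verified claims, or raise AuthError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise AuthError("malformed token") from exc
    # Pin the algorithm on the verifier: the token must not choose it
    # ("alg": "none" or a public-key alg would bypass the shared secret).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    # Check the signature (constant-time) before trusting anything in the claims.
    if not hmac.compare_digest(_sign(f"{header_b64}.{claims_b64}", secret), signature):
        raise AuthError("bad signature")
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise AuthError("malformed claims") from exc
    if not isinstance(claims, dict):
        raise AuthError("malformed claims")
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise AuthError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise AuthError("expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise AuthError("no subject")
    return claims


def authenticate(headers: dict, now=None) -> str:
    """Middleware entry point: pull the bearer token and return the user id."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise AuthError("missing bearer token")
    return verify_token(token.strip(), now=now)["sub"]


def create_connection(headers: dict, body: dict, now=None) -> dict:
    """Ownership is set from the verified token, never from the request body."""
    user = authenticate(headers, now=now)
    connection = dict(body)
    connection["ownership"] = user  # overrides anything the client sent
    return connection
```

With a shared HMAC secret, anyone holding the secret can mint a token for any "sub", so this authenticates MEICAN as a system and then trusts what MEICAN asserts about the user; that is exactly the "Meican is the only gatekeeper" model, and the firewall rules or mutual TLS suggested above are what keeps other parties from reaching the endpoint at all.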