Changes in perl and python libs supporting calls to auth service.#13
Changes in perl and python libs supporting calls to auth service.#13rsutormin wants to merge 2 commits intokbase:masterfrom
Conversation
|
I’m curious what the motivation is for this? On Apr 17, 2015, at 3:13 PM, Roman Sutormin <notifications@github.commailto:notifications@github.com> wrote: You can view, comment on, or merge this pull request online at: Commit Summary
File Changes
Patch Links: — |
|
Well, this PR is more for discussion rather than for acceptance (at least for a while and I'm sure there will be some improvements in these changes). The idea is to support optional way to use kbase auth service for token extraction and validation in generated JSON-RPC client/server code (it's about python and perl because in java it's the only way and on javascript client side there is only token supported and no validation at all). |
|
Does this mean you are contemplating not actually using the tokens for authentication? Or is this mixing in a notion of authorization along with the authentication? If it is the latter I think the authorization questions need to be made explicit and outside the token management classes. On Apr 17, 2015, at 3:36 PM, Roman Sutormin <notifications@github.commailto:notifications@github.com> wrote: Well, this PR is more for discussion rather than for acceptance (at least for a while and I'm sure there will be some improvements in these changes). The idea is to support optional way to use kbase auth service for token extraction and validation in generated JSON-RPC client/server code (it's about python and perl because in java it's the only way and on javascript client side there is only token supported and no validation at all). — |
|
Why do we need to use the Globus token for service calls? |
|
I don't think there is any reference to authorization in my PR. Authorization in one or another way should be checked in implementation of server functions (like checking permission for particular user to delete particular shock node or workspace object or to run more than some limited number of jobs on cluster). We discuss here common generated server/client code maintaining authentication only. |
|
What else would you use to contact a service that requires authentication? Unless there has been a change in policy, the KB project has been using Globus tokens as the means to authenticate service requests for those services that require authentication. On Apr 17, 2015, at 4:19 PM, Erik Pearson <notifications@github.commailto:notifications@github.com> wrote: Why do we need to use the Globus token for service calls? — |
|
You just mentioned auth, which is ambiguous, and I wanted to make sure we were on the same page. I agree that authorization is outside scope here. —bob On Apr 17, 2015, at 4:39 PM, Roman Sutormin <notifications@github.commailto:notifications@github.com> wrote: I don't think there is any reference to authorization in my PR. Authorization in one or another way should be checked in implementation of server functions (like checking permission for particular user to delete particular shock node or workspace object or to run more than some limited number of jobs on cluster). We discuss here common generated server/client code maintaining authentication only. — |
|
I know auth_service stands for authorization. But it has "Login" function which is authentication function. This is the only function I use in my changes. It forwards call to GlobusOnline so tokens which it deals with are pure GO ones. The goal I'm trying to achieve is to have some optional way to configure auth end-point in clients and servers to point to fake authentication service in tests. This is getting more important now since we decided to use Travis CI for unit tests and we can not store real password of real test user in git repo. |
A token created and manage by KBase? What we need is a secure bit of state that can be used within the kbase framework which provides the identity of the bearer and for which we control the structure, api, policy, etc. Not being flip -- after we obtain a Globus token, validate it, and use it to obtain the user identity, we should create our own session token, with our own security, expiration, and whatever state we need it to carry. By incorporating the globus token as "our own" we have taken on dependency to the internal implementation details of their token. The kbase auth service should present this simply as an api, with the token opaque, so that these types of issues can be resolved in isolated code locations.
What I'm also getting at is that the Globus token provides authorization for certain operations with Globus, one of which is obtaining the user identity (I know they also throw that into the token and we can use it.) But that token does not explicitly provide any such privileges for kbase. We turn that user identity around and then we have, by other means, the ability to do things on behalf of that user within kbase. The fact that we carry the Globus token around as authentication seems more like a convenience than anything else, and that seems to be wearing thin! |
Perhaps the latter is part of the problem. By definition if we are testing authentication, there will be private credentials passed, private keys stored for signatures, etc. Couldn't configuration of the test suite be maintained privately? |
On Fri, Apr 17, 2015 at 3:22 PM, Erik Pearson notifications@github.com
|
|
Right, I was not considering that the tests need to run in the open as well. |
|
I don't understand why keeping test account usernames and passwords in github is a problem. No private data will be stored in a test user account, nor will the test user account be given any private data. Reengineering everything and staging a copy of every service to link to a "fake" auth service just because we're protecting the credentials of the test account sounds very extreme. Could someone steal the test user account information and use it to post bad things to KBase or do a DOS? Sure... I suppose. Could the very same person set up a 100 new KBase accounts in 60 seconds and do exactly the same thing a hundred times worse? Uh, yes. They could. So what is it that we are working so hard to protect? It's like locking up a water fountain sitting right next to a completely unlocked fire hose. In fact, permitting the remapping of our services to an arbitrary "fake auth" service screams "back door" to me. It's a back door that could possibly be used to allow an unauthorized user to access private user data... so we are adding new holes to the system and increasing complexity, all because we don't want to expose useless test account passwords in git. I must question the logic here. |
|
Well, Chris, I don't even know should I answer you or not because your points are obviously too far away from normal development practices. |
|
Other than testing, I believe there are some opportunities here for a more robust and secure system. |
|
It might be good to consider the implications of not contracting auth to a third party. Perhaps someone could comment on what the Department of Energy might require for us to maintain internally authentication credentials, their private information, and their reputation…, and that if being a US citizen or foreign citizen. I know it can be done, it’s just do we know what is involved? We opted for buy over build to jump start the project. Now might be a good time to revisit that decision. On Apr 18, 2015, at 12:22 PM, Erik Pearson notifications@github.com wrote:
|
|
In the discussions of security we need to define the threat model. I'm not sure we've every really discussed that in any detail. From: Thomas Brettin [notifications@github.com] It might be good to consider the implications of not contracting auth to a third party. Perhaps someone could comment on what the Department of Energy might require for us to maintain internally authentication credentials, their private information, and their reputation…, and that if being a US citizen or foreign citizen. I know it can be done, it’s just do we know what is involved? We opted for buy over build to jump start the project. Now might be a good time to revisit that decision. On Apr 18, 2015, at 12:22 PM, Erik Pearson notifications@github.com wrote:
— |
That's an interesting idea, but even if we did our own auth/authz we still need to avoid storing credentials of any kind in Github, and therefore still need a way to run Travis tests without pulling real credentials from Github. |
|
Ok, discussions of security and the threat models could be goals in long term. But it's not so important in short term as test mode in Travis CI. I started this discussion for this testing topic and my suggestion is to focus on closer tasks first. And after that we can start separate discussion about security. |
|
If the entire purpose of this discussion was "how do we test KB code that uses authentication tokens in Travis" it should be laid out like that and I suspect a simple solution is quite doable. Such a solution probably involves the creation of known test tokens, possibly created not by Globus but by a test authority that we configure. Part of the definition of the problem involves explicit enumeration of which services need to honor the requests from the testing site. From: kkellerlbl [notifications@github.com] It might be good to consider the implications of not contracting auth to a third party. That's an interesting idea, but even if we did our own auth/authz we still need to avoid storing credentials of any kind in Github, and therefore still need a way to run Travis tests without pulling real credentials from Github. — |
|
Looking at the code, I don't see comments explaining what is being done here or why. If the idea is to make it possible to use an alternate authn in testing mode, there should be comments in the code to that effect. You can't expect people to be able to find and pick through this PR to understand the motivation for the optional url argument. |
|
Wow, Dan, it's first comment to code itself. Good start. I'll add comments On Sat, Apr 18, 2015 at 2:59 PM, Dan Gunter notifications@github.com
|
|
Ok, Bob, can I ask your opinion about whole approach? Is it right On Sat, Apr 18, 2015 at 10:39 AM, olsonanl notifications@github.com wrote:
|
|
First, I just want to say I'd like to keep these discussions constructive. Perhaps we disagree on how to proceed, and that is your and my prerogative. But you asked my advise, and I took precious time to offer my input. Respectfully reject my input if you wish, and move on. That said, to follow up on my original comment, has anyone consulted globus about whether or not they could provide us with some locked-down credentials that could be checked into git-hub without fear of the account being hijacked. Perhaps an account where auth is only accepted from the IPs of the test machines? We surely aren't the first to run into this issue. I personally like the idea of the system being tested completely using the "real" code rather than a fake auth service. I concede you are probably right that introducing a fake auth service won't harm security, but it still seems it might hide bugs in the real auth that we might want to know about. Just something to consider for what it's worth. |
|
Chris, sorry for critical style of my response. I didn't mean to offend you. I'm trying to be as much constructive as possible simply because I need to solve this problem for myself and it's now blocking me and many other people from migration tests to Travis CI. |
|
Chris beat me to it. Please keep the discussion constructive. Be mindful of your tone both intentional or unintentional. To weigh in on the debate. I think there is value in having testing stubs available at all levels. Having test accounts with limited/no privileges, having test services, and having mock interfaces are all useful at different stages. Regarding the actual changes, it is unclear to me how the auth_service_url is intended to be set. My only concern (similar to Chris's) is making sure an external user can't override the validation URL for a service. I don't believe this is possible since the service should be instantiating the auth object. But we would need to ensure that something couldn't slip through initial upstream request. It seems like it would make more sense to override the URL as part of the object creation (i.e. in the new method). In my mind, this would seem less dangerous since it would generally occur long before any user requests are being processed. And as Matt suggested, please add comments and explanation for the purpose of the new code. |
alternative authentication requests to auth_service.
|
Here is second part of the whole picture. It's pull request for type compiler with corresponding changes in perl and python client/server templates. msneddon/typecomp#1 |
|
Oh, and this is my fake implementation of auth_service login function: https://github.com/rsutormin/auth/blob/dev-fake_service/fake-service/src/us/kbase/auth/fakesrv/AuthFakeService.java which I used to check that all parts are working. Of course I'll make it better and deployable after we decide that this approach is right way to solve the problem. |
|
Actually that was Dan G., but I agree with his comment. On Sun, Apr 19, 2015 at 9:50 AM, Shane Canon notifications@github.com
|
|
Just a question. Is it stipulated that all testing needs to happen in travis CI, with each service tested entirely independently? When and where was this decision made and announced to the group?Testing the modeling code independently of any other services is going to be really complex. |
|
I must confess, I'm deeply confused by what we're trying to achieve with all this work on the "fake" auth service. I suppose I've missed some sort of extremely lengthy development discussion somewhere. So you want to create, and stage a fake authentication server? And this will be deployed in a test environment somewhere? And then test services will be deployed connected to the fake server? And then you'll do many authenticated tests? So I suppose you'll have a fake workspace posted that also connects to the fake auth server? So every test instance will run a fake auth, fake workspace, and test instance of every server? Where is data needed to load all these fake instances going to be stored? How is fake data being loaded into the fake workspace? Is someone building infrastructure for all of this? Is this plan documented or discussed anywhere? |
It has been proposed as part of the process guide. The next section talks about the proposal for integration testing across services. These docs have been up for a few weeks now, and Fernando announced them at least twice to the mailing list (I forget which one, either All or -devel). |
|
OK. Just to quote from the first few lines in the file you've referenced: "It is important to clarify that this document is at this stage, an early draft meant to elicit discussion across the KBase project. It is meant to be adapted and fine-tuned, until we can all “sign off” on it, and commit to adopting it as our common process." This was submitted 19 days ago, primarily written by Fernando and edited by two other people. I don't know if the "services lead" has even looked at this, and he devised his own testing strategy that would seem to need to be reconciled with this. It feels like this has moved from "discussion" to "action" before alot of discussion has taken place. I have attempted to track policy being devised across the project while also getting some work done on the side, and I must confess, I am beginning to drown in policy. |
|
Sorry, I'm not trying to be difficult. I guess I'm saying I'm seeing general policy being put into practice while the plan to implement the policy still seems pretty foggy to me. One could, for example, ask what it means to have all modules tested using Travis CI. So I see a well-articulated policy in the doc that Keith linked (thankyou keith), but has anyone laid out the implementation plan that Roman and Mike (and others) are following to put this into action? This would be helpful for me. |
|
My impression was that the discussion of the project guide documents was supposed to take place in issues and PRs in the repo. Is that accurate? |
|
Again, this is just my impression, which may be incorrect, but I think the idea is that we are trying to solidify our policies, while knowing that in reality we're not quite caught up with those statements. So, for example, we don't currently have implementation details for Travis CI, nor do we have a 100% fully functioning and reliable CI environment, nor do we have real integration tests that can be run against that CI environment. So the process guide is something we want to work towards, not necessarily something that we'll be fully compliant with tomorrow. But again, I could be wrong, and I hope someone will correct me if I am. |
|
So, yes, I am sure we all agree that general issues with the process should Dan GunterOn Mon, Apr 20, 2015 at 8:45 PM, kkellerlbl notifications@github.com
|
|
Off-topic, but important one. I'm sure we should have collected/arranged internally in KBase best practices, tutorials or even boot camps and trainings dedicated to testing APIs, scientific algorithms, UI of different complexity on different levels. Seriously. It's critical topic. We can't just hope it's going to be organized by itself. |
|
Hi folks, sorry I wasn't watching this repo, so I missed this discussion... A few points:
|
11 participants
No description provided.