Hi Randy-- Yes, I mean "Evernote" in the next to the last paragraph--Evernote does not have the same multi-tenanted use case.
I'm looking forward to your document, but I'm also at a conference this week and want to have a few thoughts in mind for my presentation in case anyone is interested.

Marlon

On 6/3/14 11:00 AM, Randy Heiland wrote:
> Marlon,
>
> In your last paragraph, you mean “Evernote...” and not “Thrift also has…” -
> correct?
>
> I believe you’re correct in your Thrift over HTTP for Evernote assumption,
> based on this:
> http://mail-archives.apache.org/mod_mbox/incubator-thrift-dev/201005.mbox/%[email protected]%3E
>
> I actually have a doc to share with your team shortly regarding
> Evernote/Thrift that we did as part of our (CTSC) engagement with you. And I
> have some follow-on questions that I’ll contact you about offline.
>
> -Randy
>
> On Jun 3, 2014, at 2:33 AM, Marlon Pierce <[email protected]> wrote:
>
>> This email is intended to introduce some security discussion.
>>
>> One of the advantages of Thrift is the ability it will give us to
>> integrate native-language SDKs with desktop clients. This requires
>> though that we will need to think through our security model. In the
>> usual browser-based use case, the user does not make direct calls to the
>> API. These come instead from the gateway server, and we can establish a
>> trust relationship (such as SSL mutual authentication).
>>
>> For the desktop client case, users make direct calls to the Airavata API
>> server, so we have three actors: the desktop application, the API
>> Server, and an auth service. The Auth service performs initial
>> authentication of the user; it is a service that is gateway-dependent.
>> Without going into too many details, OAuth is the usual protocol for
>> doing this. Evernote, in their Thrift API, provides this as an option.
>>
>> Evernote (from what I can tell) uses Thrift over HTTP, or at least uses
>> an HTTP proxy. If we stay with TCP/IP Thrift services in Airavata,
>> does this mean we need to implement OAuth ourselves?
>>
>> Thrift also has a different use case in that they are not a
>> multi-tenanted service: they own all the accounts that they
>> authenticate. In contrast, a single Airavata server may support several
>> unrelated gateways. Each gateway would manage its own user accounts.
>>
>> What are the best options for Airavata?
>>
>>
>> Marlon
>>
