Fwiw, here’s the draft document I mentioned below: http://pages.iu.edu/~heiland/ctsc/BestPracticesforThriftClients_EvernoteUseCase.pdf
I’d welcome any comments people might have.

-Randy

On Jun 3, 2014, at 9:05 AM, Marlon Pierce <[email protected]> wrote:

> Hi Randy--
>
> Yes, I mean "Evernote" in the next to the last paragraph--Evernote does
> not have the same multi-tenanted use case.
>
> I'm looking forward to your document, but I'm also at a conference this
> week and want to have a few thoughts in mind for my presentation in case
> anyone is interested.
>
> Marlon
>
> On 6/3/14 11:00 AM, Randy Heiland wrote:
>> Marlon,
>>
>> In your last paragraph, you mean “Evernote...” and not “Thrift also has…” -
>> correct?
>>
>> I believe you’re correct in your Thrift over HTTP for Evernote assumption,
>> based on this:
>> http://mail-archives.apache.org/mod_mbox/incubator-thrift-dev/201005.mbox/%[email protected]%3E
>>
>> I actually have a doc to share with your team shortly regarding
>> Evernote/Thrift that we did as part of our (CTSC) engagement with you. And I
>> have some follow-on questions that I’ll contact you about offline.
>>
>> -Randy
>>
>> On Jun 3, 2014, at 2:33 AM, Marlon Pierce <[email protected]> wrote:
>>
>>> This email is intended to introduce some security discussion.
>>>
>>> One of the advantages of Thrift is the ability it will give us to
>>> integrate native-language SDKs with desktop clients. This requires,
>>> though, that we will need to think through our security model. In the
>>> usual browser-based use case, the user does not make direct calls to the
>>> API. These come instead from the gateway server, and we can establish a
>>> trust relationship (such as SSL mutual authentication).
>>>
>>> For the desktop client case, users make direct calls to the Airavata API
>>> server, so we have three actors: the desktop application, the API
>>> Server, and an auth service. The Auth service performs initial
>>> authentication of the user; it is a service that is gateway-dependent.
>>> Without going into too many details, OAuth is the usual protocol for
>>> doing this. Evernote, in their Thrift API, provides this as an option.
>>>
>>> Evernote (from what I can tell) uses Thrift over HTTP, or at least uses
>>> an HTTP proxy. If we stay with TCP/IP Thrift services in Airavata,
>>> does this mean we need to implement OAuth ourselves?
>>>
>>> Thrift also has a different use case in that they are not a
>>> multi-tenanted service: they own all the accounts that they
>>> authenticate. In contrast, a single Airavata server may support several
>>> unrelated gateways. Each gateway would manage its own user accounts.
>>>
>>> What are the best options for Airavata?
>>>
>>>
>>> Marlon
