On Mon, Aug 24, 2015 at 9:45 PM, Udara Rathnayake <[email protected]> wrote:
> Hi Sagara, > > On Mon, Aug 24, 2015 at 9:38 PM, Sagara Gunathunga <[email protected]> > wrote: > >> >> >> On Mon, Aug 24, 2015 at 7:04 PM, Udara Rathnayake <[email protected]> >> wrote: >> >>> Hi All, >>> >>> [moving to eng-group] >>> >> [As this is a technical matter we should discuss in dev@ or >> architecture@ list] >> >> Hi Udara, >> >> Let me ask a question, if we forget G-Reg for a second, can we set up a >> distributed ES2 deployment (where ES2 publisher and ES2 store on separate >> nodes) without an external IDP (IS) ? >> > yes. As far as I remember we have tested this scenario pointing ES > nodes(store/publisher) to another ES node(this can be a store or a > publisher) which in this scenario acts as the IDP. > I assumed what you are saying is, it's possible to have 2 node ES2 ( store/publisher) deployment where one ES2 node act as IDP is a recommended ES2 deployment pattern. In above case both nodes need to be communicated among each other and both should be accessible to users of store and publisher, as an example a self-signed public (external ) user need to be logged into IDP located in internal publisher node or an internal publishing user need to be logged in to IDP located in public store node, in real world both of these examples raise some serious security concerns. If we look at widely used DMZ based deployments, IMO above pattern is not acceptable, even if we consider ES2 only this is a problem. There are lot of real world use cases where Store and Publisher are isolated, how do you achieve such deployments ? Having SSO among publisher and store is a great feature but it should not be the only authentication mechanism, if you take any WSO2 product you can simply login by providing user name and password through BasicAuth, this is a consistent behaviour across the platform. Further in production systems, it is not very common to have SSO among publisher and store, as an example in production systems how often an user logged into store will access to publisher through SSO ? > > Thanks ! > >> >> In order to facilitate a requirement came from gov center side we >> introduced basicauth capability to store/publisher apps. But there are some >> scenarios we need to improve in order to support basic-auth in ES. So I >> believe we should not introduce this as a feature in ES2. >> > Can you please explain why do you think BasicAuth should not be a feature of ES2 ? As I mentioned above how do you support isolated deployments of store and publisher where store is in DMZ ? AFAIK original concept of ES2 came after realizing publisher-store pattern we used have in API-M, G-Reg API Store etc, my point is embedding ES2 is a primary requirement and we should make sure such integrations are feasible and easy to use. Originally we expected BasicAuth is there with ES2 like any other platform components, since it was not there we raise it as GC requirement but that does not mean this is G-Reg specific requirement. > >> Following are the concerns we need to address, >> >> 1. We have integrated store and social apps via sso, if we are to enable >> basic-auth for store we need to disable social framework and move to old >> comment/rating solution based on registry. >> > This mean we have tightly coupled social F/W with SSO, IMHO that not a nice design. Security should be a separate concern and should not be scattered with functional features, ideally social F/W should be independent from any of the authentication mechanism supported. > 2. Still we can enable basic auth for publisher(only) and keep sso between >> store and social apps. >> > Basically we need set of deployment patterns supported by ES2 after that we can discuss how same patterns can be used in embedded use cases such as GC. Thanks ! > >> Thoughts? >> >> Regards, >> UdaraR >> >> On Mon, Aug 24, 2015 at 6:28 PM, Chankami Maddumage <[email protected]> >> wrote: >> >>> Hi Team, >>> >>> QA team need to know whether ES supports *Basic auth* as authentication >>> method . >>> >>> -- >>> Best Regards , >>> >>> >>> *Chankami Maddumage* >>> Software Engineer - QA Team >>> WSO2 Inc; http://www.wso2.com/. >>> Mobile: +94 (0) 770 030 469 <%2B94%20%280%29%20773%20381%20250> >>> >>> >> >> >> >> -- >> Sagara Gunathunga >> >> Architect; WSO2, Inc.; http://wso2.com >> V.P Apache Web Services; http://ws.apache.org/ >> Linkedin; http://www.linkedin.com/in/ssagara >> Blog ; http://ssagara.blogspot.com >> >> > -- Sagara Gunathunga Architect; WSO2, Inc.; http://wso2.com V.P Apache Web Services; http://ws.apache.org/ Linkedin; http://www.linkedin.com/in/ssagara Blog ; http://ssagara.blogspot.com
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
