Kenneth, Good point. But just to be clear I’m only proposing that the portal username and hence the Airavata internal user id be lowercase. Airavata also stores usernames for logging into remote compute resources, etc., and I’m not proposing that we make those usernames lowercase. So Airavata should still be able to authenticate to and interoperate with external services that allow for case sensitive usernames. I expect we would do something similar for a jupyterhub integration.
> On Jun 14, 2017, at 12:17 PM, K Yoshimoto <kenn...@sdsc.edu> wrote: > > Requiring case-insensitive usernames might make it a bit > more difficult for existing systems with case-sensitive > usernames. For example, I think jupyterhub servers can be > set up to use unix usernames, which would be case-sensitive. > > On Wed, Jun 14, 2017 at 10:18:52AM -0400, Suresh Marru wrote: >> Hi Marcus, >> >> Interesting problem. Your conclusion seems to be the right approach. >> >> + 1 for fixing the legacy data and also for employing lowercasing all the >> tables you identified. >> >> Suresh >> >>> On Jun 14, 2017, at 10:14 AM, Christie, Marcus Aaron <machr...@iu.edu> >>> wrote: >>> >>> Dev, >>> >>> During testing integration with Keycloak, Eroma discovered several issues >>> [1] [2] [3] [4] related to having a legacy username with mixed upper and >>> lower case characters. WSO2 IS allowed users to have usernames with upper >>> case characters. However, Keycloak lowercases the username when a user is >>> created so all usernames in Keycloak are lowercase. This causes a problem >>> when code compares a user’s logged in username with usernames in the >>> Airavata database that have upper case characters. For example, the PGA >>> when trying to determine if the logged in user can write to a project gets >>> all of the accessible users and compares the logged in username against the >>> list of accessible usernames. >>> >>> After some thought I’ve come around to thinking that Keycloak lowercasing >>> usernames is a good idea. It could cause confusion and potential security >>> issues to allow users to have case-sensistive usernames. Two usernames >>> could be identical except for case and it would be reasonable for users to >>> assume that they represent the same user. >>> >>> So I think Airavata and specifically the User Profile service should adopt >>> the same policy and lowercase usernames. >>> >>> For legacy data, to fix the issues Eroma encountered, we would need to do a >>> one-time conversion of legacy usernames to lowercase. This would involve: >>> * lowercasing all usernames in Airavata database. See [5] for list of >>> tables that would be affected >>> * lowercase the user directory names in gateway user storage on the PGA >>> servers >>> * likewise lowercase the user directory names in DATA_REPLICA_LOCATION >>> >>> I’m open to any feedback. >>> >>> Thanks, >>> >>> Marcus >>> >>> [1] https://issues.apache.org/jira/browse/AIRAVATA-2437 >>> <https://issues.apache.org/jira/browse/AIRAVATA-2437> >>> [2] https://issues.apache.org/jira/browse/AIRAVATA-2438 >>> <https://issues.apache.org/jira/browse/AIRAVATA-2438> >>> [3] https://issues.apache.org/jira/browse/AIRAVATA-2439 >>> <https://issues.apache.org/jira/browse/AIRAVATA-2439> >>> [4] https://issues.apache.org/jira/browse/AIRAVATA-2440 >>> <https://issues.apache.org/jira/browse/AIRAVATA-2440> >>> [5] >>> https://issues.apache.org/jira/browse/AIRAVATA-2438?focusedCommentId=16049210&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16049210 >>> >>> <https://issues.apache.org/jira/browse/AIRAVATA-2438?focusedCommentId=16049210&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16049210> >>> >>> >>
