@Karan, @Suresh

Is there a plan to enable data sharing at the raw file level using
NextCloud? If so we may need a more complex authorization mechanism.

On Wed, May 23, 2018 at 3:07 PM, Kotabagi, Karan <kkota...@iu.edu> wrote:

> @Supun, @Suresh and Sudhakar,
>
>
> Thanks for your inputs. I will have more questions moving ahead.
>
>
> Regards
>
> Karan
> ------------------------------
> *From:* Supun Nakandala <supun.nakand...@gmail.com>
> *Sent:* Wednesday, May 23, 2018 4:42 PM
> *To:* Kotabagi, Karan
>
> *Subject:* Re: Gsoc 2018 - Integration of the Nextcloud with Apache
> Airavata
>
> Hi Karan,
>
> On Wed, May 23, 2018 at 9:34 AM, Kotabagi, Karan <kkota...@iu.edu> wrote:
>
>> Hi Supun,
>>
>>
>> I have followed the steps that Sachin gave and was able to configure the
>> nextcloud with the keycloak server locally. The  nextcloud interface will
>> re-direct to the keycloak server to authenticate with the username and
>> password.
>>
>>
>> Since we have file upload service code that will upload the file into
>> the nextcloud without the keycloak authentication, I have a few
>> questions on which I need your help with respect to the seagrid-rich
>> client. We need to integrate this in such a way that the file upload service
>> will get authenticated with the keycloak server and then proceed to
>> upload the file.
>>
>>
>> 1> Is the seagrid-rich client currently configured to be
>> authenticated with the keycloak server?
>>
>> Yes. In the login process seagrid client obtains an access token and it
>> uses this access token as the password for the SFTP server. The SFTP server
>> (Apache Mina implementation) verifies this access token from SFTP server
>> end.
>> https://github.com/SciGaP/airavata-file-manager/blob/master/src/main/java/org/apache/airavata/filemgr/AuthenticationMgr.java
>> You can do something similar in NextCloud. I
>> hope NextCloud would support some form of pluggable authentication model
>> (PAM).
>>
>> 2>I looked into the following code:-
>>
>>     https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/storage/GuiFileTask.java
>>
>>     In this, the sftp session is getting authenticated with the oauth
>> token.
>>
>> In the same way, is it possible to use the existing authentication
>> mechanism to get the nextcloud authenticated? (by configuring the nextcloud
>> login endpoint as the client in the existing keycloak server).
>>
>> The client should be the desktop client. Not the NextCloud server.
>> NextCloud server will be the resource which has to enforce authentication
>> and authorization using the access token.
>>
>> 3> The token is being received from the Airavata Manager at
>>
>>      https://github.com/SciGaP/seagrid-rich-client/blob/master/src/main/java/org/seagrid/desktop/connectors/airavata/AiravataManager.java
>>
>> and I believe the token is set during the initial login.
>>
>> Yes you are correct.
>>
>> Do you have any more of the details that I can look into to integrate the
>> existing authentication mechanism in seagrid-rich client to login to
>> the nextcloud server?
>>
>>
>> Regards
>>
>> Karan
>> ------------------------------
>> *From:* Kotabagi, Karan <kkota...@iu.edu>
>> *Sent:* Saturday, May 19, 2018 11:03 AM
>> *To:* Kariyattin, Sachin; Supun Nakandala
>> *Cc:* Marru, Suresh; dev@airavata.apache.org
>>
>> *Subject:* Re: Gsoc 2018 - Integration of the Nextcloud with Apache
>> Airavata
>>
>>
>> @Sachin, @Supun,
>>
>>
>> Thanks for the information, I will look into the same.
>>
>>
>> Regards
>>
>> Karan
>> ------------------------------
>> *From:* Supun Nakandala <supun.nakand...@gmail.com>
>> *Sent:* Saturday, May 19, 2018 12:07 AM
>> *To:* dev
>> *Subject:* Re: Gsoc 2018 - Integration of the Nextcloud with Apache
>> Airavata
>>
>> Hi Karan,
>>
>> In my opinion, the ideal approach to use in this scenario would be OAuth
>> based authorization. KeyCloak supports OAuth and you can register a service
>> provider and use that to give a prompt to the user to authorize the desktop
>> client to communicate with the NextCloud server.
>> After the user authorizes the client, KeyCloak will issue an access token
>> which can be used on behalf of the user. NextCloud server will have to use
>> this token and get it validated from the KeyCloak server to ensure the
>> token bearer is authorized to access the NextCloud server.
>>
>> For obtaining this access token there are several grant flows in OAuth that
>> you can use. Based on the type of the client and the level of security you
>> can decide which grant flow to use.
>>
>> https://alexbilbie.com/guide-to-oauth-2-grants/ contains a good summary
>> of OAuth grant flows. I think the implicit grant flow will be most
>> appropriate in this scenario.
>>
>>
>>
>> [1] - https://scholarworks.iu.edu/dspace/bitstream/handle/2022/21092/airavata-security-escience16.pdf?sequence=1
>>
>> On Fri, May 18, 2018 at 8:55 PM, Sachin Kariyattin <sachin9...@gmail.com>
>> wrote:
>>
>>> Hi Karan,
>>>
>>> The following wiki lists the basic steps to configure keycloak with
>>> NextCloud
>>>
>>> https://github.com/sachinkariyattin/NextCloud/wiki
>>>
>>> This can get you started
>>>
>>> On Fri, May 18, 2018 at 7:57 PM, Kotabagi, Karan <kkota...@iu.edu>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>>
>>>> I am working with the following Seagrid-rich client to replace the file
>>>> upload mechanism with the next cloud instead of the SFTP.
>>>>
>>>>
>>>> I have the different nextcloud API code set-up  that uploads the file
>>>> to the Nextcloud server that is set-up locally in Ubuntu. At present the
>>>> password is hardcoded, so this should be authenticated with the help of
>>>> keycloak as discussed with Suresh.
>>>>
>>>>
>>>> I have discussed the things with Sachin and I have received some inputs
>>>> to proceed with keycloak authentication and after that I can proceed
>>>> to implement the same with the nextcloud API, after this is successful I
>>>> need to integrate nextcloud API  with the Seagrid-rich client.
>>>>
>>>>
>>>> Further steps will also include to set-up Nextcloud in the existing
>>>> file server and point the upload of the input files from the client to the
>>>> same location where the existing files are saved (This needs to be further
>>>> looked into with all the configurations).
>>>>
>>>>
>>>> Any suggestions or inputs to proceed with the keycloak authentication
>>>> mechanism to work instead of the password would be appreciated.
>>>>
>>>>
>>>> Regards
>>>>
>>>> Karan
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>>
>>> *Regards, Sachin Kariyattin *
>>>
>>
>>
>
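
The check discussed in the thread (the server receives the access token in place of a password and has KeyCloak validate it), sketched as an added example that is not code from the thread or from Airavata. The host, realm, the `files:write` scope and the sample responses are constructed; the endpoint path follows Keycloak's OpenID Connect layout and differs between versions.

```python
import base64, json, time, urllib.parse, urllib.request

# Placeholder host and realm; newer Keycloak releases drop the /auth prefix.
INTROSPECT_URL = ("https://keycloak.example.org/auth/realms/REALM"
                  "/protocol/openid-connect/token/introspect")

def introspect(token, client_id, client_secret, url=INTROSPECT_URL):
    """RFC 7662 request: the resource server authenticates itself with its
    own client credentials and asks the issuer about the presented token."""
    body = urllib.parse.urlencode({"token": token}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Authorization": "Basic " + creds})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def authorize(username, token, lookup, required_scope, now=None):
    """Accept `token`, sent as the password for `username`, only if the
    issuer says it is live, belongs to that user and carries the scope."""
    now = time.time() if now is None else now
    try:
        claims = lookup(token)
    except Exception:
        return False, "introspection failed"      # fail closed on any error
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return False, "token inactive"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or without expiry"
    if claims.get("username") != username:
        return False, "token issued to another user"
    if required_scope not in str(claims.get("scope", "")).split():
        return False, "missing scope"
    return True, "ok"

# Constructed introspection responses standing in for the KeyCloak server.
SAMPLE = {
    "tok-alice": {"active": True, "username": "alice", "exp": 2000,
                  "scope": "openid files:write"},
    "tok-read": {"active": True, "username": "alice", "exp": 2000,
                 "scope": "openid files:read"},
    "tok-old": {"active": True, "username": "alice", "exp": 500,
                "scope": "openid files:write"},
    "tok-revoked": {"active": False},
}

if __name__ == "__main__":
    for user, tok in [("alice", "tok-alice"), ("bob", "tok-alice"),
                      ("alice", "tok-read"), ("alice", "tok-old")]:
        print(user, tok, authorize(user, tok, SAMPLE.get, "files:write", now=1000))
```

Against a live server, `lookup` would be `lambda t: introspect(t, client_id, client_secret)` with the resource server's own confidential-client credentials.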
