Re: [SHOW] Authentication refactoring

[Min Chen]

Hi Rohit,
        My understanding is that you will do this on your feature branch
"auth-refactor", then merge them after passing at least some CI automation
tests. Today, I saw all these commits already in master:

10 hours ago    Rohit Yadav     DefaultLoginAPIAuthenticatorCmd: return userId
as UUID         commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     utils: fix pom.xml to have references for
javax.servlet...        commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     ApiServer: take UTF_8 and other static vars from
HttpUtils       commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     ApiServlet: use HttpUtils instead of class
specific...     commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     ApiResponseSerializer: Use HttpUtils instead of
BaseCmd         commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     BaseCmd: Use HttpUtils to have single source of
static...       commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     utils: refactor HTTP transport stuff to
HttpUtils       commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     ApiServletTest: Fix test, now login/logout have
their...        commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     APIAuthenticator: refactor signature of
APIAuthenticato...      commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     ApiServlet: move setting of response type up in
the...  commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     ApiXmlDocWriter: get rid of hardcoded
login/logout...         commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     ApiServlet: use the new and refactored
authentication...       commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     ApiXmlDocWriter: remove hardcoded login and
logout...       commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     ApiResponseSerializer: Skip extra boxing for
Auth responses  commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     response: add command response for login and
logout...       commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     APIAuthenticationManagerImpl: add the auth
manager...      commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     DefaultLoginAPIAuthenticatorCmd: Refactor and
implement...    commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     DefaultLogoutAPIAuthenticatorCmd: Refactor and
implemen...     commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     APIAuthenticationManager: Add Auth manager
definition      commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     APIAuthenticationType: Add auth enum type, login
or...   commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     APIAuthenticator: Add interface definition for
the...  commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     saml2: add opensaml as dependency       commit |
commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     commands.properties: add
login,logout,samlsso,samlslo...         commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     ApiErrorCode: Add API error code 401, 405
        commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     ApiConstants: add Api constant registered
        commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     saml2: add spring security saml2 extension
1.0.0.RELEASE   commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     client: add saml2 plugin dependency on client
artifact        commit | commitdiff | tree | snapshot
10 hours ago    Rohit Yadav     CLOUDSTACK-7083: Add SAML2 SSO plugin skeleton
and...  commit | commitdiff | tree | snapshot


        Are these commits related to the refactor you are talking about here? 
Why
are they not going through some merge request?

        Thanks  
        -min

On 8/12/14 2:10 AM, "Rohit Yadav" <rohit.ya...@shapeblue.com> wrote:

>This was done:
>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Authentication+Refa
>ctoring
>
>This is the branch:
>https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=shortlog;h=refs
>/heads/auth-refactor
>
>Updates:
>- Every auth mechanism now implements as a APICommand but these are
>special APIs are not allowed to execute, i.e. the execute() method
>returns with an error
>- Existing tests were fixed
>- We no longer need to hardcode login/logout for doc generation etc.
>- Api discovery now has login/logout docs etc as well
>- Since these APIs are tightly coupled with cloud-server artifact, except
>for responses all the interface definitions etc are within cloud-server
>- This allows for implementation of other login mechanisms such as saml,
>oauth, something-custom etc. though implementing it as a plugin is still
>tricky now
>
>I¹ve tested UI and cloudmonkey on port 8080 and 8096, with apikey/secret
>keys but would welcome help around this area from anyone. I¹ll merge the
>branch later this week if no one objects.
>
>Cheers.
>
>On 12-Aug-2014, at 5:50 am, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
>
>> Hi,
>>
>> The way we handle login and logout is hardcoded and since there is no
>>APICommand/BaseCmd implementation the apidoc, apidiscovery and other
>>don¹t discover these apis. For supporting SAML as an authentication
>>mechanism, I¹ve refactored the Auth mechanism as a pluggable service
>>that loads with api-server artifact and both login and logout are now
>>implemented as a pseduo BaseCmd classes.
>>
>> I call them pseudo because their execute() is never called, the
>>authentication guards in ApiServlet class make sure we call an
>>authenticate method of such classes. Since, they are tightly coupled
>>with cloud-server¹s ApiServlet it only made sense to have the interface
>>definition and implementation within the same package/artifact as well.
>>This also solves the apidoc issue for login/logout and saml related auth
>>apis.
>>
>> I¹ll merge them after sometime and continue working on saml stuff. Will
>>push the code in the branch ³auth-refactor² in an hour for
>>review/testing now. This does not break anything and should not cause
>>any auth related issues for all existing clients.
>>
>> Any suggestions, feedback welcome! Refactoring was pretty straight
>>forward but I¹ll make sure to write a wiki page on this before merging
>>to master.
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +41 779015219 | rohit.ya...@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related
>>services
>>
>> IaaS Cloud Design &
>>Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge ­ rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure
>>Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training
>>Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are
>>intended solely for the use of the individual to whom it is addressed.
>>Any views or opinions expressed are solely those of the author and do
>>not necessarily represent those of Shape Blue Ltd or related companies.
>>If you are not the intended recipient of this email, you must neither
>>take any action based upon its contents, nor copy or show it to anyone.
>>Please contact the sender if you believe you have received this email in
>>error. Shape Blue Ltd is a company incorporated in England & Wales.
>>ShapeBlue Services India LLP is a company incorporated in India and is
>>operated under license from Shape Blue Ltd. Shape Blue Brasil
>>Consultoria Ltda is a company incorporated in Brasil and is operated
>>under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
>>registered by The Republic of South Africa and is traded under license
>>from Shape Blue Ltd. ShapeBlue is a registered trademark.
>
>Regards,
>Rohit Yadav
>Software Architect, ShapeBlue
>M. +41 779015219 | rohit.ya...@shapeblue.com
>Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>
>Find out more about ShapeBlue and our range of CloudStack related services
>
>IaaS Cloud Design &
>Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>CSForge ­ rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>CloudStack Infrastructure
>Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>CloudStack Bootcamp Training
>Courses<http://shapeblue.com/cloudstack-training/>
>
>This email and any attachments to it may be confidential and are intended
>solely for the use of the individual to whom it is addressed. Any views
>or opinions expressed are solely those of the author and do not
>necessarily represent those of Shape Blue Ltd or related companies. If
>you are not the intended recipient of this email, you must neither take
>any action based upon its contents, nor copy or show it to anyone. Please
>contact the sender if you believe you have received this email in error.
>Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
>Services India LLP is a company incorporated in India and is operated
>under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is
>a company incorporated in Brasil and is operated under license from Shape
>Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
>South Africa and is traded under license from Shape Blue Ltd. ShapeBlue
>is a registered trademark.