[
https://issues.apache.org/jira/browse/AIRAVATA-2839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16524381#comment-16524381
]
Marcus Christie commented on AIRAVATA-2839:
-------------------------------------------
Relates to AIRAVATA-2840. If we
# Apply group-based auth to credential store tokens
# and require that GroupResourceProfiles specify a credential store token
then we don't really need this validation. The root problem here is that
currently, as implemented, a user can reuse username and credentials and create
a profile that can log in as the same user as another profile. Applying
authorization to credential store tokens and requiring them on
GroupResourceProfiles will fix that.

If we go with that approach we can change this validation to check that a
credential store token is specified on a GroupComputeResourcePreference.

> GroupResourceProfile: require unique login username or unique allocation
> number
> -------------------------------------------------------------------------------
>
> Key: AIRAVATA-2839
> URL: https://issues.apache.org/jira/browse/AIRAVATA-2839
> Project: Airavata
> Issue Type: Story
> Reporter: Marcus Christie
> Assignee: Marcus Christie
> Priority: Major
>
> The GatewayResourceProfile has ComputeResourcePreferences that are now used
> to specify default values for compute resources, but a GroupResourceProfile's
> GroupComputeResourcePreferences should be used for the actual
> authentication/allocation charged for the job.
> This means that a GroupResourceProfile's GroupComputeResourcePreference
> should either specify:
> * a different loginUserName
> * or an allocationProjectNumber
> from the corresponding ComputeResourcePreference in the
> GatewayResourceProfile. This way a GroupResourceProfile can't accidentally
> use the account specified in a GatewayResourceProfile
> ComputeResourcePreference.
> The main use case for this is that a gateway admin can create a
> ComputeResourcePreference with a loginUserName and credential store token
> that handles logging in to the compute resource and then a user can create a
> GroupComputeResourcePreference that essentially only needs to specify an
> allocation number (well, and the user would need to authorize that
> loginUserName to be able to use the allocation, depending on the compute
> resource's policy).