Hi Simon,

Please find the inline comments.

On Wed, Sep 30, 2015 at 3:02 AM, Simon Twigger <[email protected]> wrote:

> Hi Nipun,
>
> Thanks for the explanation, I'm recapping it here to make sure I understand:
>
> When I set up a development instance of the PGA using that config file, any new user accounts are being created on the dev admin group on idp.scigap.org, as specified by the gw56.iu.xsede.org in the airavata-server config setting. (Does this mean that if I changed this to gw77 then it would use authentication set up for the production portal?)

1. Each PGA instance is supposed to use a different tenant in the Identity Server. Tenants work in isolation. testdrive and master.airavata are two tenants and do not allow cross-authentication for users in each tenant. But it is completely possible to reuse the same tenant by many PGA instances.

2. The current PGA-Airavata security model has authentication and authorization aspects. Authentication is done from the PGA side, and for that you have to set the required properties in the pga_config file. The default config file is using the master.airavata tenant and the corresponding credentials. Authentication can be done via two methods, basic and OAuth (we use the request code grant type). If you want to use OAuth then you need to register an OAuth service provider. The default configuration is set such that the redirection URL is localhost/..., so it won't work with your deployment. To get your deployment to work with OAuth we need to register a new service provider in IS with your redirection URL and put that value in pga_config, including the new provider-id and key. And also, if you are using OAuth-based login, in the login screen you need to append your user name with '@' + tenant id (e.g. [email protected]).

3. Authorization is done at the Airavata side and it is optional. Only if you enable security checks in the airavata-server.properties file will it validate authorization by checking in IS. For this to work you should configure the same IS tenant information that you set in PGA in Airavata as well. And the authentication model has to be OAuth to use this feature (basic won't work). Currently in both the gw56 and gw77 Airavata instances authorization is disabled, so the IS configuration settings are not actually used.

> Also, does this mean that with that config file, if I use the [email protected] username and appropriate password then it should grant me admin privileges to my local PGA installation? Does it also use the 'gateway-id' (set to 'default' currently) to match the authentication to a specific PGA installation?

The gateway-id in pga_config should match the gateway id in the airavata-server.properties file.

> It's unclear to me what role the callback URL (the 'oauth-callback-url' parameter?) plays in the basic authentication scheme - I can understand if we were using OAuth but does this play a role in the basic scheme too?

You are right. It is used only when OAuth is used.

> With all that said, my current situation is that while I can log in with usernames that I have created myself, I cannot log in using the admin username/password provided. I have changed the callback URL to one that is appropriate to my installation and this doesn't have any effect that I can see.

I suggest you set the authentication model to "basic" and master:master as username and password to login as admin.

> When I am logged in as one of my created users I can't see any menus (projects, experiments, etc), perhaps because their initial user role ('airavata-user'?) is preventing them from being recognized as an 'authorized-user' and hence CommonUtilities.php doesn't show the menus. I can't login as an Admin to really check or change these settings to see if I'm correct.

You can always change the default authorized-user role from pga_config. Currently it is set to "airavata-user". If you change it to "Internal/everyone" then every user will have authorized access to menus.

> For now if I could get the admin login to work that would give me some more options to explore and change some settings, however, I'm not really sure what to try next to make that work.

If you find any further difficulties getting this to work please let us know.

> Simon.
>
>> On Sep 29, 2015, at 2:15 PM, Nipurn Doshi <[email protected]> wrote:
>>
>> Hi Simon,
>>
>> All accounts are created at idp.scigap.org, although they are created under different admin groups as testdrive.airavata.org is the production portal gw77 and the other accounts that you created are on dev (gw56 as is on the pga_config I sent).
>>
>> To answer your other question, the default PGA install doesn't expect any particular URL and should work as long as the callback URL is set correctly.
>>
>> Let me know if you have further questions.

-- 
Thank you
Supun Nakandala
Dept. Computer Science and Engineering
University of Moratuwa
