Authentication, and fine-grained authorization #1901
Comments
|
Some ideas discussed:
|
|
It seems we need to be able to work with standard site "identity management" systems. Primary use case: production suites under role accounts that need to handle restricted access from multiple operators, and unrestricted access from expert support people. Hopefully a generic interface in cylc, with simple plugins for external interaction. Defaulting to something very simple that does not complicate life for "normal" users. More to come on this... |
|
Current thinking on this: In the web GUI era we need a "reverse proxy server" as a gateway between the in-browser GUI and the suite server programs. Authentication can probably (hopefully?) be done at the proxy server - rather than at the suites as now - by calling out (via some off-the-shelf plugin, perhaps) to site identity management. Then an SSL Client Certificate held by the proxy server will allow suite server programs to simply trust all communications from the proxy. |
|
(Note comment above is now outdated). Now: call-out to authenticate at the Hub (co-opting JupyterHub for this). Then Hub-UIServer trust is by token, not SSL Client Cert. |
Definitely better this way. |
|
This can be closed as superseded, as soon as I find the superseding issues (which may still be coming into existence). |
hjoliver
changed the title
|
In Cylc 8 authorization will be handled by the new UI Server component. Closing this as superseded by cylc/cylc-uiserver#10 |
Supersedes #1475 and #1520.
Choose and use existing web-based authentication technologies;
depends on #1872.See also #526.
(EDIT Bruno): see also discussion in cylc-web and in cylc-jupyterhub
The text was updated successfully, but these errors were encountered: