Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Manage API authentication #4

Open
northox opened this issue Mar 11, 2017 · 6 comments
Open

Manage API authentication #4

northox opened this issue Mar 11, 2017 · 6 comments

Comments

@northox
Copy link
Member

northox commented Mar 11, 2017

Provide the capability to control who can access the API - authentication.

Constraint: The design of this functionality needs to take into consideration the future need to extend the model toward a more elaborated type of Access Control where we can actually control who can access what (which part of the API, under which constraints) - authorization.

@jmettraux
Copy link
Member

jmettraux commented Mar 11, 2017

Hello,

since flack is a Rack "app" (something that responds to call(env), for the app where I am using flor+flack I did it this way in the configu.ru:

# (...)
#
# top Sinatra configuration then...

require 'flack'
require 'sg/flor_logger'

class ManageFlowCheck

  def initialize(app); @app = app; end

  def call(env)

    s = env['rack.session']
    u = s && SilverGoose::Auth.user(s[:user_id]) rescue nil
      # fetch user from host application auth service

    if u && u.may?(:manage_flows)
      # the user has the right to manage flows, let her/him pass
      @app.call(env)
    elsif u
      # prevent access to valid user
      [ 403, {}, [ 'Forbidden' ] ]
    else
      # prevent access, not logged in, 404 would be better maybe
      [ 401, {}, [ 'Unauthorized' ] ]
    end
  end
end

map '/flack' do

  use ManageFlowCheck

  run Flack::App.new('flor/', start: false)
    # only start flor when auth credentials are available...
end

run Sinatra::Application

My goal showing that is not to solve this issue, it's rather to remind us that Rack allows for deceptively simple solutions, those horses can let us ride far, provided we remember they're in the stable.

@jmettraux
Copy link
Member

jmettraux commented Mar 11, 2017

authentication

We should look at what's on the Rack market, maybe https://www.google.co.jp/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=ruby+rack+authentication+middleware&*

authorization

Maybe there is a Rack middleware out there to help us, but we should probably start with enumerating what can be done with flack:

  • POST a message to flack /message
    • a launch message
    • a cancel message
    • a tasker reply message
  • GET a list of executions /executions
  • GET a particular executions /executions/:exid

For now that's all there is to it.

Updated with point from #1

@jmettraux
Copy link
Member

@northox question, are we in sync if I say that you want to use flack(+flor) as a standalone service? Whereas I'm thinking of using it as some kind of admin nested in a flor-using application?

I want to distinguish the two use cases, they can gain from each other, but we need to not confuse them.

This was referenced Mar 11, 2017
@northox
Copy link
Member Author

northox commented Mar 11, 2017

Yes, exactly.

Absolutely. The separation has to be VERY clear. That's what I was saying in #5:

What I have in mind is to use Flack's API itself so it would be composed of two parts;

  1. to manage workflows (e.g. create,list) and;
  2. to act as a RESTful tasker - i.e. the Flack Tasker

The first part being your admin nested in a flor-using application and the second being the standalone service.

@northox
Copy link
Member Author

northox commented Mar 12, 2017

Your authentication implementation proposal seems to make sense but I think we should assign it to a far-away milestone or on-hold label as it's not a priority - at least for me. The whole point of have it here is for other users to do +1 if this is something they need.

@jmettraux
Copy link
Member

OK. let's welcome +1s and comments.

@northox northox added this to the backlog +1 driven milestone Mar 12, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants