SDX Controller User Authentication and Ownership #298

Open
Tracked by #317
usmanazFIU opened this issue Jul 3, 2024 · 4 comments

@usmanazFIU

The SDX controller should have an authentication middleware for authenticating MEICAN users before it can access the SDX controller endpoints. Also, the SDX controller must know which user is initiating the request so it can set the ownership field in the JSON response for creating connections.

This can be done either by using JWT tokens or any other token-based authentication, or by using other authentication protocols such as BasicHTTP or OAuth mechanisms. Also, MEICAN will be storing connection requests in the MEICAN database for granting access to only those connections which were created by that specific MEICAN user, as mentioned in issue:

atlanticwave-sdx/sdx-meican#52

@YufengXin
Collaborator

@usmanazFIU To clarify and initiate the discussion:

In an earlier discussion, I recalled that the decision was for Meican to implement CILogon for user AA. How does it go? And how is it related to this SDX middleware AA, in your opinion?

Secondly, "users" and their roles need to be defined between Meican, middleware, and OXP. What is a "user" as defined in Meican? When connection requests come to the middleware without user information, how would the middleware distinguish and generate "user" information?

For middleware API security: (1) conventionally, it will be deployed by the operator behind a firmware so that only white-listed IPs can visit it; (2) conventionally, as most public clouds like Google do, we can enable an API key for API calls.

@usmanazFIU
Author

Yes @YufengXin, MEICAN is using CI Logon for authenticating users to use the MEICAN system. The same user information can be sent to an SDX middleware or authentication endpoint, which can check if the user exists within the SDX controller DB, maybe? If not, create a new user; otherwise just let the request go further. I am not sure if we should store users' information in the SDX Controller MongoDB.

Also, a "user" in MEICAN is a network operator with some predefined roles and access privileges.

@sajith
Member

sajith commented Jul 3, 2024

I too am not sure what "users" would mean for SDX Controller or SDX LC or further down the SDX layers.

A simpler design would be to make Meican the only gatekeeper/portal to the system, and then maybe have Meican and SDX Controller use a shared secret token. Or perhaps use firewall rules and/or TLS mutual authentication to ensure that only Meican can talk to SDX Controller.

@YufengXin
Collaborator

I'll go ahead to add an apikey first, w/o users definition.
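
One way the API-key approach discussed in this thread could look, as an added example that is not part of the issue or of the SDX project's code: the key identifies the calling client, and the `ownership` field is set from that identity instead of from the request body. The `X-API-Key` header name, the `meican-portal` client name and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the server keeps only SHA-256 digests of issued
# keys, mapped to the client each key was issued to ("meican-portal" is made up).
DEMO_KEY = secrets.token_urlsafe(32)  # high-entropy key generated at issue time
KEY_DIGESTS = {hashlib.sha256(DEMO_KEY.encode()).hexdigest(): "meican-portal"}


class AuthError(Exception):
    """Raised when a request carries no valid API key (would map to HTTP 401)."""


def authenticate(headers: dict) -> str:
    """Return the client name bound to the presented key, or raise AuthError."""
    # Header name "X-API-Key" is an assumption, not taken from the issue.
    presented = {k.lower(): v for k, v in headers.items()}.get("x-api-key", "")
    digest = hashlib.sha256(presented.encode()).hexdigest()
    owner = None
    # Check every stored digest with a constant-time comparison so response
    # timing does not depend on how much of a digest matched.
    for stored, client in KEY_DIGESTS.items():
        if hmac.compare_digest(stored, digest):
            owner = client
    if owner is None:
        raise AuthError("missing or invalid API key")
    return owner


def create_connection(headers: dict, body: dict) -> dict:
    """Handle a connection request; ownership comes from the key, not the body."""
    owner = authenticate(headers)
    # Drop any client-supplied owner before echoing the request fields back.
    response = {k: v for k, v in body.items() if k != "ownership"}
    response["ownership"] = owner
    return response
```

With a single key issued to MEICAN, ownership resolves to the portal as a whole; distinguishing individual MEICAN users would need their identity carried in a verified token, such as the JWT option named in the first comment.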
