On Sat, 04 Sep 2010 18:32:30 +0200, Zygmunt Krynicki zygmunt.krynicki@linaro.org wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello guys.
I'd like to ask for your advice in for implementing authentication mechanism for the XML-RPC interface to the dashboard. I believe this problem has two aspects: user needs and client program needs. I was about to implement HTTP Digest authentication that will authorize the user against the Django user database. James pointed out that we should discuss this topic more. I'd like to know what you think.
What users need to have.
I think that for our internal use cases a best option would be launchpad integration. We don't mind using launchpad, we already have accounts there.
That works for now, yes. That's a distinct question from the auth mechanism of the API though. We can use openid for users to authenticate themselves via LP, or any openid provider as we like. We can then choose an authentication mechanism basically independent of that for the API.
We could use oauth for authentication. I'm not an expect on oauth so I'm not sure what kind of impact it has on the API itself, if any (do we need to pass some special argument to each call?). I suspect it has a negotiation phase where the client and oauth provider exchange some messages after which the client can authenticate by providing some extra header in each request. In any way that's one option.
That's correct. There are no changes to the API needed.
The main difference to digest is that you don't give your password to the app, you give it a token that stands in for your password, but can be revoked independently of your password. There are other ways to do that than oauth.
For a centralized installation this would be pretty good. For ad-hoc installations it could be difficult to setup but I'm just guessing here.
Other options are (off the top of my head):
- Basic/Digest HTTP authentication. Digest is pretty good (or so
wikipedia tells me) and has a very nice property of not requiring any changes to the API. User identity is provided as out-of-band HTTP header.
- Custom authentication via special XML-RPC methods and some
user/pass/token/whatever arguments. This is IMHO pretty ugly as it affects the interface. The upside is that we can build any authentication options we like.
No, let's not do this.
- No authentication at all. All XML-RPC interfaces are public and anyone
may call them. Surprisingly this is not such a bad option. Since all request would be anonymous all the users would be allowed to do is upload data to public "directories". All other interaction would have to be performed via the website or the administration panel.
What clients need to implement.
So this is about everyone who has to interact with the API, currently that's just dashboard itself (we have a command-line client that can use each exposed method) and of course abrek. While I don't mind changing the API or security method to make it better we need to consider that each client will have to adapt as well. Worse, if one client has to interact with two servers it may be required to discover/negotiate supported authentication before we can even connect.
That's not such a big issue in my eyes. launch-control should just have one method, at least for now.
What's missing before we can sensibly discuss this is a discussion of how we would like the user interaction to work.
Do we want to support setting up clients without a connection to the server? I don't see why as if you have no connection you can't submit results, except if:
Do we want to use the authentication token to identify a user + machine combination?
Do we want users to be able to revoke access for certain tokens (and hence clients) without revoking them all?
Basically, we need to be able to complete this paragraph as a minimum.
A new developer joins linaro and is shipped a board that they wish to submit test results for. To do this they "apt-get install abrek" and then...
Thanks,
James