Igniters,
Recently new authentication API was added.

I added support for it on REST, but several problems appeared:

1) "&ignite.login=login" and "&ignite.password=pwd" should be used for credentials.
Maybe we should use "&user=user" and "&password=pwd" instead?
But this will lead to conflict with new authentication API:
For example add user: http://localhost/ignite?cmd=*adduser*&*user*=sample&*password*=sample&ignite.login=ignite&ignite.password=ignite

Any ideas how to resolve this?

2) For some reason when new authentication is enabled session token returned as null
{"successStatus":0,*"sessionToken":null*,"error":null,"response":"2.5.0"}

Session token can be used instead of adding user name and password to every request.

Who can help with resolving this issue?

--
Alexey Kuznetsov

I looked into code and I think that we could do the following:
1) Use user and password for authentication.
2) Use newUser and newPassword for new authentication API (add, remove and update user).
3) Debug why sessionToken is null.

Created issues:
https://issues.apache.org/jira/browse/IGNITE-8201
https://issues.apache.org/jira/browse/IGNITE-8202

I will try to implement them in a couple of days.

--
Alexey Kuznetsov

Alexey, are you suggesting that we have "newUser" as command parameter, while "user" is also a valid command parameter?

D.

Dmitriy,
Yes, because we have a command "Add new user" and this command can be executed only with credentials of some "admin" user.

It means, that in one command you need to specify name of new user and "admin" credentials at the same time.

If you have any ideas how we can handle this - I will be glad to discuss it.

--
Alexey Kuznetsov

On Tue, Apr 10, 2018 at 12:28 AM, Alexey Kuznetsov <[hidden email]> wrote:

> Dmitriy,
>
> Yes, because we have a command "Add new user" and this command can be
> executed only with credentials of some "admin" user.
>
> It means, that in one command you need to specify name of new user and
> "admin" credentials at the same time.
>
> If you have any ideas how we can handle this - I will be glad to discuss
> it.

I am not sure if I agree with the approach you have suggested. In my view, we should have "authenticate" command, which should ask for the username and password. Once the user is authenticated and logged in, you should use the session token to perform all other commands. We should NOT be authenticating users on every command.

If you follow this approach, then the command for adding a new user should require any authentication.

Makes sense?

D.

Hi

I investigated the issue for REST authentication a bit and found the following approaches:

1. Add authenticate command providing sessions token by login and password. Any further requests will require that token.

Advantages:
- Small changes for REST requests (just add token parameter)

Disadvantages:
- New command for authentication
- We need to store user sessions on the server side and manage them (delete) if token life time reached.

2. Use HMAC (hash-based message authentication code) [1]. All requests require to provide "sign" parameter generated as sha256 for parameters string + secret key

Advantages:
- No new command for authentication

Disadvantages:
- we need to generate access + secret keys on the server side together with username and password (two additional fields for user record).
- logic to generate sign parameter on client side

[1] https://eclipsesource.com/blogs/2016/07/06/keyed-hash-message-authentication-code-in-rest-apis/

--
Sergey Kozlov
GridGain Systems
www.gridgain.com

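
Approach 2 from the message above, as an added example that is not part of the thread and not Ignite code: the client signs a canonical form of the query parameters and the server recomputes the "sign" value. The `accessKey` parameter name and the sample keys are assumptions, and the block uses HMAC-SHA256 from Python's `hmac` module rather than a bare hash of parameters plus key.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed sample key store; "accessKey" is a hypothetical parameter name.
SECRET_KEYS = {"AK-demo": b"constructed-secret-key"}


def canonical(params):
    """Sort parameters (without 'sign') so both sides sign identical bytes."""
    items = sorted((k, v) for k, v in params.items() if k != "sign")
    return urlencode(items).encode()


def sign_query(params, access_key, secret):
    """Client side: add accessKey and an HMAC-SHA256 'sign' parameter."""
    signed = dict(params, accessKey=access_key)
    signed["sign"] = hmac.new(secret, canonical(signed), hashlib.sha256).hexdigest()
    return urlencode(signed)


def verify_query(query):
    """Server side: recompute the signature and compare in constant time."""
    pairs = parse_qsl(query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):
        return False  # repeated names make the signed string ambiguous
    secret = SECRET_KEYS.get(params.get("accessKey", ""))
    sent = params.get("sign")
    if secret is None or sent is None:
        return False
    expected = hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), sent.encode())


def demo():
    """Return (valid request accepted, tampered request accepted)."""
    query = sign_query({"cmd": "adduser", "user": "sample", "password": "sample"},
                       "AK-demo", SECRET_KEYS["AK-demo"])
    tampered = query.replace("user=sample", "user=other")
    return verify_query(query), verify_query(tampered)
```

A signature alone does not stop a captured request from being replayed; that needs a signed timestamp or nonce, which this block leaves out.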
Dmitriy,

Yes, sounds reasonable to add "authenticate" command and require token for all subsequent commands.

Will update issue description.

--
Alexey Kuznetsov

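
The flow the thread settles on, as an added example that is not Ignite's implementation: an "authenticate" command is the only one that reads login credentials, and every other command carries the session token, so "user" and "password" on "adduser" refer only to the account being created. The handler, the `ADMINS` set, the token lifetime, the salt and the non-zero status value are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 1800             # assumed token lifetime in seconds
SALT = b"constructed-salt"   # a real store would keep a random salt per user


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {"ignite": _hash("ignite")}   # constructed account, named as in the thread's URL
ADMINS = {"ignite"}                   # hypothetical set of users allowed to add users
SESSIONS = {}                         # token -> (login, expiry time)


def _resp(status, token=None, error=None, response=None):
    # Field names follow the JSON quoted in the thread; status 1 is a constructed value.
    return {"successStatus": status, "sessionToken": token,
            "error": error, "response": response}


def handle(params, now=None):
    now = time.time() if now is None else now
    cmd, user, pwd = (params.get(k, "") for k in ("cmd", "user", "password"))
    if cmd == "authenticate":          # the only command that reads credentials
        if not secrets.compare_digest(USERS.get(user, b""), _hash(pwd)):
            return _resp(1, error="authentication failed")
        token = secrets.token_urlsafe(32)
        SESSIONS[token] = (user, now + TOKEN_TTL)
        return _resp(0, token=token)
    token = params.get("sessionToken", "")
    login, expires = SESSIONS.get(token, (None, 0))
    if login is None or expires <= now:
        SESSIONS.pop(token, None)      # delete the session once its lifetime is reached
        return _resp(1, error="valid sessionToken required")
    if cmd == "adduser" and login in ADMINS and user and pwd:
        USERS[user] = _hash(pwd)       # user/password describe the new account only
        return _resp(0, token=token, response="added " + user)
    return _resp(1, token=token, error="unknown or forbidden command")
```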