Improving Opencast's support for users, groups, roles, ACLs (access control lists) and user and role providers (for Opencast 2.4).

1. Users, groups, roles, ACLs and providers:
integrating Opencast with external systems
Stephen Marquard, Centre for Innovation in Learning and Teaching, UCT
stephen.marquard@uct.ac.za | twitter: stephenmarquard

2. ||
 Who are you?
 Authentication: create a session.
 What authorizations do you have?
 List of roles
 What actions are visible to you in the Admin UI?
 ROLE_UI_ roles
 What events and series are visible to you?
 Index (Search, Admin UI, External API): ACL matching
 What CRUD actions can you take through REST endpoints?
 mh_security_org URL configuration, role / URL path / HTTP method matching
https://docs.opencast.org/develop/admin/configuration/security/
02/03/2017 2
Opencast authentication and authorization

3. ||
 A username (belongs to an organization), method of authentication, set of
roles
 System users (admin, opencast_system_account) are configured in
etc/custom.properties, have plain-text passwords, and thus digest authentication
can be used (server-to-server, CA-to-server).
 All users are authenticated by Spring Security (etc/security/mh_default_org.xml)
 LTI is a type of authentication which does not involve a password: the Opencast
LTI producer trusts the credentials from the LTI Consumer (e.g. LMS)
02/03/2017 3
What is a user?

4. ||
No authentication required:
Anonymous
Password-based:
Digest (plain-text password in custom.properties)
Database (hashed password in mh_user)
LDAP (password verified against external service)
Trust-based:
Web single-sign-on (CAS, Shibboleth)
LTI (OAuth)
02/03/2017 4
Common authentication types

5. ||
1. The login handler (for example LtiLaunchAuthenticationHandler) provides some
roles related to the type of login. These are Spring Security roles
(GrantedAuthority). Examples
 ROLE_ANONYMOUS (no authentication)
 ROLE_ADMIN (system users)
 ROLE_OAUTH_USER (LTI)
2. The Opencast UserAndRoleDirectoryService enriches the user’s set of roles by
consulting the set of running UserProviders and RoleProviders.
02/03/2017 5
How do users get roles?

6. ||
 A group has a title, description, a group role (ROLE_GROUP_TITLE),
a set of members, and a set of roles.
 If a user is a member of a group, the user is granted all of the roles defined for
the group.
02/03/2017 6
What is a group?

7. ||
 User dialog
 External Roles tab (roles given to this user which are identified as external roles)
 Effective Roles tab (all the users roles: internal, group roles and external roles)
 Giving a user the group role makes the user a member of the group (and the
inverse)
 Group membership can be granted by an external RoleProvider (by giving the
user the group role)
 Fixed some cache invalidation issues
(changes to group membership show up immediately in the user’s details)
 UserAndRoleDirectoryService cache is configurable (MH-12034)
02/03/2017 7
User and group improvements (MH-12016 / Opencast 2.4)

8. ||
 Goals:
 avoid saving user roles that aren’t under Opencast’s control.
 allow users to enter external roles in the Admin UI
 don’t present roles in the Admin UI which aren’t relevant in that context
 Concept of Role Types and Role Targets introduced
 Only internal roles are saved in the Opencast database
 You can enter a role name or partial role name in the Admin UI, and Opencast
will consult all the RoleProviders to find matching roles (e.g. for external LMS
roles)
 User roles can be added to ACLs for any valid user (ROLE_USER_ID)
02/03/2017 8
Role and ACL improvements (MH-12016 / Opencast 2.4)

9. || 02/03/2017 9

10. ||
Implements org.opencastproject.security.api.UserProvider (one of many)
String getName();
Iterator<User> getUsers();
User loadUser(String userName);
long countUsers();
String getOrganization();
Iterator<User> findUsers(String query, int offset, int limit);
void invalidate(String userName);
Provide information about the user and a set of roles.
Locate users matching a query.
Not necessary to return all users, or a count of all users.
02/03/2017 10
What can a User Provider do?

11. ||
System providers:
 InMemoryUserAndRoleProvider (custom.properties admin user and digest user)
 JpaUserAndRoleProvider (mh_user / mh_user_role)
 JpaUserReferenceProvider (mh_user_ref / mh_user_ref_role)
External providers:
 LDAP User Provider
 Sakai User Provider
02/03/2017 11
User Provider examples

12. ||
Implements org.opencastproject.security.api.RoleProvider (one of many).
Iterator<Role> getRoles();
List<Role> getRolesForUser(String userName);
String getOrganization();
Iterator<Role> findRoles(String query, int offset, int limit);
 Is the RoleProvider returning roles for all organizations, or a specific organization?
 List all the roles for this organization (optional)
 Get a list of roles for a user
 Get a list of roles that match a query
The list of roles available for selection in the Admin UI is the set of roles returned by findRoles() from all
providers. Not necessary to return all roles, or a count of all roles.
02/03/2017 12
What can a Role Provider do?

13. ||
System role providers:
 InMemoryUserAndRoleProvider (ROLE_ADMIN, …)
 OrganizationRoleProvider (per-tenant admin role)
 UserIdRoleProvider (ROLE_USER_*)
 JpaGroupRoleProvider (ROLE_GROUP_*)
 JpaUserAndRoleProvider
 UIRolesRoleProvider (ROLE_UI_*)
 ExternalApiRoleProvider (ROLE_API_*)
Custom roles:
 CustomRoleProvider (MH-12056)
External role providers:
 Sakai User Provider (MH-10871)
02/03/2017 13
Role Provider Examples

14. ||
Don’t have too many internal users, too many groups, or too many users in a
group!
 Performance issues with very large groups MH-12025
 Performance issues with a large number of internal users MH-12026
02/03/2017 14
Performance of the Admin UI

15. ||
 Add a Groups tab on the Add/Edit User dialog (MH-12068)
 Improve usability of ACL Editor for Event and Series MH-12021
 Make things simpler for adopters who don’t have a User Provider:
 Persist LTI users (in mh_user_ref) MH-8955
 Add regexp validation of custom roles to the CustomRoleProvider MH-12056
 Optionally persist roles when they’re noticed by the LTI launch handler
(so they’re visible in the Admin UI)
02/03/2017 15
To Do