Download to read offline
Opencast Valencia 2017: Users, groups, roles, ACLs and providers
- 1. Users, groups, roles,ACLs and providers: integrating Opencast with external systems Stephen Marquard, Centre for Innovation in Learning and Teaching, UCT stephen.marquard@uct.ac.za | twitter: stephenmarquard
- 2. || Who areyou? Authentication: create a session. What authorizations do you have? List of roles What actions are visible to you in the Admin UI? ROLE_UI_ roles What events and series are visible to you? Index (Search, Admin UI, External API): ACL matching What CRUD actions can you take through REST endpoints? mh_security_org URL configuration, role / URL path / HTTP method matching https://docs.opencast.org/develop/admin/configuration/security/ 02/03/2017 2 Opencast authentication and authorization
- 3. || A username(belongs to an organization), method of authentication, set of roles System users (admin, opencast_system_account) are configured in etc/custom.properties, have plain-text passwords, and thus digest authentication can be used (server-to-server, CA-to-server). All users are authenticated by Spring Security (etc/security/mh_default_org.xml) LTI is a type of authentication which does not involve a password: the Opencast LTI producer trusts the credentials from the LTI Consumer (e.g. LMS) 02/03/2017 3 What is a user?
- 4. || No authentication required: Anonymous Password-based: Digest(plain-text password in custom.properties) Database (hashed password in mh_user) LDAP (password verified against external service) Trust-based: Web single-sign-on (CAS, Shibboleth) LTI (OAuth) 02/03/2017 4 Common authentication types
- 5. || 1. The loginhandler (for example LtiLaunchAuthenticationHandler) provides some roles related to the type of login. These are Spring Security roles (GrantedAuthority). Examples ROLE_ANONYMOUS (no authentication) ROLE_ADMIN (system users) ROLE_OAUTH_USER (LTI) 2. The Opencast UserAndRoleDirectoryService enriches the user’s set of roles by consulting the set of running UserProviders and RoleProviders. 02/03/2017 5 How do users get roles?
- 6. || A grouphas a title, description, a group role (ROLE_GROUP_TITLE), a set of members, and a set of roles. If a user is a member of a group, the user is granted all of the roles defined for the group. 02/03/2017 6 What is a group?
- 7. || User dialog External Roles tab (roles given to this user which are identified as external roles) Effective Roles tab (all the users roles: internal, group roles and external roles) Giving a user the group role makes the user a member of the group (and the inverse) Group membership can be granted by an external RoleProvider (by giving the user the group role) Fixed some cache invalidation issues (changes to group membership show up immediately in the user’s details) UserAndRoleDirectoryService cache is configurable (MH-12034) 02/03/2017 7 User and group improvements (MH-12016 / Opencast 2.4)
- 8. || Goals: avoidsaving user roles that aren’t under Opencast’s control. allow users to enter external roles in the Admin UI don’t present roles in the Admin UI which aren’t relevant in that context Concept of Role Types and Role Targets introduced Only internal roles are saved in the Opencast database You can enter a role name or partial role name in the Admin UI, and Opencast will consult all the RoleProviders to find matching roles (e.g. for external LMS roles) User roles can be added to ACLs for any valid user (ROLE_USER_ID) 02/03/2017 8 Role and ACL improvements (MH-12016 / Opencast 2.4)
- 9.
- 10. || Implements org.opencastproject.security.api.UserProvider (oneof many) String getName(); Iterator<User> getUsers(); User loadUser(String userName); long countUsers(); String getOrganization(); Iterator<User> findUsers(String query, int offset, int limit); void invalidate(String userName); Provide information about the user and a set of roles. Locate users matching a query. Not necessary to return all users, or a count of all users. 02/03/2017 10 What can a User Provider do?
- 11. || System providers: InMemoryUserAndRoleProvider(custom.properties admin user and digest user) JpaUserAndRoleProvider (mh_user / mh_user_role) JpaUserReferenceProvider (mh_user_ref / mh_user_ref_role) External providers: LDAP User Provider Sakai User Provider 02/03/2017 11 User Provider examples
- 12. || Implements org.opencastproject.security.api.RoleProvider (oneof many). Iterator<Role> getRoles(); List<Role> getRolesForUser(String userName); String getOrganization(); Iterator<Role> findRoles(String query, int offset, int limit); Is the RoleProvider returning roles for all organizations, or a specific organization? List all the roles for this organization (optional) Get a list of roles for a user Get a list of roles that match a query The list of roles available for selection in the Admin UI is the set of roles returned by findRoles() from all providers. Not necessary to return all roles, or a count of all roles. 02/03/2017 12 What can a Role Provider do?
- 13. || System role providers: InMemoryUserAndRoleProvider (ROLE_ADMIN, …) OrganizationRoleProvider (per-tenant admin role) UserIdRoleProvider (ROLE_USER_*) JpaGroupRoleProvider (ROLE_GROUP_*) JpaUserAndRoleProvider UIRolesRoleProvider (ROLE_UI_*) ExternalApiRoleProvider (ROLE_API_*) Custom roles: CustomRoleProvider (MH-12056) External role providers: Sakai User Provider (MH-10871) 02/03/2017 13 Role Provider Examples
- 14. || Don’t have toomany internal users, too many groups, or too many users in a group! Performance issues with very large groups MH-12025 Performance issues with a large number of internal users MH-12026 02/03/2017 14 Performance of the Admin UI
- 15. || Add aGroups tab on the Add/Edit User dialog (MH-12068) Improve usability of ACL Editor for Event and Series MH-12021 Make things simpler for adopters who don’t have a User Provider: Persist LTI users (in mh_user_ref) MH-8955 Add regexp validation of custom roles to the CustomRoleProvider MH-12056 Optionally persist roles when they’re noticed by the LTI launch handler (so they’re visible in the Admin UI) 02/03/2017 15 To Do