Hi,

I investigated the REST authentication issue a bit and found the following approaches:

1. Add an "authenticate" command that provides a session token for a login and password. Any further requests will require that token.
   Advantages:
   - Small changes for REST requests (just add a token parameter)
   Disadvantages:
   - New command for authentication
   - We need to store user sessions on the server side and manage them (delete) when the token lifetime is reached.

2. Use HMAC (hash-based message authentication code) [1]. All requests require a "sign" parameter generated as SHA-256 of the parameters string + secret key.
   Advantages:
   - No new command for authentication
   Disadvantages:
   - We need to generate access + secret keys on the server side together with username and password (two additional fields for the user record).
   - Logic to generate the sign parameter on the client side

1. https://eclipsesource.com/blogs/2016/07/06/keyed-hash-message-authentication-code-in-rest-apis/

On Tue, Apr 10, 2018 at 10:43 AM, Dmitriy Setrakyan <dsetrak...@apache.org> wrote:

> On Tue, Apr 10, 2018 at 12:28 AM, Alexey Kuznetsov <akuznet...@apache.org>
> wrote:
>
> > Dmitriy,
> >
> > Yes, because we have a command "Add new user" and this command can be
> > executed only with credentials of some "admin" user.
> >
> > It means that in one command you need to specify the name of the new user and
> > "admin" credentials at the same time?
> >
> > If you have any ideas how we can handle this - I will be glad to discuss
> > it.
> >
>
> I am not sure if I agree with the approach you have suggested. In my view,
> we should have an "authenticate" command, which should ask for the username
> and password. Once the user is authenticated and logged in, you should use
> the session token to perform all other commands. We should NOT be
> authenticating users on every command.
>
> If you follow this approach, then the command for adding a new user should
> require any authentication.
>
> Makes sense?
>
> D.
>

--
Sergey Kozlov
GridGain Systems
www.gridgain.com
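The second approach in the message above (a per-request "sign" parameter computed from the request parameters and a per-user secret key, as in reference [1]), worked through as an added example. This is illustrative code written for this thread, not Apache Ignite's or GridGain's REST implementation. It assumes a canonical form of the parameters (sorted by name, URL-encoded, with "sign" itself excluded), an "accessKey" parameter that lets the server look up the user's secret, and a "timestamp" parameter bounded by an assumed 300-second window so a captured request cannot be replayed indefinitely. The MAC is a proper keyed HMAC-SHA256 rather than a bare SHA-256 over "parameters + secret", because the plain hash of a concatenation is open to length-extension forgery; the user store and the key values are constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed in-memory user store: accessKey -> secret key.
# The thread only says the server would keep "access + secret keys" per user
# record; the names and values here are assumptions for the example.
USERS = {
    "AKIAEXAMPLE": "constructed-secret-key-do-not-reuse",
}

# Assumed replay window: a signed request older (or newer) than this is rejected.
CLOCK_SKEW_SECONDS = 300


def canonical_string(params):
    """Sort parameters by name and URL-encode them so client and server
    sign exactly the same bytes regardless of the order they were sent in.
    The 'sign' parameter itself is excluded from what is signed."""
    items = sorted((k, str(v)) for k, v in params.items() if k != "sign")
    return urlencode(items)


def compute_sign(params, secret_key):
    """HMAC-SHA256 over the canonical parameter string, hex-encoded."""
    mac = hmac.new(secret_key.encode("utf-8"),
                   canonical_string(params).encode("utf-8"),
                   hashlib.sha256)
    return mac.hexdigest()


def sign_request(params, secret_key):
    """Client side: return a copy of the parameters with the 'sign' field added.
    The caller is expected to have put 'accessKey' and 'timestamp' in params."""
    signed = dict(params)
    signed["sign"] = compute_sign(params, secret_key)
    return signed


def verify_request(params, users=USERS, now=None, skew=CLOCK_SKEW_SECONDS):
    """Server side: look up the secret by accessKey, reject stale timestamps,
    recompute the HMAC and compare it in constant time. Returns True only
    when every check passes; every failure path returns False."""
    now = time.time() if now is None else now

    secret = users.get(params.get("accessKey"))
    if secret is None:
        return False  # unknown access key; do not leak which part failed

    try:
        timestamp = int(params.get("timestamp", ""))
    except (TypeError, ValueError):
        return False
    if abs(now - timestamp) > skew:
        return False  # outside the replay window

    expected = compute_sign(params, secret)
    provided = str(params.get("sign", ""))
    # compare_digest avoids timing leaks that a plain == comparison would give
    return hmac.compare_digest(expected.encode("utf-8"), provided.encode("utf-8"))


if __name__ == "__main__":
    # Constructed request: a REST 'version' command issued at a fixed time.
    issued_at = 1523354400
    request = {"cmd": "version", "accessKey": "AKIAEXAMPLE", "timestamp": issued_at}
    signed = sign_request(request, USERS["AKIAEXAMPLE"])
    print("signed:", signed)
    print("valid:", verify_request(signed, now=issued_at + 10))
    tampered = dict(signed, cmd="adduser")
    print("tampered:", verify_request(tampered, now=issued_at + 10))
    print("replayed later:", verify_request(signed, now=issued_at + 1000))
```

The server never needs the username/password pair on the wire and keeps no session state, which is the advantage the message lists; the price is that every client has to reproduce canonical_string exactly, which is why the canonical form should be specified once and not left to each client's parameter ordering.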