Tuesday, December 22, 2009

Authentication in multi-tenant service

Recently, I implemented the authentication service in CollectionSpace. Apart from the multitenancy requirements, it is also expected that the tenants might have their own identity providers (e.g. CalNet, LDAP, Kerberos, etc.). It is also expected that a tenant might use more than one identity provider, e.g. CalNet for users involved with collection management and perhaps OpenID for research students.

Tenant-aware security context

I implemented a JAAS LoginModule in CollectionSpace (see here) that retrieves the user's association with tenant(s) during the commit phase of the authentication process. This association is made at the time of provisioning an account for the user in CollectionSpace. During the commit phase, a group named Tenants is created; it contains one or more members, each representing a tenant in the system with which the user is associated. I think this approach has the following advantages:
  1. User identifier remains independent of the user's association with a tenant.
  2. Because the tenant is modeled as a group, access control permissions/policies can be written with explicit knowledge of the tenant. In other words, the permissions/policies can be tenant-qualified.
I will provide a concrete example in a subsequent post to explain how this works.
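As an added illustration (not the CollectionSpace module's own code), here is the commit-phase idea in plain JAAS terms: a constructed in-memory provisioning table stands in for the account store, a Tenants group principal carries the tenant membership, and a tenant-qualified check consults that group rather than the user identifier.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

// Simple named principal, used both for the user identity and for each tenant.
final class NamedPrincipal implements Principal {
    private final String name;
    NamedPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof NamedPrincipal && name.equals(((NamedPrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

// The "Tenants" group principal; its members are the tenants the user is associated with.
final class TenantsGroup implements Principal {
    private final Set<Principal> members = new HashSet<>();
    @Override public String getName() { return "Tenants"; }
    void addMember(Principal tenant) { members.add(tenant); }
    boolean isMember(Principal tenant) { return members.contains(tenant); }
}

final class TenantAwareCommit {
    // Constructed stand-in for the account-to-tenant association made at provisioning time.
    private static final Map<String, Set<String>> PROVISIONED = Map.of(
        "alice", Set.of("tenant-museum", "tenant-archive"),
        "bob", Set.of("tenant-archive"));

    // Commit phase: the user identifier is added unchanged; the tenant association
    // is carried by a separate group principal instead of being folded into the user id.
    static void commit(Subject subject, String userId) {
        subject.getPrincipals().add(new NamedPrincipal(userId));
        TenantsGroup tenants = new TenantsGroup();
        for (String t : PROVISIONED.getOrDefault(userId, Set.of())) {
            tenants.addMember(new NamedPrincipal(t));
        }
        subject.getPrincipals().add(tenants);
    }

    // Tenant-qualified policy check: may this subject act within the given tenant?
    static boolean actsInTenant(Subject subject, String tenantId) {
        for (TenantsGroup g : subject.getPrincipals(TenantsGroup.class)) {
            if (g.isMember(new NamedPrincipal(tenantId))) return true;
        }
        return false;
    }
}
```

A policy for a tenant-scoped resource would call actsInTenant with that resource's tenant, so a user provisioned only for one tenant is refused in another even though the user identifier itself is the same everywhere.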

Friday, December 18, 2009

My profiles are connected with rel="me"

Last night, I finally connected all my profiles using the rel="me" tag suggested by the XHTML Friends Network (XFN). I used Plaxo's Online Identity Verifier to verify that XFN crawlers could go from one page to the other. Indeed, my LinkedIn profile, my profile on Google and my Plaxo profile did use rel="me", but the crawler would just stop after 1 visit. So, I had to change directions a bit. But now, everything seems to be connected. Here is what it says now:
>> *** Done! Here's what we found:

 claims: http://loudvchar.blogspot.com
 claims: http://sites.google.com/site/sanjaydalal
 claims: http://wiki.collectionspace.org/display/~sanjay.dalal@berkeley.edu/Home
 claims: http://www.blogger.com/profile/07345321706379617116
     is: http://www.google.com/profiles/107889855647471469473
 claims: http://www.plaxo.com/profile/show/51540603517?pk=c1185a9db8102a44e22e53533ee18ee3136f9f5e&sbQuery=sanjay%20dalal

I realize that Google Sites does not allow XFN crawlers to go forward. They seem to override rel="me" with rel="nofollow". I wish I could point to my CollectionSpace profile from there.

My profile on CollectionSpace is getting a lot of comment spam. I will have to trace where the link to the profile is available and put rel="nofollow" there.

Building an open social graph could be fun!