source: trunk/doc/historical/specifications/core/authentication.html @ 4509

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
  $Id: authentication.html 4509 2008-09-11 20:01:44Z jari $

  Copyright (C) 2005 Jari Hakkinen, Nicklas Nordborg
  Copyright (C) 2006 Jari Hakkinen

  This file is part of BASE - BioArray Software Environment.
  Available at http://base.thep.lu.se/

  BASE is free software; you can redistribute it and/or
  modify it under the terms of the GNU General Public License
  as published by the Free Software Foundation; either version 3
  of the License, or (at your option) any later version.

  BASE is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with BASE. If not, see <http://www.gnu.org/licenses/>.
-->
<html>
  <head>
    <title>BASE - Core specification - User authentication and management</title>
  <link rel=stylesheet type="text/css" href="../../styles.css">
  </head>
<body>

<div class="navigation">
  <a href="../../index.html">BASE</a>
  <img src="../../next.gif">
  <a href="index.html">Core specification</a>
  <img src="../../next.gif">
  User authentication and management
</div>

  <h1>User authentication and management</h1>

  <div class="abstract">
    <p>
    This document covers the details of internal and external user authentication.
    It also discusses user management and how groups and roles are related.
    </p>

    <b>Contents</b><br>
    <ol>
    <li><a href="#authentication">User authentication</a>
    <li><a href="#user">User management</a>
    <li><a href="#group">Group management</a>
    <li><a href="#role">Role management</a>
    </ol>
    
    <b>See also</b><br>
    <ul>
    <li><a href="../../development/overview/data/authentication.html">Implementation overview</a>
    </ul>

    <p class="authors">
    <b>Last updated:</b> $Date: 2008-09-11 20:01:44 +0000 (Thu, 11 Sep 2008) $
    </p>
  </div>

  <a name="authentication">
  <h2>1. User authentication</h2>
  </a>

  <ol>
  <li>A user is authenticated by a unique login name and a password.

  <li>BASE can be configured to use internal or external authentication.

  <li>Support for external authentication is provided by standardized plugin
      modules that can be added to BASE independently of the core system.

  <li>If the technical solution allows it, internal authentication may also be
    implemented as a plugin.

  </ol>

  <h3>1.2 Internal authentication only</h3>
  <ol>
  <li>BASE maintains a list of valid login/password combinations.
  <li>It should be possible to set an expiration date for a user
    account, after which the user will not be able to log on to BASE.
  </ol>

  <h3>1.3 External authentication only</h3>
  <ol>
  <li>The primary role of the external authentication system is to accept or reject
    the login/password combination.

  <li>If the user is accepted, the authentication system should return a
    unique ID identifying the user. The ID must always be the same.
    The uniue ID may be the same as the login name, but doesn't have to.

  <li>BASE maintains a list of known unique IDs.

  <li>Optionally, BASE can be configured to cache the login/password combinations.
    This will make it possible to log on to BASE even if the external
    authentication system currently is unavailable. It should also be possible
    to limit the time the cached data is valid. The limit may be infinite.

  <li class="question">[QUESTION] What about single-sign-on systems for external authentication?
    If a user is logged in, can this information be carried on to BASE? This would
    affect point 1.1 since a user can be authenticated by something else than a
    login/password combination, for example a cookie.<br>
    Answer: This is difficult and depends on the client application. For example, a web
    based authentication system may use a cookie, which cannot be used by
    standalone applications. In other words, this cannot be a core feature.

  <li>Account expiration handling should be done by the external system,
    BASE should not enforce any time limit when using external authentication.

  </ol>

  <a name="user">
  <h2>2. User management</h2>
  </a>

  <ol>
  <li>BASE maintains additional information about a user,
    ie. email address, phone number, etc.

  <li>The only required information about a user is the login name
    and the full name.

  <li>Preferrably, the email address should also be known.
  </ol>

  <h3>2.1 Internal authentication only</h3>
  <ol>
  <li>User accounts can be manually created, updated or deleted by an
    administrator.
    
  <li>Users may update their own information, except the login name and
    the full name.

  <li class="client">[CLIENT] A client application may allow self-registration.
    The privileges
    initially assigned to such an account should be configurable. The normal
    configuration would be to allow less than for a normal account. Note!
    The client application must of course be logged in with permission to
    create user accounts.
  </ol>
  
  <h3>2.2 External authentication only</h3>
  <ol>
  <li>The external authentication system may, but is not required to, provide
    additional information, ie. email address, phone number, etc., about the user.

  <li>If the authentication system doesn't provide a full name, the full name
    is set to the same value as the login.

  <li>If a user not formely known to BASE is logging in and is accepted by the
    external system, a new account is created, including any available
    additional information. BASE can be configured to automatically
    add a new user to a specific group and/or role.

  <li>If the external system provides additional information, BASE can be configured
    to automatically update changes to the information. This is done at
    login time.
    
  <li>If the external system provides additional information, BASE can be configured
    to advice client application to disallow changes to that information. A
    client application is not required to follow that advice. Note! This is because
    we want to allow batch updates for synchronizing information between the
    external system and BASE (see the <a href="#batch">Batch processing</a> section).

  <li>If a user already known to BASE is rejected by the authentication system,
    the account should be flagged as deleted.

  <li>It is still possible to create, update or delete existing accounts in BASE,
    but that information is not verified against the external system. Note! This
    is because we want to allow batch updates for synchronizing information
    between the external system and BASE (see the <a href="#batch">Batch processing</a>
    section).

  <li>BASE can only query the external system for information. Information
    in the external system cannot be created, modified or deleted.
    
    
  <li class="client">[WEB CLIENT] If a user not formerly known to BASE is accepted by the
    external system, one of the following may happen:
    <ul>
    <li>If the external system doesn't supply additional information, the user
      is presented with a form to add that information manually.
    <li>If the external system supply additional information and BASE is configured
      to allow modifications, the same form as above is shown, but with the
      supplied values already entered.
    <li>If BASE is configured not to allow modifications to the additional
      information the values supplied by the authentication system are stored and
      the login proceeds as normal.
    </ul>
    The web client should respect the advice to not allow modification to
    additional information.

  <li class="client">[OTHER CLIENT] If a user not formerly known to BASE is accepted by the
    external system, the client may choose to reject the user access to BASE.
    If the client rejects the user it should let the user know about another
    client application, for example the web client, that can be used to
    enter BASE for the first time.
  </ol>
  
  <a name="batch">
  <h3>2.3 Batch processing</h3>
  </a>
  <ol>
  <li>Batch processing is allowed for both authentication types.

  <li>User accounts can be added, updated or deleted in batch by uploading
    a formatted file containing the user information. How the file should
    be formatted is not specified by BASE, but by standardized plugin modules.
    Such modules can be added to BASE independently of the core system.

  <li class="note">[NOTE] Another way to implement batch updates is to make a 
    client application
    that uses the BASE API. Such a program may, for example, be scheduled for
    nightly runs to synchronize information between BASE and an external system.
  </ol>


  <a name="group">
  <h2>3. Group management</h2>
  </a>

  <ol>
  <li>Groups are used for organising users into units. Usually this maps into
    real-world groups, for example, "lab group 1", "lab group 2", etc. Groups
    are used in the access control mechanism to control access to individual,
    existing items (see the <a href="accesscontrol.html#items">Access to items</a>
    section).

  <li>Groups are added, updated and deleted by an administrator.
  
  <li>Users are assigned to groups by an administrator.

  <li>A user that is a member of a group may see information about
    other members.

  <li class="question">[QUESTION] What about groups and external authentication systems?
    Should BASE allow such systems to also provide group information. In that case,
    can the external system also provide group membership information?
    How is this information synchronized?
    <br>
    Answer: No

  <li class="question">[QUESTION] What about groups within groups?
    <br>
    Answer: Yes, this would be a nice feature. But only if it can
    be implemented in a relatively simple way.

  <li class="question">[QUESTION] Batch updating of group information?
    <br>
    Answer: Yes. This can the be used to synchronize external systems with BASE.

  </ol>

  <a name="role">
  <h2>4. Role management</h2>
  </a>

  <ol>
  <li>Roles are used for organising users by function and responsibility,
    for example, server administrators, head of the lab, regular user,
    reviewer, etc. Roles are used in the access control mechanism to control
    access to all items of a specific type and other operations not involving
    any particular items (see <a href="accesscontrol.html#role">Role-based
    access to items</a> section).

  <li>Roles are added, updated and deleted by an administrator.

  <li>Users are assigned to roles by an administrator.

  <li class="question">[QUESTION] What about roles and external authentication systems?
    Should BASE allow such systems to also provide role information. In that case,
    can the external system also provide role membership information?
    How is this information synchronized?
    <br>
    Answer: No

  <li class="question">[QUESTION] What about roles in groups?
    <br>
    Answer: Hmm... what does this really mean? Answer is no.

  <li class="question">[QUESTION] What about "group roles"? Ie. users that have a special
    role within a group, for example, "leader of lab group 1". Such a user
    could for example have access to everything that is produced by
    members of the group. It should also be possible to have different roles
    in different groups.
    <br>
    Answer: Not optimal. What if a user is a member of two groups, then some things
    are actually only for group 1 and some things only for group 2?
    Can the introduction of "projects" avoid this? By adding items and
    permissions to projects it might be possible to get generic permissions
    for all items within a project.
    
  <li class="question">[QUESTION] Batch updating of role information?
    <br>
    Answer: Yes...
  </ol>

  <!--
  <a name="implementation">
  <h2>5. Implementation overview</h2>
  </a>

  <h3>5.1 Database schema</h3>
  <p>
  <img src="images/authentication.gif">
  </p>

  <p>
  The <span class="incode">Passwords</span> table is used
  for internal authentication only and stores login/password
  combinations. A password is stored in an encrypted form
  given by calculating the MD5 hash of the password.
  </p>

  <p>
  The <span class="incode">Users</span> table stores the additional
  information for each user, including the external ID if external
  authentication is used.
  </p>

  <h3>5.2 External authentication</h2>

  <p>
  For external authentication we define the <span class="incode">Authenticator</span>
  interface. It has three methods:
  </p>

  <dl>
  <dt>init(settings)</dt>
  <dd>Initialises the object. The settings parameter is string whose format
    is specified by the plugin implementation. For example it might be the
    host name of the authentication server or the url for a database
    connection. The BASE core doesn't care about the format.

  <dt>supportsExtraInformation()</dt>
  <dd>Returns TRUE if the authentication system returns additional
    user information (ie. address, phone, email, etc). Otherwise FALSE
    should be returned.

  <dt>authenticate(login, password)</dt>
  <dd>Tries to authenticate the login/password combination. If it is
    successful the unique ID is returned together with additional
    information if supported. If the authentication fails an error
    is thrown.

  </dl>

  <p>
  If the external authentication doesn't support additional information
  the name of new users is set to the login.
  </p>
  -->

</body>
</html>