Hi devs With all the auth changes going around I kind of los lakeFS #dev

Hi devs, With all the auth changes going around, ...

Ariel Shaqed (Scolnicov)

07/03/2022, 7:58 AM

Hi devs, With all the auth changes going around, I kind-of lost track of the difference between Username and Email on the User model, with respect to "userID" parameters. • What do I pass to auth.Service.Authorize: user.Username? • What do I pass to auth.Service.CreateCredentials: user.Username (of the user for whom I'm creating credentials)? THANKS!

Yoni Augarten

07/03/2022, 8:48 AM

Hey! I'll admit that it is confusing. Today we have two types of users - email-based and credential-based. The concept of username is different for each of them. For an email-based user, the username will be the email. For a credentials-based user it will be the "username" you supplied when creating the user. So in both cases you mentioned, you should supply either the email or the username the user was created with, depending on the user type.

Ariel Shaqed (Scolnicov)

07/03/2022, 8:51 AM

So every time I want to know a user ID, I need to examine the type of the user?? Can you please link to where this happens in controller.go, so that I can see a known-good implementation?

Ariel Shaqed (Scolnicov)

07/03/2022, 8:52 AM

Oh, I think I already asked this in April. Could the team prioritize handling this please? It seems like a security bug waiting to happen...

Yoni Augarten

07/03/2022, 8:52 AM

If you are the end user of the API, yes - you need to examine the type of user. In the code, both are always passed to the username field, AFAIR. Looking for an example

Yoni Augarten

07/03/2022, 8:55 AM

So if you consider this code in controller.go:

Copy code

resp, err := c.Auth.Authorize(ctx, &auth.AuthorizationRequest{
		Username:            user.Username,
		RequiredPermissions: perms,
	})

user.Username

is already assumed to be the email for email-based users, and the username for credential-based.

Ariel Shaqed (Scolnicov)

07/03/2022, 9:27 AM

Thanks! I can see

Username

is used for authorization. Is it also safe to use it as an identifier for fetching the user? E.g. this call in CreateCredentials uses whatever it gets from the user; if I wanted to create "credentials for the calling user" then I could use

user.Username

to identify the user too, right?

Yoni Augarten

07/03/2022, 9:28 AM

Not sure I understand, where do you want to use it for fetching the user?

Ariel Shaqed (Scolnicov)

07/03/2022, 9:31 AM

I want to write a call that generates credentials for the calling user, as part of a speedier "generate Spark config" flow. I (now) know that I can use

user.Username

to check whether the user is allowed to create credentials for themselves; I am asking is it also the right string to pass to auth.Service.CreateCredentials (the "user to create")? It should be, I am making sure. (Sorry)

Yoni Augarten

07/03/2022, 9:35 AM

Yes, it is the right string to pass there

Yoni Augarten

07/03/2022, 9:35 AM

We do need to go over this code because it's very confusing

Ariel Shaqed (Scolnicov)

07/03/2022, 9:37 AM

Thanks!

We do need to go over this code because it's very confusing

I know 😕 . It was always confusing, then I lost track while we added email. Fix #3244 FTW.

6 Views

Open in Slack

Previous Next