Changes between Version 13 and Version 14 of SPIDocs


Timestamp:
Sep 16, 2014 2:36:03 PM (10 years ago)
Author:
faber
Comment:

--

  • SPIDocs

    v13 v14  
    190190==== Authentication ====
    191191
    192 In order for a user to carry out operations on the testbed, the user must log in to the testbed.  When requests are made to the SPI they are made through a secure connection where client and server (that is user and testbed) are identified by an X.509 certificate issued by the testbed.  The login process binds an X.509 certificate used to make a secure connection to a user instance in the testbed used to determine rights.  Users are authenticated through a password system.
     192Each user has a unique identifier, a textual ''userid''.  Permissions, resources, objects, etcetera are all bound to that userid.  Authentication is the problem of binding a request to that identity.
     193
     194In order for a user to carry out operations on the testbed, the user must log in to the testbed.  When requests are made to the SPI they are made through a secure connection where client and server (that is user and testbed) are identified by an X.509 certificate issued by the testbed.  The login process binds an X.509 certificate used to make a secure connection to a userid in the testbed used to determine rights.  Users are authenticated through a password system.
    193195
    194196The simplest way to log in through the SPI is to call the `requestChallenge` operation on the `Users` [wiki:SPIDocs#Services service].  The caller specifies the sorts of challenges it can carry out and the server sends the input for such a challenge.  Challenges can include hashing passwords and other mechanisms.  Because the challenge and its response are passed through encrypted channels, we also support a clear challenge.  In a clear challenge the caller submits a password in the clear.  Each challenge is valid for a limited time - 2 minutes - and has a unique identifier so a response is bound to a specific challenge.
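Review bot: In new line 194 the text says the client is identified by an X.509 certificate issued by the testbed and also that login binds that certificate to a userid, so the reader cannot tell what the certificate establishes before login and how long the binding lasts afterwards. Suggest saying whether the certificate alone conveys any rights before the password challenge succeeds, and when the certificate-to-userid binding expires or is released. The closing sentence "Users are authenticated through a password system" would sit better next to the definition of authentication added in new line 192.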
     
    237239Note that users generally cannot send notifications to other users.  Only administrators and testbed actions do this.
    238240
     241==== Password Management ====
     242
     243The `Users` [wiki:SPIDocs#Services service] provides operations for managing a user's password.  A user who is logged in can change their password directly using the `changePassword` operation.  The operation takes a user identifier and a password. Administrators can also use that interface to change other user's passwords.
     244
     245If a user cannot log in - for example their password has expired or they have forgotten it - the application can use the `requestPasswordReset` interface to issue temporary credentials that can be used to set a user's password to a known value.  When `requestPasswordReset` is called
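Review bot: In new line 243, `changePassword` is documented as taking only a user identifier and a password, which leaves open whether a logged-in user must supply the current password and how the service decides that a caller is an administrator allowed to change another userid's password. Suggest documenting both checks, since any caller can name an arbitrary userid in the request. "other user's passwords" should read "other users' passwords". In new line 245, the temporary credentials issued by `requestPasswordReset` are described without a lifetime or a delivery channel, while the Authentication section gives challenges an explicit 2-minute limit; the same detail belongs here.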