[Pulp-dev] JWT Use Case Revisions for Pulp3

Dennis Kliban dkliban at redhat.com
Wed May 31 12:26:38 UTC 2017


We had a chance to discuss some of these use cases during our MVP call
yesterday. Here is the updated list of use cases:

As an administrator, I can disable JWT token expiration.  This
configuration is in the settings file and is system-wide.
As an administrator, I can configure the JWT tokens to expire after a
configurable amount of time. This configuration is in the settings file
and is system-wide.
The JWT shall have a username identifier
As an API user, I can authenticate any API call (except to request a JWT)
with a JWT.
As an API user, I can invalidate all existing JWT tokens for a given user.
As an authenticated user, when deleting a user 'foo', all of user 'foo's
existing JWTs are invalidated.
As an authenticated user, I can invalidate a user's JWTs in the same
operation as updating the password.
As an un-authenticated user, I can obtain a JWT token by using a username
and password.

Let's polish them up on this email thread and then update the MVP wiki
page.

-Dennis

On Mon, May 29, 2017 at 1:57 PM, Brian Bouterse <bbouters at redhat.com> wrote:

> We had a use case call which produced these use cases [0]. Then @fdobrovo
> investigated using the django-rest-framework-jwt [1] to fulfil those use
> cases and there are some small, but to fulfil the use cases written he had
> to write a good amount of code and maybe only used 50 or 100 lines of code
> actually from django-rest-framework-jwt.
>
> Through a lot of back and forth on the issue [2], we did a gap analysis
> and considered different ways the use cases could be aligned with the
> functionality provided by the django-rest-framework. We came up with the
> following revised use cases related to JWT that are effectively the same
> and would allow the plugin code to be used mostly as-is:
>
> * As an administrator, I can disable JWT token expiration.  This
> configuration is in the settings file and is system-wide.
> * As an administrator, I can configure the JWT tokens to expire after a
> configurable amount of time. This configuration is in the settings file and
> is system-wide.
> * The JWT shall have a username identifier
> * As an API user, I can authenticate any API call (except to request a
> JWT) with a JWT.
> * As an API user, I can invalidate all JWT tokens for a given user
> * As an authenticated user, when deleting a user 'foo', all of user 'foo's
> JWTs are invalidated.
> * As an un-authenticated user, I can obtain a JWT token, by passing a
> username and password via POST
>
> Comments and questions are welcome here. I also hope to append this topic
> onto one of the upcoming, Tuesday use case calls. The next call May 30th is
> on the Status API and Alternate Content Sources so hopefully there will be
> enough time to revisit the JWT use cases then too or on a following call.
>
> [0]: https://pulp.plan.io/projects/pulp/wiki/Pulp_3_Minimum_
> Viable_Product#Authentication
> [1]: http://getblimp.github.io/django-rest-framework-jwt/
> [2]: https://pulp.plan.io/issues/2359
>
> -Brian
>
> _______________________________________________
> Pulp-dev mailing list
> Pulp-dev at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-dev
>
>
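The use cases above (username claim, system-wide expiration that can be disabled, invalidate-all on user deletion or password change, token obtained only with username and password) can be exercised end to end in a few dozen lines. The following is an added example written for this thread, not code from Pulp or from django-rest-framework-jwt. It assumes a constructed in-memory user store, a settings dict standing in for the Django settings file (key name JWT_EXPIRATION_SECONDS is invented), and one particular mechanism for the "invalidate all tokens for a user" cases: a random per-user secret mixed into the HS256 signing key, so rotating that secret kills every token for that user while leaving other users' tokens valid. Only the standard library is used.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed system-wide setting (stands in for the settings file); None disables expiration.
SETTINGS = {"JWT_EXPIRATION_SECONDS": 3600}

# Constructed server-side signing secret; in a real deployment this comes from config.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"

# Constructed in-memory user store: username -> {salt, pw_hash, jwt_secret}.
# 'jwt_secret' is random per user and feeds the signing key; replacing it
# invalidates every JWT issued to that user and nobody else's.
USERS = {}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": hash_password(password, salt),
                       "jwt_secret": secrets.token_bytes(32)}


def signing_key(username):
    # One server secret, derived per user: HMAC(server_secret, per-user secret).
    return hmac.new(SERVER_SECRET, USERS[username]["jwt_secret"], hashlib.sha256).digest()


def issue_token(username, password, now=None):
    """The only unauthenticated call: trade username + password for a JWT, or None."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"username": username, "iat": now}   # the username identifier from the use cases
    if SETTINGS["JWT_EXPIRATION_SECONDS"] is not None:
        payload["exp"] = now + SETTINGS["JWT_EXPIRATION_SECONDS"]
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(signing_key(username), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(token, now=None):
    """Return the authenticated username, or None if the token must be rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm server-side; the token never gets to choose (rejects alg=none).
    if header.get("alg") != "HS256":
        return None
    # The username is read before the signature check only to select the key;
    # nothing in the payload is trusted until compare_digest succeeds below.
    username = payload.get("username")
    if not isinstance(username, str) or username not in USERS:
        return None   # unknown or deleted user: all of their tokens are dead
    expected = hmac.new(signing_key(username), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = int(time.time()) if now is None else now
    if "exp" in payload and (not isinstance(payload["exp"], int) or now >= payload["exp"]):
        return None
    return username


def invalidate_user_tokens(username):
    """Invalidate all existing JWTs for one user by rotating the per-user secret."""
    USERS[username]["jwt_secret"] = secrets.token_bytes(32)


def set_password(username, new_password):
    """Password update and token invalidation happen in the same operation."""
    salt = secrets.token_bytes(16)
    USERS[username].update(salt=salt, pw_hash=hash_password(new_password, salt))
    invalidate_user_tokens(username)


def delete_user(username):
    del USERS[username]   # verify_token fails for any token naming a missing user
```

Two points worth noting for the gap analysis: disabling expiration (the first use case) makes the per-user invalidation path the only way a leaked token ever dies, so the two use cases are not independent in practice; and because the algorithm is pinned in verify_token rather than read from the header, a token with alg=none or a different algorithm is rejected before any key material is touched.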