
New Proxy for interactive jobs

Open johrstrom opened this issue 4 years ago • 2 comments

This is the epic ticket to replace our current proxy. While mod_ood_proxy has served us well for so many years, now's the time to start thinking about replacing it with something much more secure.

The attributes of such a solution should be:

  • secure. No-one should be able to proxy to another user's interactive job.
  • easy to install & maintain. It'd be nice to jump to some service mesh with etcd and all sorts of other components, but we can't really put that sort of administration burden on our administrators.
    • Compatibility is related to this. It should be able to run at 90%+ of our sites.


johrstrom, Jul 26 '21 13:07

Based on comments made at various conferences, not sure if this belongs in the code mentioned here or some other layer of OnDemand, but it is useful for administrators or support staff to become other users. For OSC, something like that is possible with Keycloak and impersonation, but due to security issues people supporting OnDemand at OSC can't use that feature, so some OnDemand-specific feature to support impersonation would be useful. This could belong as the user mapping layer rather than the proxy layer.

treydock, Jul 26 '21 15:07

Yeah, this will likely replace the Lua code in mod_ood_proxy, where it could take the authenticated user tdockendorf and actually proxy to johrstrom's PUN or some other interactive session of johrstrom's.

So the comment/feature is in the right place, but I'm not sure when (if) that'll be available. One of the main benefits is to increase security and this adds a large attack vector, so I'd imagine that feature will be deferred for quite some time.

johrstrom, Jul 26 '21 16:07