path: root/issues/authentication_authorisation/migrate-user-accounts-from-redis.gmi
blob: 1d804c43355247803d6b29ee284dc57e50afc472 (plain)
# Migrate User Accounts from Redis to new Auth DB

## Tags

* assigned: fredm, zsloan, zachs
* priority: high
* status: closed, wontfix
* keywords: authentication, authorisation, oauth2
* type: feature request

## Description

After some discussion, this issue was deemed unnecessary.

Users will have to register anew and have their access details reconfirmed.

--------------------

Currently, on GN2, user details are stored in Redis. We need to migrate these to the new auth database (SQLite3) in order to be able to use that system.

As part of that migration, each user's privileges must be maintained, as far as possible, across all the resources they have access to.

### Notes

* In GN2, resources are owned by users; in GN3, resources are owned by groups
* Resource owners can have a group created for them
* A newly created group (as above) will contain those users with privileges ONLY for the resources in the group
* Any users with privileges that cross groups will be harder to handle, but are hopefully fewer


We could have the migration be triggered by the user:

* User logs in using existing credentials
* System looks for credentials in auth system db
* If credentials found, log the user in and end the login process
* If credentials are not found, search for credentials in old system
* If credentials are found in old system, log the user in, and transfer the credentials to the new system (including user id, email, name, password, etc)
* Provide the user with the chance to trigger migration of their details from the old system
* If credentials are not found in either system, that is not a valid user. Show error and end the login process.

The user account information in Redis is stored in a hash of the form:

```
{
  <user-id:UUID>: {
    "email_address": <:STRING>,
    "full_name": <:STRING>,
    "organization": <:STRING>,
    "password": <pbkdf2-password-representation:MAPPING>,
    "user_id": <user-id:UUID>,
    "confirmed": <:int (0 or 1)>,
    "registration_info": {
        "timestamp": <:TIMESTAMP>,
        "ip_address": <:IPv4ADDRESS>,
        "user_agent": <:STRING>}
    },
  ...
}
```

where both ```<user-id:UUID>``` values are the same.
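
The login-triggered migration steps listed above, applied to records of the Redis form just shown, as an added sketch that is not GN2/GN3 code. The `users` table, the keys inside the pbkdf2 mapping (`algorithm`, `salt`, `iterations`, `hash`) and the dict standing in for the Redis hash are assumptions; it covers the credential transfer only, not the privilege/group mapping.

```python
import hashlib, hmac, json, sqlite3

def verify(pw, candidate):
    # Assumed keys for the pbkdf2 mapping; the page does not list them.
    digest = hashlib.pbkdf2_hmac(pw["algorithm"], candidate.encode(),
                                 bytes.fromhex(pw["salt"]), pw["iterations"])
    return hmac.compare_digest(digest.hex(), pw["hash"])

def login(db, legacy, email, candidate):
    """Return (user_id, source); raise PermissionError for invalid credentials."""
    row = db.execute("SELECT user_id, password FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is not None:
        # Once an account is in the auth DB, never fall back to the old store:
        # a stale Redis password must not stay valid after migration.
        if verify(json.loads(row[1]), candidate):
            return row[0], "auth-db"
        raise PermissionError("invalid credentials")
    old = next((u for u in legacy.values() if u["email_address"] == email), None)
    if old is None or not verify(old["password"], candidate):
        raise PermissionError("invalid credentials")  # same error for both cases
    with db:  # single transaction: the row is copied whole or not at all
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                   (old["user_id"], old["email_address"], old["full_name"],
                    json.dumps(old["password"]), old["confirmed"]))
    return old["user_id"], "migrated"

def demo():
    """Constructed sample data: one legacy user and an empty auth DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, email TEXT UNIQUE,"
               " name TEXT, password TEXT, confirmed INTEGER)")
    # Low iteration count only to keep the demo fast.
    salt, rounds = "00112233445566778899aabbccddeeff", 1000
    pw = {"algorithm": "sha256", "salt": salt, "iterations": rounds,
          "hash": hashlib.pbkdf2_hmac("sha256", b"correct horse",
                                      bytes.fromhex(salt), rounds).hex()}
    uid = "11111111-2222-3333-4444-555555555555"
    legacy = {uid: {"user_id": uid, "email_address": "user@example.org",
                    "full_name": "Sample User", "organization": "Example Lab",
                    "password": pw, "confirmed": 1}}
    return db, legacy, uid
```

The first successful login copies the record and reports "migrated"; later logins are answered from the auth DB alone, so the Redis copy can be retired per user.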

## Related Topic(s)

=> /topics/authentication/authentication-authorisation-design Authentication/authorisation design