
Opencast Valencia 2017: Users, groups, roles, ACLs and providers

Date post: 19-Mar-2017
Users, groups, roles, ACLs and providers: integrating Opencast with external systems Stephen Marquard, Centre for Innovation in Learning and Teaching, UCT [email protected] | twitter: stephenmarquard
Transcript
Page 2: Opencast Valencia 2017: Users, groups, roles, ACLs and providers

|| 02/05/2023 2

Opencast authentication and authorization

- Who are you? Authentication: create a session.
- What authorizations do you have? List of roles.
- What actions are visible to you in the Admin UI? ROLE_UI_* roles.
- What events and series are visible to you? Index (Search, Admin UI, External API): ACL matching.
- What CRUD actions can you take through REST endpoints? mh_security_org URL configuration: role / URL path / HTTP method matching.

https://docs.opencast.org/develop/admin/configuration/security/

Page 3: Opencast Valencia 2017: Users, groups, roles, ACLs and providers


What is a user?

- A username (belonging to an organization), a method of authentication, and a set of roles.
- System users (admin, opencast_system_account) are configured in etc/custom.properties and have plain-text passwords, so digest authentication can be used (server-to-server, CA-to-server).
- All users are authenticated by Spring Security (etc/security/mh_default_org.xml).
- LTI is a type of authentication which does not involve a password: the Opencast LTI producer trusts the credentials from the LTI Consumer (e.g. LMS).

Page 4: Opencast Valencia 2017: Users, groups, roles, ACLs and providers


Common authentication types

- No authentication required: Anonymous
- Password-based: Digest (plain-text password in custom.properties), Database (hashed password in mh_user), LDAP (password verified against external service)
- Trust-based: Web single sign-on (CAS, Shibboleth), LTI (OAuth)

Page 5: Opencast Valencia 2017: Users, groups, roles, ACLs and providers


How do users get roles?

1. The login handler (for example LtiLaunchAuthenticationHandler) provides some roles related to the type of login. These are Spring Security roles (GrantedAuthority). Examples: ROLE_ANONYMOUS (no authentication), ROLE_ADMIN (system users), ROLE_OAUTH_USER (LTI).

2. The Opencast UserAndRoleDirectoryService enriches the user’s set of roles by consulting the set of running UserProviders and RoleProviders.

Page 6: Opencast Valencia 2017: Users, groups, roles, ACLs and providers


What is a group?

- A group has a title, a description, a group role (ROLE_GROUP_TITLE), a set of members, and a set of roles.
- If a user is a member of a group, the user is granted all of the roles defined for the group.

Page 7: Opencast Valencia 2017: Users, groups, roles, ACLs and providers


User and group improvements (MH-12016 / Opencast 2.4)

- User dialog: External Roles tab (roles given to this user which are identified as external roles); Effective Roles tab (all the user’s roles: internal, group roles and external roles).
- Giving a user the group role makes the user a member of the group (and the inverse).
- Group membership can be granted by an external RoleProvider (by giving the user the group role).
- Fixed some cache invalidation issues (changes to group membership show up immediately in the user’s details).
- UserAndRoleDirectoryService cache is configurable (MH-12034).

Page 8: Opencast Valencia 2017: Users, groups, roles, ACLs and providers


Role and ACL improvements (MH-12016 / Opencast 2.4)

Goals:
- avoid saving user roles that aren’t under Opencast’s control
- allow users to enter external roles in the Admin UI
- don’t present roles in the Admin UI which aren’t relevant in that context

- Concept of Role Types and Role Targets introduced.
- Only internal roles are saved in the Opencast database.
- You can enter a role name or partial role name in the Admin UI, and Opencast will consult all the RoleProviders to find matching roles (e.g. for external LMS roles).
- User roles can be added to ACLs for any valid user (ROLE_USER_ID).

Page 9: Opencast Valencia 2017: Users, groups, roles, ACLs and providers


Page 10: Opencast Valencia 2017: Users, groups, roles, ACLs and providers


What can a User Provider do?

Implements org.opencastproject.security.api.UserProvider (one of many):

  String getName();
  Iterator<User> getUsers();
  User loadUser(String userName);
  long countUsers();
  String getOrganization();
  Iterator<User> findUsers(String query, int offset, int limit);
  void invalidate(String userName);

- Provide information about the user and a set of roles.
- Locate users matching a query.
- Not necessary to return all users, or a count of all users.

Page 11: Opencast Valencia 2017: Users, groups, roles, ACLs and providers


User Provider examples

System providers:
- InMemoryUserAndRoleProvider (custom.properties admin user and digest user)
- JpaUserAndRoleProvider (mh_user / mh_user_role)
- JpaUserReferenceProvider (mh_user_ref / mh_user_ref_role)

External providers:
- LDAP User Provider
- Sakai User Provider

Page 12: Opencast Valencia 2017: Users, groups, roles, ACLs and providers


What can a Role Provider do?

Implements org.opencastproject.security.api.RoleProvider (one of many):

  Iterator<Role> getRoles();
  List<Role> getRolesForUser(String userName);
  String getOrganization();
  Iterator<Role> findRoles(String query, int offset, int limit);

- getOrganization(): is the RoleProvider returning roles for all organizations, or for a specific organization?
- getRoles(): list all the roles for this organization (optional).
- getRolesForUser(): get the list of roles for a user.
- findRoles(): get a list of roles that match a query.

The list of roles available for selection in the Admin UI is the set of roles returned by findRoles() from all providers. Not necessary to return all roles, or a count of all roles.
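As an added example (not code from these slides or from Opencast itself), here is a hypothetical tenant-scoped RoleProvider that supplies roles held in an external course system, following the interface on this slide and the enrichment step described under "How do users get roles?". It assumes the Opencast 2.x security API classes JaxbRole, JaxbOrganization and SecurityService; the user/role data and the treatment of '%' as a wildcard marker are constructed for illustration.

```java
import java.util.*;
import org.opencastproject.security.api.JaxbOrganization;
import org.opencastproject.security.api.JaxbRole;
import org.opencastproject.security.api.Role;
import org.opencastproject.security.api.RoleProvider;
import org.opencastproject.security.api.SecurityService;

/** Hypothetical tenant-scoped RoleProvider for roles held in an external course system. */
public class CourseRoleProvider implements RoleProvider {
  // Constructed sample data standing in for the external system: {username, role name}.
  private static final String[][] EXTERNAL_ROLES = {
      {"alice", "ROLE_COURSE_CS101_Instructor"}, {"alice", "ROLE_COURSE_CS102_Instructor"},
      {"bob", "ROLE_COURSE_CS101_Learner"}};
  private final SecurityService securityService; // injected by OSGi in a real bundle

  public CourseRoleProvider(SecurityService securityService) {
    this.securityService = securityService;
  }
  private Role toRole(String name) { // every role handed out is bound to the calling tenant
    JaxbOrganization org = JaxbOrganization.fromOrganization(securityService.getOrganization());
    return new JaxbRole(name, org);
  }
  @Override
  public String getOrganization() { // answers for the current tenant only, not for all ("*")
    return securityService.getOrganization().getId();
  }
  @Override
  public Iterator<Role> getRoles() { // enumerating every role is optional; decline cheaply
    return Collections.emptyIterator();
  }
  @Override
  public List<Role> getRolesForUser(String userName) { // consulted when a user's roles are enriched
    List<Role> roles = new ArrayList<>();
    for (String[] entry : EXTERNAL_ROLES) {
      if (entry[0].equals(userName)) roles.add(toRole(entry[1]));
    }
    return roles;
  }
  @Override
  public Iterator<Role> findRoles(String query, int offset, int limit) { // Admin UI role picker
    String needle = query.replace("%", "").toLowerCase(); // assumption: '%' marks a wildcard
    Set<String> matches = new LinkedHashSet<>();          // de-duplicate across users
    for (String[] entry : EXTERNAL_ROLES) {
      if (entry[1].toLowerCase().contains(needle)) matches.add(entry[1]);
    }
    List<String> names = new ArrayList<>(matches);        // honour the caller's paging
    int from = Math.min(offset, names.size());
    int to = limit > 0 ? Math.min(from + limit, names.size()) : names.size();
    List<Role> page = new ArrayList<>();
    for (String name : names.subList(from, to)) page.add(toRole(name));
    return page.iterator();
  }
}
```

Registered as an OSGi service, a provider like this is picked up by UserAndRoleDirectoryService, and the roles it returns from findRoles() appear in the Admin UI role picker without being written to the Opencast database.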

Page 13: Opencast Valencia 2017: Users, groups, roles, ACLs and providers


Role Provider examples

System role providers:
- InMemoryUserAndRoleProvider (ROLE_ADMIN, …)
- OrganizationRoleProvider (per-tenant admin role)
- UserIdRoleProvider (ROLE_USER_*)
- JpaGroupRoleProvider (ROLE_GROUP_*)
- JpaUserAndRoleProvider
- UIRolesRoleProvider (ROLE_UI_*)
- ExternalApiRoleProvider (ROLE_API_*)

Custom roles:
- CustomRoleProvider (MH-12056)

External role providers:
- Sakai User Provider (MH-10871)

Page 14: Opencast Valencia 2017: Users, groups, roles, ACLs and providers


Performance of the Admin UI

Don’t have too many internal users, too many groups, or too many users in a group!

- Performance issues with very large groups (MH-12025)
- Performance issues with a large number of internal users (MH-12026)

Page 15: Opencast Valencia 2017: Users, groups, roles, ACLs and providers


To Do

- Add a Groups tab on the Add/Edit User dialog (MH-12068)
- Improve usability of ACL Editor for Event and Series (MH-12021)
- Make things simpler for adopters who don’t have a User Provider:
  - Persist LTI users (in mh_user_ref) (MH-8955)
  - Add regexp validation of custom roles to the CustomRoleProvider (MH-12056)
  - Optionally persist roles when they’re noticed by the LTI launch handler (so they’re visible in the Admin UI)
