[Auth Service] Lock content

[oserban]

Note: This is not a security or auth feature as the access to OVE can be secured on a network level, etc... What I want out of this is a safety mechanism to prevent people from accidentally deploying content to OVE while a presentation is running. The access to SDK is fairly easy so accidents like this may happen on the production environment without realizing.

I think it may be very helpful to have a lock content feature/function which returns a session token. This token should be used to execute any rest operation afterwards (update state, delete sections, play content, etc). This session token token can be displayed by the control panel, so someone wanting to use a tablet or laptop should be able to reuse it if he as physical access to the control panel. At the end of the presentation the space would be unlocked by the control panel before moving to the next presentation.

The OVE server would have an enpoint to reset the current session token and unlock the space, which would not be available from the SDKs.

[senakafdo]

As discussed offline, we should make it both secure and convenient - so, it should use a proper security token, but the presenter may only need to know a portion of it, for example. @oserban, this is one of the most fundamental features of a system that can support multiple collaborators, :).

Let's also make a list of other ACL/security features and we can implement them all, in one go.

[davidbirchwork]

another aspect here is locking content down to particular users, we previously discussed an LDAP system with @DavidAkroyd with a suggestion to implement a central user auth microservice.

[oserban]

Disclaimer: This is not meant as a negative comment, but as a personal opinion regarding this feature ^_^

As I also suggested offline to @senakafdo, I envisioned this feature as a safety mechanism to prevent people from loading content on OVE accidentally, hence the session token being displayed on the control panel and the reset session tokens in the OVE. I want this mechanism to be very practical and not block people from using the system.

If we can design this as a security mechanism simple enough not to be abused in practice, we can do it. Otherwise we don't need to over complicate things.

[oserban]

This will be implemented with the new authentication proxy

[senakafdo]

This issue can be dealt with as a part of ove/ove-asset-manager#65, and there is no real need for a separate Auth Service. Furthermore, depolyments of OVE can use their own security mechanisms to prevent users from getting access to private content.