Time
S
Nick
Message
02:56
axfelix joined #dataverse
13:21
bsilverstein joined #dataverse
13:21
bsilverstein
pdurbin: welcome back!
13:22
pdurbin
bsilverstein: thanks! I was just reading through comments on the Confirm Email google doc. :)
13:25
pdurbin
bsilverstein: looks like you haven't made a pull request yet. Still working on the code? Are you blocked? Need anything?
13:27
bsilverstein
pdurbin: small UI blocker that mike can help with, just alignment for something that merce pointed out after I did a demo for her
13:28
bsilverstein
although if things are good enough I suppose a pull request today isn't out of the question
13:28
bsilverstein
big steps!
13:33
pdurbin
Nice! And I'm glad to hear Merce got a demo!
13:34
bsilverstein
yeah it went over well thankfully! Sonia sat in as well
13:35
pdurbin
ah, perfect
13:59
pameyer joined #dataverse
16:22
bsilverstein joined #dataverse
18:29
nicholas_ joined #dataverse
19:44
pdurbin
nicholas_: hi! Just got your email. Welcome!
19:44
nicholas_
Hi! Thanks.
19:45
pdurbin
I didn't realize you're in the code already. That's awesome.
19:46
pdurbin
I thought the "user login process" diagram here might be interesting for you: https://github.com/IQSS/dataverse/blob/develop/doc/Architecture/auth.md
19:48
nicholas_
Interesting. Reading it over now..
19:50
pdurbin
nicholas_: let's get you in touch with the author of that doc: https://github.com/michbarsinai . He also wrote most of that code.
19:51
pdurbin
all the AuthenticationProvider stuff
19:52
nicholas_
That sounds good. I'm curious what he thinks about stepping in with 2FA at the provider level. Or if it should be an option in the UserBean...
19:52
pdurbin
Yeah, I dunno what he'd say. I haven't really thought about it.
19:54
pdurbin
nicholas_: is the main reason you want to add two factor authentication to Dataverse that the "dataverseAdmin" user is a builtin/local account and has superuser access? The reason I ask is that you could give a Shibboleth user or two superuser access and disable the "dataverseAdmin" account (or remove superuser from it).
19:57
michbarsinai joined #dataverse
19:59
pdurbin
nicholas_: meet michbarsinai!
20:01
michbarsinai
Hello!
20:02
pdurbin
michbarsinai: I've already mentioned to nicholas_ that I declared 2FA "out of scope" for issue 3150 at https://github.com/IQSS/dataverse/issues/3150#issuecomment-223941891
20:03
pdurbin
... but that Lucien is very interested in feedback at https://github.com/IQSS/dataverse/pull/3227
20:03
michbarsinai
OK. It's going to get in scope for DataTags integration for sure.
20:03
michbarsinai
No GitHub issues yet, though
20:03
pdurbin
ah, I didn't know that
20:06
nicholas_
Yes, I think that's the primary motivation. I think your suggestion of 1+ Shibboleth users having admin and disabling the dataverseAdmin account could work. We honestly hadn't considered the possibility of disabling it.
20:06
pdurbin
michbarsinai: 2FA can be achieved by using Shibboleth, of course. HarvardKey is going to require it soon.
20:07
nicholas_
Same here, we are told. It was just the dataverseAdmin account that really bothered security.
20:07
nicholas_
Or so I've been told. I started a week ago.
20:07
michbarsinai
Can Dataverse know that Shib/HarvardKey are using it? I.e., can it be enabled for one user and disabled for another without Dataverse knowing?
20:07
pdurbin
makes total sense. demote him to non-superuser, I say :)
20:08
pdurbin
michbarsinai: well, imagine that HarvardKey requires 2FA (which it will soon) but MIT's Touchstone system doesn't (I have no idea if it does or not). I don't know of a way to know which Shibboleth Identity Provider (IdP) enforces 2FA or not.
20:09
nicholas_
I don't think this is the case, and I'll have to check with other folks here. But one issue could be if we need to have non-Shib users and security wants them to use 2FA.
20:09
michbarsinai
That part could be a config thing. Any user authenticating via HarvardKey can be considered as having passed 2FA.
20:10
michbarsinai
But if within the same Shib provider we can't tell the difference, we need to suspect everybody, no?
20:10
michbarsinai
Security people, suspecting everybody since 1960 (or so)
20:20
pdurbin
michbarsinai: right. Trust no one.
20:25
pdurbin
nicholas_: technically, Dataverse doesn't yet have first class support for locking users, but I'm working on this at https://github.com/IQSS/dataverse/tree/3153-2419-lockuser
20:26
pdurbin
you could scramble the dataverseAdmin password after removing the superuser boolean for now
20:30
pdurbin
anyway, gotta go pick up my kids from camp then head to the Coolidge to see The Big Lebowski :)
20:31
nicholas_
Yeah, that could work. I'll have a talk with Nick 1 and see what we come up with.
20:31
pdurbin
michbarsinai: in case you're wondering, there are two Nicks :)
20:31
pdurbin
ok, really going. bye!
20:32
michbarsinai
bye!
20:33
michbarsinai
As long as they don't share a nick.... #sorry
20:33
nicholas_
take care