authn: mark as beta + enforce stricter access for user GET

Signed-off-by: Ryan Koo <rbk65@cornell.edu>

Author: rkoo19

README.md

@@ -22,7 +22,7 @@ AIS consistently shows [balanced I/O distribution and linear scalability](https:
 * ✅ **Data Consistency:** Guaranteed [consistency](/docs/overview.md#read-after-write-consistency) across all gateways, with [write-through](/docs/overview.md#write-through) semantics in presence of [remote backends](/docs/overview.md#backend-provider).
 * ✅ **Small File Optimization:** AIS supports TAR, ZIP, TAR.GZ, and TAR.LZ4 serialization for batching and processing small files. Features include [initial sharding](https://aistore.nvidia.com/blog/2024/08/16/ishard), distributed shuffle (re-sharding), appending to existing shards, listing contained files, and [more](/docs/overview.md#shard).
 * ✅ **Kubernetes:** For production deployments, we developed the [AIS/K8s Operator](https://github.com/NVIDIA/ais-k8s/tree/main/operator). A dedicated GitHub [repository](https://github.com/NVIDIA/ais-k8s) contains Ansible scripts, Helm charts, and deployment guidance.
-* ✅ **Authentication and Access Control:** OAuth 2.0-compatible [authentication server (AuthN)](/docs/authn.md).
+* ✅ **Authentication and Access Control:** OAuth 2.0-compatible [authentication server (AuthN)](/docs/authn.md)[^authn-beta].
 * ✅ **Batch Jobs:** Start, monitor, and control cluster-wide [batch operations](/docs/batch.md).
 
 The feature set is actively growing and also includes: [adding/removing nodes at runtime](/docs/lifecycle_node.md), managing [TLS certificates](/docs/cli/x509.md) at runtime, listing, copying, prefetching, and transforming [virtual directories](/docs/howto_virt_dirs.md), executing [presigned S3 requests](/docs/s3compat.md#presigned-s3-requests), adaptive [rate limiting](/docs/rate_limit.md), and more.
@@ -133,9 +133,11 @@ Let others know your project is powered by high-performance AI storage:
 * [Batch Jobs](/docs/batch.md)
 * [Performance](/docs/performance.md) and [CLI: performance](/docs/cli/performance.md)
 * [CLI Reference](/docs/cli.md)
-* [Authentication](/docs/authn.md)
+* [Authentication](/docs/authn.md)[^authn-beta]
 * [Production Deployment: Kubernetes Operator, Ansible Playbooks, Helm Charts, Monitoring](https://github.com/NVIDIA/ais-k8s)
 
+[^authn-beta]: AuthN is under development and has *NOT* gone through a complete security audit.
+
 ### How to find information
 
 * See [Extended Index](/docs/docs.md)

cmd/authn/hserv.go

@@ -266,6 +266,9 @@ func (h *hserv) httpUserGet(w http.ResponseWriter, r *http.Request) {
 		code  int
 	)
 	if len(items) == 0 {
+		if err := validateAdminPerms(w, r); err != nil {
+			return
+		}
 		if users, code, err = h.mgr.userList(); err != nil {
 			cmn.WriteErr(w, r, err, code)
 			return
@@ -276,6 +279,17 @@ func (h *hserv) httpUserGet(w http.ResponseWriter, r *http.Request) {
 		writeJSON(w, users, "list users")
 		return
 	}
+	tk, err := getToken(r)
+	if err != nil {
+		cmn.WriteErr(w, r, err, http.StatusUnauthorized)
+		return
+	}
+	reqUser := items[0]
+	if !tk.IsAdmin && tk.UserID != reqUser {
+		err := errors.New("not authorized: requires admin or self")
+		cmn.WriteErr(w, r, err, http.StatusUnauthorized)
+		return
+	}
 	uInfo, code, err := h.mgr.lookupUser(items[0])
 	if err != nil {
 		cmn.WriteErr(w, r, err, code)

docs/authn.md

@@ -422,12 +422,14 @@ When a cluster is registered, an arbitrary alias can be assigned to the cluster.
 
 | Operation               | HTTP Action | Example                                                                                                               |
 |-------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------|
-| Get a list of users     | GET /v1/users | `curl -X GET $AUTHSRV/v1/users`                                                                                          |
-| Get a user              | GET /v1/users/\<user-id\> | `curl -X GET $AUTHSRV/v1/users/<user-id>`                                                                                  |
+| Get a list of users     | GET /v1/users | `curl -X GET $AUTHSRV/v1/users -H 'Authorization: Bearer <token>'`                                                        |
+| Get a user              | GET /v1/users/\<user-id\> | `curl -X GET $AUTHSRV/v1/users/<user-id> -H 'Authorization: Bearer <token>'`                                                |
 | Add a user              | POST /v1/users | `curl -X POST $AUTHSRV/v1/users -d '{"id": "<user-id>", "password": "<password>", "roles": "[{<role-json>}]"' -H 'Authorization: Bearer <token>'` |
 | Update an existing user | PUT /v1/users/\<user-id\> | `curl -X PUT $AUTHSRV/v1/users/<user-id> -d '{"id": "<user-id>", "password": "<password>", "roles": "[{<role-json>}]"' -H 'Authorization: Bearer <token>'`                    |
 | Delete a user           | DELETE /v1/users/\<user-id\> | `curl -X DELETE $AUTHSRV/v1/users/<user-id>  -H 'Authorization: Bearer <token>'`                                                      |
 
+> Note: A user can update their own password without admin privileges by issuing `PUT /v1/users/<user-id>` with only the `password` field set, authorized with their own token. A user can also retrieve their own user info via `GET /v1/users/<user-id>` using their own token.
+
 ### Configuration
 
 | Operation                    | HTTP Action | Example                                                                                       |

docs/cli/auth.md

@@ -2,6 +2,8 @@ For quick getting-started (local-playground) session _and_ in-depth overview, pl
 
 * [AIS AuthN documentation](/docs/authn.md).
 
+> Note: AuthN is currently in beta.
+
 ## Table of contents
 
 - [User Account and Access management](#user-account-and-access-management)

python/aistore/sdk/authn/README.md

@@ -2,6 +2,8 @@
 
 The AIStore Authentication Server (AuthN) is a standalone service that provides secure, user- and role-based access to AIStore by leveraging [OAuth 2.0](https://oauth.net/2/) compliant [JSON Web Tokens (JWTs)](https://datatracker.ietf.org/doc/html/rfc7519). The `aistore.sdk.authn` sub-package in the Python SDK allows developers to interact with the AuthN server to manage authentication, users, roles, clusters, and tokens seamlessly.
 
+> Note: AuthN is currently in beta.
+
 > For more details, please refer to the [AuthN documentation](https://github.com/NVIDIA/aistore/blob/main/docs/authn.md).
 
 ### Quick Start

python/tests/integration/sdk/authn/test_authn_user_manager.py

@@ -159,7 +159,6 @@ def test_update_user_no_roles(self):
         # Test invalid login with old password
         with self.assertRaises(ErrUserInvalidCredentials):
             self.authn_client.login(self.user.id, "12345")
-        self.authn_client.login(self.user.id, "123456")
 
         # Check if the user has the same roles
         updated_user = self.user_manager.get(username=self.user.id)
@@ -187,7 +186,6 @@ def test_update_user(self):
         # Test invalid login with old password
         with self.assertRaises(ErrUserInvalidCredentials):
             self.authn_client.login(self.user.id, "12345")
-        self.authn_client.login(self.user.id, "1234567")
 
         # Check if the user has the new role and not the old role
         updated_user = self.user_manager.get(username=self.user.id)