Authenticating Uyuni MCP server through the Uyuni API #108
Conversation
|
Thanks @cbbayburt for putting this RFC together. It's really helpful to have a clear breakdown of the problem and the different options. I've been thinking about Pattern 1 and have some concerns about the security of the mcp-service-account. Since it's a single, highly privileged user that all MCP server users would rely on, a compromise of that key would be a huge problem—it would grant full access to Uyuni. The RFC mentions this is a high-impact risk, and I completely agree. Plus, if the MCP server is run locally, any user would have to know that super user key. If that key is ever compromised, we'd have to revoke it, which would cut off access for everyone. I think there's a different way we could approach this that might be more secure and still fairly straightforward to implement. Instead of a single powerful API key, what if we used a unique API key for each user? Here's the basic idea:
I see a few big wins with this approach:
What do you think? Curious to hear your thoughts on this as a potential alternative. |
|
@jordimassaguerpla thanks for the input.
This sounds like a good compromise between the two patterns. The only part that needs clarification is:
How do we manage the API keys from multiple users? In this pattern, the complexity changes from the authorization logic to key lifecycle management:
A straightforward solution for this could be implementing a simple UI for adding/managing API keys for users. When the user first logs in via OAuth, we can redirect them to this UI to add their API key and store it. Later, at any time, the user can navigate to this UI to manage their key. Another issue is that we don't have a UI in Uyuni to generate API keys for users. This will need to be implemented in the UI as well. Nevertheless, I'll add this idea to the RFC for further discussion/comparison. |
|
|
||
| 1. **User Authentication (OAuth)**: The end-user authenticates with the MCP proxy ecosystem via a standard OAuth 2.0 flow. The LLM agent receives a JWT access token representing the user. | ||
|
|
||
| 2. **MCP Server Authentication**: |
There was a problem hiding this comment.
This one looks more tricky, since uses one single account to rule them all
There was a problem hiding this comment.
Would it be advisable to shorten as much as possible the duration of the sessions in this case? Or re-evaluate RBAC permissions in case they somehow changed while the session is still valid.
| - A single, non-human **Service Account** (e.g., `mcp-service-account`) is created in Uyuni with a powerful role that includes the permissions necessary to execute any tool within the Uyuni MCP server. | ||
| - An API key is generated for this account and stored securely in the MCP server's environment. The MCP server uses this key to authenticate itself to the Uyuni API. | ||
|
|
||
| 3. **Authorization Flow**: |
There was a problem hiding this comment.
This is moving the authorization check to the MCP server. It should be relatively safe since it's done by API call to extract the data, but it would still be duplicating the user validation.
| 3. **The MCP server performs a pre-flight authorization check.** It makes a read-only call to the Uyuni API (`access.list_permissions`) to verify that `alice` has the necessary permissions for the requested action on the target resource. | ||
| 4. Only if the permission check passes, the MCP server executes the command using its own privileged Service Account API key. | ||
|
|
||
| 4. **Auditing**: The MCP server **must** maintain its own immutable audit log that maps every executed command back to the originating user's identity from the JWT. This is critical, as Uyuni's native logs will only show the `mcp-service-account` as the actor. |
There was a problem hiding this comment.
The auditing will be part of MCP and not the MLM. So if we have users interacting directly with MLM and other users MCP, to have a complite picture of the auditing, we need to look at two systems?
I would prefer to keep it all centralized in the MLM server
| 2. **Custom Authentication Backend in Uyuni**: | ||
| - A new API endpoint is added to Uyuni that is capable of validating JWTs issued by the external Authorization Server. | ||
|
|
||
| 3. **Authorization Flow (Token Exchange)**: |
There was a problem hiding this comment.
so, basically it enhances the login endpoint to also allow login with JWT tokens instead of just username/password. Then the session token should be sent
|
|
||
| --- | ||
|
|
||
| ### Pattern 2: OAuth Token Exchange |
There was a problem hiding this comment.
I would upvote for this one. The most straightforward approach, and follows all the best standards.
There was a problem hiding this comment.
Could this be done with some sort of auth proxy? So user sessions would be managed between Uyuni server and the auth proxy.
|
|
||
| **Architecture:** | ||
|
|
||
| 1. **Prerequisite: Implement Native API Key Management in Uyuni**: |
There was a problem hiding this comment.
This would not be much different from OAuth. The benefit of OAuth is that it is standard and doesn't need revoked. When the tokes is end of live, it cannot be used anymore. Or I'm getting it wrong?
|
|
||
| 2. **User Authentication (OAuth)**: Same as other patterns. The end-user authenticates via OAuth, and the LLM agent receives a JWT access token. | ||
|
|
||
| 3. **Per-User API Key Storage**: |
There was a problem hiding this comment.
If we also need the OAuth token on this approach why over-engineering and ask for another key?
| - **Implementation Complexity**: The authorization logic must be carefully implemented and maintained within the MCP server. | ||
|
|
||
| **Of Pattern 2 (Token Exchange):** | ||
| - **Extra Development Effort**: Requires significant changes to the core Uyuni product to support JWT validation and session exchange. |
There was a problem hiding this comment.
We just need to have JWT authentication on the login endpoint. Then existing session toke could be used.
There was a problem hiding this comment.
Also token lifecycle management, as already pointed out.
| **Of Pattern 2 (Token Exchange):** | ||
| - **Extra Development Effort**: Requires significant changes to the core Uyuni product to support JWT validation and session exchange. | ||
| - **Increased Coupling**: Tightly couples Uyuni's authentication mechanism with the external Authorization Server. | ||
| - **Complex Setup**: The initial configuration of the trust relationship between Uyuni and the Authorization Server is more complex. |
There was a problem hiding this comment.
These last 2 items also applies to pattern 3
What about we use mcp elicitation? |
|
@rjmateus, thanks for the input. I guess it's obvious that Pattern 2 is the way to go for a standard enterprise setup. I think this will be the only approved solution from SUSE AI as well. And, considering there's also work needed to support API keys in Uyuni, there's not even much development overhead compared to other patterns. |
|
@rjmateus @jordimassaguerpla I think I'll just remove alternative patterns to make the RFC simpler before sharing it to a wider audience. |
|
@cbbayburt I think you can move the other option to the end in a section |
| 1. **User Authentication (OAuth)**: The end-user authenticates with the MCP proxy ecosystem via a standard OAuth 2.0 flow. The LLM agent receives a JWT access token representing the user. | ||
|
|
||
| 2. **MCP Server Authentication**: | ||
| - A single, non-human **Service Account** (e.g., `mcp-service-account`) is created in Uyuni with a powerful role that includes the permissions necessary to execute any tool within the Uyuni MCP server. |
There was a problem hiding this comment.
So would it exist a custom Uyuni role for the service that would be read-only access except for whatever is needed to run the available tools, correct?
|
|
||
| 1. **User Authentication (OAuth)**: The end-user authenticates with the MCP proxy ecosystem via a standard OAuth 2.0 flow. The LLM agent receives a JWT access token representing the user. | ||
|
|
||
| 2. **MCP Server Authentication**: |
There was a problem hiding this comment.
Would it be advisable to shorten as much as possible the duration of the sessions in this case? Or re-evaluate RBAC permissions in case they somehow changed while the session is still valid.
|
|
||
| --- | ||
|
|
||
| ### Pattern 2: OAuth Token Exchange |
There was a problem hiding this comment.
Could this be done with some sort of auth proxy? So user sessions would be managed between Uyuni server and the auth proxy.
| - **Implementation Complexity**: The authorization logic must be carefully implemented and maintained within the MCP server. | ||
|
|
||
| **Of Pattern 2 (Token Exchange):** | ||
| - **Extra Development Effort**: Requires significant changes to the core Uyuni product to support JWT validation and session exchange. |
There was a problem hiding this comment.
Also token lifecycle management, as already pointed out.
4 participants
This RFC presents two architectural patterns for securely connecting the Uyuni MCP server to the Uyuni API. The core challenge is bridging an OAuth-based system with Uyuni's existing credential-based API. This document details two viable solutions: a "Service Account with Internal Authorization" pattern that requires no changes to Uyuni's codebase, and an "OAuth Token Exchange" pattern that offers tighter integration at the cost of modifying Uyuni. Both designs aim to enable secure, user-delegated actions from an LLM-based agent.
See the rendered version.