Add access control with PAI identity provider
SwordFaith opened this issue
Introduction
The PAI identity provider offers an API that can help the marketplace do access control user by user, which is a big step toward making the marketplace a place where users can store or share their work.
Issues / Motivations
Proposals / Solutions
@TobeyQin summarized a table about user authority management rules.
@debuggy and I addressed 6 parts to give the marketplace access control capability.
1. Marketplace item schema change: add groupList, isPublic and isPrivate properties to it. #213
   - groupList describes which groups are authorized as shared
   - isPublic describes whether everyone can view or copy the item
   - isPrivate describes whether only the author can view the item
2. /items, /items/{itemId}, /storage/blobs and /users (deprecated) should be under access control. (MP APIs) #214
   - /items supports a get request to list the marketplace items that can be viewed by the user, and a post request to add a new item.
     - For the get request, webportal will attach "username" in the body and a bearer token in the header. Marketplace restserver sends a request to /users/{username} with the bearer token in the header to get the user's group list, then queries the marketplace database for all items that can be viewed by the user (user.isAdmin || (author=="username" or isPublic or intersection of user.groupList and item.groupList)).
     - For the post request, authentication is the same, but additional groupList info is needed in the request body.
   - /items/{itemId} supports get, update and delete of a specific item. The user access check process is similar; the following graph shows the authentication check process. The main difference is the processing logic and the response meaning.
     - For a get request, the processing logic will only check authorization and return 200 + item info, 404 not found or 403 forbidden.
     - For a delete/put request, the processing logic should also delete or update the item in the database. If (item.author==username or user.isAdmin), return 200 OK on success; the other responses are 404 not found, 403 forbidden or 405 invalid input (put only).
   - /storage/blobs and /users (deprecated) are admin management APIs and should add an isAdmin check (whether the user is in the admin group, or the "isAdmin" field in the user info offered by the IdP API /users/{username}). If the user is not an admin, return 403 forbidden; otherwise the regular function is performed.
3. Offer /items?type=my get query #215
   - Internally convert to an author == username filter query
4. Make the "Delete" button under access control #216
   - Check (item.author==username or user.isAdmin) locally; if there is no delete authorization, the delete button should be disabled (hidden or grayed out). On click of the enabled button, webportal will send a delete request to the /items/{itemId} API, which will check auth again. If the response is 200 OK, webportal should show a successful delete message and remove the item locally; otherwise webportal should prompt an error. Backend db consistency issue?
5. Make the "Copy" button under access control
   - Because "Copy" and "View" are considered the same privilege level, if the user can view an item locally, the "Copy" button should be enabled as well (maybe at the same position as the "Delete" button). On click of the "Copy" button, webportal should show a rename box (and a "more" button to change other metadata), assemble the new metadata with the original template, and then send a post request to the /items/ API, which will check auth. Auto-rename if copied without renaming.
6. Add access control info in the create template process
   - Add checkboxes to select whether the template is Private/Public/Shared; if shared, the user can add groups to share with. webportal will call the /groups API to support groupList suggestions.
Function by function
[Name + description] job type and work load
- new function
- modify current function and add access control
- add access control only
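The view/copy rule, the update/delete rule and the admin-only gate from the proposals above, written out as pure functions so they can be exercised against sample data. This is an added example, not code from the marketplace project or from the issue author; it assumes that the IdP's /users/{username} API returns an object with `username`, `isAdmin` and `groupList`, that items carry the proposed `author`, `isPublic`, `isPrivate` and `groupList` fields, and that `isPrivate` overrides `isPublic` and group sharing (the proposal does not say which wins when both are set). The `405` for an invalid PUT body follows the proposal; note that in HTTP, 405 means "Method Not Allowed" and 400 is the conventional code for a bad request body. The in-memory `Map` store, the `name` validation in PUT and all sample users and items are constructed for the example.

```javascript
// Added example (not the marketplace project's own code). Assumed shapes:
//   user: { username, isAdmin, groupList }   (as returned by the IdP /users/{username})
//   item: { id, author, isPublic, isPrivate, groupList }

function isAdmin(user) {
  return user.isAdmin === true;
}

// Shared-group check: non-empty intersection of user.groupList and item.groupList.
function sharesGroup(user, item) {
  const userGroups = new Set(user.groupList || []);
  return (item.groupList || []).some((g) => userGroups.has(g));
}

// View/copy rule: user.isAdmin || (author == username or isPublic or group intersection).
// Assumption: isPrivate means "author only", so it wins over isPublic/groupList.
function canView(user, item) {
  if (isAdmin(user) || item.author === user.username) return true;
  if (item.isPrivate === true) return false;
  return item.isPublic === true || sharesGroup(user, item);
}

// Update/delete rule: item.author == username or user.isAdmin.
function canModify(user, item) {
  return isAdmin(user) || item.author === user.username;
}

// GET /items: everything the caller is allowed to see.
function visibleItems(user, items) {
  return items.filter((item) => canView(user, item));
}

// GET /items?type=my: converted internally to an author == username filter.
function myItems(user, items) {
  return items.filter((item) => item.author === user.username);
}

// Status code /items/{itemId} would return, following the proposal:
// 404 unknown item, 403 not authorized, 405 invalid PUT input, 200 otherwise.
// 'store' is a Map of itemId -> item standing in for the marketplace database.
function itemRequestStatus(method, user, store, itemId, body) {
  const item = store.get(itemId);
  if (!item) return 404;
  switch (method) {
    case 'GET':
      return canView(user, item) ? 200 : 403;
    case 'DELETE':
      if (!canModify(user, item)) return 403;
      store.delete(itemId);
      return 200;
    case 'PUT': {
      if (!canModify(user, item)) return 403;
      // Assumed validation: a name is required and ownership cannot be reassigned.
      const badInput = !body || typeof body.name !== 'string' ||
        (body.author !== undefined && body.author !== item.author);
      if (badInput) return 405;
      store.set(itemId, { ...item, ...body, author: item.author });
      return 200;
    }
    default:
      return 405;
  }
}

// Admin-only gate for /storage/blobs and the deprecated /users endpoints.
function adminOnlyStatus(user) {
  return isAdmin(user) ? 200 : 403;
}

// Constructed sample data.
const users = {
  alice: { username: 'alice', isAdmin: false, groupList: ['nlp'] },
  bob: { username: 'bob', isAdmin: false, groupList: ['vision'] },
  root: { username: 'root', isAdmin: true, groupList: [] },
};
const sampleItems = [
  { id: 'i1', author: 'alice', isPublic: false, isPrivate: true, groupList: [] },
  { id: 'i2', author: 'alice', isPublic: false, isPrivate: false, groupList: ['vision'] },
  { id: 'i3', author: 'bob', isPublic: true, isPrivate: false, groupList: [] },
  { id: 'i4', author: 'bob', isPublic: false, isPrivate: false, groupList: ['nlp', 'vision'] },
];

// Fresh store per run so DELETE/PUT do not leak between calls.
function makeStore() {
  return new Map(sampleItems.map((item) => [item.id, { ...item }]));
}

console.log('bob sees:', visibleItems(users.bob, sampleItems).map((i) => i.id).join(','));
console.log('alice sees:', visibleItems(users.alice, sampleItems).map((i) => i.id).join(','));
```

Because the webportal only disables buttons based on the same predicates, every state-changing request still goes through `itemRequestStatus`/`adminOnlyStatus` server-side; the client-side check is a usability hint, not the security boundary.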