This is a live design document on how to support authorization at the level of project spaces. The primary driver of this development is the SEAD project.
The current design tries to support requirements described in this document:
The following is based on meeting notes from 06/09/15, attended by Indira Gutierrez Polo, Mario Felarca, Winston Jansz, Rob Kooper, Luigi Marini.
Goals:
- Meet the requirements of the above document
- Meet the outcomes of the SEAD all hands meeting in May 2015
- Simplify the design as much as possible to not overwhelm the user and provide a stable implementation within the current efforts
- Accommodate other use cases
Features Needed:
The following are already available in the current implementation:
- A dataset can be in multiple collections
The following need to be implemented:
- A file can only exist as part of a dataset (currently it can exist in multiple or none) (CATS-25)
- A dataset can be part of multiple spaces (currently it can exist in multiple or none) (CATS-26)
  - With this design there is no "move", just assign to one or more spaces
- A collection can be part of multiple spaces (currently it can exist in multiple or none) (CATS-27)
  - With this design there is no "move", just assign to one or more spaces
- Use permissions on space, collection, dataset page to pick what is available and what is not in the GUI (CATS-28)
- Nested collections (which are different from folders because a collection can be in multiple collections) (CATS-29)
- Ability to list who has access to a dataset or collection on its page (CATS-30)
- (Bonus) Folders in dataset to organize files similar to a file system (CATS-31)
Notes:
- Implement access control only at the level of spaces
- Dataset and collection authorization is based on the space
- For resources in multiple spaces take the union of permissions
- Only the owner can add a dataset/collection to a new space
- In a world where resources can be in multiple spaces, a space becomes a view into the data, not a simple self-contained place
- What happens if D1 is in C1, C1 is in S1, but D1 is not in S1?
- Publishing a dataset or collection for public viewing will be done as a separate feature from managing permission on a space level
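The resolution rules in these notes, sketched as an added example (not code from the project). The `Space`, `Collection` and `Dataset` case classes, the `inherit` flag and the sample users are assumptions; the flag shows both possible answers to the D1/C1/S1 question, which the notes leave open.

```scala
// Added example: a hypothetical model, not Clowder/SEAD project code.
object SpaceAuthzExample extends App {
  object Permission extends Enumeration { val ViewDataset, EditDataset, DeleteDataset = Value }
  type Perm = Permission.Value
  import Permission._

  // roles: user id -> permissions that user holds inside this space
  case class Space(id: String, roles: Map[String, Set[Perm]])
  case class Collection(id: String, spaces: Set[String], datasets: Set[String])
  case class Dataset(id: String, owner: String, spaces: Set[String])

  // Union of the user's permissions over every listed space.
  def union(user: String, spaceIds: Set[String], all: Map[String, Space]): Set[Perm] =
    spaceIds.flatMap(id => all.get(id).toList)
      .flatMap(_.roles.getOrElse(user, Set.empty[Perm]))

  // Dataset permissions. With inherit = false only the dataset's own spaces
  // count; with inherit = true the spaces of collections holding it count too.
  def datasetPerms(user: String, ds: Dataset, cols: Seq[Collection],
                   all: Map[String, Space], inherit: Boolean): Set[Perm] = {
    val viaCollections: Set[String] =
      if (inherit) cols.filter(_.datasets.contains(ds.id)).flatMap(_.spaces).toSet
      else Set.empty[String]
    union(user, ds.spaces ++ viaCollections, all)
  }

  // Only the owner may assign a dataset to an additional space.
  def addToSpace(user: String, ds: Dataset, spaceId: String): Either[String, Dataset] =
    if (user == ds.owner) Right(ds.copy(spaces = ds.spaces + spaceId))
    else Left(s"$user is not the owner of ${ds.id}")

  // Constructed sample data.
  val allSpaces = Map(
    "S1" -> Space("S1", Map("alice" -> Set(EditDataset), "carol" -> Set(ViewDataset))),
    "S2" -> Space("S2", Map("alice" -> Set(ViewDataset), "bob" -> Set(ViewDataset))))
  val d1 = Dataset("D1", "bob", Set("S2"))
  val c1 = Collection("C1", Set("S1"), Set("D1"))

  // D1 is in C1, C1 is in S1, D1 is not in S1; carol is only a member of S1.
  println(datasetPerms("carol", d1, Seq(c1), allSpaces, inherit = false))
  println(datasetPerms("carol", d1, Seq(c1), allSpaces, inherit = true))

  // alice may not add D1 to S1; bob, the owner, may. Once D1 is in both
  // spaces, alice's permissions are the union of her S1 and S2 roles.
  println(addToSpace("alice", d1, "S1"))
  println(addToSpace("bob", d1, "S1").map(datasetPerms("alice", _, Seq(c1), allSpaces, false)))
}
```

With `inherit = false`, a member of S1 can reach C1 but holds no permission on D1, so a collection page has to filter its dataset list per viewer.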
Permissions Cleanup:
(Note: this is the list from api.Permissions.Permission. It's pretty low level, and it's what controllers look for in the case of secured actions.)
New List:
val Public, // Page is publicly accessible, i.e. no login needed
Admin,
// spaces
ViewSpace,
CreateSpace,
DeleteSpace,
EditSpace,
// datasets
ViewDataset,
CreateDataset,
DeleteDataset,
EditDataset,
// collections
ViewCollection,
CreateCollection,
DeleteCollection,
EditCollection,
// files
AddFile,
DeleteFile,
ViewFile,
DownloadFiles,
EditLicense,
CreatePreview, // Used by extractors
MultimediaIndexDocument,
CreateNote,
// sections
CreateSection,
ViewSection,
DeleteSection, // FIXME: Unused right now
EditSection, // FIXME: Unused right now
// metadata
AddMetadata,
ViewMetadata,
DeleteMetadata, // FIXME: Unused right now
EditMetadata, // FIXME: Unused right now
// social annotation
AddTag,
DeleteTag,
ViewTags,
AddComment,
DeleteComment,
EditComment,
// geostreaming api
GSCreateStream,
GSAddDatapoint,
GSViewDatapoints,
GSAddSensor,
GSViewSensor,
GSDeleteSensor,
// users
ViewUser,
EditUser = Value
...