
Groups membership support #2186


@ntarocco
Contributor

ntarocco commented May 4, 2021

The logged in user, in some organizations, might be a member of some groups that can be useful to define advanced authorization policy.
An example could be that the logged in user is admin of a specific Invenio community because (s)he belongs to a group "foo-community-admins".
The list of such groups of which the user is a member is normally not added to the authentication payload (it might be the case for some OAuth providers), but it has to be fetched after the authentication has succeeded.

  • The developer should be able to easily implement a post-login hook to parse the auth payload to get the groups (some OAuth) or perform an extra call to fetch the groups. In case this operation of retrieving groups is long, complex or heavy, the developer should be able to trigger it in an asynchronous way.
  • Since users and groups have to be searchable to define authorization when setting permissions (e.g. sharing), all organization users and groups should be in the Invenio DB. It should be easy for developers to implement a recurrent task that will sync users/groups and import them.
  • Groups should simply become roles in Invenio when imported.

To read

Tasks

  • Read and understand the doc of invenio-access about permissions.
  • Change invenio-accounts role table:
    • The primary key should be a unique ID, non-autoincrement. This is because it can be set by the external identity provider when fetching groups externally. Two cases here:
      1. The primary key value could come from the external groups database, which has stable-unique IDs per group.
      2. When local role (managed by Invenio), it should probably be a randomly generated UUID.
    • Add the new db col is_managed.
    • Make sure that created/updated columns are there.
    • Fix foreign key, tests, etc...
  • invenio-users-resources:
    • Change the GroupsAggregator and groups code in invenio-users-resources (currently is_managed is hardcoded to True). This has to be changed. The new groups should be indexed in OpenSearch.
    • Change the hooks to avoid the creation of a celery task per user and group, but rather one celery task with all the users and another celery task with all the groups. Think about any possible issue here.
    • Make sure that it is easy to re-index all roles, found in the DB, in OpenSearch, in case something goes wrong.
  • invenio-oauthclient:
    • add a new handler, after login, to get or fetch user's. This might be an expensive operation! A developer might want to do this sync or async, to avoid blocking the authentication flow with an HTTP request timeout
    • when all the user groups are fetched:
      1. new user's groups, not yet existing in the roles table, should be inserted - groups in OpenSearch must be re-indexed
      2. the table userroles should be updated, so that the logged in user will have all fetched roles. To do that, we should:
      • insert missing user <-> role
      • delete the previously existing user <-> role for which the role is not any more in the user's fetched groups
      3. on login, the groups of the logged in user should be added to the session if possible and not persisted to the DB. This is to avoid leaking to sysadmins if a user belongs to a group, by checking the DB. This has to be tested well, e.g. make sure that a user who is a member of a group set as the community's owner is owner of the community. It looks like invenio-communities needs to be changed: the roles in the current user session should also be added as, now, only the user.roles (the ones in the users-roles table) are taken into account.

Only roles for which is_managed is False (not managed by Invenio) should be touched. Internally managed roles are instead managed via Invenio CLI. We should double-check that the Invenio CLI will not touch the is_managed:False roles.

WIP PRs
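The reconciliation described in the issue (insert roles for new groups, add missing user <-> role links, drop stale links, and leave is_managed roles alone) as an added example that is not code from the issue or from any Invenio package. It models the roles table and the userroles link table as plain in-memory dicts so it runs offline; the names Role, Store, create_local_role, reconcile_user_groups, session_role_ids and the sample group ids are assumptions for the illustration.

```python
"""Reconcile a user's externally fetched groups with locally stored roles.

Added example, not code from the issue or from Invenio. Tables are modelled
as plain dicts/sets; all names and sample data here are assumptions.
"""
from dataclasses import dataclass, field
import uuid


@dataclass
class Role:
    id: str            # stable id from the external groups DB, or a random UUID
    name: str
    is_managed: bool   # True: managed by Invenio CLI; False: mirrored from the IdP


@dataclass
class Store:
    roles: dict = field(default_factory=dict)          # role id -> Role
    user_roles: dict = field(default_factory=dict)     # user id -> set of role ids
    reindex_queue: list = field(default_factory=list)  # role ids to (re)index in search


def create_local_role(store, name):
    """Local (Invenio-managed) roles get a random UUID as non-autoincrement key."""
    role = Role(id=str(uuid.uuid4()), name=name, is_managed=True)
    store.roles[role.id] = role
    store.reindex_queue.append(role.id)
    return role


def reconcile_user_groups(store, user_id, fetched_groups):
    """Persist the groups returned by the post-login hook for one user.

    fetched_groups: dict external group id -> display name.
    Returns (inserted_role_ids, added_link_ids, removed_link_ids).
    """
    inserted = []
    # 1. groups not yet in the roles table become unmanaged roles and are re-indexed
    for gid, name in fetched_groups.items():
        if gid not in store.roles:
            store.roles[gid] = Role(id=gid, name=name, is_managed=False)
            inserted.append(gid)
            store.reindex_queue.append(gid)

    current = store.user_roles.setdefault(user_id, set())
    wanted = set(fetched_groups)
    # 2a. insert missing user <-> role links
    to_add = wanted - current
    # 2b. delete links whose unmanaged role the IdP no longer reports;
    #     is_managed roles are never touched by the sync
    to_remove = {rid for rid in current - wanted if not store.roles[rid].is_managed}
    current |= to_add
    current -= to_remove
    return inserted, to_add, to_remove


def session_role_ids(store, user_id, fetched_groups):
    """Session-only variant (point 3): combine persisted roles with the fetched
    groups for the current identity without writing anything to the store."""
    return set(store.user_roles.get(user_id, set())) | set(fetched_groups)


if __name__ == "__main__":
    # constructed sample data
    s = Store()
    admin = create_local_role(s, "admin")
    s.roles["legacy-group"] = Role("legacy-group", "Legacy", is_managed=False)
    s.user_roles["alice"] = {admin.id, "legacy-group"}
    print(reconcile_user_groups(s, "alice", {"foo-community-admins": "Foo admins"}))
    print(session_role_ids(s, "bob", {"foo-community-admins": "Foo admins"}))
```

A real implementation would run the two loops inside one DB transaction and re-index only the ids collected in reindex_queue, which keeps the "re-index everything" path a separate, explicit operation as the issue asks.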

@ntarocco ntarocco self-assigned this Dec 15, 2022
ntarocco referenced this issue in ntarocco/invenio-oauthclient Jan 26, 2023
* closes #245
@ntarocco ntarocco assigned TLGINO and unassigned ntarocco Apr 5, 2023
@ntarocco ntarocco transferred this issue from inveniosoftware/invenio-oauthclient Apr 5, 2023
TLGINO added a commit to TLGINO/invenio-communities that referenced this issue Apr 19, 2023
TLGINO added a commit to TLGINO/invenio-access that referenced this issue Apr 19, 2023
TLGINO added a commit to TLGINO/invenio-communities that referenced this issue Apr 23, 2023
TLGINO added a commit to TLGINO/invenio-access that referenced this issue Apr 23, 2023
TLGINO added a commit to TLGINO/invenio-access that referenced this issue Apr 24, 2023
TLGINO added a commit to TLGINO/invenio-communities that referenced this issue Apr 24, 2023
TLGINO added a commit to TLGINO/invenio-access that referenced this issue Apr 27, 2023
TLGINO added a commit to TLGINO/invenio-users-resources that referenced this issue May 6, 2023
TLGINO added a commit to TLGINO/invenio-oauthclient that referenced this issue May 8, 2023
 * DB integration for groups handler
 * Roles integration for groups handler
 * added dummy handler for groups
 * closes inveniosoftware/invenio-app-rdm#2186
TLGINO added a commit to TLGINO/invenio-users-resources that referenced this issue May 8, 2023
 * changed number of workers per celery task based on task type
 * closes inveniosoftware/invenio-app-rdm#2186
TLGINO added a commit to TLGINO/invenio-accounts that referenced this issue May 9, 2023
 * added migration recipe dependencies
 * added dependency for invenio_access for alembic versioning suppport
 * wip tests
 * closes inveniosoftware/invenio-app-rdm#2186
TLGINO added a commit to TLGINO/invenio-users-resources that referenced this issue May 9, 2023
 * changed number of workers per celery task based on task type
 * closes inveniosoftware/invenio-app-rdm#2186
jrcastro2 added a commit to jrcastro2/docs-invenio-rdm that referenced this issue May 11, 2023
TLGINO added a commit to TLGINO/invenio-access that referenced this issue May 12, 2023
jrcastro2 added a commit to jrcastro2/invenio-users-resources that referenced this issue May 12, 2023
TLGINO added a commit to TLGINO/invenio-rdm-records that referenced this issue May 12, 2023
TLGINO added a commit to TLGINO/docs-invenio-rdm that referenced this issue May 12, 2023
jrcastro2 added a commit to TLGINO/invenio-communities that referenced this issue Jun 13, 2023
* closes inveniosoftware/invenio-app-rdm#2186
* fixes display of group names
* updates hooks to invalidate cache on user/role change
* adds identity cache
* adds celery task to clean the identity cache

Co-authored-by: jrcastro2 <[email protected]>
jrcastro2 added a commit to TLGINO/invenio-accounts that referenced this issue Jun 13, 2023
* closes inveniosoftware/invenio-app-rdm#2186
* updated cli to pass ids on create role

Co-authored-by: jrcastro2 <[email protected]>
jrcastro2 added a commit to TLGINO/invenio-access that referenced this issue Jun 13, 2023
 * fix role instantiation
 * closes inveniosoftware/invenio-app-rdm#2186

Co-authored-by: jrcastro2 <[email protected]>
jrcastro2 added a commit to jrcastro2/invenio-users-resources that referenced this issue Jun 13, 2023
jrcastro2 added a commit to TLGINO/invenio-communities that referenced this issue Jun 13, 2023
* closes inveniosoftware/invenio-app-rdm#2186
* fixes display of group names
* updates hooks to invalidate cache on user/role change
* adds identity cache
* adds celery task to clean the identity cache

Co-authored-by: jrcastro2 <[email protected]>
jrcastro2 added a commit to TLGINO/invenio-accounts that referenced this issue Jun 14, 2023
* closes inveniosoftware/invenio-app-rdm#2186
* updated cli to pass ids on create role
* models: add managed flag to group (breaking change)

Co-authored-by: jrcastro2 <[email protected]>
kpsherva pushed a commit to inveniosoftware/invenio-accounts that referenced this issue Jun 14, 2023
* closes inveniosoftware/invenio-app-rdm#2186
* updated cli to pass ids on create role
* models: add managed flag to group (breaking change)

Co-authored-by: jrcastro2 <[email protected]>
@kpsherva kpsherva self-assigned this Jun 14, 2023
kpsherva added a commit to inveniosoftware/invenio-access that referenced this issue Jun 14, 2023
* model: Update role_id column
 * fix role instantiation
 * closes inveniosoftware/invenio-app-rdm#2186

Co-authored-by: jrcastro2 <[email protected]>

* setup: upgrade invenio-accounts
* alembic: fix syntax issue for mysql

---------

Co-authored-by: jrcastro2 <[email protected]>
Co-authored-by: Karolina Przerwa <[email protected]>
jrcastro2 added a commit to jrcastro2/invenio-oauthclient that referenced this issue Jun 14, 2023
* roles integration for groups handler
* added dummy handler for groups
* closes inveniosoftware/invenio-app-rdm#2186

Co-authored-by: jrcastro2 <[email protected]>
kpsherva pushed a commit to inveniosoftware/invenio-oauthclient that referenced this issue Jun 14, 2023
* roles integration for groups handler
* added dummy handler for groups
* closes inveniosoftware/invenio-app-rdm#2186

Co-authored-by: jrcastro2 <[email protected]>
kpsherva pushed a commit to inveniosoftware/invenio-users-resources that referenced this issue Jun 15, 2023
kpsherva pushed a commit to inveniosoftware/invenio-communities that referenced this issue Jun 15, 2023
* closes inveniosoftware/invenio-app-rdm#2186
* fixes display of group names
* updates hooks to invalidate cache on user/role change
* adds identity cache
* adds celery task to clean the identity cache

Co-authored-by: jrcastro2 <[email protected]>
kpsherva pushed a commit that referenced this issue Jun 15, 2023
TLGINO added a commit to TLGINO/invenio-users-resources that referenced this issue Jun 16, 2023
 * changed number of workers per celery task based on task type
 * closes inveniosoftware/invenio-app-rdm#2186
TLGINO added a commit to TLGINO/invenio-rdm-records that referenced this issue Jun 16, 2023
TLGINO added a commit to TLGINO/docs-invenio-rdm that referenced this issue Jun 26, 2023
TLGINO added a commit to TLGINO/docs-invenio-rdm that referenced this issue Jun 27, 2023
zzacharo pushed a commit to zzacharo/docs-invenio-rdm that referenced this issue Jun 30, 2023
zzacharo pushed a commit to inveniosoftware/docs-invenio-rdm that referenced this issue Jun 30, 2023
ntarocco pushed a commit to inveniosoftware/docs-invenio-rdm that referenced this issue Jul 13, 2023
ntarocco pushed a commit to inveniosoftware/docs-invenio-rdm that referenced this issue Jul 28, 2023
kpsherva pushed a commit to kpsherva/docs-invenio-rdm that referenced this issue Jun 8, 2024
kpsherva pushed a commit to kpsherva/docs-invenio-rdm that referenced this issue Jun 10, 2024
anikachurilova pushed a commit to anikachurilova/docs-invenio-rdm that referenced this issue Jun 10, 2024
fenekku pushed a commit to martinobersteiner/docs-invenio-rdm that referenced this issue Jul 10, 2024
fenekku pushed a commit to inveniosoftware/docs-invenio-rdm that referenced this issue Jul 12, 2024
fenekku pushed a commit to inveniosoftware/docs-invenio-rdm that referenced this issue Aug 1, 2024