Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

views: integrate API authentication/access control #14

Open
2 tasks
lnielsen opened this issue Nov 20, 2015 · 9 comments
Open
2 tasks

views: integrate API authentication/access control #14

lnielsen opened this issue Nov 20, 2015 · 9 comments

Comments

@lnielsen
Copy link
Member

  • OAuth2 (with scopes)
  • Access control
@lnielsen lnielsen added this to the v1.0.0 milestone Nov 20, 2015
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 3, 2015
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 3, 2015
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 4, 2015
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 7, 2015
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 7, 2015
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 8, 2015
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 9, 2015
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Dec 14, 2015
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 11, 2016
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 11, 2016
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 12, 2016
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 12, 2016
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 14, 2016
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (reference inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 15, 2016
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (addresses inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 15, 2016
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (addresses inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
nharraud pushed a commit to nharraud/invenio-records-rest that referenced this issue Jan 18, 2016
* NEW Adds customizable access control to record views. Allow
  configuring different permissions per endpoint. (addresses inveniosoftware#14)

Signed-off-by: Nicolas Harraudeau <[email protected]>
@hachreak
Copy link
Member

hachreak commented Aug 8, 2016

@lnielsen do you think we reached the result?

@lnielsen
Copy link
Member Author

lnielsen commented Aug 8, 2016

  • OAuth2 (with scopes)

?

@hachreak
Copy link
Member

hachreak commented Aug 8, 2016

Should it be done by the permission factories? (see https://github.com/zenodo/zenodo/blob/master/zenodo/config.py#L392)

@nharraud
Copy link
Member

nharraud commented Aug 8, 2016

@lnielsen I am not sure how we can have oauth2 scopes in invenio-records-rest given that it is used in different modules. Shouldn't we have different scopes for the published records and the deposits?

I planned to check the scopes directly in the permission factories as recommended by @jirikuncar (at least that's what I understood).

@lnielsen
Copy link
Member Author

lnielsen commented Aug 8, 2016

Yes, it should be done by permission factories, but perhaps we should provide some default scopes to rely on and which are easy to integrate?

Just thinking that right now, you can get an access token for deposit, and use that you read records, files, etc. which a user might not want a third-party to do.

For scopes I'm thinking something simple as either just records or alternatively two scopes records:read + records:write/admin/update.

@nharraud
Copy link
Member

nharraud commented Aug 8, 2016

@lnielsen So you mean implementing optional scopes like here without creating any permission factory? If so, I like the idea. Having a records:read and records:update should be enough for most use cases and would enable to have scopes which can be reused in other modules if need be. They should just remain optional.

Note: records:update should not give access to the delete operation (which the admins can do). There should be another scope for delete, if it is needed.

@jirikuncar WDYT?

@lnielsen
Copy link
Member Author

lnielsen commented Aug 8, 2016

@nharraud possible the records:update/write scope could still be used to protect the delete operation, since in addition to the scope check, there's also a permission check which would fail unless you're admin…… the scopes is just to restrict what a third-party application can do with the delegated access.

@nharraud
Copy link
Member

nharraud commented Aug 8, 2016

@lnielsen I am not sure that as an admin I would give access to the "force" delete operation to any script. Most of the scripts would just get the right to fix/migrate records.

@lnielsen
Copy link
Member Author

lnielsen commented Aug 8, 2016

@nharraud Yes, hence you shouldn't delegate record:update scope to the third-party app :-) However, IMHO you shouldn't even allow force delete to an admin user.

@hjhsalo hjhsalo assigned hjhsalo and unassigned hjhsalo Nov 24, 2017
@lnielsen lnielsen modified the milestones: v1.0.0, someday Mar 11, 2018
switowski pushed a commit to dinosk/invenio-records-rest that referenced this issue May 25, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants