ACL-based auth policy and the @permission_required_for_context decorator. For now used with /users API #234

nhoening · 2021-11-09T10:05:05Z

closes #201

we might not do table-based authorization for a while (table-level auth: let data classes define which roles are allowed #200), as I did not find a nice way in this PR to do it, without having to separate acl lists
I simplified how GET /users works - it can only get users per one account. Simplifying APIs is usually a good idea, I believe. It is a breaking change which I'll mention, but I'm very certain no-one relied on it yet.
The users API does some column-based checks (authorize a request based on what fields are affected). We could even address this in our auth policy, I believe, but I don't see a clean way. Let's leave this to the endpoints for now. There should not be many more examples, maybe none (users are a bit special).
We can still discuss what to do with service listings and /getService from here on out. They list required roles for each service. Will that persist?

…uired_for_context decorator. Used for one /user endpoint (GET /user/<id>)

…g /users to work for one account only, and moving API context factories to a common location

…plification

…s for principals matching

Flix6x

Besides some minor fixes, I feel like we should be incorporating more Marshmallow functionality here.

And about your question:

We can still discuss what to do with service listings and /getService from here on out. They list required roles for each service. Will that persist?

I think this might be two questions actually:

Will the USEF roles in those service listings become obsolete? I believe they might, but I haven't completely thought this through.
Do we want the service listings to list relevant ACL? I believe we do.

documentation/changelog.rst

flexmeasures/api/common/factories.py

flexmeasures/auth/policy.py

flexmeasures/api/v2_0/implementations/users.py

flexmeasures/api/common/responses.py

flexmeasures/api/common/factories.py

… already pins it >3)

…ecking decorator to get the resource from keyword args

…sion decorator a bit

…points

nhoening · 2021-11-17T14:54:45Z

I believe the way we list auth access for services will be addressed a bit later. I might be interesting to put the ACLs in natural language, actually. I'll add a card to this project (https://github.com/SeitaBV/flexmeasures/projects/4).

Flix6x

Only small requests left: mainly some questions about documentation and the wish for a policy regarding raising errors or returning error messages in decorators.

flexmeasures/auth/decorators.py

flexmeasures/data/models/user.py

flexmeasures/auth/decorators.py

Flix6x

Possibly still needs an adjustment to the function signature of the error handler.

flexmeasures/auth/decorators.py

flexmeasures/auth/error_handling.py

nhoening added 8 commits November 9, 2021 11:03

first implementation of ACL-based auth policy and the @permission_req…

ec93cc7

…uired_for_context decorator. Used for one /user endpoint (GET /user/<id>)

make GET /users and PATCH /user/<id> work. Inn the process simplifyin…

977dc82

…g /users to work for one account only, and moving API context factories to a common location

resolve circular import

cab6083

always log the authorization failure for debugging purposes

16ea49c

adapt UI crud so it lists users from all accounts again after API sim…

e46c9f0

…plification

check for valid permissions and allow the ADMIN_READER role to read

158a945

separate checking admin access and principals within policy, add test…

c33f982

…s for principals matching

changelog entry

d65f85f

nhoening marked this pull request as ready for review November 10, 2021 08:47

fix test

a6acf8d

nhoening requested a review from Flix6x November 10, 2021 08:56

Add test for multiple roles and multiple account roles

8734e8d

Flix6x requested changes Nov 11, 2021

View reviewed changes

nhoening added 8 commits November 15, 2021 21:28

smaller haul from review

1da1a6e

replace deprecated marshmallow parameters

fff7705

explicitly require marshmallow>3 as we use recent parameters (app.txt…

0a0c250

… already pins it >3)

replace load_account with Marshmallow field; enable the permission-ch…

9588501

…ecking decorator to get the resource from keyword args

move load_user factory to marshmallow field, as well; refactor permis…

0ef64a1

…sion decorator a bit

update documentation

2aaeb70

permissions: use update over write (-> CRUD)

7bb46e8

use @auth_required in place of @login_required in non-user-facing end…

c6f8300

…points

nhoening added this to In progress in Authorization based on accounts Nov 17, 2021

nhoening removed this from In progress in Authorization based on accounts Nov 17, 2021

nhoening requested a review from Flix6x November 17, 2021 14:56

Flix6x added this to In progress in Authorization based on accounts via automation Nov 17, 2021

Flix6x requested changes Nov 20, 2021

View reviewed changes

nhoening added 2 commits November 20, 2021 12:25

doc improvements from review

58e6ab5

nicer way to state conditions for account roles decorators

670bc1d

nhoening requested a review from Flix6x November 20, 2021 16:25

Flix6x and others added 3 commits November 20, 2021 19:04

Typo

8637d48

Auth decorators raise 403/401, simplify invalid_sender

6f4af62

Add type annotation

fe84e6e

Flix6x requested changes Nov 23, 2021

View reviewed changes

flexmeasures/auth/decorators.py Outdated Show resolved Hide resolved

flexmeasures/auth/decorators.py Outdated Show resolved Hide resolved

flexmeasures/auth/error_handling.py Show resolved Hide resolved

nicer error messages in auth decorators

782569b

Flix6x approved these changes Nov 24, 2021

View reviewed changes

nhoening merged commit c9c410f into main Nov 24, 2021

Authorization based on accounts automation moved this from In progress to Done Nov 24, 2021

nhoening deleted the central-auth-policy-for-users branch November 24, 2021 10:12

nhoening restored the central-auth-policy-for-users branch November 24, 2021 10:12

nhoening deleted the central-auth-policy-for-users branch November 24, 2021 10:12

Flix6x added this to the 0.8.0 milestone Jan 20, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ACL-based auth policy and the @permission_required_for_context decorator. For now used with /users API #234

ACL-based auth policy and the @permission_required_for_context decorator. For now used with /users API #234

nhoening commented Nov 9, 2021 •

edited

Flix6x left a comment

nhoening commented Nov 17, 2021 •

edited by Flix6x

Flix6x left a comment

Flix6x left a comment

ACL-based auth policy and the @permission_required_for_context decorator. For now used with /users API #234

ACL-based auth policy and the @permission_required_for_context decorator. For now used with /users API #234

Conversation

nhoening commented Nov 9, 2021 • edited

Flix6x left a comment

Choose a reason for hiding this comment

nhoening commented Nov 17, 2021 • edited by Flix6x

Flix6x left a comment

Choose a reason for hiding this comment

Flix6x left a comment

Choose a reason for hiding this comment

nhoening commented Nov 9, 2021 •

edited

nhoening commented Nov 17, 2021 •

edited by Flix6x