Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mongo user/resource access control export #5376

Draft
wants to merge 32 commits into
base: develop
Choose a base branch
from
Draft

Mongo user/resource access control export #5376

wants to merge 32 commits into from

Conversation

sblack-usu
Copy link
Contributor

Pull Request Checklist:

  • Positive Test Case Written by Dev
  • Automated Testing
  • Sufficient User and Developer Documentation
  • Passing Jenkins Build
  • Peer Code review and approval

Positive Test Case

  1. [Enter positive test case here]

alvacouch and others added 28 commits March 2, 2023 12:18
@alvacouch
New access control method shortcuts around object definitions
d3ed74c
@alvacouch
Pass flake8
b2ee35e
@alvacouch
Correct for new develop tests.
0b7e8e7
@alvacouch
Sped up User resolution by using only email.
9d19e58
@alvacouch
Minimize local processing
5041b0e
@alvacouch
Performance tuning: no object resolution after query.
9e29178
@alvacouch
Add ability to measure the extent of an access change
46fb163
@alvacouch
Passes elementary tests
029caea
@alvacouch
Add zone_of_publicity, fix bug in test_zone_of_influence
5284175
@alvacouch
list([...]) --> [...]
32cbc42
@sblack-usu
add mongo collection updates in discovery signal processor
55875f5
@sblack-usu
add try/except block for updating mongo
7b60be6
@sblack-usu
json model dump with alias
64d965c
@sblack-usu
send json with isodate objects instead of strings for dates
ae2f994
@sblack-usu
push mongo discovery updates to celery async
b2feac9
@sblack-usu
fix the datetime references
1b80b49
@sblack-usu
Merge branch 'access-control-shortcut' into mongo-discovery-access-co…
554f893 
…ntrol
@sblack-usu
push access control changes to mongo
3104b2d
@sblack-usu
fix the hs_access_control import
0b68e6b
@sblack-usu
add logging
00d4bb4
@sblack-usu
fix typo in kwargs keyname users
ab2a278
@sblack-usu
fix typo with user.object
9610b11
@sblack-usu
process all user resource privileges in one async task
711c16c
@sblack-usu
include more info on the resource and user access export
10d872c
@sblack-usu
include owner information in user_resource_privileges
1f5890b
@sblack-usu
only export resource ids for discoverable resources
831a100
@sblack-usu
Merge remote-tracking branch 'origin/develop' into mongo-discovery-ac…
5546d3b 
…cess-control
@sblack-usu
remove change to discovery package-lock
8578b3f
@sblack-usu sblack-usu marked this pull request as draft February 22, 2024 13:57
pkdash
pkdash reviewed Feb 22, 2024
View reviewed changes
Copy link
Member

@pkdash pkdash left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some comments.

hs_core/mongo_discovery_processor.py
def parse_query_result(resources):
results = []
for resource in resources.all():
owners = list(resource.raccess.owners.values_list("username", flat=True))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems for minio there is a reason we need to know all the owners of a resource that a user has access to.

hs_access_control/models/shortcut.py
return (users, resources)


def zone_of_publicity(send=True, **kwargs):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently, this function seems not doing much except sending the signal.

hs_access_control/models/privilege.py
@@ -132,6 +133,13 @@ def update(cls, **kwargs):
cls.objects.filter(**kwargs) \
.delete()

# notify cache of changes in privilege
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

delete community from kwargs?

hs_access_control/models/shortcut.py
# both multiple users and multiple resources.
# this sends signal access_changed.

def zone_of_influence(send=True, **kwargs):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May be better to check what combinations of keys are needed for this function to work.

hs_access_control/models/shortcut.py
# This saves oodles of time in processing requests from REST calls.
#############################################

def get_user_resource_privilege(email, short_id):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could not find where this function is used except in tests.

hs_access_control/models/shortcut.py
else:
privilege = [PrivilegeCodes.NONE]

# user access
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we be checking if the user is active?

hs_core/management/commands/mongo_update.py
resource = get_resource_by_shortkey(r.short_id, or_404=False)
res_show_in_discover = resource.show_in_discover

if res_show_in_discover and r.short_id:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we checking r.short_id?

hs_core/management/commands/mongo_update.py
@@ -0,0 +1,27 @@
from django.core.management.base import BaseCommand
from django.db.models import Q
from hs_core.hydro_realtime_signal_processor import update_mongo
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could not find the function update_mongo

@sblack-usu
Copy link
Contributor Author

I believe I found a better way.
https://min.io/docs/minio/linux/administration/identity-access-management/pluggable-authorization.html#minio-external-access-management-plugin

Basically we implement an endpoint on hydroshare that MinIO calls to check if the user is authorized to do an action. This means we do not have to synchronize policies attached to each user. This is far less work and ensures the access control is consistent.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pkdash pkdash pkdash left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@sblack-usu @pkdash @alvacouch