
Boss Project Auth Tutorial

Tim Gion edited this page Jun 17, 2016 · 3 revisions

Access Control for Your Data

Introduction

The Boss uses groups and permissions to control access to the different resources in the data model. When accessing a resource in the data model, the Boss first identifies which groups the user belongs to. Next, it determines if at least one of those groups contains the permission that matches the operation the user wishes to perform.

By default, a group has no permissions on a resource until they are explicitly assigned. The one exception is the resource creator's personal group: this group is created automatically for each user along with their account, and it is given full permissions on every resource that user creates, which is why it is referred to as the "owner" group.

Note that only a user who has the resource-manager role or the admin role has the privileges to perform the actions in this tutorial.

Permissions

These permissions are common to all resources in the data model:

  • read
  • add
  • update
  • delete
  • assign_group
  • remove_group

Channels and layers have additional permissions:

  • read_volumetric_data
  • add_volumetric_data
  • delete_volumetric_data
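To make the rule in the introduction concrete, here is an added example (not Boss or ndio code) that models it in plain Python: access is denied by default, a user's effective permissions on a resource are the union of the permissions of every group the user belongs to, and the creator's personal group holds every permission on what that user created. The `owner:` group naming, the resource identifiers and the user names are assumptions of the example; the real naming scheme is not given on this page.

```python
from collections import defaultdict

# The full permission vocabulary this page lists; the channel/layer-only
# permissions are included so the owner group can be given everything.
ALL_PERMS = frozenset({
    'read', 'add', 'update', 'delete', 'assign_group', 'remove_group',
    'read_volumetric_data', 'add_volumetric_data', 'delete_volumetric_data'})


class AccessModel:
    """In-memory model of the rule: deny by default, allow if any of the
    user's groups holds the permission, the owner group holds everything."""

    def __init__(self):
        self.members = defaultdict(set)   # group name -> set of users
        self.grants = defaultdict(set)    # (group, resource) -> permissions

    @staticmethod
    def owner_group(user):
        # Name of the per-user group. The Boss's actual naming scheme is
        # not documented on this page; this prefix is an assumption.
        return f"owner:{user}"

    def create_user(self, user):
        """Account creation also creates the user's personal group."""
        self.members[self.owner_group(user)].add(user)

    def create_resource(self, user, resource):
        """The creator's personal group gets full permissions on the resource."""
        self.grants[(self.owner_group(user), resource)] |= ALL_PERMS

    def add_member(self, group, user):
        self.members[group].add(user)

    def remove_member(self, group, user):
        self.members[group].discard(user)

    def grant(self, group, resource, perms):
        self.grants[(group, resource)] |= set(perms)

    def groups_of(self, user):
        return {g for g, users in self.members.items() if user in users}

    def effective_perms(self, user, resource):
        """Union of the permissions of every group the user belongs to."""
        perms = set()
        for group in self.groups_of(user):
            perms |= self.grants.get((group, resource), set())
        return perms

    def is_allowed(self, user, resource, perm):
        """The check the Boss performs: deny unless some group grants perm."""
        return perm in self.effective_perms(user, resource)

    def who_can(self, resource, perm):
        """Audit helper: every user whose groups grant perm on resource."""
        users = set()
        for (group, res), perms in self.grants.items():
            if res == resource and perm in perms:
                users |= self.members.get(group, set())
        return users


if __name__ == '__main__':
    # Constructed sample data, not taken from a real Boss deployment.
    model = AccessModel()
    for user in ('alice', 'bob'):
        model.create_user(user)
    model.create_resource('alice', 'JHUAPL/Mouse 17/EM')
    model.add_member('jhuapl_scientists', 'bob')
    model.grant('jhuapl_scientists', 'JHUAPL/Mouse 17/EM', ['read'])
    print(sorted(model.effective_perms('bob', 'JHUAPL/Mouse 17/EM')))
    print(sorted(model.who_can('JHUAPL/Mouse 17/EM', 'delete')))
```

`who_can` is the query to run before handing a group a permission: because permissions accumulate across groups, a user who looks harmless in one group may already hold `delete` through another, and removing a membership is the only way to take that back.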

Example

Using the data hierarchy created in the "Creating Your Data Hierarchy" tutorial, let's assign groups and permissions to those resources.

First, we create our Remote and resource instances.

from ndio.remote.boss.remote import Remote
from ndio.ndresource.boss.resource import *

rmt = Remote()

# These resource objects identify the items built in the data hierarchy tutorial.
collection = CollectionResource('JHUAPL')
experiment = ExperimentResource('Mouse 17', 'JHUAPL')        # (name, collection)
channel = ChannelResource('EM', 'JHUAPL', 'Mouse 17')        # (name, collection, experiment)
layer = LayerResource('Algorithm1', 'JHUAPL', 'Mouse 17')    # (name, collection, experiment)

Next, let's create the groups that we'll assign to the resources. Group names must be unique across the entire system, so we prefix our groups with 'jhuapl'. We will create five groups:

  • jhuapl_interns
  • jhuapl_scientists
  • jhuapl_analysts
  • jhuapl_computer_vision
  • jhuapl_admins

interns = 'jhuapl_interns'
scientists = 'jhuapl_scientists'
analysts = 'jhuapl_analysts'
computer_vision = 'jhuapl_computer_vision'
admins = 'jhuapl_admins'

rmt.group_create(interns)
rmt.group_create(scientists)
rmt.group_create(analysts)
rmt.group_create(computer_vision)
rmt.group_create(admins)

Now we assign the permissions we want each group to have on each resource in our data hierarchy, starting with the JHUAPL collection. Every group gets read permission; the groups made up of human users also get add permission, while the computer vision group, whose members are algorithms, stays read-only. The admins group gets all permissions. At the collection level, the add permission allows creation of experiments.

rmt.permissions_add(interns, collection, ['read', 'add'])
rmt.permissions_add(scientists, collection, ['read', 'add'])
rmt.permissions_add(analysts, collection, ['read', 'add'])
rmt.permissions_add(computer_vision, collection, ['read'])
rmt.permissions_add(
    admins, collection,
    ['read', 'add', 'update', 'delete', 'assign_group', 'remove_group'])

Next, we'll assign permissions to the Mouse 17 experiment. For this experiment, every group gets read and add permissions, including the computer vision group whose members are algorithms; scientists and analysts also get update permission. At the experiment level, add allows the creation of channels and layers.

rmt.permissions_add(interns, experiment, ['read', 'add'])
rmt.permissions_add(scientists, experiment, ['read', 'add', 'update'])
rmt.permissions_add(analysts, experiment, ['read', 'add', 'update'])
rmt.permissions_add(computer_vision, experiment, ['read', 'add'])
rmt.permissions_add(
    admins, experiment,
    ['read', 'add', 'update', 'delete', 'assign_group', 'remove_group'])

Let's do the permissions for the channel and layer. As mentioned before, these resource types have the additional volumetric permissions because the volumetric data itself is stored under them; the common permissions only cover the resource's metadata.

First, we'll do the channel.

rmt.permissions_add(interns, channel, ['read', 'read_volumetric_data'])
rmt.permissions_add(
    scientists, channel,
    ['read', 'update', 'read_volumetric_data', 'add_volumetric_data',
    'delete_volumetric_data'])
rmt.permissions_add(
    analysts, channel,
    ['read', 'update', 'read_volumetric_data', 'add_volumetric_data',
    'delete_volumetric_data'])
rmt.permissions_add(
    computer_vision, channel, ['read', 'read_volumetric_data'])
rmt.permissions_add(
    admins, channel,
    ['read', 'add', 'update', 'delete', 'assign_group', 'remove_group',
    'read_volumetric_data', 'add_volumetric_data',
    'delete_volumetric_data'])

Finally, we'll assign permissions for the layer.

rmt.permissions_add(
    interns, layer,
    ['read', 'read_volumetric_data', 'add_volumetric_data'])
rmt.permissions_add(
    scientists, layer,
    ['read', 'update', 'read_volumetric_data', 'add_volumetric_data',
    'delete_volumetric_data'])
rmt.permissions_add(
    analysts, layer,
    ['read', 'update', 'read_volumetric_data', 'add_volumetric_data',
    'delete_volumetric_data'])
rmt.permissions_add(
    computer_vision, layer,
    ['read', 'read_volumetric_data', 'add_volumetric_data'])
rmt.permissions_add(
    admins, layer,
    ['read', 'add', 'update', 'delete', 'assign_group', 'remove_group',
    'read_volumetric_data', 'add_volumetric_data',
    'delete_volumetric_data'])

Now that permissions for groups are assigned, users can be added to the groups.

# At the time of writing, it is assumed email addresses will be used as
# user names.
rmt.group_add_user(interns, '[email protected]')
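Putting the permission assignments above together, here is an added example that drives the same twenty assignments from a single table instead of hand-written calls, and checks the table before anything is sent. It is not ndio or Boss code: `RecordingRemote` is a stand-in that only records the `group_create` and `permissions_add` calls so the script runs offline, the `Resource` tuples stand in for ndio's resource objects, and the admin-only rule for `delete`, `assign_group` and `remove_group` is a policy chosen for the example (it matches the table in this tutorial but is not something the Boss enforces). To apply the matrix for real, replace `RecordingRemote()` with ndio's `Remote()` and pass the real resource objects through the `objects` mapping.

```python
from collections import namedtuple

# Permission vocabulary, exactly as this tutorial lists it.
COMMON_PERMS = frozenset({'read', 'add', 'update', 'delete',
                          'assign_group', 'remove_group'})
VOLUMETRIC_PERMS = frozenset({'read_volumetric_data', 'add_volumetric_data',
                              'delete_volumetric_data'})
# Permissions that destroy a resource or change who may reach it. Treating
# them as admin-only is this example's policy, not a rule of the Boss.
PRIVILEGED_PERMS = frozenset({'delete', 'assign_group', 'remove_group'})

# Stand-in for ndio's resource objects; kind is collection, experiment,
# channel or layer.
Resource = namedtuple('Resource', 'kind name')


def allowed_perms(resource):
    """Permissions that exist for a resource of this kind."""
    if resource.kind in ('channel', 'layer'):
        return COMMON_PERMS | VOLUMETRIC_PERMS
    return COMMON_PERMS


def validate_matrix(matrix, privileged_groups):
    """Return the problems in a {(group, Resource): perms} matrix.

    Empty list: every permission exists for its resource kind, and
    PRIVILEGED_PERMS appear only on groups named in privileged_groups.
    """
    problems = []
    for (group, res), perms in matrix.items():
        perms = set(perms)
        where = f"{group} on {res.kind} {res.name!r}"
        unknown = perms - allowed_perms(res)
        if unknown:
            problems.append(f"{where}: no such permission here {sorted(unknown)}")
        privileged = perms & PRIVILEGED_PERMS
        if privileged and group not in privileged_groups:
            problems.append(f"{where}: privileged grant {sorted(privileged)}")
    return problems


def apply_matrix(rmt, matrix, privileged_groups, objects=None):
    """Validate, then create each group once and assign every row.

    Returns the problem list; nothing is sent to rmt unless it is empty.
    objects maps a Resource to the object handed to permissions_add (with
    ndio, the CollectionResource/ExperimentResource/... instance); by
    default the Resource tuple itself is handed over.
    """
    problems = validate_matrix(matrix, privileged_groups)
    if problems:
        return problems
    for group in sorted({g for g, _ in matrix}):
        rmt.group_create(group)
    for (group, res), perms in sorted(matrix.items()):
        target = res if objects is None else objects[res]
        rmt.permissions_add(group, target, sorted(perms))
    return problems


class RecordingRemote:
    """Offline stand-in for ndio's Remote; records the calls it receives."""

    def __init__(self):
        self.calls = []

    def group_create(self, name):
        self.calls.append(('group_create', name))

    def permissions_add(self, group, resource, perms):
        self.calls.append(('permissions_add', group, resource, list(perms)))


COLLECTION = Resource('collection', 'JHUAPL')
EXPERIMENT = Resource('experiment', 'Mouse 17')
CHANNEL = Resource('channel', 'EM')
LAYER = Resource('layer', 'Algorithm1')
ADMINS = 'jhuapl_admins'


def tutorial_matrix():
    """The group/permission table assigned in this tutorial, as data."""
    m = {}
    for g in ('jhuapl_interns', 'jhuapl_scientists', 'jhuapl_analysts'):
        m[(g, COLLECTION)] = {'read', 'add'}
    m[('jhuapl_computer_vision', COLLECTION)] = {'read'}
    for g in ('jhuapl_interns', 'jhuapl_computer_vision'):
        m[(g, EXPERIMENT)] = {'read', 'add'}
        m[(g, CHANNEL)] = {'read', 'read_volumetric_data'}
        m[(g, LAYER)] = {'read', 'read_volumetric_data', 'add_volumetric_data'}
    for g in ('jhuapl_scientists', 'jhuapl_analysts'):
        m[(g, EXPERIMENT)] = {'read', 'add', 'update'}
        m[(g, CHANNEL)] = {'read', 'update'} | VOLUMETRIC_PERMS
        m[(g, LAYER)] = {'read', 'update'} | VOLUMETRIC_PERMS
    for res in (COLLECTION, EXPERIMENT, CHANNEL, LAYER):
        m[(ADMINS, res)] = set(allowed_perms(res))
    return m


if __name__ == '__main__':
    rmt = RecordingRemote()   # swap for ndio's Remote() to apply for real
    problems = apply_matrix(rmt, tutorial_matrix(), {ADMINS})
    print(problems or f"applied {len(rmt.calls)} calls")
```

The validation step is the point: a misspelled permission string, a volumetric permission on a collection, or an `assign_group` grant to a non-admin group is rejected before a single call is made, which matters because this page does not say how the server treats a permission name it does not recognise.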