Make empty auth list equivalent to [!ALL]? #265

Closed
hjoliver opened this issue Oct 20, 2021 · 1 comment
Labels
authorization wontfix This will not be worked on

Comments

@hjoliver
Member

Ref: #204 (comment)

@hjoliver hjoliver added question Flag this as a question for the next Cylc project meeting. authorization labels Oct 20, 2021
@hjoliver hjoliver added this to the cylc-uiserver 1.0.0 milestone Oct 20, 2021
@datamel
Contributor

datamel commented Oct 20, 2021

We have discussed this at MO end, although perhaps good to discuss this at the VC.

For info, the consensus here is to raise an exception if an empty list appears in the config. The thinking is that an empty list could potentially be ambiguous: it could either mean

  • do not add or remove any permissions, group permissions apply. i.e. there is no contribution to existing permissions.
  • remove permissions (the same as !ALL), in which case what would happen on user1 being a member of groupa in this case....
"user1" : []

"group:groupa" : ["READ"]

I think safest with things security related is to have the user explicitly say what they want.

Currently we raise an exception at the time of access; the uiserver continues running, but with failed authorization (no access to the user). So essentially the current implementation does remove permissions.

However, I think if we want to seek explicit clarification from the user, this exception would be better implemented at validation (see issue) and perhaps we should shut down the ui-server on this error?

@hjoliver hjoliver added wontfix This will not be worked on and removed question Flag this as a question for the next Cylc project meeting. labels Oct 26, 2021
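An added sketch (not cylc-uiserver code, and not part of the comment above) of the two readings of an empty list and of a validation-time check that rejects it. The function names, the exception class and the merge model (grants unioned, `!ALL` removing everything) are assumptions made for illustration.

```python
"""Added illustration; not cylc-uiserver code. All names are hypothetical."""

DENY_ALL = "!ALL"


class AuthConfigError(ValueError):
    """Raised at validation time for an ambiguous authorization entry."""


def validate(auth):
    """Reject empty permission lists before the server starts serving."""
    for principal, perms in auth.items():
        if not isinstance(perms, list):
            raise AuthConfigError(f"{principal!r}: permissions must be a list")
        if not perms:
            raise AuthConfigError(
                f"{principal!r}: empty list is ambiguous; omit the entry "
                f"or write [{DENY_ALL!r}] explicitly")
    return auth


def effective(auth, user, groups, empty_means_deny):
    """Resolve a user's permissions under one reading of an empty list.

    Assumed merge model: user and group grants are unioned, and "!ALL" on
    any matching entry removes everything. Other negations are not modelled.
    """
    entries = [auth.get(user)] + [auth.get(f"group:{g}") for g in groups]
    granted, deny_all = set(), False
    for perms in entries:
        if perms is None:
            continue  # no entry for this principal: no contribution
        if not perms and empty_means_deny:
            deny_all = True  # reading 2: [] behaves like ["!ALL"]
        for perm in perms:
            if perm == DENY_ALL:
                deny_all = True
            elif not perm.startswith("!"):
                granted.add(perm)
    return set() if deny_all else granted


# Constructed sample: the configuration quoted in the comment above.
SAMPLE = {"user1": [], "group:groupa": ["READ"]}
```

With `SAMPLE`, the "no contribution" reading leaves user1 with `READ` through groupa, while the `!ALL` reading leaves user1 with nothing; `validate` refuses the config so neither outcome is chosen silently.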
3 participants