Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add configurations to define ACLs for upload #510

Merged
merged 6 commits into from
Mar 25, 2020
Merged

Add configurations to define ACLs for upload #510

merged 6 commits into from
Mar 25, 2020

Conversation

LukasKalbertodt
Copy link
Member

Fixes #477
Fixes #478

A review from @wsmirnow would be appreciated to make sure this system is powerful enough for the customer systems you manage. Your adjustments here should be simple: just take the default ACL template and add the part you added in the linked commit.

This change of yours was a bit more tricky as it required values taken from user roles. But I think with this PR, we can achieve the same effect with this ACL template:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Policy PolicyId="episodeACL"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
  Version="2.0"
  xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  {{ #defaultReadRoles }}
    <Rule RuleId="{{ . }}_read_Permit" Effect="Permit">
      <Target>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
              <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{{ . }}</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Condition>
    </Rule>
  {{ /defaultReadRoles }}
  {{ #defaultWriteRoles }}
    <Rule RuleId="{{ . }}_write_Permit" Effect="Permit">
      <Target>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
              <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{{ . }}</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Condition>
    </Rule>
  {{ /defaultWriteRoles }}
  <Rule RuleId="DenyRule" Effect="Deny"/>
</Policy>

(Note that the {{ #foo }} bar{{ . }}baz {{ /foo }} syntax repeats bar{{ . }}baz for every element in foo, with {{ . }} replace by that element.)

@wsmirnow
Copy link

If you define an ACL template block like this:

{{ #ltiCourseId }} <my acl here>{{ . }} <other block> {{ /ltiCourseId }}

and the user serve studio not from an LTI session. The ltiCourseId will be undefined. Will the block dissappear in the produced ACL or does the process fail?

@LukasKalbertodt
Copy link
Member Author

LukasKalbertodt commented Mar 25, 2020
edited
Loading

Will the block dissappear in the produced ACL or does the process fail?

@wsmirnow The block will disappear. See this part of the Mustache documentation. So these {{ #foo }} ... {{ /foo }} blocks completely disappear if foo is false, undefined, an empty list or other "falsy" values.

wsmirnow
wsmirnow approved these changes Mar 25, 2020
View reviewed changes
Copy link

@wsmirnow wsmirnow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm fine with it. Good job.

lkiesow
lkiesow reviewed Mar 25, 2020
View reviewed changes
README.md Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
@LukasKalbertodt LukasKalbertodt merged commit c495271 into elan-ev:master Mar 25, 2020
@LukasKalbertodt LukasKalbertodt deleted the acl-template branch March 25, 2020 19:31
lkiesow pushed a commit that referenced this pull request Mar 25, 2020
Build #1691 (Wed Mar 25 19:36:12 UTC 2020) | c495271 Merge pull request
810b1fa 
#510 from LukasKalbertodt/acl-template
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lkiesow lkiesow lkiesow left review comments

@wsmirnow wsmirnow wsmirnow approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Define an episode ACL (template) for ingest Disable creating/uploading episode ACL
3 participants
@LukasKalbertodt @wsmirnow @lkiesow