POC on permissions for account management #124

Open
exalate-issue-sync bot opened this issue Jul 21, 2020 · 8 comments

Comments

@exalate-issue-sync

As a service provider I want the account management (API/UI) to only be accessible by users that have the respective role.

  • MVP requirement: one permission "Manage accounts" that comprises all the functionality around accounts, e.g., users and groups (list, create, delete, enable/disable, etc.).

    • Protect API
    • Protect UI
  • Find out how to do it => POC

  • Meets DoD? => Show in reviews

  • Doesn't meet DoD? => Create follow-up tasks, schedule next sprint

  • Not an EOS MVP blocker

@exalate-issue-sync exalate-issue-sync bot added Exalated This issue is under sync p3-medium story User Story labels Jul 21, 2020
@exalate-issue-sync

Benedikt Kulmann commented: [~pmaier] Can you please elaborate/refine? At least a list of desired permissions is required to estimate story points for this story. I can take care of creating subtasks after that.

@exalate-issue-sync

Patrick Maier commented: Let's start with one permission "Manage accounts" that comprises all the functionality around accounts, e.g., users and groups (list, create, delete, enable/disable, etc.).

@exalate-issue-sync

Remote key is https://jira.owncloud.com/browse/OCIS-82

@exalate-issue-sync exalate-issue-sync bot added OCIS-Sprint-15 and removed Exalated This issue is under sync labels Jul 21, 2020
@exalate-issue-sync exalate-issue-sync bot changed the title Research on permissions for account management POC on permissions for account management Aug 18, 2020
@exalate-issue-sync exalate-issue-sync bot removed the 17 label Aug 19, 2020
@exalate-issue-sync

Benedikt Kulmann commented: Important note: implementation for this will break the existing accounts cli, as it will enforce permission checks, since the accounts cli is doing gRPC calls and has no user context.

cc [~ineumann]

@exalate-issue-sync

Benedikt Kulmann commented: I managed to build an http middleware for ocis-accounts, which checks the roles of the authenticated user + the service handler from the request against a permission endpoint from ocis-settings. Making pull requests to ocis-accounts, ocis-settings, ocis-pkg and ocis-proxy tomorrow morning.
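
The middleware pattern described in the comment above, and the missing-user-context case raised in the earlier note about the accounts CLI, as an added example that is not code from the ownCloud repositories. `CheckFunc`, `rolesKey`, `Probe`, the `manage-accounts` permission string and the role table are hypothetical stand-ins; the real check would call the ocis-settings permission endpoint.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type rolesKey struct{} // context key filled by a hypothetical upstream auth layer
// CheckFunc stands in for a call to a settings-service permission endpoint (assumed shape).
type CheckFunc func(ctx context.Context, roles []string, permission string) (bool, error)

// RequirePermission denies by default: no user context gives 401, checker error or no grant gives 403.
func RequirePermission(check CheckFunc, permission string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		roles, ok := r.Context().Value(rolesKey{}).([]string)
		if !ok || len(roles) == 0 {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if allowed, err := check(r.Context(), roles, permission); err != nil || !allowed {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one request with the given roles (nil = no user context) and returns the status code.
func Probe(roles []string) int {
	grants := map[string]string{"admin": "manage-accounts"} // constructed role table
	check := func(_ context.Context, rs []string, p string) (bool, error) {
		for _, r := range rs {
			if grants[r] == p {
				return true, nil
			}
		}
		return false, nil
	}
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/accounts", nil)
	if roles != nil {
		req = req.WithContext(context.WithValue(req.Context(), rolesKey{}, roles))
	}
	rec := httptest.NewRecorder()
	RequirePermission(check, "manage-accounts", ok).ServeHTTP(rec, req)
	return rec.Code
}
func main() { fmt.Println(Probe([]string{"admin"}), Probe([]string{"user"}), Probe(nil)) }
```

A caller without any user context, such as a CLI making direct service calls, lands in the 401 branch, so it needs its own identity or a separately authorized path rather than a bypass in the middleware.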

@exalate-issue-sync

Benedikt Kulmann commented: PR owncloud/ocis-accounts#100 is currently blocked by failing UI tests. The reason is that ocis-accounts can't talk to ocis-settings for setting roles of the builtin default users, thus failing to create them at all.

@exalate-issue-sync

Benedikt Kulmann commented: PR is owncloud/ocis#505

@exalate-issue-sync

Benedikt Kulmann commented: We moved parts of this story into a new story: https://jira.owncloud.com/browse/OCIS-443
