Ticket #1094 (new enhancement) — at Version 4
[super] Refactor the Auth System
Reported by: | thejimmyg | Owned by: | thejimmyg |
---|---|---|---|
Priority: | critical | Milestone: | ckan-v1.5 |
Component: | ckan | Keywords: | |
Cc: | Repository: | ckan | |
Theme: | none |
Description (last modified by dread) (diff)
Here are some proposed changes related to CKAN's authorization system - they aren't very big, but should provide for some forthcoming use cases including #787.
Two man reasons for the changes are:
- We have a completely refactored architecture now which introduces a logic layer. These Auth changes are designed to better support the way we work with that layer.
- Different CKAN extension apps may need radically different authentication/authorisation so we need to allow whatever we have to be override-able.
The first two changes revolve around the is_authorized method, which is called by the logic layer to ask whether a particular user (e.g. Bob) is allowed to do a certain action (e.g. edit) on a certain object (e.g. Package).
- The first thing the is_authorized method is a hook to a plugin
which *overrides* the current call with its own implementation (note: in previous discussions we have considered allowing a chain of plugins, no longer!)
Reason: authorization can be completely delegated to another system (or partially)
- is_authorized method currently takes (username, action, object)
but for action=create_package, the object supplied is System, and for action=edit the object supplied is the package. Instead action should always be the string name of a function in the logic layer and object should always be the object passed to that function. This means our auth system is based around the actual actions we are performing (rather than a model them) and with the actual data that forms the action (rather than a related object). You never need a System object in this model.
- Rename these two classes to better reflect what they are
- AuthorizationGroup? -> UserGroup?
- Group -> PackageGroup?
- Rename the Editor role to PriveledgeUser? since Editors sometimes can't edit.
Although this sounds a bit radical we already have auth extensions.
Read-only CKAN Web UI
(Additional requirement from #764)
Whilse using CKAN web interface, you are not tempted to edit stuff:
- You know at all times this CKAN is read-only
- All editing facilities are still seen but greyed-out with an indication why it is.
Change History
comment:2 Changed 3 years ago by johnlawrenceaspden
UserGroup/PackageGroup? might also be confusing.
A PackageGroup? is *just* a group of packages.
A UserGroup? is both a group of users, and a thing affecting authorizations.
Perhaps PackageGroup? and UserAuthorizationGroup?? Or PackageGroup? and AuthorizedUserGroup??
I was quite confused by all this at first.
I think I understand how the whole thing works pretty well now, and I still can't think of good names for the two concepts, although I can already feel the normal English meanings of the words changing to what I now know they are for.
We should be a little wary of this. Things that are even slightly difficult to understand end up being understood by very few people. Would any of us be prepared to sit an exam on exactly how UNIX file permissions work, even though we all use them?
See also comments on the mailing list.
Item 1 seems fine (what is difference from current extension mechanism?)
Item 2: concerns here. What about list views? What about editing 'permissions'? I also think getting rid of System object isn't really a benefit (if anything may be a cost).
Item 3: feel this may be better as part of big domain model change (also gives us time to really dig into this -- this is an important requirement/conceptual issue).
Item 4: No objections but seems very minor gain for fairly significant migration work.