Re: [Codematch-develop] DataTracker and CodeMatch access control

Lisandro Zambenedetti Granville <granville@inf.ufrgs.br> Wed, 26 August 2015 18:26 UTC

Return-Path: <granville@inf.ufrgs.br>
X-Original-To: codematch-develop@ietfa.amsl.com
Delivered-To: codematch-develop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB6581B3035 for <codematch-develop@ietfa.amsl.com>; Wed, 26 Aug 2015 11:26:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.961
X-Spam-Level:
X-Spam-Status: No, score=-1.961 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_BR=0.955, HOST_EQ_BR=1.295, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v6N5inTbT9rQ for <codematch-develop@ietfa.amsl.com>; Wed, 26 Aug 2015 11:26:45 -0700 (PDT)
Received: from delivery1.ufrgs.br (delivery1.ufrgs.br [143.54.2.211]) by ietfa.amsl.com (Postfix) with ESMTP id E8EEE1B303E for <codematch-develop@ietf.org>; Wed, 26 Aug 2015 11:26:44 -0700 (PDT)
Received: from delivery1.ufrgs.br (localhost [127.0.0.1]) by delivery1.ufrgs.br (Postfix) with ESMTP id 675583007A2; Wed, 26 Aug 2015 15:26:41 -0300 (BRT)
Received: from msa1.ufrgs.br (msa1.ufrgs.br [143.54.2.208]) by delivery1.ufrgs.br (Postfix) with ESMTP id 969A33D71C; Wed, 26 Aug 2015 15:26:41 -0300 (BRT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Lisandro Zambenedetti Granville <granville@inf.ufrgs.br>
In-Reply-To: <55DDD328.6020709@nostrum.com>
Date: Wed, 26 Aug 2015 15:26:37 -0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <5A1D82C2-B60B-4A85-A4B2-E8B524C885D6@inf.ufrgs.br>
References: <0EDC30A8-DD35-4153-B8F1-9AE27CB06E09@inf.ufrgs.br> <55DDD328.6020709@nostrum.com>
To: Robert Sparks <rjsparks@nostrum.com>
X-Mailer: Apple Mail (2.2104)
X-AV-Checked: ClamAV using ClamSMTP
Archived-At: <http://mailarchive.ietf.org/arch/msg/codematch-develop/KeWx9SRdLS1mogrXq2hjNT5y1YA>
Cc: codematch-develop <codematch-develop@ietf.org>, Henrik Levkowetz <henrik@levkowetz.com>
Subject: Re: [Codematch-develop] DataTracker and CodeMatch access control
X-BeenThere: codematch-develop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "\"Discussion forum for the planning, coordination, and development of CodeMatch\"" <codematch-develop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/codematch-develop>, <mailto:codematch-develop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/codematch-develop/>
List-Post: <mailto:codematch-develop@ietf.org>
List-Help: <mailto:codematch-develop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/codematch-develop>, <mailto:codematch-develop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2015 18:26:48 -0000

Hello Robert

Comments inline...

> You are not necessarily restricted to the Role names that are defined now (like "chair"). We could add Role names like
> "codematcher" or "codematch_approver" or whatever other name matches the semantic for the permission you're wanting to manage.

That's great, so we can expand the current Roles without changing the data model.

> You could then have things like Lisandro Granville is codematch_approver in nmrg.

That is also what we need.

> Does that address the need? If not, could you walk me though a scenario where it makes it harder than it should?

What you mention above is the link among users, roles, and groups. There is another link between roles and permissions that seems to be hardcoded in datatracker. When we say

if has_role(request.user, ["Area Director", "IAB Chair", "Secretariat"]):
	# do things the user with "permission X" can do

it implies that if we want to grant "permission X" above to, e.g., "codematch_approver", we have to go back to the code and change it to

if has_role(request.user, ["Area Director", "IAB Chair", "Secretariat", "codematch_approver"]):...

We were then considering the possibility of moving the link between roles and permissions into the data model and implementing has_right (or has_permission) like:

if has_right(request.user, "permission X"):
	# do things the user with "permission X" can do

If we want "permission X" to be granted to other roles, that would be a matter of adding the proper records to the database, instead of changing the code.

Trying not to go too much into details, the summary is that we want to check whether it is ok to assign permissions to roles in the database instead of in the code. We are of course talking about the CodeMatch code only; we are not talking about the datatracker code at all, although the examples were inspired by has_role, which is used in datatracker.

Lisandro

> On 8/25/15 1:52 PM, Lisandro Zambenedetti Granville wrote:
>> Dear All
>> 
>> Last week we had our traditional CodeMatch meeting. One of the questions discussed in the meeting was about role-based access control (RBAC) in CodeMatch. We would like to propose adding an extra table to the current data model to support RBAC. However, because we want to be as aligned with DataTracker style as possible, we are sending this message to start a discussion, especially with Henrik and Robert.
>> 
>> 1) Style of checking users' permissions
>> 
>> We observed the DataTracker code and it seems that, in general, permission checking is hardcoded in the following style (using "Area Director", "IAB Chair", and "Secretariat" as examples):
>> 
>> if has_role(request.user, ["Area Director", "IAB Chair", "Secretariat"]):
>> 	# do something that only an area director, IAB chair, or the secretariat could do, like "Create CodeRequest"
>> 
>> 
>> In CodeMatch, we would like to check permissions in the following way:
>> 
>> if has_right(request.user, "Create CodeRequest"):
>> 	# do something that only authorized people should be able to do, like "Create CodeRequest"
>> 
>> The "has_right" function would check the database to retrieve the user's roles and, for each role, check whether it has the permission to "Create CodeRequest". In this way, permissions are associated with roles, and roles are associated with users.
>> 
>> Because permissions and roles in CodeMatch are being defined together with the implementation of the system prototype, the use of "has_right" would allow us to assign permissions to roles by just changing the database, instead of changing the CodeMatch code as we would have to if we used "has_role".
>> 
>> 2) Database
>> 
>> Today, permissions are listed in table auth_permission. Roles are listed in table group_role. We would need an intermediate table linking permissions to roles, i.e., a table linking auth_permission and group_role. That would allow us to say, for example, that a mentor (inside group_role) can add documents to a codeRequest (i.e., a permission inside auth_permission). Adding this intermediate table (let's call it role_permission for the moment) would not affect today's database, although it would expand today's data model.
>> 
>> Do you think doing that is ok?
>> 
>> Best regards,
>> 
>> Lisandro, Wanderson, Matheus
>> 
> 
> _______________________________________________
> Codematch-develop mailing list
> Codematch-develop@ietf.org
> https://www.ietf.org/mailman/listinfo/codematch-develop
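The two checking styles discussed in this thread, as an added example that is not CodeMatch or Datatracker code: a minimal in-memory model of the proposed role_permission table, with has_role() (caller hard-codes the role names) beside has_right() (role-to-permission mapping looked up from the table). The table and column names (auth_permission, group_role, role_permission, and "grp" because "group" is reserved in SQL), the sqlite3 backing store and the sample people and permissions are all assumptions made for illustration; the real Datatracker schema differs.

```python
"""Added example (not CodeMatch/Datatracker code): role_permission lookup.

Assumed tables mirror the thread: auth_permission holds permissions,
group_role holds (person, role name, group), and the proposed
role_permission links a role *name* to a permission id.
"""
import sqlite3

SCHEMA = """
CREATE TABLE auth_permission (
    id INTEGER PRIMARY KEY, codename TEXT UNIQUE NOT NULL);
CREATE TABLE group_role (
    id INTEGER PRIMARY KEY, person TEXT NOT NULL,
    name TEXT NOT NULL, grp TEXT NOT NULL);   -- 'grp': 'group' is reserved in SQL
-- The proposed intermediate table: which role names carry which permissions.
CREATE TABLE role_permission (
    role_name TEXT NOT NULL,
    permission_id INTEGER NOT NULL REFERENCES auth_permission(id),
    UNIQUE (role_name, permission_id));
"""

# Constructed sample data, not real Datatracker records.
SAMPLE = [
    ("INSERT INTO auth_permission(codename) VALUES (?)",
     [("create_coderequest",), ("add_document",), ("approve_coderequest",)]),
    ("INSERT INTO group_role(person, name, grp) VALUES (?, ?, ?)",
     [("lisandro", "codematch_approver", "nmrg"),
      ("wanderson", "mentor", "nmrg"),
      ("robert", "Secretariat", "secretariat")]),
    ("INSERT INTO role_permission(role_name, permission_id) "
     "SELECT ?, id FROM auth_permission WHERE codename = ?",
     [("Secretariat", "create_coderequest"),
      ("Area Director", "create_coderequest"),
      ("mentor", "add_document"),
      ("codematch_approver", "approve_coderequest")]),
]


def open_db():
    """Create the assumed schema in memory and load the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


def has_role(conn, person, role_names):
    """Datatracker style: the permitted role names live in the calling code."""
    if not role_names:
        return False
    placeholders = ",".join("?" * len(role_names))  # role_names are trusted constants
    row = conn.execute(
        f"SELECT 1 FROM group_role WHERE person = ? AND name IN ({placeholders}) LIMIT 1",
        (person, *role_names)).fetchone()
    return row is not None


def has_right(conn, person, permission, group=None):
    """Proposed style: roles -> permissions comes from role_permission.

    Fails closed: a permission codename that does not exist is a bug
    (typically a typo at the call site) and raises instead of granting
    or silently denying.  Optional group scoping answers questions like
    "is this person a codematch_approver *in nmrg*".
    """
    if conn.execute("SELECT 1 FROM auth_permission WHERE codename = ?",
                    (permission,)).fetchone() is None:
        raise LookupError(f"unknown permission {permission!r}")
    sql = """SELECT 1 FROM group_role gr
             JOIN role_permission rp ON rp.role_name = gr.name
             JOIN auth_permission ap ON ap.id = rp.permission_id
             WHERE gr.person = ? AND ap.codename = ?"""
    params = [person, permission]
    if group is not None:
        sql += " AND gr.grp = ?"
        params.append(group)
    return conn.execute(sql + " LIMIT 1", params).fetchone() is not None


def grant(conn, role_name, permission):
    """Granting a permission to a role is a row insert, not a code change."""
    conn.execute(
        "INSERT OR IGNORE INTO role_permission(role_name, permission_id) "
        "SELECT ?, id FROM auth_permission WHERE codename = ?",
        (role_name, permission))
    conn.commit()
```

Two points worth keeping in mind if the mapping moves into the database: the check should fail closed on an unknown permission name, as above, because a typo at a call site must not become an implicit grant; and the role_permission rows are then themselves security-sensitive data, so whoever can write that table effectively holds every permission, and writes to it deserve the same review and audit trail that a code change to a has_role list would get.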