Open simonbjorzen-ts opened 8 months ago
cccs-rs
commented
8 months ago Sounds like a use-case for On Behalf Of (OBO), which we currently have support for within Assemblyline. https://github.com/CybercentreCanada/assemblyline-ui/blob/93d385b10f6886c571de3e8fba2c21654292347f/assemblyline_ui/api/v4/authentication.py#L187
This should allow external services to interact with Assemblyline on behalf of the user using the OBO token.
simonbjorzen-ts
commented
8 months ago It looks like that would require using one token per impersonated user if I understand it correctly, which is something we want to avoid. What we want to do is to have one user with one api token be able to impersonate any user.
Thanks!
cccs-rs
commented
8 months ago Sounds like a feature that you would want to lock behind the admin role if it was implemented but I'll let @cccs-douglass @cccs-sgaron chime in.
In essence, you would want a service account to be able to submit but on the behalf of many users.
simonbjorzen-ts
commented
8 months ago Exactly, no need to do a full impersonation of the users, just submit/ingest samples as them.
Is your feature request related to a problem? Please describe. We have an use case where we will submit files via API through an external application, but we still want to preserve the submitting user, as that user may log in to AssemblyLine and view the submission there.
Describe the solution you'd like Add a new API permission for impersonating submitters and allow users with that permission to override the submitter field.
Describe alternatives you've considered We are currently using the metadata field to specify the user information, but we'd like to have it in the regular "submitter" field instead.
Additional context The final submitter field appears to be overriden here, no matter what submitter the API submission is sent with: https://github.com/CybercentreCanada/assemblyline-ui/blob/93d385b10f6886c571de3e8fba2c21654292347f/assemblyline_ui/api/v4/ingest.py#L328