For https://github.com/HumanCellAtlas/data-browser/issues/1662 we need to determine if a snapshot is public. We originally planned on doing this by making two enumerateSnapshots requests, one with the credentials of a service account (the public SA) that has no special permissions in TDR and another one with those of the service account that has access to all snapshots (the indexer SA). From the difference between the two responses we planned to infer which snapshots are public. The original plan turns out to also be complicating our code and making it inefficient.
I think TDR should include a boolean property on both enumerateSnapshots and retrieveSnapshot that is True for public snapshots. Knowing whether a snapshot is public should not have to be inferred by triangulating with requests from different identities. An identity (user, service account) that has special access to non-public snapshots should be able to tell from the TDR response whether a snapshot is accessible to them because it is a non-public snapshot to which they have explicit access, or because it is public.
Assuming that the public status of a snapshot is easily retrievable and does not require additional round-trips to the backend database, this should be easy to implement.
For https://github.com/HumanCellAtlas/data-browser/issues/1662 we need to determine if a snapshot is public. We originally planned on doing this by making two
enumerateSnapshotsrequests, one with the credentials of a service account (the public SA) that has no special permissions in TDR and another one with those of the service account that has access to all snapshots (the indexer SA). From the difference between the two responses we planned to infer which snapshots are public. The original plan turns out to also be complicating our code and making it inefficient.I think TDR should include a boolean property on both
enumerateSnapshotsandretrieveSnapshotthat is True for public snapshots. Knowing whether a snapshot is public should not have to be inferred by triangulating with requests from different identities. An identity (user, service account) that has special access to non-public snapshots should be able to tell from the TDR response whether a snapshot is accessible to them because it is a non-public snapshot to which they have explicit access, or because it is public.Assuming that the public status of a snapshot is easily retrievable and does not require additional round-trips to the backend database, this should be easy to implement.