IQSS / dataverse

Open source research data repository software
http://dataverse.org

Optimize permission lookups for a user #6467

Open scolapasta opened 4 years ago

scolapasta commented 4 years ago

When we recently added the ability to modify the "Host Dataverse" upon creating a dataverse / dataset, we ran into the "what dataverses does User x have Permission y on" challenge (in this case add dataverse / dataset permission).

Because of how our permission system* works with groups, there is currently no straightforward way to start from the user and get the dataverses for which that user has a certain permission, without having to get all dataverses and check each one (though we mitigated this somewhat by filtering the list with an autocomplete and only checking a subset of all dataverses).

*if we ever allowed permissions to cascade from one dataverse to its child, that would also present a challenge

@landreev and I discussed at the time that it would be nice to be able to start from the user direction, so this issue is to track the investigation / solution for how to make that work.

related #784

scolapasta commented 3 years ago

The basic idea here will be to create a simple method that takes in a user and a permission and returns a List of Dataverses. We'll want it in a performant way, so will want to query the db directly as much as possible. (for direct assignments easy, we also need to determine groups the user is in...)

djbrooke commented 3 years ago
cmbz commented 8 months ago

2024/03/14

cmbz commented 2 months ago

To focus on the most important features and bugs, we are closing issues created before 2020 (version 5.0) that are not new feature requests with the label 'Type: Feature'.

If you created this issue and you feel the team should revisit this decision, please reopen the issue and leave a comment.

stevenwinship commented 1 month ago

@scolapasta @pdurbin @landreev Is this API being called as a User with their credentials to get their accessible collections or is it being called by an Administrator? The main reason for the ask is around IPgroups and ShibGroup. Neither of these would allow an admin to figure out the access since the user is not connected with an IP address or logged in with Shibboleth.
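
Added example, not part of the thread and not Dataverse's own code: a sketch of the user-first lookup discussed above (a method that takes a user and a permission and returns dataverses), resolving direct and nested-group assignments in one recursive SQL query. The schema, identifiers and sample rows are constructed for illustration and are not Dataverse's actual tables; groups that depend on the session (such as IP or Shibboleth groups) are assumed to be passed in by the caller.

```python
import sqlite3

# Hypothetical, simplified schema (NOT Dataverse's real tables).
# group_member.member may be a user or another group (nesting).
SCHEMA = """
CREATE TABLE role_permission (role TEXT, permission TEXT);
CREATE TABLE role_assignment (assignee TEXT, role TEXT, dataverse TEXT);
CREATE TABLE group_member (grp TEXT, member TEXT);
"""

# Constructed sample data.
SAMPLE = """
INSERT INTO role_permission VALUES ('admin','AddDataset'),
  ('admin','AddDataverse'),('contributor','AddDataset'),('curator','EditDataset');
INSERT INTO role_assignment VALUES ('@alice','admin','root'),
  ('&explicit/lab','contributor','physics'),
  ('&explicit/dept','curator','chemistry'),('&ip/campus','contributor','library');
INSERT INTO group_member VALUES ('&explicit/lab','@bob'),
  ('&explicit/dept','&explicit/lab');
"""

# Start from the user (plus any session groups), walk group membership
# upward, then join to role assignments carrying the wanted permission.
QUERY = """
WITH RECURSIVE assignee(id) AS (
    {seeds}
    UNION
    SELECT gm.grp FROM group_member gm JOIN assignee a ON gm.member = a.id
)
SELECT DISTINCT ra.dataverse
FROM role_assignment ra
JOIN assignee a ON ra.assignee = a.id
JOIN role_permission rp ON rp.role = ra.role
WHERE rp.permission = ?
ORDER BY ra.dataverse
"""

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def dataverses_with_permission(conn, user, permission, session_groups=()):
    # session_groups: groups known only from the live request; with none
    # supplied, only assignments resolvable from stored data are returned.
    seeds = [user, *session_groups]
    seed_sql = " UNION ".join("SELECT ?" for _ in seeds)
    sql = QUERY.format(seeds=seed_sql)
    return [row[0] for row in conn.execute(sql, (*seeds, permission))]
```
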