Not a bug - looking for clarification on the documentation and code.
Ideally, one might hope that the session credentials provided by the available identity providers (kerberos, openid, etc.) would be passed along to the CDM data sources to enforce access control at that layer. Furthermore, some users may infer that this level of security exists (possibly incorrectly) after going through the workflow they are familiar with for logging in to their identify provider / domain.
Actual behavior
As far as I can tell from reading the documents and the code, those tokens are only used (via the Shiro framework) to control access to the operational/postgres DB. Credentials for the CDM seem to be handled on a source by source basis, but generally the pattern seems to be using an application service account without passing through any session credentials.
To avoid confusion, it's clear that there are strong RBAC for webapi resources (in postgres/etc.) using the Shiro framework, and in a way this delegates the permissions of the CDM service account. This question is NOT about how session credential are passed from the client to the webapi. Instead, I am looking for clarification on which credentials are passed from the webapi to the CDM.
Question
Does the webapi make an effort to "pass-through" session credentials to the CDM data source in any way, or is the above description accurate?
For example, after going through an oauth flow, a user might expect that this is happening, but it is not clear if that is the case.
Expected behavior
Not a bug - looking for clarification on the documentation and code.
Ideally, one might hope that the session credentials provided by the available identity providers (kerberos, openid, etc.) would be passed along to the CDM data sources to enforce access control at that layer. Furthermore, some users may infer that this level of security exists (possibly incorrectly) after going through the workflow they are familiar with for logging in to their identify provider / domain.
Actual behavior
As far as I can tell from reading the documents and the code, those tokens are only used (via the Shiro framework) to control access to the operational/postgres DB. Credentials for the CDM seem to be handled on a source by source basis, but generally the pattern seems to be using an application service account without passing through any session credentials.
To avoid confusion, it's clear that there are strong RBAC for webapi resources (in postgres/etc.) using the Shiro framework, and in a way this delegates the permissions of the CDM service account. This question is NOT about how session credential are passed from the client to the webapi. Instead, I am looking for clarification on which credentials are passed from the webapi to the CDM.
Question
Does the webapi make an effort to "pass-through" session credentials to the CDM data source in any way, or is the above description accurate?
For example, after going through an oauth flow, a user might expect that this is happening, but it is not clear if that is the case.