Add default permissions set to anonymous, user and admin groups

Ouranosinc / Magpie

AuthN/AuthZ services

https://pavics-magpie.readthedocs.io

Apache License 2.0

1 stars 5 forks source link

Add default permissions set to anonymous, user and admin groups #36

Closed dbyrns closed 5 years ago

dbyrns commented 6 years ago

If one of these group needs to be created a default set of permission should be added.

Anonymous :
- thredds: no rights
- ncwms: Allow GetCapabilities, Forbids other method
- geoserverwms: Allow GetCapabilities, Forbids other method
- wfs: Allow DescribeFeatureType and GetCapabilities, Forbids other methods
- wps: Allow DescribeProcess and GetCapabilities, Execute forbidden
User : (Anonymous rights +)
- thredds: read on root and write on specific folder (TBD) ?
- wps: Allow Execute
Admin :
- Allow magpie permissions management
- No other rights (not intended to 'use' the platform)

huard commented 6 years ago

I think this needs to be discussed.

From my POV, some thredds directory should be open to the public. @tlogan2000 would know which directories are public and which are not. For example, the DEH dataset is public.

Now does that mean that anonymous has thredds access rights, or that we define another user category (e.g. public) for users that register but are not Ouranos members?

dbyrns commented 6 years ago

I agree that we can give more permissions if wanted, but this is a strict minimum so that the platform works. If some thredds datasets are "public", for me it means that you are not required to log in and in turn that means that yes anonymous has some read access.

tlogan2000 commented 6 years ago

I can go though the datasets currently on boreas to evaluate which I think could be flagged as public. However, even for some 'public' datasets there can be conditions of use (e.g. how to acknowledge/cite in any publications, not for profit use only etc etc). Do we have a mechanism in place for users to agree to these types of conditions for the ensemble of data on the platform? It could potentially be somewhat tricky to manage long-term??....

huard commented 6 years ago

Good point. Please open a ticket for us to follow through on that.

tlogan2000 commented 6 years ago

Ok. This would be under 'Magpie' or more general in your opinion

tomLandry commented 6 years ago

My opinion is that it should be more general than Magpie. As you said, it's not only a problem or authorisation, it's also attribution. A way to go advance this might be a static "credits" panel where you see copyrights info of data sources available (again, static). That would be part of PAVICS platform. Then the whole dynamic mechanism, another story.

fmigneault commented 6 years ago

references Ouranosinc/pavics-sdi#51

fmigneault commented 6 years ago

will be addressed via #47

fmigneault commented 5 years ago

should be possible using magpie 0.9.0 with permissions.cfg config