SciCatProject / scicatlive

Simple getting started procedure for SciCat

oidc-user lacks permissions #375

Closed sbliven closed 5 days ago

sbliven commented 5 days ago

The default oidc-user belongs only to group aGroup (services/backend/services/keycloak/config/facility-realm.json). This does not grant any permissions (services/backend/services/v4/config/.dev.env):

ADMIN_GROUPS=admin,adminingestor
CREATE_DATASET_GROUPS=group1,group2,group3
CREATE_DATASET_WITH_PID_GROUPS=group2
CREATE_DATASET_PRIVILEGED_GROUPS=datasetIngestor,group3
SAMPLE_PRIVILEGED_GROUPS=sampleingestor
SAMPLE_GROUPS=group1

What's a reasonable level of permissions for the example user? I would say they should at least have CREATE_DATASET permissions. Maybe the oidc-user should belong to group1?

sbliven commented 5 days ago

I added a PR. It requires rebuilding keycloak and mongo data. You can also easily hotfix this, either by adding group1 to the user at http://keycloak.localhost or by running this inside the backend container and restarting the server:

export CREATE_DATASET_GROUPS=$CREATE_DATASET_GROUPS,aGroup
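
To compare the two fixes discussed in this thread, the following added example (not part of the original comments and not SciCat code) computes which group lists a user matches. It assumes that a permission is granted when one of the user's groups appears in the corresponding list, matched as an exact string; the function names are hypothetical.

```python
# Constructed copy of the group lists quoted in the issue (.dev.env).
DEV_ENV = """\
ADMIN_GROUPS=admin,adminingestor
CREATE_DATASET_GROUPS=group1,group2,group3
CREATE_DATASET_WITH_PID_GROUPS=group2
CREATE_DATASET_PRIVILEGED_GROUPS=datasetIngestor,group3
SAMPLE_PRIVILEGED_GROUPS=sampleingestor
SAMPLE_GROUPS=group1
"""


def parse_group_lists(env_text):
    """Return {VARIABLE: set(groups)} for every *_GROUPS assignment."""
    lists = {}
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.endswith("_GROUPS"):
            lists[key] = {g.strip() for g in value.split(",") if g.strip()}
    return lists


def granted(lists, user_groups):
    """Assumption: a list applies when it shares a group with the user
    (exact string match)."""
    return sorted(k for k, groups in lists.items() if groups & set(user_groups))


def with_appended(lists, variable, group):
    """Model the env hotfix: append one group to one list (input is not mutated)."""
    patched = {k: set(v) for k, v in lists.items()}
    patched.setdefault(variable, set()).add(group)
    return patched


if __name__ == "__main__":
    lists = parse_group_lists(DEV_ENV)
    print("as shipped     :", granted(lists, ["aGroup"]))
    print("user in group1 :", granted(lists, ["aGroup", "group1"]))
    hotfix = with_appended(lists, "CREATE_DATASET_GROUPS", "aGroup")
    print("env hotfix     :", granted(hotfix, ["aGroup"]))
```

With the lists quoted above, putting the user in group1 matches both CREATE_DATASET_GROUPS and SAMPLE_GROUPS, while appending aGroup to CREATE_DATASET_GROUPS matches only that one list.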