Scifabric / pybossa

PYBOSSA is the ultimate crowdsourcing framework (aka microtasking) to analyze or enrich data that can't be processed by machines alone.
http://pybossa.com
GNU Affero General Public License v3.0
745 stars 269 forks source link

[super] Authorization #42

Closed teleyinex closed 12 years ago

teleyinex commented 12 years ago

It is important to discuss the minimum requirements that PyBossa will have according to authentication and authorization.

NB: Authentication in WUI already works and API key autentication is #20.

Authentication: for the moment there is a basic authentication method, that allows users to create an account, sign in and sign out.

Authorization: it is mandatory to identify which actions will be valid for different types of users. For the moment I think that the following roles will be possible:

@nigini, @rgrp it will be interesting to have your comments and feedback about these items.

Additional proposal (from RP -- but please mod)

NB: I think it would also be useful to have listed relevant user stories (or, at least, situations). That would help us check we have covered edge cases.

Situations - CRUD on core domain objects

App

Tasks are always related to an App.

See these two (almost identical implementations):

Even simpler option:

nigini commented 12 years ago

1- I think the API ID should not be related to the User, but to the Applications. It will be important to know statistics about API calls by App, and not by users. (at least it is like this at Twitter, Facebook, and others)

2- Inside an Application it will probably be needed the "App Admin" role, where its creator will be the first one and will invite other users to join this.

teleyinex commented 12 years ago

@nigini I think that your two points are really valuable! Unless, @rgrp thinks different, we should proceed with your idea.

rufuspollock commented 12 years ago

To clarify: I've added to main overview a general approach from elsewhere that I've found useful. Specific comments:

@teleyinex

@nigini:

teleyinex commented 12 years ago

@rgrp I just removed the Flask-Login sentence from the first comment.

teleyinex commented 12 years ago

@rgrp I have added some comments to your proposal, and I have fulfilled the TaskRun object.

teleyinex commented 12 years ago

I have updated also the user stories, so we can include them here.

nigini commented 12 years ago

@rgrp! About the API KEY, a user may have many applications, and can share app's administration with other users. If you have an API KEY per user, you will easy expose data from all your application once other developer is invited to help you at one of them. Other important thing is to have API call statics per application, what can be easily done using an APP-KEY.

I imagine that the community have other explanations to do it like this (and I will start studing more about API to help here), but a good plus to this idea is that Google, Twitter and Facebook all implements its services like this.

teleyinex commented 12 years ago

I support @nigini idea, as I see that it could be a problem to have only one owner per application. Thus, a user story for this case would be the following (obviously from my point of view):

As a project organizer I would like to create, update and delete applications becoming the owner of the application. As a project organizer I would like to invite other colleagues to help me to administer my applications, giving them the following permissions:

rufuspollock commented 12 years ago

I've made some minor tweaks to proposal around allowing anonymous visitors to still do task runs.

@teleyinex agreed that definitely nice to have co-administrators but wonder if this is something to leave for the future when the need has clearly arisen. We can probably get by in a first version without this and we should focus on "minimum viable product" (aka You ain't gonna (or may not) need it).

@nigini still not sure i get need for per-task API keys. If you want other collaborators to have access to your app I'd suggest we do this via an explicit collaborator system rather than sharing around a common API key.

nigini commented 12 years ago

@rgrp I agree that are other ways to do it, but I still will search for why the big ones adopts this APP-KEY solution.

teleyinex commented 12 years ago

I have updated the issue: I have unified the term anonymous to visitor to have the same terminology for the issue.

@rgrp fine! Let's move to the next stage, so we can start coding asap.

@nigini and @rgrp which approach do you want to use for this v0.1 (API key)?

rufuspollock commented 12 years ago

I've clearly suggested that we leave API key as is: i.e. on per user (let's keep it ultra-simple!).

In terms of implementation I've added some comments to the main ticket.

nigini commented 12 years ago

OK @rgrp and @teleyinex!

I've readed the code that was pointed at the ticket, but if I'm not wrong, they are focused at authorization. As I'm interested in learning about these king of web development patterns, I was reading about OAuth. I've found this great tutorial about authentication with this pattern.

May I use these coding examples to draft something?

teleyinex commented 12 years ago

Hi,

I think that we have finally something :) Thus, the authentication will be kept: Flask-Login + API key per user. This solution enables two types of users:

Everyone agrees to proceed?

rufuspollock commented 12 years ago

@nigini this ticket is in fact primarily about authorization (authentication could be dropped). If you want to code stuff re oauth outside of PyBossa please go ahead though I note that there is straightforward support for oauth in Flask via the Flask OAuth extension http://packages.python.org/Flask-OAuth/

@teleyinex we're good to go (and i'd suggest that we keep overall summary of what we are doing in the main description of the ticket so we can refer to it later (i've updated yesterday and I think is same as yours)

nigini commented 12 years ago

Sorry guys. I've mixed this issue with the #20 one. Everything I've posted here was related to the API security. Should I rewrite that issue with these observations I've posted here?

nigini commented 12 years ago

@rgrp @teleyinex I've read the suggested code at this issue description and vote for the second one (datahub). I've talked to @pudo (code author) about the solution and he still uses it.

But before I start, I would like to know if you know this library: http://pypi.python.org/pypi/Flask-Principal It probably does something really similar with pudo's solution but it's a Flask extension. The problem is that it's a beta version since 2010!

Do you think it's a good moment to analyse this option? Or should we go with something that's already known?

teleyinex commented 12 years ago

@nigini I have check the web about Flask-Principal and in general no one is using it :) It seems like the popular solution is to create a tailored solution for the project. Thus, let's go for @rgrp solutions!

nigini commented 12 years ago

OK! I'll start today!

teleyinex commented 12 years ago

@nigini can you wait a bit? I'm already assigned the task to me today, and I'm finishing right now the authentication + authorization just for applications. Then, when I submit the code, you can follow the same style.

rufuspollock commented 12 years ago

API pretty much done (though not completely tested). Application create also done in WUI and at the moment nothing else.