aiondemand / AIOD-rest-api

Services for the core of AIoD: Authentication and the metadata catalogue with REST API.
https://api.aiod.eu
MIT License

Establish Linkage between Keycloak Users and Metadata Catalogue Database #306

Open jsmatias opened 5 months ago

jsmatias commented 5 months ago

Currently, there is no mechanism in place to establish a clear linkage between Keycloak users and the metadata catalogue database. This lack of linkage poses a significant security risk as it allows users to potentially edit assets belonging to others without proper authorisation.

Upon a closer look at the existing system, it appears that the only protection against overwriting asset data is on an entity-type level. Consequently, if multiple users possess editing privileges for datasets, there exists a loophole wherein one user can edit another user's datasets. This is clearly not desirable behaviour, as users should typically only be able to modify their own assets unless they are part of a more privileged group.

Proposed Solution: To mitigate this issue, it's essential to introduce a mechanism that associates each asset with its rightful owner using the user's ID from Keycloak. This linkage should be established at the time of dataset creation in the catalogue, ensuring that users can only edit assets that belong to them.

Additionally, it's crucial to update the aiod entry to reflect this linkage. Currently, the entry only lists the editor as a generic "Person," lacking any connection to Keycloak. This update will ensure that the ownership information is accurately captured and reflected in the metadata catalogue.

Next Steps:

  1. Investigate the feasibility of linking Keycloak users to the metadata catalogue database.
  2. Implement the necessary changes to associate assets with their respective owners during dataset creation.
  3. Update the aiod entry to include the Keycloak user information.

This issue should be addressed promptly to enhance the security and integrity of the system by ensuring that users can only modify assets that they own.

_Originally from discussion in https://github.com/aiondemand/AIOD-rest-api/pull/298#discussion_r1576033267_
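Added illustration, not code from AIOD-rest-api: a minimal model of the entity-type-level check the issue describes next to the owner-level check it proposes, keyed on the Keycloak `sub` claim recorded at creation time. The `Asset`, `User` and role names, and the `owner_sub` field, are hypothetical.

```python
# Added example (hypothetical types, not the project's models): entity-type-level
# authorisation versus per-asset ownership linked to the Keycloak user id.
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Asset:
    id: int
    kind: str                       # e.g. "dataset"
    owner_sub: Optional[str]        # Keycloak "sub" of the creator (hypothetical field)


@dataclass
class User:
    sub: str                        # Keycloak "sub" claim from the access token
    roles: Set[str] = field(default_factory=set)   # roles carried by the token


def can_edit_type_level(user: User, asset: Asset) -> bool:
    """Current behaviour: any holder of the type's edit role may edit any asset of that type."""
    return f"edit_{asset.kind}" in user.roles


def can_edit_owner_level(user: User, asset: Asset, privileged_role: str = "admin") -> bool:
    """Proposed behaviour: the type role is still required, and the asset must belong
    to the caller unless the caller is in a privileged group."""
    if f"edit_{asset.kind}" not in user.roles:
        return False
    if privileged_role in user.roles:
        return True
    # Deny by default: an asset with no recorded owner cannot be shown to be the caller's.
    return asset.owner_sub is not None and asset.owner_sub == user.sub


def create_asset(user: User, asset_id: int, kind: str) -> Asset:
    """Record the creator's Keycloak sub on the asset at creation time, as the issue proposes."""
    return Asset(id=asset_id, kind=kind, owner_sub=user.sub)


# Constructed sample data: two dataset editors, one admin, one pre-linkage asset.
alice = User(sub="alice-uuid", roles={"edit_dataset"})
bob = User(sub="bob-uuid", roles={"edit_dataset"})
admin = User(sub="admin-uuid", roles={"edit_dataset", "admin"})
alice_ds = create_asset(alice, 1, "dataset")
legacy_ds = Asset(id=2, kind="dataset", owner_sub=None)   # created before ownership was stored

if __name__ == "__main__":
    # The type-level check lets bob overwrite alice's dataset; the owner-level check refuses.
    print(can_edit_type_level(bob, alice_ds), can_edit_owner_level(bob, alice_ds))
```

Assets created before the linkage existed have no owner and are refused to ordinary editors; an explicit migration or a privileged role is needed to touch them.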