Closed pieterlukasse closed 5 years ago
On the wiki https://github.com/cBioPortal/cbioportal/wiki/User-Authorization it states this needs to be done directly using mysql.
We are currently managing this via a python script and Google spreadsheets. When someone requests access to a portal, a record gets inserted into a google spreadsheet. Once they are approved (by changing a field in this spreadsheet manually), the script (which runs periodically) checks and adds the appropriate authorities in the database.
A more general built-in solution may be something we would want to consider. I could see adding a column in the authorities table for approval status working, with maybe an admin page where this status could be changed? Or maybe just some scripts to return users pending approval and allow an admin to approve or reject the request. @n1zea144, what do you think?
Hi @pieterlukasse et al,
is there any update on this issue? I like the simplicity of the google spreadsheet solution - however we need a kind of more complex solution for this - which allows to grant access to user groups - probably via LDAP.
Potential solutions I see are:
Any comments are welcome - I hope to create a multi-purpose solution which is re-usable for others.
Hi @tweep , I like solution 1. A few suggestions:
@pieterlukasse, IIUIC you like to have the authorization handled and administered by a separate application, right? Like the microservice way :-) It might require some major refactoring on the cbio side how authorization is currently handled, but it'll be a great benefit. Best outcome for us would be if this solution also supports authorization via the R API - so specific users can access "their" studies via R. I've not had a look at the R integration code now. Do you know who's currently handling this side of the project?
@tweep: that's right. It is similar to your proposal nr. 1, but it goes a bit further and moves some of the parts out of cBioPortal and into this new app. It should help to get the dependency order right, i.e. if one wants authorization in cBioPortal, then one can choose to include this new app (which on its turn takes care of other possible dependencies, like creating the necessary tables in mysql or in another repository if preferred). See also attached figure.
I have not been involved in the R API so far, so I can't really comment on that. One comment is that I think what you want via R is an authentication mechanism to the cBioPortal. The authorization is something that cBioPortal will verify directly with the authorization app when handling the authenticated request.
@pieterlukasse is there anything we should do about this one?
Do the things we've started doing with Keycloak basically implement the solution discussed here?
Ah, I think the answer might be ‘not completely’—I think I've only seen Keycloak being applied to interactive use of the web app via a browser.
Closing this issue since at The Hyve we advocate Keycloak as the solution to use for all authorization configuration.
In section https://github.com/cBioPortal/cbioportal/wiki/File-Formats#cancer-study it is mentioned:
"groups (optional): When using an authenticating cBioPortal, lists the user-groups that are allowed access to this study. Multiple groups are separated with a semicolon ";". The study will be invisible to users not in at least one of the listed groups, as if it wasn't loaded at all. e.g., "PUBLIC;GDAC;SU2C-PI3K". see User-Authorization for more information on groups"
Problem: it is not clearly documented how to get a user in a group.
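The following is an added example, not code from cBioPortal or from anyone in this thread. It models the two rules the thread touches on: the `groups` field format quoted above (semicolon-separated group names; a study is visible only to users in at least one listed group) and the earlier proposal of an approval status on authority records, so that a pending request grants nothing until an admin approves it. All names (`AuthorityRecord`, `parse_groups`, `visible_studies`, `pending_requests`), the sample studies and the sample records are constructed for illustration. The quoted text does not say how a study without a `groups` line is treated; this example takes the conservative reading that no group grants access to it, which is an assumption.

```python
from __future__ import annotations

from dataclasses import dataclass


def parse_groups(value: str | None) -> frozenset[str]:
    """Split a meta_study 'groups' value ("PUBLIC;GDAC;SU2C-PI3K") into a set.

    Surrounding whitespace and empty entries (e.g. "PUBLIC;;GDAC") are dropped.
    A missing field yields the empty set, i.e. no group grants access
    (assumption of this example, the page does not specify this case).
    Group names are compared case-sensitively here; that is also an assumption.
    """
    if value is None:
        return frozenset()
    return frozenset(g.strip() for g in value.split(";") if g.strip())


@dataclass(frozen=True)
class AuthorityRecord:
    """One user/group grant. 'approved' is the hypothetical approval-status
    column proposed in this thread; only approved records confer access."""
    email: str
    group: str
    approved: bool = True


def effective_groups(records: list[AuthorityRecord], email: str) -> frozenset[str]:
    """Groups a user actually holds: approved records for that email only."""
    return frozenset(r.group for r in records if r.email == email and r.approved)


def is_visible(study_groups: frozenset[str], user_groups: frozenset[str]) -> bool:
    """Visible iff the user is in at least one of the study's listed groups.
    An empty study group set fails closed (see parse_groups)."""
    return bool(study_groups & user_groups)


def visible_studies(studies: dict[str, str | None],
                    records: list[AuthorityRecord],
                    email: str) -> list[str]:
    """Study ids the given user may see, sorted for stable output."""
    user_groups = effective_groups(records, email)
    return sorted(sid for sid, groups in studies.items()
                  if is_visible(parse_groups(groups), user_groups))


def pending_requests(records: list[AuthorityRecord]) -> list[tuple[str, str]]:
    """(email, group) pairs still awaiting admin approval; what an admin
    'list users pending approval' script would return."""
    return sorted((r.email, r.group) for r in records if not r.approved)


# Constructed sample data: study id -> value of the 'groups' field in meta_study.txt
STUDIES: dict[str, str | None] = {
    "brca_public": "PUBLIC",
    "su2c_pi3k": "PUBLIC;GDAC;SU2C-PI3K",
    "lab_private": "MYLAB",
    "no_groups_study": None,
}

# Constructed sample authority records (hypothetical approval column included)
RECORDS: list[AuthorityRecord] = [
    AuthorityRecord("ann@example.org", "GDAC"),
    AuthorityRecord("bob@example.org", "PUBLIC"),
    AuthorityRecord("bob@example.org", "MYLAB", approved=False),  # requested, not yet approved
]


if __name__ == "__main__":
    for who in ("ann@example.org", "bob@example.org"):
        print(who, "->", visible_studies(STUDIES, RECORDS, who))
    print("pending:", pending_requests(RECORDS))
```

Because `is_visible` only ever answers yes when the user's approved groups intersect the study's parsed groups, a pending record (bob's `MYLAB` request) and a study with no `groups` line both fail closed; approving the record by flipping `approved` is the single change that opens access, which is what makes the approval column easy to audit.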