cBioPortal / cbioportal

cBioPortal for Cancer Genomics
https://cbioportal.org
GNU Affero General Public License v3.0

Documentation missing for user groups #540

Closed pieterlukasse closed 5 years ago

pieterlukasse commented 8 years ago

In section https://github.com/cBioPortal/cbioportal/wiki/File-Formats#cancer-study it is mentioned:

"groups (optional): When using an authenticating cBioPortal, lists the user-groups that are allowed access to this study. Multiple groups are separated with a semicolon ";". The study will be invisible to users not in at least one of the listed groups, as if it wasn't loaded at all. e.g., "PUBLIC;GDAC;SU2C-PI3K". see User-Authorization for more information on groups"

Problem: it is not clearly documented how to get a user in a group.

zheins commented 8 years ago

On the wiki https://github.com/cBioPortal/cbioportal/wiki/User-Authorization it states this needs to be done directly using mysql.

We are currently managing this via a python script and Google spreadsheets. When someone requests access to a portal, a record gets inserted into a Google spreadsheet. Once they are approved (by changing a field in this spreadsheet manually), the script (which runs periodically) checks and adds the appropriate authorities in the database.

A more general built-in solution may be something we would want to consider. I could see adding a column in the authorities table for approval status working, with maybe an admin page where this status could be changed? Or maybe just some scripts to return users pending approval and allow an admin to approve or reject the request. @n1zea144, what do you think?
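The approval-sync flow described in the comment above, as an added example that is not part of the original thread and is not the script zheins refers to. It assumes a CSV export standing in for the spreadsheet, a `users`/`authorities` table layout, and an `app_name:GROUP` authority string; none of these are specified on this page, and all sample rows are constructed.

```python
import csv
import io
import sqlite3

# Constructed stand-in for the spreadsheet export: one row per access request.
REQUESTS_CSV = """email,group,status
alice@example.org,GDAC,approved
bob@example.org,SU2C-PI3K,pending
carol@example.org,ADMIN,approved
alice@example.org,GDAC,approved
"""

# Groups this script may grant; anything else in the sheet is ignored.
GRANTABLE_GROUPS = {"PUBLIC", "GDAC", "SU2C-PI3K"}


def open_demo_db():
    """In-memory database with an assumed users/authorities layout."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (email TEXT PRIMARY KEY, enabled INTEGER NOT NULL);
        CREATE TABLE authorities (email TEXT NOT NULL, authority TEXT NOT NULL,
                                  UNIQUE (email, authority));
    """)
    return db


def sync_approved(db, requests_csv, app_name="cbioportal"):
    """Grant approved, allow-listed groups; return (granted, skipped) lists."""
    granted, skipped = [], []
    for row in csv.DictReader(io.StringIO(requests_csv)):
        email = row["email"].strip().lower()
        group = row["group"].strip()
        if row["status"].strip().lower() != "approved":
            skipped.append((email, group, "not approved"))
            continue
        if group not in GRANTABLE_GROUPS:
            skipped.append((email, group, "group not grantable"))
            continue
        authority = f"{app_name}:{group}"  # assumed authority format
        with db:  # one transaction per request row
            db.execute("INSERT OR IGNORE INTO users (email, enabled) VALUES (?, 1)", (email,))
            cur = db.execute(
                "INSERT OR IGNORE INTO authorities (email, authority) VALUES (?, ?)",
                (email, authority))
        if cur.rowcount == 1:  # 0 means the grant already existed
            granted.append((email, authority))
    return granted, skipped
```

Because the inserts are idempotent and the grantable groups are an allow-list, the script can run periodically without duplicating rows, and an edited spreadsheet cell cannot hand out a group the script was never meant to grant.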

tweep commented 8 years ago

Hi @pieterlukasse et al,

Is there any update on this issue? I like the simplicity of the Google spreadsheet solution - however we need a kind of more complex solution for this - which allows to grant access to user groups - probably via LDAP.

Potential solutions I see are:

  1. Self-standing UI: Creating a separate, independent UI which can be configured to pull data from LDAP and manages the mysql user / authority table - some kind of Admin UI for cbioportal. We might have other data we like to manipulate via this interface so it would be easily extendible - the draw-back I see is that changes to the tables within cbioportal will affect this independent solution; however if we start and move towards flyway
  2. Modular solution within cbioportal: creating a module within cbioportal and have this module manage the user table. This increases the complexity of the app cause it would add some "admin" interface to it. To be honest I don't really like that solution at all.
  3. Scripted solution: Some kind of scripted solution, kind of more quick and dirty, maybe managed with jenkins. Not re-usable for others.

Any comments are welcome - I hope to create a multi-purpose solution which is re-usable for others.

pieterlukasse commented 8 years ago

Hi @tweep, I like solution 1. A few suggestions:

tweep commented 8 years ago

@pieterlukasse, IIUIC you like to have the authorization handled and administered by a separate application, right? Like the microservice way :-) It might require some major refactoring on the cbio side how authorization is currently handled, but it'll be a great benefit. Best outcome for us would be if this solution also supports authorization via the R API - so specific users can access "their" studies via R. I've not had a look at the R integration code now. Do you know who's currently handling this side of the project?

pieterlukasse commented 8 years ago

@tweep: that's right. It is similar to your proposal nr. 1, but it goes a bit further and moves some of the parts out of cBioPortal and into this new app. It should help to get the dependency order right, i.e. if one wants authorization in cBioPortal, then one can choose to include this new app (which in its turn takes care of other possible dependencies, like creating the necessary tables in mysql or in another repository if preferred). See also attached figure.

[Figure: authorization and authentication in cbioportal 1]

I have not been involved in the R API so far, so I can't really comment on that. One comment is that I think what you want via R is an authentication mechanism to the cBioPortal. The authorization is something that cBioPortal will verify directly with the authorization app when handling the authenticated request.

jjgao commented 6 years ago

@pieterlukasse is there anything we should do about this one?

fedde-s commented 5 years ago

Do the things we've started doing with Keycloak basically implement the solution discussed here?

fedde-s commented 5 years ago

Ah, I think the answer might be ‘not completely’—I think I've only seen Keycloak being applied to interactive use of the web app via a browser.

pieterlukasse commented 5 years ago

Closing this issue since at The Hyve we advocate Keycloak as the solution to use for all authorization configuration.