Closed drsm79 closed 12 years ago
rickw: Added entries in the table in https://twiki.cern.ch/twiki/bin/view/CMS/ReqMgrSystemDesign#REST_Interface Feel free to change.
metson: Looks good. The only thing I'd change is all to authenticated (which probably just means a note at the top). ReqMgr is the kind of thing we've been asked to not give free access (world readable) to in the past.
rickw: How do we define who goes in what role? In other words, how do we make me a reqmgr admin?
metson: I set some flags in SiteDB for your account. Available roles:
{{{
Admin
CRAB Server Operator
DBSExpert
DBSOperator
Data Manager
Developer
DocDB Admin
FTS Contact
Global Admin
GlobalTag Manager
PADA Admin
PhEDEx Contact
Production Manager
Production Operator
Results Service
Site Admin
Site Executive
StageManager
StageRequest
T0 Operator
_admin
}}}
Available groups:
{{{
AnalysisOps
CondDB
CouchDB
DBS
DataOps
DataQuality
FacOps
LCG production team 1
LCG production team 2
LCG production team 3
LCG production team 4
LCG production team 5
LCG production team 6
LCG production team 7
OSG production team 1
OSG production team 2
b-physics
b-tagging
e-gamma_ecal
ewk
exotica
forward
global
heavy-ions
higgs
jets-met_hcal
muon
phedex
qcd
site
susy
tau-pflow
top
tracker-dpg
tracker-pog
trigger
}}}
rickw: OK. Making me developer is good enough. Then I'll restrict all the privileged operations, to Admin or Data Manager, and Developer. Later we can worry about restricting developers, but at least we've reduced the number of possible suspects to ten or so.
rickw: Big problem. How do you decorate REST methods? I'd like this to block me, but it doesn't.
{{{
@cherrypy.tools.secmodv2(role=['Honey Badger'])
def getRequest(self, requestName=None):
    return "Welcome, honey badger"
}}}
metson: Replying to [comment:5 rickw]:
> OK. Making me developer is good enough. Then I'll restrict all the privileged operations, to Admin or Data Manager, and Developer. Later we can worry about restricting developers, but at least we've reduced the number of possible suspects to ten or so.
Sounds good - I've set you up as a Data Ops:Developer (https://cmsweb.cern.ch/sitedb/people/?name=Rick%20Wilkinson)
mnorman: Where are we in this? I notice this hasn't been touched in a while.
swakef: I added a first pass at the relevant functions in #2397, not sure what the plan is there though...
mnorman: I have no idea what this is on, so I'll probably close this at the end of the month unless someone complains.
sfoulkes: You'll need to update Rick's twiki with the changes made in #3348.
mnorman: Okay. Done (actually none of the Admin roles were listed, I guess he assumed people knew who they were). What else?
mnorman: Updated again. Looks like the rest of this can probably go into #2863.
Admin group/roles are documented, so I'm going to close this eventually if there is no further information.
mnorman: No further input, so I'm closing this. Other questions can go on the general documentation ticket (#2863)
Each REST method should have a clearly documented set of roles/groups that are allowed to call them, to make adding in the security simpler.
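An added example, not part of the ticket and not WMCore or ReqMgr code: one way to attach a role/group declaration to each REST method so that the same declaration is enforced at call time and can be listed for the documentation table, together with the "does it actually block me" check tried above. The decorator `requires`, the `current_user` hook, the `ReqMgrAPI` stand-in class and the `{role: {groups}}` shape of the user record are assumptions made for illustration; the role and group names are taken from the lists in the thread.

```python
import functools
import inspect

class Forbidden(Exception):
    """Caller is unauthenticated or holds none of the required role/group pairs."""

def requires(role=(), group=()):
    """Declare and enforce who may call a method (no role/group = any authenticated user)."""
    roles, groups = frozenset(role), frozenset(group)
    def decorate(func):
        @functools.wraps(func)
        def wrapper(self, *args, **kwargs):
            user = self.current_user()  # hypothetical hook: {role: {group, ...}} or None
            if user is None:
                raise Forbidden("authentication required")
            held = [r for r in user if not roles or r in roles]
            if (roles or groups) and not any(not groups or user[r] & groups for r in held):
                raise Forbidden(func.__name__)
            return func(self, *args, **kwargs)
        wrapper.acl = {"role": sorted(roles), "group": sorted(groups)}
        return wrapper
    return decorate

def acl_table(api_cls):
    """Map each public method to its declared ACL, or None if nothing was declared."""
    return {name: getattr(fn, "acl", None)
            for name, fn in inspect.getmembers(api_cls, inspect.isfunction)
            if not name.startswith("_") and name != "current_user"}

class ReqMgrAPI:  # constructed stand-in, not the real ReqMgr class
    def __init__(self, user):
        self._user = user
    def current_user(self):
        return self._user
    @requires(role=["Honey Badger"])
    def getRequest(self, requestName=None):
        return "Welcome, honey badger"
    @requires(role=["Admin", "Data Manager", "Developer"], group=["DataOps"])
    def putRequest(self, requestName=None):
        return "updated %s" % requestName
    def deleteRequest(self, requestName=None):  # deliberately left undeclared
        return "deleted %s" % requestName

def is_blocked(api, method, *args):
    # Negative test: True only if the call is rejected with Forbidden.
    try:
        getattr(api, method)(*args)
    except Forbidden:
        return True
    return False
```

Any method that `acl_table` reports as `None` has no declaration at all, which is the case worth failing a build on.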