Add permission-checking service to Governance

[stuehmer]

I need a permission-checking service so that I can validate users from other endpoints.

API should include: Input: UserURI, StreamURI, Mode Output: boolean allowed/disallowed

Input: Token, StreamURI, Mode Output: boolean allowed/disallowed

This can be used by other Web portals and services which must enforce PLAY permissions.

[chamerling]

Do you need it at REST API level (ie user with OAuth token stuff) or at SOAP one?

Then:

• Operation: check(userURI, streamURI, mode) : What is userURI?
• Operation: check(token, streamURI, mode) : What is token?

[stuehmer]

token: your governance user-token useruri: the resource of the user (generated in PLAY.me if I am correct)

[chamerling]

• token: SO you want to expose a service (REST/SOAP?) which takes the token as input parameter. In a real Oauth world we have to creation an 'application' for that, but let's bypass that.
• useruri: Can you check where you saw a user URI? Users are not stored in the resource collection but in a dedicated collection so they do not have any linked URI.

[stuehmer]

• useruri: if they don't have a linked URI, how do you link them to permissions and groups, etc?
• token: ok, if the token is already in the http header we could just have an authenticated request (REST) to check for: check(streamURI, mode), right?

[chamerling]

• useruri: The user has a list of groups he belongs to. In the list a group is a URI. The permission is a resource which contains the agents (ie group).
• token: this will works for current user. Is it what you need ie "I want to check if I can access to a stream in a given mode"

[stuehmer]

On 26.06.2013 16:51, Christophe Hamerling wrote:

• useruri: The user has a list of groups he belongs to. In the list a group is a URI. The permission is a resource which contains the agents (ie group).

ok, then this is not useful I think. let's only have the solution below:

• token: this will works for current user. Is it what you need ie "I want to check if I can access to a stream in a given mode"

yes, exactly what I need

[chamerling]

@stuehmer what will you use for role as operation input?

• http://www.w3.org/ns/auth/acl#Read
• http://www.w3.org/ns/auth/acl#Write
• http://www.w3.org/ns/auth/acl#Subscribe
• http://www.w3.org/ns/auth/acl#Notify

or simple values (read, write, ...) ?

[chamerling]

WDYT about this:

    /**
     * Check is the user can access to the stream in the given mode.
     *
     * @param id
     * @param mode
     * @return HTTP 200 OK if access is authorized, else HTTP 403 unauthorized
     */
    @GET
    @Path("/{id}/access/{mode}")
    @Produces(MediaType.APPLICATION_JSON)
    Response checkAccess(@PathParam("id") String id, @PathParam("mode") String mode);

with mode = read/write/... (without URL)

[stuehmer]

• the API looks good!
• as values for mode I prefer the full URIs. if you need, I created constants for the project in https://github.com/play-project/play-commons/blob/master/play-commons-accesscontrol/src/main/java/org/ow2/play/commons/accesscontrol/api/Permission.java should be reused, if you have the dependency on your classpath