Vereinfachte Permissions

mwa commented 3 years ago

Entwurf für vereinfachte Permissions, welche identische Rechte für Datasets/Ressourcen in allen QWC Services bereitstellen.

Diese Permissions sollen in den QWC Services beim Laden in die bisherige permissions.json Struktur umgewandelt werden. Diese Funktionalität sollte zentral über den PermissionsReader im qwc-services-core gelöst werden können.

Neu:

unified_permissions zur Kennzeichnung der vereinfachten Version
wms_name und wfs_name für Name des WMS/WFS in wms_services bzw. wfs_services
all_services statt servicespezifische Permissions
- name: Identifier des Dataproducts/Ressource
- attributes: Liste der erlaubten Attribute für Vektordatasets
- writable: Schreibrechte im Data Service, falls gesetzt (default: false)

Neben allen Dataproducts müssen zudem die internen Printlayer, Hintergrundkarten, Print Templates, Document Templates und die Standard Solr Facets in all_resources eingetragen werden.

Beispielkonfiguration

WMS Layertree: ``` * somap (WMS Root Layer) * ch.so.afu.baugrundklassen * ch.so.agi.av.amtliche_vermessung * ch.so.agi.av.grundstuecke (Facade) * ch.so.agi.av.grundstuecke.grenzpunkte * ch.so.agi.av.grundstuecke.rechtskraeftig * ch.so.agi.av.rohrleitungen * ch.so.agi.av.grundstuecke.rechtskraeftig * 1_hintergrundkarte_sw (interner Print Layer für hintergrundkarte_sw) ``` Hintergrundkarte: `hintergrundkarte_sw` `permissions.json`: ```jsonc { "$schema": "https://github.com/qwc-services/qwc-services-core/raw/master/schemas/qwc-services-unified-permissions.json", "unified_permissions": true, "users": [ { "name": "demo", "groups": [], "roles": [ "edit_demo" ] } ], "groups": [], "roles": [ { "role": "public", "permissions": { // WMS Name für wms_services "wms_name": "somap", // WFS Name für wfs_services "wfs_name": "somap", "all_services": [ // Dataproducts { "name": "somap" }, { "name": "ch.so.afu.baugrundklassen", "attributes": [ "bgk_txt", "gz_txt", "bericht", "geometry" ] }, { "name": "ch.so.agi.av.amtliche_vermessung" }, { "name": "ch.so.agi.av.grundstuecke" }, { "name": "ch.so.agi.av.grundstuecke.grenzpunkte", "attributes": [ "punktzeichen_txt", "geometry" ] }, { "name": "ch.so.agi.av.grundstuecke.rechtskraeftig", "attributes": [ "nummer", "art_txt", "flaechenmass", "egrid", "bfs_nr", "geometry" ] }, { "name": "ch.so.agi.av.rohrleitungen", "attributes": [ "betreiber", "geometry" ] }, // interner Print Layer { "name": "1_hintergrundkarte_sw" }, // Hintergrundkarten { "name": "hintergrundkarte_sw" }, // Print Templates { "name": "A4 hoch" }, // Document templates { "name": "grundstuecksbeschrieb" }, // Standard Solr Facets { "name": "foreground" }, { "name": "background" } ] } }, { "role": "edit_demo", "permissions": { // WMS Name für wms_services "wms_name": "somap", // WFS Name für wfs_services "wfs_name": "somap", "all_services": [ // Dataproducts { "name": "somap" }, { "name": "ch.so.afu.baugrundklassen", "attributes": [ "bgk_txt", "gz_txt", "bericht", "geometry" ] }, { "name": "ch.so.agi.av.amtliche_vermessung" }, { "name": "ch.so.agi.av.grundstuecke" }, { "name": "ch.so.agi.av.grundstuecke.grenzpunkte", "attributes": [ "punktzeichen_txt", "geometry" ], // zusätzliche Schreibrechte "writable": true }, { "name": "ch.so.agi.av.grundstuecke.rechtskraeftig", "attributes": [ "nummer", "art_txt", "flaechenmass", "egrid", "bfs_nr", "geometry" ] }, { "name": "ch.so.agi.av.rohrleitungen", "attributes": [ "betreiber", "geometry" ], // zusätzliche Schreibrechte "writable": true }, // interner Print Layer { "name": "1_hintergrundkarte_sw" }, // Hintergrundkarten { "name": "hintergrundkarte_sw" }, // Print Templates { "name": "A4 hoch" }, // Document templates { "name": "grundstuecksbeschrieb" }, // Standard Solr Facets { "name": "foreground" }, { "name": "background" } ] } } ] } ```

JSON Schema

```jsonc { "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://github.com/qwc-services/qwc-services-core/raw/master/schemas/qwc-services-unified-permissions.json", "title": "QWC Services unified Permissions", "description": "Unified and simplified permissions if resource permissions are identical in all QWC Services", "type": "object", "properties": { "$schema": { "title": "JSON Schema", "description": "Reference to JSON schema of these permissions", "type": "string", "format": "uri", "default": "https://github.com/qwc-services/qwc-services-core/raw/master/schemas/qwc-services-unified-permissions.json" }, "unified_permissions": { "title": "Mark as unified permissions", "type": "boolean", "const": true }, "users": { "title": "Users", "type": "array", "items": { "title": "User", "type": "object", "properties": { "name": { "description": "User name", "type": "string" }, "groups": { "title": "Group memberships", "type": "array", "items": { "type": "string" } }, "roles": { "title": "Role memberships", "type": "array", "items": { "type": "string" } } }, "required": [ "name", "groups" ] } }, "groups": { "title": "Groups", "type": "array", "items": { "title": "Group", "type": "object", "properties": { "name": { "description": "Group name", "type": "string" }, "roles": { "title": "Role memberships", "type": "array", "items": { "type": "string" } } }, "required": [ "name", "roles" ] } }, "roles": { "title": "Roles", "type": "array", "items": { "title": "Role", "type": "object", "properties": { "role": { "description": "Role name", "type": "string" }, "permissions": { "title": "Permissions for role", "type": "object", "properties": { "wms_name": { "description": "WMS service name", "type": "string" }, "wfs_name": { "description": "WFS service name", "type": "string" }, "all_services": { "title": "All services", "description": "Permitted resources for all QWC services", "type": "array", "items": { "title": "Resource permissions", "type": "object", "properties": { "name": { "description": "Resource name", "type": "string" }, "attributes": { "description": "Permitted attributes for vector datasets", "type": "array", "items": { "type": "string" } }, "writable": { "description": "Dataset is writable in Data service if set", "type": "boolean" } }, "required": [ "name" ] } } }, "required": [ "wms_name", "wfs_name", "all_services" ] } }, "required": [ "role" ] } } }, "required": [ "unified_permissions", "users", "groups", "roles" ] } ```

ojeker commented 3 years ago

Für Meeting:

Das wäre config, oder? Wieso braucht es das? // WMS Name für wms_services "wms_name": "somap", // WFS Name für wfs_services "wfs_name": "somap",

Und nochmals { "name": "somap" },

Geometrie-Felder jeweils auch enthalten?

Besprechen - verstehen:

grundstuecke (Facade)
grundstuecke.grenzpunkte

Grouplayer - Facadelayer - Einzellayer...?

Templates, Facets....

pka commented 3 years ago

Feststellungen:

unified_permissions nur falls nötig
wms_name, wfs_name: Auf top-level verschieben, da immer gleich
"name": "somap": Root-Layer für OGC services (noch zu diskutieren)
Geometrie-Feld soll implizit dabei sein (geometry ist nur Platzhalter für Geometriespalte)

ojeker commented 3 years ago

  "roles": [
    {
      "role": "public",
      "permissions": {
        // WMS Name für wms_services
        "wms_name": "somap",
        // WFS Name für wfs_services
        "wfs_name": "somap",
        "all_services": [
          // Dataproducts
          {
            "name": "myfacade"
          },
"details" : {
"myfacade"{
"child1":[att1, att2]
},
"child2":[att3, att4]
}

mwa commented 3 years ago

Variante mit ausgelagerten Details für Gruppen- und Einzellayer (vgl. oben)

Beispielkonfiguration

```jsonc { "users": [], "groups": [], "roles": [ { "role": "public", "permissions": { "all_services": [ // Dataproducts: Referenzen auf "dataproducts" /* Rootlayer? { "name": "somap" }, */ { "name": "ch.so.afu.baugrundklassen", } { "name": "ch.so.agi.av.amtliche_vermessung" }, { "name": "ch.so.agi.av.grundstuecke.rechtskraeftig" }, // Document templates { "name": "grundstuecksbeschrieb" } ] } } ], // WMS Name für wms_services "wms_name": "somap", // WFS Name für wfs_services "wfs_name": "somap", // Details zu Dataproducts aus "all_services" "dataproducts": [ // Gruppenlayer /* Rootlayer? { "name": "somap", "sublayers": [ "ch.so.afu.baugrundklassen", "ch.so.agi.av.amtliche_vermessung", "ch.so.agi.av.grundstuecke.rechtskraeftig" ] }, */ { "name": "ch.so.agi.av.amtliche_vermessung", "sublayers": [ "ch.so.agi.av.grundstuecke", "ch.so.agi.av.rohrleitungen" ] } // Facadelayer { "name": "ch.so.agi.av.grundstuecke", "sublayers": [ "ch.so.agi.av.grundstuecke.grenzpunkte", "ch.so.agi.av.grundstuecke.rechtskraeftig" ] /* oder verschachtelt: "sublayers": [ { "name": "", "attributes": [ "" ], "writable": false } ] */ }, // Facade Sublayer { "name": "ch.so.agi.av.grundstuecke.grenzpunkte", "attributes": [ "punktzeichen_txt" ] }, // Einzellayer / Sublayer { "name": "ch.so.agi.av.grundstuecke.rechtskraeftig", "attributes": [ "nummer", "art_txt", "flaechenmass", "egrid", "bfs_nr" ] }, { "name": "ch.so.agi.av.rohrleitungen", "attributes": [ "betreiber" ], // zusätzliche Schreibrechte "writable": true } // ... ], // zusätzliche Ressourcen, welche nie eingeschränkt werden "common_resources": [ // interner Print Layer { "name": "1_hintergrundkarte_sw" }, // Hintergrundkarten { "name": "hintergrundkarte_sw" }, // Print Templates { "name": "A4 hoch" }, // Standard Solr Facets { "name": "foreground" }, { "name": "background" } // oder als einfache Liste von Strings ] } ```

Zu klären:

Workflow im Generator: Welche Informationsblöcke werden genau verarbeitet (zuerst alle Gruppen, dann Layerdetails?)
Rootlayer?
Einzellayer trotzdem in all_services?
writable pro Rolle?
Aufteilung in verschiedene Blöcke macht die Struktur eher uneinheitlich

pka commented 3 years ago

Überarbeitete Variante grundsätzlich ok
writable zu Permissions verschieben

ojeker commented 3 years ago

Aktualisiertes json folgt noch von Matthias - gebe dann Feedback

mwa commented 3 years ago

Überarbeitete Version:

Beispielkonfiguration

```jsonc { "schema": "https://github.com/qwc-services/qwc-services-core/raw/master/schemas/qwc-services-unified-permissions.json", "users": [ { "name": "demo", "groups": [], "roles": [ "edit_demo" ] } ], "groups": [], "roles": [ { "role": "edit_demo", "permissions": { "all_services": [ // top-level Dataproducts: Referenzen auf "dataproducts" { "name": "ch.so.afu.baugrundklassen" }, { "name": "ch.so.agi.av.amtliche_vermessung" }, { "name": "ch.so.agi.av.grundstuecke.rechtskraeftig" }, // zusätzliche Layer mit Schreibrechten { "name": "ch.so.agi.av.rohrleitungen", "writable": true }, // Document templates { "name": "grundstuecksbeschrieb" } ] } } ], // WMS Name für wms_services "wms_name": "somap", // WFS Name für wfs_services "wfs_name": "somap", // Details zu Dataproducts aus "all_services" "dataproducts": [ // Gruppenlayer { "name": "ch.so.agi.av.amtliche_vermessung", "sublayers": [ "ch.so.agi.av.grundstuecke", "ch.so.agi.av.rohrleitungen" ] }, // Facadelayer { "name": "ch.so.agi.av.grundstuecke", "sublayers": [ "ch.so.agi.av.grundstuecke.grenzpunkte", "ch.so.agi.av.grundstuecke.rechtskraeftig" ] }, // Facade Sublayer { "name": "ch.so.agi.av.grundstuecke.grenzpunkte", "attributes": [ "punktzeichen_txt" ] }, // Einzellayer / Sublayer { "name": "ch.so.agi.av.grundstuecke.rechtskraeftig", "attributes": [ // Attribute ohne "geometry" "nummer", "art_txt", "flaechenmass", "egrid", "bfs_nr" ] }, { "name": "ch.so.agi.av.rohrleitungen", "attributes": [ "betreiber" ] } // ... ], // zusätzliche Ressourcen, welche nie eingeschränkt werden "common_resources": [ // interner Print Layer "1_hintergrundkarte_sw", // Hintergrundkarten "hintergrundkarte_sw", // Print Templates "A4 hoch", // Standard Solr Facets "foreground", "background" ] } ```

JSON Schema

```jsonc { "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://github.com/qwc-services/qwc-services-core/raw/master/schemas/qwc-services-unified-permissions.json", "title": "QWC Services unified Permissions", "description": "Unified and simplified permissions if resource permissions are identical in all QWC Services", "type": "object", "properties": { "$schema": { "title": "JSON Schema", "description": "Reference to JSON schema of these permissions", "type": "string", "format": "uri", "default": "https://github.com/qwc-services/qwc-services-core/raw/master/schemas/qwc-services-unified-permissions.json" }, "users": { "title": "Users", "type": "array", "items": { "title": "User", "type": "object", "properties": { "name": { "description": "User name", "type": "string" }, "groups": { "title": "Group memberships", "type": "array", "items": { "type": "string" } }, "roles": { "title": "Role memberships", "type": "array", "items": { "type": "string" } } }, "required": [ "name", "groups" ] } }, "groups": { "title": "Groups", "type": "array", "items": { "title": "Group", "type": "object", "properties": { "name": { "description": "Group name", "type": "string" }, "roles": { "title": "Role memberships", "type": "array", "items": { "type": "string" } } }, "required": [ "name", "roles" ] } }, "roles": { "title": "Roles", "type": "array", "items": { "title": "Role", "type": "object", "properties": { "role": { "description": "Role name", "type": "string" }, "permissions": { "title": "Permissions for role", "type": "object", "properties": { "all_services": { "description": "Permitted resources for all services (top-level permitted layers and group layers, datasets with write permissions, document templates)", "type": "array", "items": { "title": "Resource permissions", "type": "object", "properties": { "name": { "description": "Dataproduct reference or document template name", "type": "string" }, "writable": { "description": "Writable flag for datasets with write permissions", "type": "boolean" } }, "required": [ "name" ] } } }, "required": [ "all_services" ] } }, "required": [ "role" ] } }, "wms_name": { "description": "Name of WMS service and its root layer", "type": "string" }, "wfs_name": { "description": "WFS service name", "type": "string" }, "dataproducts": { "title": "Dataproducts", "type": "array", "items": { "oneOf": [ {"$ref": "#/definitions/layer"}, {"$ref": "#/definitions/group_layer"} ] } }, "common_resources": { "description": "Additional resources with no restrictions (internal print layers, background layers, print templates, default solr facets)", "type": "array", "items": { "description": "Resource name", "type": "string" } } }, "required": [ "users", "groups", "roles", "wms_name", "wfs_name", "dataproducts", "common_resources" ], "definitions": { "layer": { "title": "Layer", "description": "Single layer", "type": "object", "properties": { "name": { "description": "Layer name", "type": "string" }, "attributes": { "description": "List of attributes, excluding 'geometry'", "type": "array", "items": { "type": "string" } } }, "required": [ "name", "attributes" ], "additionalProperties": false }, "group_layer": { "title": "Group Layer", "description": "Group layer with sublayers", "type": "object", "properties": { "name": { "description": "Group layer name", "type": "string" }, "sublayers": { "description": "List of sublayer references", "type": "array", "items": { "description": "Sublayer identifier", "type": "string" } } }, "required": [ "name", "sublayers" ], "additionalProperties": false } } } ```

ojeker commented 3 years ago

Danke Mathias für das update im obigen Kommentar. Passt für mich --> freigegeben

pka commented 3 years ago

Schema ist https://github.com/qwc-services/qwc-services-core/ publiziert.

mwa commented 3 years ago

Das Laden der vereinfachten Permissions wird mit qwc-services-core v1.2.6 unterstützt.

Aktualisierte QWC Services mit dieser qwc-services-core Version:

qwc-data-service:v2.0.3
qwc-document-service:v2.0.1
qwc-feature-info-service:v2.0.5
qwc-fulltext-search-service:v2.1.1
qwc-legend-service:v2.0.1
qwc-map-viewer:v2.0.2
qwc-ogc-service:v2.0.2
sogis-dataproduct-service:v2.0.6

mwa commented 3 years ago

Refactoring von all_services zu Dict statt Liste (vgl. #11)

Beispielkonfiguration

```jsonc { "schema": "https://github.com/qwc-services/qwc-services-core/raw/master/schemas/qwc-services-unified-permissions.json", "users": [ { "name": "demo", "groups": [], "roles": [ "edit_demo" ] } ], "groups": [], "roles": [ { "role": "edit_demo", "permissions": { "all_services": { // top-level Dataproducts: Referenzen auf "dataproducts" "ch.so.afu.baugrundklassen": {}, "ch.so.agi.av.amtliche_vermessung": {}, "ch.so.agi.av.grundstuecke.rechtskraeftig": {}, // zusätzliche Layer mit Schreibrechten "ch.so.agi.av.rohrleitungen": { "writable": true }, // Document templates "grundstuecksbeschrieb": {} } } } ], // WMS Name für wms_services "wms_name": "somap", // WFS Name für wfs_services "wfs_name": "somap", // Details zu Dataproducts aus "all_services" "dataproducts": [ // Gruppenlayer { "name": "ch.so.agi.av.amtliche_vermessung", "sublayers": [ "ch.so.agi.av.grundstuecke", "ch.so.agi.av.rohrleitungen" ] }, // Facadelayer { "name": "ch.so.agi.av.grundstuecke", "sublayers": [ "ch.so.agi.av.grundstuecke.grenzpunkte", "ch.so.agi.av.grundstuecke.rechtskraeftig" ] }, // Facade Sublayer { "name": "ch.so.agi.av.grundstuecke.grenzpunkte", "attributes": [ "punktzeichen_txt" ] }, // Einzellayer / Sublayer { "name": "ch.so.agi.av.grundstuecke.rechtskraeftig", "attributes": [ // Attribute ohne "geometry" "nummer", "art_txt", "flaechenmass", "egrid", "bfs_nr" ] }, { "name": "ch.so.agi.av.rohrleitungen", "attributes": [ "betreiber" ] } // ... ], // zusätzliche Ressourcen, welche nie eingeschränkt werden "common_resources": [ // interner Print Layer "1_hintergrundkarte_sw", // Hintergrundkarten "hintergrundkarte_sw", // Print Templates "A4 hoch", // Standard Solr Facets "foreground", "background" ] } ```

JSON Schema

Aktualisierte QWC Services mit qwc-services-core v1.2.7:

qwc-data-service:v2.0.4
qwc-document-service:v2.0.2
qwc-feature-info-service:v2.0.6
qwc-fulltext-search-service:v2.1.2
qwc-legend-service:v2.0.3
qwc-map-viewer:v2.0.4
qwc-ogc-service:v2.0.4
sogis-dataproduct-service:v2.0.7

sogis / json2qgs

Vereinfachte Permissions #4