You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@airavata.apache.org by "Marcus Christie (Jira)" <ji...@apache.org> on 2020/11/12 21:10:00 UTC

[jira] [Commented] (AIRAVATA-3385) group based access to menu items

    [ https://issues.apache.org/jira/browse/AIRAVATA-3385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17230945#comment-17230945 ] 

Marcus Christie commented on AIRAVATA-3385:
-------------------------------------------

On the one hand, getting the groups a user belongs to and then check if the user belongs to a particular group is relatively straightforward. However, there are a couple of issues:
- group ids will be different in different environments, i.e., production group ids will be different from development environment group ids, so having a mapping from a logical name for the group to the actual group identifier would help here
- fetching group membership and comparing will require a lot of custom code, but the Django portal itself could take care of a lot of this
- one must make sure to not only hide/show UI elements but also protect the REST API from access by members of groups that don't have access. Again, utility code can be provided making it easier to only permit REST APIs to be accessed by members of a particular group.

So the outline of the solution:
- a new Django setting with a map of logical names to group ids. This will be stored in the {{settings_local.py}} file. For example:
{code:python}
MAPPED_GROUPS = {
  "Global Admins": "88b1099a-44ed-461e-9eda-257403a0321a"
}
{code}
- The Django portal to load a user's groups on each request (already does this) and populate a list of mapped groups on the user Session object (https://github.com/apache/airavata-django-portal/blob/develop/django_airavata/apps/api/static/django_airavata_api/js/session/Session.js)
- Session will also have utility function for checking membership in a mapped group
{code:javascript}
if (Session.memberOf("Global Admins")) {
  // ...
}
{code}
- Custom Django REST Framework permission implementation that makes it easy mark a REST API or specific methods of a REST endpoint as requiring membership in a mapped group


> group based access to menu items
> --------------------------------
>
>                 Key: AIRAVATA-3385
>                 URL: https://issues.apache.org/jira/browse/AIRAVATA-3385
>             Project: Airavata
>          Issue Type: Bug
>            Reporter: Marcus Christie
>            Assignee: Marcus Christie
>            Priority: Major
>
> Interactwel custom django app has a requirement to allow only certain groups of users to see certain menu items or other UI elements. This task is to develop guidance on how to implement that sort of thing.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)