Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v3.0.0: Site roles, program authz, user authz #57

Merged
merged 47 commits into from
May 6, 2024
Merged

v3.0.0: Site roles, program authz, user authz #57

merged 47 commits into from
May 6, 2024

Conversation

daisieh
Copy link
Member

@daisieh daisieh commented May 2, 2024
edited
Loading

v3.0.0: Site roles, program authz, user authz

  • Site roles, including site admin, now defined in Opa
  • Program authorizations are defined in Opa's vault secret store
  • User-specific program authorizations are defined in Opa's vault secret store
  • Refactored rego policies and created unit tests
  • Tagged as a release in this repo
  • Passes integration tests on a development instance
  • Images pushed to Dockerhub

daisieh added 30 commits March 6, 2024 13:22
@daisieh
add CANDIG_USER_KEY to initialization
c3f13a3
@daisieh
interpolate VAULT_URL in all regos
eb472ce
@daisieh
clarify vault_token
a1eda73
@daisieh
change site_admin to role-based
a9d71a1
@daisieh
user_key instead of user or email
a6c31ce
@daisieh
Merge pull request #51 from CanDIG/daisieh/site-admin
4164bb9 
DIG-1520: Site admin is a role defined in Opa, not in jwt
@daisieh
change site_admin to role-based
7621cd9
@daisieh
move default files out of permissions_engine
2e9e807
@daisieh
new authx for adding/removing programs
3c81886
@daisieh
load in default programs
8a4de00
@daisieh
remove unused bits
9d199bd
@daisieh
find programs for the user
9cd6908
@daisieh
boolean allowed
5153220
@daisieh
site admins can see all programs
7a48d0c
@daisieh
oh right, we don't need access anymore
1c6c601
@daisieh
Update README.md
9ad39b2
@daisieh
Update README.md
3dc9188
@daisieh
Update requirements.txt
a4c2e2b
@daisieh
Update requirements.txt
e8cd8d6
@daisieh
Merge pull request #52 from CanDIG/daisieh/opa-update
f4e7604 
DIG-1518: Rego policies now based on ProgramAuthorizations
@daisieh
improved healthcheck
66448c5
@daisieh
interpolate default users
887d86f
@daisieh
Merge pull request #53 from CanDIG/daisieh/site-admin
a4b32ed 
Interpolate default usernames from .env file instead of hardcoding
@daisieh
rename roles to site_roles
0075f01
@daisieh
authorize opa_service_token to get site admin
20b1315
@daisieh
move all vault accesses to vault.rego
3133e57
@daisieh
actually, site admin w/o root token doesn't need special access
81f48ee
@daisieh
pick up aud from saved key
8e5fdfc
@daisieh
install runtime opa in opa-runner (for testing)
24950aa
@daisieh
better healthcheck
bbeaef9
daisieh and others added 17 commits April 18, 2024 21:47
@daisieh
for future use: need to be able to tell if we issued this
b6cd636
@daisieh
ha, caught a bug
9fd0462
@daisieh
set up testing
6b7bdcf
@daisieh
Merge pull request #54 from CanDIG/daisieh/unit-tests
acef8ff 
DIG-1546: Opa unit tests
@daisieh
initialize pending users
58a95a7
@daisieh
user can read authorized programs
2ed64a1
@daisieh
move site_admin
4f60556
@daisieh
testing for user auths
2ba55bc
@daisieh
delete paths should be accessible by curators
15a5f64
@daisieh
move bash entrypoint to docker-compose
df90d1b
@daisieh
test github action
0a57210
@daisieh
only initialize pending_users if it doesn't exist
ee071fb
@daisieh
consolidate and update readme
5cf0874
@daisieh
update authx to v2.3.0
a18d67a
@kcranston
Merge pull request #55 from CanDIG/daisieh/users
0e9f58a 
DIG-1502: Opa implements user-specific authorizations
@daisieh
allow service_token to view user_key
9aba05c
@daisieh
Merge pull request #56 from CanDIG/daisieh/user_id
a989584 
DIG-898: allow service_token to view user_key
@daisieh daisieh requested a review from kcranston May 3, 2024 16:59
@kcranston
Copy link
Member

Thanks for this! Couple of questions:

  • for data ingest workflow, how does the Program data get created in opa? Would the user uploading a new Program have a site curator role which allows for adding new Program data, or does ingest do this on the user's behalf using a service token? Or does a system admin need to create the program before a curator can upload data?
  • is there a sister PR with new integration tests for these changes? or a ticket with the integration tests that should be written?

@daisieh
Copy link
Member Author

daisieh commented May 6, 2024

Documentation for the ingest workflow was added in CanDIG/candigv2-ingest#93. When ingesting a Program Authorization for the first time, Opa needs the user to be someone with permission to ingest any program for the site. At the moment, the only site role for that is Admin, but in future, we could add a site-curator role that would be allowed to do this as well.

If the Program Authorization has not been ingested before data is ingested, the only user that would be allowed to ingest data for that program is the site admin. If the site admin adds the Program Authorization first, any listed program curator in the Program Authorization would then have the authz to ingest data.

Integration tests were added in CanDIG/CanDIGv2#550, which was the sister PR to #52 and CanDIG/candigv2-ingest#80.

kcranston
kcranston reviewed May 6, 2024
View reviewed changes
Dockerfile Show resolved Hide resolved
Dockerfile Show resolved Hide resolved
@daisieh daisieh merged commit c7b7ccc into stable May 6, 2024
5 checks passed
@daisieh daisieh deleted the stable-candidate-v3.0.0 branch May 6, 2024 21:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kcranston kcranston kcranston approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@daisieh @kcranston