Diffstat (limited to 'topics/authentication')
-rw-r--r-- topics/authentication/architecture.gmi | 15
-rw-r--r-- topics/authentication/development-guide.gmi | 60
-rw-r--r-- topics/authentication/permission_hooks.gmi | 62
3 files changed, 130 insertions, 7 deletions
diff --git a/topics/authentication/architecture.gmi b/topics/authentication/architecture.gmi index 931f9cb..2200745 100644 --- a/topics/authentication/architecture.gmi +++ b/topics/authentication/architecture.gmi @@ -54,13 +54,14 @@ Users are granted privileges (see "Privileges" section) to act upon resources, t Examples of "types" of resources on the system: -- system: The system itself -- group: Collection of users considered a group -- genotype: A resource representing a genotype trait -- phenotype: A resource representing a phenotype trait -- mrna: A resource representing a collection of mRNA Assay traits -- inbredset-group: A resource representing an InbredSet group - +* system: The system itself +* group: Collection of users considered a group +* genotype: A resource representing a genotype trait +* phenotype: A resource representing a phenotype trait +* mrna: A resource representing a collection of mRNA Assay traits +* inbredset-group: A resource representing an InbredSet group + +---- * TODO: Figure out a better name/description for "InbredSet group" -- so far, I have "a classification/grouping of traits/datasets within a species". Another is to use the term "population". ## Users diff --git a/topics/authentication/development-guide.gmi b/topics/authentication/development-guide.gmi new file mode 100644 index 0000000..840c26b --- /dev/null +++ b/topics/authentication/development-guide.gmi 
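Review bot: in the architecture.gmi hunk, the added `+----` line has no meaning in gemtext (there is no horizontal-rule syntax), so it will render as a literal line of dashes just above the TODO bullet; a blank line, or moving the TODO under its own `###` heading or into a `>` quote line, would separate it more cleanly. The switch from `- ` to `* ` list markers is the right fix, since gemtext only recognises `* ` as a list item.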
@@ -0,0 +1,60 @@ +# GN-AUTH FAQ + +## Tags + +* type: docs, documentation +* status: ongoing, open +* keywords: authentication, authorisation, docs, documentation +* author: @jnduli + +## Quick configuration for local development + +Save a `local_settings.conf` file that has the contents: + +``` +SQL_URI = "mysql://user:password@localhost/db_name" # mysql uri +AUTH_DB = "/absolute/path/to/auth.db/" # path to sqlite db file +GN_AUTH_SECRETS = "/absolute/path/to/secrets/secrets.conf" +``` + +The `GN_AUTH_SECRETS` path has two functions: + +* It contains the `SECRET_KEY` we use in our application +* The folder containing this file is used to store our jwks. + +An example is: + +``` +SECRET_KEY = "qQIrgiK29kXZU6v8D09y4uw_sk8I4cqgNZniYUrRoUk" +``` + +## Quick set up cli commands + +``` +export FLASK_DEBUG=1 AUTHLIB_INSECURE_TRANSPORT=1 OAUTHLIB_INSECURE_TRANSPORT=1 FLASK_APP=gn_auth/wsgi +export GN_AUTH_CONF=/absolute/path/to/local_settings.conf +flask init-dev-clients --client-uri "http://localhost:port" +flask init-dev-users +flask assign-system-admin 0ad1917c-57da-46dc-b79e-c81c91e5b928 +``` + +## Handling verification for users in local development + +* Run flask init_dev_users, which will create a verified local user. +* Run `UPDATE users set verified=1` on the sqlite3 auth database. + +## Errors related to unsupported clients/redirect URIs for client + +Rerun + +``` +FLASK_DEBUG=1 AUTHLIB_INSECURE_TRANSPORT=1 OAUTHLIB_INSECURE_TRANSPORT=1 \ + GN_AUTH_CONF=/absolute/path/to/local_settings.conf FLASK_APP=gn_auth/wsgi \ + flask init-dev-clients --client-uri "http://localhost:port_you_use_for_gn2" +``` + +This will update your clients list to have all the related urls we want. + +## 500 Server Error: INTERNAL SERVER ERROR + +When you see the error: `500 Server Error: INTERNAL SERVER ERROR for url: http://localhost:8081/auth/token`, restart the gn2 server. 
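Review bot: the example under "The `GN_AUTH_SECRETS` path has two functions" ships a real-looking `SECRET_KEY` value; a literal key in documentation tends to get copied into `secrets.conf` unchanged, so replace it with an obvious placeholder plus a hint to generate a fresh random value (e.g. `SECRET_KEY = "<generate-a-random-value>"`). Smaller points in the same hunk: `AUTH_DB = "/absolute/path/to/auth.db/"` is described as the path to the SQLite file but ends in a slash; the verification section says `Run flask init_dev_users` while the command block above spells it `flask init-dev-users` (and it lacks backticks); and `UPDATE users set verified=1` has no `WHERE` clause, so it marks every account verified, which is worth stating so nobody runs it against anything but a throwaway local database. The `AUTHLIB_INSECURE_TRANSPORT=1 OAUTHLIB_INSECURE_TRANSPORT=1` exports could also carry a one-line reminder that they are for local development only.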
diff --git a/topics/authentication/permission_hooks.gmi b/topics/authentication/permission_hooks.gmi new file mode 100644 index 0000000..dd475b6 --- /dev/null +++ b/topics/authentication/permission_hooks.gmi 
@@ -0,0 +1,62 @@ +# Permission Hooks System Design +## Status: Draft + +## Objective + +We want to achieve: + +- Default permissions for users that come from `.edu` domains. +- Support for visitors to the website. + +This should be dynamic and easily maintenable. + +## Design + +### Events + +* Use middleware to plug into the various aspects of a requests life cycle. We'll plug into `after_request` for providing default permissions. +* Create a hook which contains: the event to handle, what part of the life cycle the hook plugs into and the actual functions to call, +* Events can be identified using their `request.base_url` parameter. +* Each hook registers itself to the global set of hooks (TODO: Figure out how to automatically handle the registration). + + +``` +@app.after_request +def handle_hooks(): + for hook in hooks: + if hook.lifecycle == "after_request" and hook.can_handle(): + hook.run() + + +Hooks = [RegistrationHook, ...] + + +class RegistrationHook: + + def can_handle(self): + request.base_url == "register" + + def lifecyle: + return "after_request" + + def run(self): + ... +``` + +### Privilege Hooks + +* After login/registration, use the email to get extra privileges assigned to a user. We use `login` too to ensure that all users have the most up-to-date roles and privileges. +* This means that any user gets assigned these privileges and normal workflows can happen. + +### Storage + +* Create a new role that contains the default privileges we want to assign to users depending on their domain. +* This role will link up with the privileges to be assigned to said user. +* Example privileges we may want to add to users in the `.edu` domain: + * group:resource:edit-resource + * system:inbreadset:apply-case-attribute-edit + * system:inbreadset:edit-case-attribute + * system:inbreadset:view-case-attribute +* Create an extra table that provides a link between some `email identifier` and the role we'd like to pre-assign. 
We can use python regex for the email identifier e.g. `*.edu$` or `*.utsch.edu`. +* This will be the table used by the Registration Hook. +* This also allows us to edit roles/privileges without code releases. |
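Review bot: the email-identifier examples `*.edu$` and `*.utsch.edu` are not valid Python regexes (a leading `*` has nothing to repeat), and once fixed an unescaped `.` and the missing `@`/`$` anchoring would match far more than intended; since this table hands out privileges, patterns should be anchored on the whole address with the dot escaped, e.g. `^[^@]+@(?:[^@]+\.)?utsch\.edu$`, and the design should state that the hook runs only for verified addresses, otherwise anyone who registers with an unverified `.edu` address receives the extra role. The sketch under `### Events` also needs work before it can be copied: `handle_hooks` is registered with `@app.after_request`, but Flask passes it the response object and expects it returned; `can_handle` evaluates `request.base_url == "register"` without `return`; `def lifecyle:` is neither valid syntax nor the `hook.lifecycle` name used above it; and `Hooks = [RegistrationHook, ...]` holds classes while the loop iterates a lowercase `hooks` and calls instance methods. Spelling: `maintenable` should read maintainable, `requests life cycle` should read request's life cycle, and the privilege names use `inbreadset` where architecture.gmi uses `inbredset`.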