[
https://issues.apache.org/jira/browse/AIRAVATA-3385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17230945#comment-17230945
]
Marcus Christie commented on AIRAVATA-3385:
-------------------------------------------
On the one hand, getting the groups a user belongs to and then checking if the
user belongs to a particular group is relatively straightforward. However,
there are a couple of issues:
- group ids will be different in different environments, i.e., production group
ids will be different from development environment group ids, so having a
mapping from a logical name for the group to the actual group identifier would
help here
- fetching group membership and comparing will require a lot of custom code,
but the Django portal itself could take care of a lot of this
- one must make sure to not only hide/show UI elements but also protect the
REST API from access by members of groups that don't have access. Again,
utility code can be provided making it easier to only permit REST APIs to be
accessed by members of a particular group.
So the outline of the solution:
- a new Django setting with a map of logical names to group ids. This will be
stored in the {{settings_local.py}} file. For example:
{code:python}
MAPPED_GROUPS = {
    "Global Admins": "88b1099a-44ed-461e-9eda-257403a0321a"
}
{code}
- The Django portal to load a user's groups on each request (already does this)
and populate a list of mapped groups on the user Session object
(https://github.com/apache/airavata-django-portal/blob/develop/django_airavata/apps/api/static/django_airavata_api/js/session/Session.js)
- Session will also have a utility function for checking membership in a mapped
group
{code:javascript}
if (Session.memberOf("Global Admins")) {
    // ...
}
{code}
- Custom Django REST Framework permission implementation that makes it easy
to mark a REST API or specific methods of a REST endpoint as requiring membership
in a mapped group
> group based access to menu items
> --------------------------------
>
> Key: AIRAVATA-3385
> URL: https://issues.apache.org/jira/browse/AIRAVATA-3385
> Project: Airavata
> Issue Type: Bug
> Reporter: Marcus Christie
> Assignee: Marcus Christie
> Priority: Major
>
> Interactwel custom django app has a requirement to allow only certain groups
> of users to see certain menu items or other UI elements. This task is to
> develop guidance on how to implement that sort of thing.
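An added example, not part of the original comment or the Airavata code base: one way the server-side permission from the last bullet could look, so that hiding a menu item is backed by a REST API check. It mirrors the `has_permission(request, view)` method that Django REST Framework permission classes implement but is a plain class so it runs without Django; `is_member_of`, `allowed`, the `user_group_ids` request attribute and the fail-closed handling of an unmapped name are assumptions.

```python
from types import SimpleNamespace

# Logical name -> environment-specific group id (value taken from the comment above).
MAPPED_GROUPS = {
    "Global Admins": "88b1099a-44ed-461e-9eda-257403a0321a",
}


def is_member_of(logical_name, methods=None, mapping=None):
    """Build a permission class requiring membership in a mapped group.

    methods=None protects every HTTP method; otherwise only those listed.
    """
    mapping = MAPPED_GROUPS if mapping is None else mapping
    protected = None if methods is None else {m.upper() for m in methods}

    class IsMemberOfMappedGroup:  # in a portal, subclass DRF's BasePermission
        def has_permission(self, request, view):
            if protected is not None and request.method.upper() not in protected:
                return True  # this method is not restricted to the group
            group_id = mapping.get(logical_name)
            if group_id is None:
                # Assumption: fail closed when this environment's settings
                # lack a mapping for the logical name.
                return False
            # Assumption: the user's group ids were loaded onto the request
            # earlier; user_group_ids is a hypothetical attribute name.
            return group_id in getattr(request, "user_group_ids", ())

    return IsMemberOfMappedGroup


def allowed(permission_class, method, group_ids):
    """Evaluate a permission class against a constructed request."""
    request = SimpleNamespace(method=method, user_group_ids=group_ids)
    return permission_class().has_permission(request, view=None)


# Constructed sample data: one admin, one user in an unrelated group.
ADMIN = ["88b1099a-44ed-461e-9eda-257403a0321a"]
OTHER = ["00000000-0000-0000-0000-000000000000"]

if __name__ == "__main__":
    admin_only = is_member_of("Global Admins")
    writes_only = is_member_of("Global Admins", methods=["POST", "DELETE"])
    for perm, method, groups in [(admin_only, "GET", ADMIN), (admin_only, "GET", OTHER),
                                 (writes_only, "GET", OTHER), (writes_only, "DELETE", OTHER)]:
        print(method, allowed(perm, method, groups))
```

In a real view the returned class would go in the view's `permission_classes` list, for example `permission_classes = [is_member_of("Global Admins", methods=["POST"])]`.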