Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Attribute based access control implementation #398

Merged
merged 148 commits into from
Dec 1, 2023

Conversation

litvinovg
Copy link
Contributor

@litvinovg litvinovg commented Jun 14, 2023

VIVO GitHub issue

VIVO PR

What does this pull request do?

Re-implements authorization subsystem to use attribute based access control allowing to define flexible access rules:
For example rules that only apply to certain roles and or conditions computed by SPARQL queries.
Provides the same interface to control access to entities as was provided in Advanced Role Management PR

Policy logic

Policy configuration contains set of access rules, each access rule has attributes. If attributes match, then rule is enforced to authorize or not authorize request. If at least one of attributes didn't match, then the rule is skipped.
Policies can be prioritized by setting priority to a long value. By default policy priority is 0.
Attribute matching is firstly done for less computation expensive attributes:

  1. Equality checks
  2. Contains in set checks
  3. Attributes that use SPARQL to check matching.

What's new?

  • A new graph http://vitro.mannlib.cornell.edu/default/access-control has been created to store access control configurations.
  • Created Dynamic policies to be loaded from graph configurations that replaced old policies in java files, stored in accessControl/firsttime/ directory.
  • Created PolicyStore instead of PolicyList to store policy instances
  • Permissions were converted into simple permission policies.
  • Policies were converted into dynamic policy configurations in n3 files.
  • AuthorizationRequests was refactored to only serve as a container for authorization request, action classes were converted into access objects.
  • Created access rules
  • Removed outdated identifier factories
  • Created attributes, attribute types, access objects
  • All java policies were replaced by dynamically loaded policy configuration from n3 files.
  • Fixed authorization requests to provide more information
  • Some singleton classes were refactored to remove not needed dependencies on servlet context.
  • Created code to load policies and update test data sets in policies.
  • Created migration code for migrations from annotation based authorization currently in use in Vitro and VIVO
  • Created migration code for migrations from ARM based authorization used by some Vitro and VIVO community members.
  • Test were created to test policy loading and migration

How should this be tested?

There are 2 ways to test it:

  • Migration from currently in use VIVO instance
    Apply changes in PR for Vitro and for VIVO, build and deploy your VIVO.
    Check if access works the same as it worked before for object properties, data properties, faux object properties and faux data properties.
    If you want to try new policies, try edit policies in firsttime directory, reload VIVO and see results.
  • Migration from Advanced role management
    Apply changes in PR for Vitro and for VIVO
    Make sure to retain entity permission configurations you had in auth firsttime folder you used for ARM for conversion of ARM permissions into policy datasets.
    Build and deploy your VIVO.
    Check if access works the same as it worked in ARM. Standard VIVO checks are required to test this PR.
    If you want to try new policies, try edit policies in firsttime directory, reload VIVO and see results.

Additional notes

  • Documentation will need to be updated.

Interested parties

@chenejac @vivo-project/vivo-committers

Copy link
Contributor

@chenejac chenejac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@litvinovg all your works are great, but this one is amazing. I really like level of tests you covered auth module, as well as comments you added in some classes. I have noticed that License preamble is missing in a lot of Java files as well as ending empty line. Moreover you can find my other comments in my review.

chenejac
chenejac previously approved these changes Sep 12, 2023
Copy link
Contributor

@chenejac chenejac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@litvinovg well done. After additional discussion about the ontology, I think this might be ready for merging.

…parqlSelectValuesQuery, :AttributeValuePrefix
Copy link
Contributor

@chenejac chenejac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@litvinovg please check one my suggestion

Copy link
Contributor

@chenejac chenejac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@litvinovg well done. It was really a complex PR and you made it.

@chenejac chenejac merged commit 5bc701e into vivo-project:main Dec 1, 2023
1 check passed
@chenejac chenejac linked an issue Dec 1, 2023 that may be closed by this pull request
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
5 participants