-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Attribute based access control implementation #398
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@litvinovg all your works are great, but this one is amazing. I really like level of tests you covered auth module, as well as comments you added in some classes. I have noticed that License preamble is missing in a lot of Java files as well as ending empty line. Moreover you can find my other comments in my review.
home/src/main/resources/rdf/auth/firsttime/permission_config.n3
Outdated
Show resolved
Hide resolved
home/src/main/resources/rdf/accessControl/firsttime/attribute_types.n3
Outdated
Show resolved
Hide resolved
api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/migration/configuration.n3
Outdated
Show resolved
Hide resolved
home/src/main/resources/rdf/accessControl/firsttime/decisions.n3
Outdated
Show resolved
Hide resolved
home/src/main/resources/rdf/accessControl/firsttime/ontology.n3
Outdated
Show resolved
Hide resolved
...main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AndAuthorizationRequest.java
Show resolved
Hide resolved
api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/rules/AccessRuleFactory.java
Outdated
Show resolved
Hide resolved
...main/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualRdfAssembler.java
Outdated
Show resolved
Hide resolved
api/src/main/java/edu/cornell/mannlib/vitro/webapp/servlet/setup/ConfigurationModelsSetup.java
Outdated
Show resolved
Hide resolved
...src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/modelaccess/ModelAccessFactoryStub.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@litvinovg well done. After additional discussion about the ontology, I think this might be ready for merging.
…ataSetKeyTemplate
…o :hasKeyComponentTemplate
…parqlSelectValuesQuery, :AttributeValuePrefix
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@litvinovg please check one my suggestion
.../cornell/mannlib/vitro/webapp/web/templatemodels/individual/BaseIndividualTemplateModel.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@litvinovg well done. It was really a complex PR and you made it.
VIVO GitHub issue
VIVO PR
What does this pull request do?
Re-implements authorization subsystem to use attribute based access control allowing to define flexible access rules:
For example rules that only apply to certain roles and or conditions computed by SPARQL queries.
Provides the same interface to control access to entities as was provided in Advanced Role Management PR
Policy logic
Policy configuration contains set of access rules, each access rule has attributes. If attributes match, then rule is enforced to authorize or not authorize request. If at least one of attributes didn't match, then the rule is skipped.
Policies can be prioritized by setting priority to a long value. By default policy priority is 0.
Attribute matching is firstly done for less computation expensive attributes:
What's new?
How should this be tested?
There are 2 ways to test it:
Apply changes in PR for Vitro and for VIVO, build and deploy your VIVO.
Check if access works the same as it worked before for object properties, data properties, faux object properties and faux data properties.
If you want to try new policies, try edit policies in firsttime directory, reload VIVO and see results.
Apply changes in PR for Vitro and for VIVO
Make sure to retain entity permission configurations you had in auth firsttime folder you used for ARM for conversion of ARM permissions into policy datasets.
Build and deploy your VIVO.
Check if access works the same as it worked in ARM. Standard VIVO checks are required to test this PR.
If you want to try new policies, try edit policies in firsttime directory, reload VIVO and see results.
Additional notes
Interested parties
@chenejac @vivo-project/vivo-committers