Superuser permissions? #1018

Closed
FLamparski opened this issue Jan 11, 2017 · 3 comments · Fixed by #2245
Comments

@FLamparski

Is there a way to configure a superuser, identified by (say) a special token, who would have all permissions on all the things without being explicitly listed in the permissions lists for those things?

@glasserc
Contributor

As far as I know, there isn't anything that's exactly like what you say -- there's only one circumstance where there's a special permission, and that's the `kinto.bucket_create_principals`, which lets you define some user that has permission to create buckets, even if they aren't granted any other permission in the database itself. If you had a fixed set of buckets, you might be able to set something up where you create all the buckets yourself and explicitly list the "superuser" among the permissions of that bucket. Because permissions "cascade", this would also grant them permissions on buckets and records. But you specifically said "without being explicitly listed in the permissions lists", and I don't think there's anything like that.

You might be able to implement something as a Kinto plugin which acts as a permission backend by just calling to some other permission backend and adds a "superuser" ID on every `get_object_permissions`. This wouldn't be a complete solution, but it might be good enough depending on your use case.

@Natim
Member

Natim commented Jan 16, 2017

You can give superuser permissions by adding specific principals in your configuration like that:

```ini
# Kinto Admins Configuration
## Buckets
kinto.bucket_create_principals = portier:uid
kinto.bucket_write_principals = portier:uid
kinto.bucket_read_principals = portier:uid

## Collections
kinto.collection_create_principals = portier:uid
kinto.collection_write_principals = portier:uid
kinto.collection_read_principals = portier:uid

## Groups
kinto.group_create_principals = portier:uid
kinto.group_write_principals = portier:uid
kinto.group_read_principals = portier:uid

## Records
kinto.record_create_principals = portier:uid
kinto.record_write_principals = portier:uid
kinto.record_read_principals = portier:uid
```

You can also add permissions for history and other kinds of records if need be.
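
Added example, not part of the original thread or of Kinto's code: a small audit that reads a Kinto `.ini` and reports which principals the `kinto.<resource>_<permission>_principals` settings shown above turn into a superuser, plus any grant to Pyramid's wildcard principals. The `[app:main]` section name, the whitespace/comma separator, the `account:ops` principal and the sample config are assumptions constructed for the illustration.

```python
import configparser
import re

RESOURCES = ("bucket", "collection", "group", "record")
PERMS = ("create", "write", "read")
ALL_GRANTS = {(r, p) for r in RESOURCES for p in PERMS}
WILDCARDS = {"system.Everyone", "system.Authenticated"}  # Pyramid built-ins
KEY_RE = re.compile(
    r"^kinto\.(%s)_(%s)_principals$" % ("|".join(RESOURCES), "|".join(PERMS)))


def build_sample():
    """Constructed sample: one principal on every setting, one wildcard grant."""
    lines = ["[app:main]", "# constructed sample, not a real deployment"]
    for r in RESOURCES:
        for p in PERMS:
            who = "portier:uid"
            if (r, p) == ("record", "read"):
                who += " system.Everyone"   # the kind of grant worth flagging
            if (r, p) == ("bucket", "create"):
                who += " account:ops"       # hypothetical, partial grant only
            lines.append(f"kinto.{r}_{p}_principals = {who}")
    return "\n".join(lines)


def settings_grants(ini_text, section="app:main"):
    """Map each principal to the (resource, permission) pairs set in the ini."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(ini_text)
    grants = {}
    for key, value in cp.items(section):
        m = KEY_RE.match(key)
        if not m:
            continue
        # Assumption: principals are separated by whitespace and/or commas.
        for principal in re.split(r"[\s,]+", value.strip()):
            if principal:
                grants.setdefault(principal, set()).add(m.groups())
    return grants


def audit(ini_text):
    """Principals holding every setting-level grant, and all wildcard grants."""
    grants = settings_grants(ini_text)
    return {
        "superusers": sorted(p for p, g in grants.items() if g == ALL_GRANTS),
        "wildcards": sorted((p, r, perm) for p in WILDCARDS & set(grants)
                            for r, perm in grants[p]),
    }


if __name__ == "__main__":
    print(audit(build_sample()))
```

Running it against a deployed config before each release gives a reviewable list of identities whose access comes from settings rather than from the stored permission lists.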

@leplatrem
Contributor

Related to #350

Solving it would be an easier answer to this question. In the meantime, this could be added to the FAQ.
