Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Model Metadata Submission roles #1112

Merged
merged 30 commits into from
Jan 18, 2024
Merged

Model Metadata Submission roles #1112

merged 30 commits into from
Jan 18, 2024

Conversation

naglepuff
Copy link
Collaborator

@naglepuff naglepuff commented Jan 11, 2024
edited
Loading

This creates the infrastructure needed to enforce access control for metadata submissions. It is a home grown attempt to achieve this. I looked at packages like oso and casbin, but the overhead to learn those systems and be efficient developing with them was not worth it at this time. It also appears like we could use those in the future for policy enforcement, so we aren't strictly locked out of third part tools in the future. We also have some special needs due to our storage of the submission metadata as json. Our permission model actually applies the contents of a single column in our database, and it is not simply row-based permissions.

Once again, I found the Sanbox Orcid environment useful for testing changes. I could create multiple users, and do some functional testing of the permissions by adding some users as PIs for other user's submissions, ensuring that those submissions appeared on the list, etc. I am happy to help set that up for anyone who would like to try.

Summary of Changes

The changes here are strictly in backend code. Several files were touched for this PR. Some of the code added is demonstrative of intent, such as crud.py::can_read, which isn't used anywhere but shows how the permissions model can be used to implement additional permission checks at the API level.

New Model

To track permissions, the class/model/table models.py::SubmissionRole has been added. This table links a submission (via FK) to a user (via ORCID string). This way, permissions can be added for users who don't yet have a record in our user_logins table. The tradeoff is that this can lead to permissions that point to nonsense users (fake/wrong ORCID, etc). The permission levels are defined by the SubmissionEditorRole enumeration. See the permissions tab of this spreadsheet for definitions.

New Database Operations

Several new functions have been added to crud.py to be used to enforce the permissions policy defined by the roles. In the future, this kind of check could be used as a wrapper function for api endpoints, or dependencies to be injected via FastAPI.

Some routes have changed slightly

  • GET /api/metadata_submission: The "get all my submissions" endpoint now used a new function which combines the check for authorship with a check for any submissions that the logged in user has a role for. Admin access to all submissions regardless of role is unaffected.
  • POST /api/metadata_submission: The endpoint for creating a new submission now has the added responsibility of creating an owner role for the creator of the submission.
  • GET /api/metadata_submission/{id}: The endpoint for retrieving a single submission uses the can_edit_all check. If that check fails and the user is not an admin, a 403 is returned. This can and should be modified as additional roles are added.
  • PATCH /api/metadata_submission/{id}: Updating a submission is gated by the can_edit_add check as well. Additionally, change to the piOrcid will be detected and create an owner role for that ORCID.

@naglepuff
Add SubmissionRole model
5c4a314
@naglepuff
Allow permissions for nonexistent users
5eab438
@naglepuff
WIP Start setting up oso
f3072a3
@naglepuff
Start enforcing RBAC for submissions
187bbbc 
Add functions to check permission level.
@naglepuff
Add owners property to Submissions
0648367
@naglepuff
Update routes to use roles
7cc8e76
@naglepuff
Cleanup erroneous contraint
966005e
@naglepuff
Create crud function for submission list
982430a
@naglepuff
Remove oso
e9d182b
@naglepuff
Create migration file for submission roles
0757a54
@naglepuff
Explicitly check user model for admin status
af01f52
@naglepuff
Create test for roles
d40133e
@naglepuff
Update join to catch certain submissions
59a825f 
Mostly for legacy submissions. This branch included changes
to create an owner role for the submission author on creation,
but existing submissions don't have those roles. This commit
fixes how we join to find a list of submissions for a given user.
@naglepuff
Add more tests for roles
cf5d96a
@naglepuff
Fix lint/typecheck issues
a0dd90a
@naglepuff
Remove polar policy and commented lines
e37ce62
@naglepuff
Remove print statements
d6bcb0e
@naglepuff
Update 403 message
e115421
@naglepuff
Format
0c9f778
@naglepuff naglepuff marked this pull request as ready for review January 11, 2024 22:27
jeffbaumes
jeffbaumes requested changes Jan 12, 2024
View reviewed changes
Copy link
Collaborator

@jeffbaumes jeffbaumes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a couple of thoughts to consider.

@naglepuff
Use clearer function names for permission checks
92950c9
@naglepuff
Create owner roles for authors on migrate
243b068
@naglepuff
Remove logic for implicit author ownership
6f879bc
@naglepuff
Disable "auto admin" in testing environment
ba8f181 
If the environment was marked as not "production," the proper check for
admin priveleges was skipped. This change turns that check back on for testing.
@naglepuff
Fix linting
888d710
@naglepuff
Update tests for explicit roles
d7b99f4 
Undoing the functionality that made authors implied owners broke the tests.
This change fixes the tests.
@naglepuff naglepuff requested a review from jeffbaumes January 15, 2024 21:18
@naglepuff naglepuff merged commit 98e07d6 into main Jan 18, 2024
2 checks passed
@naglepuff naglepuff deleted the 1078-ufo-permission-model branch January 18, 2024 22:17
@naglepuff naglepuff linked an issue Jan 24, 2024 that may be closed by this pull request
Model Permissions in nmdc-server #1078
Closed
@naglepuff naglepuff mentioned this pull request Jan 24, 2024
Closed
@mslarae13
Copy link
Contributor

@naglepuff just confirming this is for edit permissions for the PI?
I just had @bmeluch & @brynnz22 test this out & Bea made Brynn the PI & she was able to view and edit the submission! Success!

@naglepuff
Copy link
Collaborator Author

Correct!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jeffbaumes jeffbaumes jeffbaumes approved these changes

@marySalvi marySalvi Awaiting requested review from marySalvi

Assignees
No one assigned
Labels
None yet
Projects
No open projects
2024 - Sprint 29 - January 29- February 9, 2024
Status: Done
UFO SubPort Squad
Status: ✅ Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Model Permissions in nmdc-server
3 participants
@naglepuff @mslarae13 @jeffbaumes