wiki:Modules/Auth

Version 59 (modified by jvelde, 14 years ago) (diff)

--

Authentication and Authorization module

Details:

summary: Provide user registration and login, an adminstration panel to group users and set user/group permissions (a.k.a class level security) and enable users to specify per object if they want to share (a.k.a. row-level security)
status: alpha
source: http://www.molgenis.org/browser/gcc/trunk/handwritten/java/plugins/auth
demo:
manual:
design:AuthModule/TechDesign

User stories

These stories are on our todo list or already solved: No results

Known bugs

These are bugs reported as part of this module: No results

Requirements list

Authentication

  • Forms of Authentication:
    • Database (user-pass) (must)
    • OpenID (could)
    • IP-based (could)
    • LDAP-based + specific flavors like RUG and UMCG login (should)
  • Registration of users includes email verification (must)
  • Users should be able to login and logout (must)
  • Users should be able to change their passwords (must)
  • Make implementations of Login singletons so that they can be accessed everywhere (must)

Authorization

  • Resources are tables, rows, columns, query-sets (e.g. only the Lengths in rows where Length > 1.80m), files (for pipelines)
  • Subjects are users, groups, public users (unauthenticated) and exactly one administrator
  • Permissions include read, write (also implies delete), execute (for pipelines) and ownership
  • Modifying (insert, delete, alter) a column is not supported.
  • Modifying a row needs write rights on the row.
  • Resources must have exactly one owner; this can either be a user (must) or a group (should). The latter option is not preferable for us and needs to be set explicitly by the administrator.
  • Permissions are provided for resources x subjects. (must)
  • The administrator has all permissions excluding ownership on all resources. (must)
  • Authenticated users can request permissions for resources. Requests are sent to the user or group with ownership rights of the resource. (must)
  • Groups can be created by users who have write rights on the MolgenisGroup? table. The administrator is the owner of the MolgenisGroup? table and can delegate rights to other users. (must)
  • In case of an UpdateDatabase? all permissions are reset (except for administrator).
  • The public user has by default no reading permissions on any resource, unless explicitly set by the administrator. (should)
  • Administrator can pass on permissions from parent tables to child tables and between xref-linked tables with a toggle button. (should)

New user stories [should be moved into tickets and accepted]