Anonymous gửi vào
Introduction
This document describes the Authentification API splited in two parts. Tt details who has access to the provisioning API and who can do what.
Permissions convention
This is the important part of the authentication system. Let's summarize every existing resources and http methods. We will then map profiles to their permissions :
Resource | Method | Description |
---|---|---|
groups | POST | Create a new group |
PUT | Create or modify a group | |
PATCH | Partially modify an existing group | |
DELETE | Delete a group | |
PUT | Assigning a user list to a group | |
PUT | Assigning a user to a group | |
PUT | Assigning a subgroup to a group | |
DELETE | Removing a user from a group | |
DELETE | Removing a subgroup from a group | |
GET | Getting a group information | |
GET | Getting the subgroup members of a group | |
GET | Getting the members of a group | |
users | POST | Create a new user |
PUT | Modify a user | |
PATCH | Partially modify an existing user | |
DELETE | Delete a user | |
GET | Getting a user | |
GET | Lists all users | |
profiles | GET | Getting a profile |
GET | Lists all profiles | |
batches | POST | Creates a new batch |
PUT | Commit the batch | |
DELETE | Discard the batch | |
GET | Getting the status of the batch |
Then we describes verbs associated to http methods :
Verbs | Method |
---|---|
create | POST |
read | GET |
update | PUT |
patch | PATCH |
delete | DELETE |
The provisioning authorization system does not use roles. It creates dynamically permissions in the format :
domain_uuid:resources:verbs
That way and except for admin0, a OBM profile has a set of pemissions only on its own domain.
Finally, the table below lists all the default OBM profiles and their permissions on the provisioning API :
Profile | Description | Permissions |
---|---|---|
admin0 | It is the higher profile | : |
admin | Administrator of a domain | : (only on its domain) |
admin_delegue | Same as admin but cannot commit the batch | batches:read,create,delete, users:*, groups:*, profiles:* |
editor | ??? | users:read, groups:read, profiles:* |
user | a simple obm user | users:read, groups:read, profiles:* |
unknown person | an anonymous user | no permission |
Authentification convention
By default, every requests done against the provisioning system must be authenticated. We currently use basic http authentication which then match password with the appropriate DAO.