Enforce capabilities for API requests #2038
Labels
Comments
mitchell852
added
new feature
|
@DylanVolz is working on this |
This was referenced Aug 24, 2018
mitchell852
added
Traffic Ops
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Each API request needs to be authorized using the capabilities of the user as defined by the user's role. If authorization fails, a 403 Forbidden should be returned probably with a message like "Forbidden. The ds-write capability is required."
Also, need to think about how priv_level will be deprecated or overridden. Maybe a parameter called use_capabilities is introduced. If turned on, priv level is ignored. If turned off, priv level is respected.
However, for 3.0, I think there should be no concept of a priv_level. It should be scrubbed from the code base entirely.
More info here: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=68715910
The text was updated successfully, but these errors were encountered: