Add issuing iRODS read-only tickets for assay collections

[mikkonie]

Discussed this with @holtgrewe and @dieter.beule.

Spec (As I've Understood It)

• Enable issuing read-only-tickets to specific assay collections
  • not only limited to track hubs as is currently implemented
• The collections will be accessed via the tickets using DavRODS, similar to how track hubs are right now

Questions/TBD

• Should we allow this for any arbitrary collection within an assay?
  • ..or could there e.g. be some specific collection(s) eligible for this, similar to track hubs?
  • If specific, how do we mark them?
  • The ability to create publicly accessible tickets for any assay collection basically bypasses all project member access control when it comes to accessing iRODS data. This doesn't sound like a good idea to me.
• Who should have the permission to create/revoke these tickets?
  • Owner/delegate only, or all contributors?
  • IMHO, if we decide to allow this for any collection within an assay, it definitely should be limited to project/delegate
• Should we restrict access by host? iRODS tickets allow this
  • In case of Kiosc, is the requesting host the Kiosc server host or the client?
• Do we also need a REST API endpoint for this, or is UI enough?

I'll talk to @january.weiner about this to find out what the exact use case is.

[mikkonie]

One possibility to think of is also: are Davrods tickets the best way to handle this?

In case of e.g. Kiosc, we already have project access known to Kiosc which hosts the docker container, from which we request data?

Would it be possible to have some sort of view in Kiosc or SODAR which would check against the current user's project permissions (or maybe a token) and serve the file directly from iRODS?

Probably would be a lot work and maybe not even feasible, but just thinking aloud.

[mikkonie]

Done. I'll add a separate ticket for REST API views.