Boss Project Auth Tutorial
The Boss uses groups and permissions to control access to the different resources in the data model. When accessing a resource in the data model, the Boss first identifies which groups the user belongs to. Next, it determines if at least one of those groups contains the permission that matches the operation the user wishes to perform.
By default, a group has no permissions to a resource until permissions are explicitly assigned. The exception is the resource creator's special group. This special group is automatically created for each new user when their account is created. This "owner" group has full permissions to that resource.
Note that only a user who has the `resource-manager` role or the `admin` role has the privileges to perform the actions in this tutorial.
These permissions are common to all resources in the data model:
- `read`
- `add`
- `update`
- `delete`
- `assign_group`
- `remove_group`
Channels have additional permissions:
- `read_volumetric_data`
- `add_volumetric_data`
- `delete_volumetric_data`
Using the data hierarchy created in the "Creating Your Data Hierarchy" tutorial, let's assign groups and permissions to those resources.
First, we create our `Remote` and resource instances.
```python
from intern.remote.boss import BossRemote
from intern.resource.boss.resource import *

rmt = BossRemote()
collection = CollectionResource('JHUAPL')
experiment = ExperimentResource('Mouse17', 'JHUAPL', coord_frame='JHUAPLFrame')
channel = ChannelResource('EM', 'JHUAPL', 'Mouse17', 'image')
ann_chan = ChannelResource(
    'Algorithm1', 'JHUAPL', 'Mouse17', 'annotation')
```
Next, let's create the groups that we'll assign to the resources. Group names must be unique across the entire system, so we prefix our groups with 'jhuapl'. We will create four groups:
- jhuapl_interns
- jhuapl_scientists
- jhuapl_analysts
- jhuapl_computer_vision
```python
interns = 'jhuapl_interns'
scientists = 'jhuapl_scientists'
analysts = 'jhuapl_analysts'
computer_vision = 'jhuapl_computer_vision'
admins = 'jhuapl_admins'

rmt.create_group(interns)
rmt.create_group(scientists)
rmt.create_group(analysts)
rmt.create_group(computer_vision)
rmt.create_group(admins)
```
Now, we assign the permissions we want each group to have for each resource in our data hierarchy. We'll start with the JHUAPL collection. Everyone gets `read` permission, and human users also get `add` permission. Finally, `admin` users get all permissions. At the collection level, the `add` permission allows creation of experiments.
```python
rmt.add_permissions(interns, collection, ['read', 'add'])
rmt.add_permissions(scientists, collection, ['read', 'add'])
rmt.add_permissions(analysts, collection, ['read', 'add'])
rmt.add_permissions(computer_vision, collection, ['read'])
rmt.add_permissions(
    admins, collection,
    ['read', 'add', 'update', 'delete', 'assign_group', 'remove_group'])
```
Next, we'll assign permissions to the Mouse17 experiment. For this experiment, everyone gets `read` and `add` permissions, including users that are computer vision algorithms. At the experiment level, `add` allows the creation of channels.
```python
rmt.add_permissions(interns, experiment, ['read', 'add'])
rmt.add_permissions(scientists, experiment, ['read', 'add', 'update'])
rmt.add_permissions(analysts, experiment, ['read', 'add', 'update'])
rmt.add_permissions(computer_vision, experiment, ['read', 'add'])
rmt.add_permissions(
    admins, experiment,
    ['read', 'add', 'update', 'delete', 'assign_group', 'remove_group'])
```
Let's do the permissions for the channels. As mentioned before, these resource types have additional permissions because actual data is associated with these resources.
First, we'll do the image channel.
```python
rmt.add_permissions(interns, channel, ['read', 'read_volumetric_data'])
rmt.add_permissions(
    scientists, channel,
    ['read', 'update', 'read_volumetric_data', 'add_volumetric_data',
     'delete_volumetric_data'])
rmt.add_permissions(
    analysts, channel,
    ['read', 'update', 'read_volumetric_data', 'add_volumetric_data',
     'delete_volumetric_data'])
rmt.add_permissions(
    computer_vision, channel, ['read', 'read_volumetric_data'])
rmt.add_permissions(
    admins, channel,
    ['read', 'add', 'update', 'delete', 'assign_group', 'remove_group',
     'read_volumetric_data', 'add_volumetric_data',
     'delete_volumetric_data'])
```
Finally, we'll assign permissions for the annotation channel.
```python
rmt.add_permissions(
    interns, ann_chan,
    ['read', 'read_volumetric_data', 'add_volumetric_data'])
rmt.add_permissions(
    scientists, ann_chan,
    ['read', 'update', 'read_volumetric_data', 'add_volumetric_data',
     'delete_volumetric_data'])
rmt.add_permissions(
    analysts, ann_chan,
    ['read', 'update', 'read_volumetric_data', 'add_volumetric_data',
     'delete_volumetric_data'])
rmt.add_permissions(
    computer_vision, ann_chan,
    ['read', 'read_volumetric_data', 'add_volumetric_data'])
rmt.add_permissions(
    admins, ann_chan,
    ['read', 'add', 'update', 'delete', 'assign_group', 'remove_group',
     'read_volumetric_data', 'add_volumetric_data',
     'delete_volumetric_data'])
```
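Before (or after) applying a permission table like the one above, it helps to be able to answer "who can do what, and who can change the ACLs?" without a Boss instance. The following is an added example, not intern's or the Boss's own code: a plain-Python model of the authorization rule described at the top of this tutorial (find the user's groups, then allow the operation if at least one of them holds the matching permission on that resource). The permission sets are copied from the `add_permissions()` calls above; the group memberships and user names are constructed sample data, resource names stand in for the resource objects, and the creator's automatic "owner" group is not modelled.

```python
# Added example, not intern's or the Boss's own code: a plain-Python model of the
# Boss authorization rule, used to sanity-check the tutorial's group/permission
# assignments offline. Permission sets are copied from the tutorial; MEMBERS is
# constructed sample data. The creator's automatic "owner" group is not modelled.

FULL = {'read', 'add', 'update', 'delete', 'assign_group', 'remove_group'}
VOLUMETRIC = {'read_volumetric_data', 'add_volumetric_data',
              'delete_volumetric_data'}

# POLICY[resource_name][group_name] -> set of permissions. Resource names stand
# in for the CollectionResource/ExperimentResource/ChannelResource objects.
POLICY = {
    'JHUAPL': {                       # collection
        'jhuapl_interns': {'read', 'add'},
        'jhuapl_scientists': {'read', 'add'},
        'jhuapl_analysts': {'read', 'add'},
        'jhuapl_computer_vision': {'read'},
        'jhuapl_admins': set(FULL),
    },
    'Mouse17': {                      # experiment
        'jhuapl_interns': {'read', 'add'},
        'jhuapl_scientists': {'read', 'add', 'update'},
        'jhuapl_analysts': {'read', 'add', 'update'},
        'jhuapl_computer_vision': {'read', 'add'},
        'jhuapl_admins': set(FULL),
    },
    'EM': {                           # image channel
        'jhuapl_interns': {'read', 'read_volumetric_data'},
        'jhuapl_scientists': {'read', 'update'} | VOLUMETRIC,
        'jhuapl_analysts': {'read', 'update'} | VOLUMETRIC,
        'jhuapl_computer_vision': {'read', 'read_volumetric_data'},
        'jhuapl_admins': FULL | VOLUMETRIC,
    },
    'Algorithm1': {                   # annotation channel
        'jhuapl_interns': {'read', 'read_volumetric_data', 'add_volumetric_data'},
        'jhuapl_scientists': {'read', 'update'} | VOLUMETRIC,
        'jhuapl_analysts': {'read', 'update'} | VOLUMETRIC,
        'jhuapl_computer_vision': {'read', 'read_volumetric_data', 'add_volumetric_data'},
        'jhuapl_admins': FULL | VOLUMETRIC,
    },
}

# Constructed sample membership; the user names are placeholders.
MEMBERS = {
    'jhuapl_interns': {'john.doe'},
    'jhuapl_scientists': {'jane.doe'},
    'jhuapl_computer_vision': {'cv-pipeline'},
    'jhuapl_admins': {'admin.user'},
}

# Permissions that let a holder change who has access to the resource.
ACL_PERMS = {'assign_group', 'remove_group'}


def groups_of(user):
    """Step 1 of the Boss check: which groups does the user belong to?"""
    return {g for g, members in MEMBERS.items() if user in members}


def is_authorized(user, resource, operation):
    """Step 2: allowed iff at least one of the user's groups holds the permission
    on this resource. Permissions are per resource; nothing is inherited from
    the parent collection or experiment, so a user may be able to add channels
    to an experiment without being able to read a particular channel's data."""
    grants = POLICY.get(resource, {})
    return any(operation in grants.get(g, set()) for g in groups_of(user))


def holders(resource, operation):
    """Groups that hold a given permission on a resource, sorted by name."""
    return sorted(g for g, p in POLICY.get(resource, {}).items() if operation in p)


def acl_admins():
    """Audit helper: for each resource, the groups that can change its group
    assignments. Least privilege says this list should stay short."""
    return {r: sorted(g for g, p in grants.items() if p & ACL_PERMS)
            for r, grants in POLICY.items()}


if __name__ == '__main__':
    for user, res, op in [('john.doe', 'JHUAPL', 'add'),
                          ('john.doe', 'EM', 'add_volumetric_data'),
                          ('cv-pipeline', 'JHUAPL', 'add')]:
        verdict = 'allowed' if is_authorized(user, res, op) else 'denied'
        print(f'{user}: {op} on {res} -> {verdict}')
    print(acl_admins())
```

The `acl_admins()` report is the one to check after any permission change: a group that holds `assign_group` or `remove_group` on a resource can grant itself everything else, so the tutorial keeps those two permissions on the admins group only.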
If you make a mistake, you can update or completely delete permissions that a group has to a resource.
```python
# No longer allow interns to add new data to the annotation channel.
rmt.update_permissions(
    interns, ann_chan, ['read', 'read_volumetric_data'])

# Remove all permissions for interns from the annotation channel.
rmt.delete_permissions(interns, ann_chan)
```
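Correcting a single mistake by hand is fine, but permissions also drift over time (a channel granted temporarily and forgotten, an extra permission added during debugging). The following is an added example, not intern's own code: it compares the permissions a group should hold with the permissions it actually holds and turns the difference into the `update_permissions()` and `delete_permissions()` calls shown above. `RecordingRemote` is a constructed stand-in for `BossRemote` that records the calls instead of contacting the Boss; the "actual" permission table is constructed sample data, and in practice it would be built from the output of `list_permissions()` (described later in this tutorial), whose exact return format is not shown here.

```python
# Added example, not intern's own code: detect drift between the permissions a
# group should hold and what it actually holds, and reconcile with the same
# add/update/delete calls the tutorial uses. RecordingRemote is a constructed
# stand-in for BossRemote; DESIRED and ACTUAL are constructed sample data.


def plan_changes(desired, actual):
    """desired and actual map (group, resource_name) -> set of permissions.
    Returns a sorted list of (action, group, resource_name, permissions)."""
    plan = []
    for key in sorted(set(desired) | set(actual)):
        want = desired.get(key, set())
        have = actual.get(key, set())
        if want == have:
            continue                     # no drift for this group/resource
        group, resource = key
        if not want:
            plan.append(('delete', group, resource, set()))   # grant should not exist
        elif not have:
            plan.append(('add', group, resource, want))       # grant is missing
        else:
            plan.append(('update', group, resource, want))    # grant is wrong
    return plan


class RecordingRemote:
    """Records the calls a real BossRemote would receive (constructed for this
    example; only the three methods used below are provided)."""

    def __init__(self):
        self.calls = []

    def add_permissions(self, group, resource, perms):
        self.calls.append(('add_permissions', group, resource, sorted(perms)))

    def update_permissions(self, group, resource, perms):
        self.calls.append(('update_permissions', group, resource, sorted(perms)))

    def delete_permissions(self, group, resource):
        self.calls.append(('delete_permissions', group, resource))


def apply_plan(plan, remote, resources):
    """Execute a plan. `resources` maps resource_name -> resource object
    (a ChannelResource etc. with a real BossRemote). Returns the call count."""
    for action, group, name, perms in plan:
        res = resources[name]
        if action == 'add':
            remote.add_permissions(group, res, sorted(perms))
        elif action == 'update':
            remote.update_permissions(group, res, sorted(perms))
        else:
            remote.delete_permissions(group, res)
    return len(plan)


# Constructed sample: interns should only read both channels, but on the
# annotation channel they still hold write access, and a stale grant on a
# channel that is no longer in the policy has been left behind.
DESIRED = {
    ('jhuapl_interns', 'EM'): {'read', 'read_volumetric_data'},
    ('jhuapl_interns', 'Algorithm1'): {'read', 'read_volumetric_data'},
}
ACTUAL = {
    ('jhuapl_interns', 'EM'): {'read', 'read_volumetric_data'},
    ('jhuapl_interns', 'Algorithm1'): {'read', 'read_volumetric_data',
                                       'add_volumetric_data',
                                       'delete_volumetric_data'},
    ('jhuapl_interns', 'stale_channel'): {'read'},
}


if __name__ == '__main__':
    plan = plan_changes(DESIRED, ACTUAL)
    for step in plan:
        print(step)
    remote = RecordingRemote()
    # With a real BossRemote the values would be the resource objects.
    apply_plan(plan, remote, {'Algorithm1': 'ann_chan', 'stale_channel': 'stale'})
    print(remote.calls)
```

Run `plan_changes()` first and review the plan before calling `apply_plan()` against a real remote; a `delete` step removes every permission the group has on that resource, so it deserves a second look.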
Find out which resources have been associated with a particular group like so.
```python
rmt.get_group(computer_vision)
```
An entire group may be deleted. Let's say we no longer want to allow computer vision algorithms access to any of the resources.
```python
rmt.delete_group(computer_vision)
```
Now that permissions for groups are assigned, users can be added as members to the groups.
```python
# Assume there is a user named john.doe.
rmt.add_group_member(interns, 'john.doe')
```
By default, the creator of a group is the maintainer. Other users may be added to assist with group management.
```python
# Assume there is a user named jane.doe.
rmt.add_group_maintainer(interns, 'jane.doe')
```
There are delete methods to remove both users and maintainers from a group.
```python
rmt.delete_group_member(interns, 'john.doe')
rmt.delete_group_maintainer(interns, 'jane.doe')
```
Use the list methods to determine who belongs to a group and who the maintainers are.
```python
rmt.list_group_members(interns)
rmt.list_group_maintainers(interns)
```
The remaining operations return information about the user who is using intern to access the Boss API.
Find out what groups you belong to using the group list command.
```python
rmt.list_groups()
```
You can filter on groups that you are a member or maintainer of.
```python
# Get only the groups you are a member of.
rmt.list_groups('member')

# Get only the groups that you have maintainer access for.
rmt.list_groups('maintainer')
```
If you ever need to find out which permissions you have, you can list them.
```python
rmt.list_permissions()
```
To manage the amount of output, permissions may be filtered by group name and/or a resource.
```python
# Filter by group name.
rmt.list_permissions(scientists)

# Filter by EM channel.
rmt.list_permissions(resource=channel)

# Filter by both group name and resource.
rmt.list_permissions(analysts, ann_chan)
```