Boss Project Auth Tutorial

Tim Gion edited this page Nov 9, 2016 · 10 revisions

Access Control for Your Data

Introduction

The Boss uses groups and permissions to control access to the resources in the data model. When a user tries to operate on a resource, the Boss first identifies the groups the user belongs to, then checks whether at least one of those groups has been granted the permission that matches the requested operation. A user who belongs to several groups therefore gets the union of those groups' permissions on the resource.

By default, a group has no permissions on a resource until they are explicitly assigned. The one exception is the resource creator's own group: the Boss creates this personal group automatically when a user's account is created, and it is granted full permissions on every resource that user creates.

Note that only a user who has the resource-manager role or the admin role has the privileges to perform the actions in this tutorial.

Permissions

These permissions are common to all resources in the data model:

  • read
  • add
  • update
  • delete
  • assign_group
  • remove_group

Channels have additional permissions:

  • read_volumetric_data
  • add_volumetric_data
  • delete_volumetric_data
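The access check described in the introduction, as an added offline model that is not intern or Boss code (the real decision is made by the Boss server). It unions the permissions of every group the user is in, gives the creator's personal group full permissions at resource creation, and rejects a channel-only permission on a collection. The resource paths, the "<user>-primary" name for the personal group and the user names are assumptions of this model.

```python
from typing import Dict, Set, Tuple

# Permissions named in the tutorial: the common set and the channel-only set.
COMMON = {"read", "add", "update", "delete", "assign_group", "remove_group"}
CHANNEL_ONLY = {"read_volumetric_data", "add_volumetric_data",
                "delete_volumetric_data"}


def valid_permissions(kind: str) -> Set[str]:
    """Permissions that can be granted on a resource of the given kind."""
    return COMMON | (CHANNEL_ONLY if kind == "channel" else set())


class AccessModel:
    """Offline model of the check: union the permissions of every group the
    user belongs to, then test for the one the operation needs."""

    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = {}             # group -> users
        self.grants: Dict[Tuple[str, str], Set[str]] = {}  # (group, resource) -> perms
        self.kinds: Dict[str, str] = {}                    # resource -> kind
        self.personal_group: Dict[str, str] = {}           # user -> own group

    def add_user(self, user: str) -> str:
        # Each account gets its own group at creation time. The "<user>-primary"
        # name is an assumption of this model, not the Boss's naming.
        group = f"{user}-primary"
        self.personal_group[user] = group
        self.members.setdefault(group, set()).add(user)
        return group

    def add_member(self, group: str, user: str) -> None:
        self.members.setdefault(group, set()).add(user)

    def create_resource(self, creator: str, resource: str, kind: str) -> None:
        self.kinds[resource] = kind
        # The creator's personal group gets every permission the kind supports;
        # every other group starts with nothing.
        self.grants[(self.personal_group[creator], resource)] = valid_permissions(kind)

    def add_permissions(self, group: str, resource: str, perms) -> None:
        unknown = set(perms) - valid_permissions(self.kinds[resource])
        if unknown:
            raise ValueError(f"not valid for a {self.kinds[resource]}: {sorted(unknown)}")
        self.grants.setdefault((group, resource), set()).update(perms)

    def effective_permissions(self, user: str, resource: str) -> Set[str]:
        perms: Set[str] = set()
        for group, users in self.members.items():
            if user in users:
                perms |= self.grants.get((group, resource), set())
        return perms

    def allowed(self, user: str, resource: str, perm: str) -> bool:
        return perm in self.effective_permissions(user, resource)


def demo() -> Dict[str, bool]:
    """Replay the tutorial's intern/scientist split on the EM channel
    (constructed scenario: alice creates the channel, jane.doe is in both groups)."""
    m = AccessModel()
    for user in ("alice", "john.doe", "jane.doe"):
        m.add_user(user)
    em = "JHUAPL/Mouse17/EM"
    m.create_resource("alice", em, "channel")
    m.add_permissions("jhuapl_interns", em, ["read", "read_volumetric_data"])
    m.add_permissions("jhuapl_scientists", em,
                      ["read", "update", "read_volumetric_data",
                       "add_volumetric_data", "delete_volumetric_data"])
    m.add_member("jhuapl_interns", "john.doe")
    m.add_member("jhuapl_interns", "jane.doe")
    m.add_member("jhuapl_scientists", "jane.doe")  # two groups: the union applies
    return {
        "intern_reads_data": m.allowed("john.doe", em, "read_volumetric_data"),
        "intern_deletes_data": m.allowed("john.doe", em, "delete_volumetric_data"),
        "two_groups_union": m.allowed("jane.doe", em, "delete_volumetric_data"),
        "creator_assigns_group": m.allowed("alice", em, "assign_group"),
        "stranger_reads": m.allowed("bob", em, "read"),
    }
```

The point worth noticing is the union: adding jane.doe to the interns group does not narrow what she can already do through the scientists group, so a restrictive group never takes privileges away.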

Example

Using the data hierarchy created in the "Creating Your Data Hierarchy" tutorial, let's assign groups and permissions to those resources.

First, we create our Remote and resource instances.

from intern.remote.boss import BossRemote
from intern.resource.boss.resource import (
    CollectionResource, ExperimentResource, ChannelResource)

# Credentials and the Boss host come from your intern configuration.
rmt = BossRemote()

collection = CollectionResource('JHUAPL')
experiment = ExperimentResource('Mouse17', 'JHUAPL', coord_frame='JHUAPLFrame')
channel = ChannelResource('EM', 'JHUAPL', 'Mouse17', 'image')
ann_chan = ChannelResource(
    'Algorithm1', 'JHUAPL', 'Mouse17', 'annotation')

Next, let's create the groups that we'll assign to the resources. Group names must be unique across the entire system, so we prefix our groups with 'jhuapl'. We will create five groups:

  • jhuapl_interns
  • jhuapl_scientists
  • jhuapl_analysts
  • jhuapl_computer_vision
  • jhuapl_admins

interns = 'jhuapl_interns'
scientists = 'jhuapl_scientists'
analysts = 'jhuapl_analysts'
computer_vision = 'jhuapl_computer_vision'
admins = 'jhuapl_admins'

rmt.create_group(interns)
rmt.create_group(scientists)
rmt.create_group(analysts)
rmt.create_group(computer_vision)
rmt.create_group(admins)

Now, we assign the permissions we want each group to have for each resource in our data hierarchy. We'll start with the JHUAPL collection. Every group gets read permission; the human groups (interns, scientists and analysts) also get add permission, while the computer vision group, whose members are algorithms rather than people, does not. Finally, the admins group gets all permissions. At the collection level, the add permission allows creation of experiments.

rmt.add_permissions(interns, collection, ['read', 'add'])
rmt.add_permissions(scientists, collection, ['read', 'add'])
rmt.add_permissions(analysts, collection, ['read', 'add'])
rmt.add_permissions(computer_vision, collection, ['read'])
rmt.add_permissions(
    admins, collection,
    ['read', 'add', 'update', 'delete', 'assign_group','remove_group'])

Next, we'll assign permissions to the Mouse17 experiment. For this experiment, every group gets read and add permissions, including the computer vision group; scientists and analysts also get update. At the experiment level, add allows the creation of channels.

rmt.add_permissions(interns, experiment, ['read', 'add'])
rmt.add_permissions(scientists, experiment, ['read', 'add', 'update'])
rmt.add_permissions(analysts, experiment, ['read', 'add', 'update'])
rmt.add_permissions(computer_vision, experiment, ['read', 'add'])
rmt.add_permissions(
    admins, experiment,
    ['read', 'add', 'update', 'delete', 'assign_group','remove_group'])

Let's do the permissions for the channels. As mentioned before, channels have the additional *_volumetric_data permissions because the image and annotation data itself is stored at this level, so these are the permissions that govern who can read, write and delete actual data rather than metadata.

First, we'll do the image channel.

rmt.add_permissions(interns, channel, ['read', 'read_volumetric_data'])
rmt.add_permissions(
    scientists, channel,
    ['read', 'update', 'read_volumetric_data', 'add_volumetric_data',
    'delete_volumetric_data'])
rmt.add_permissions(
    analysts, channel,
    ['read', 'update', 'read_volumetric_data', 'add_volumetric_data',
    'delete_volumetric_data'])
rmt.add_permissions(
    computer_vision, channel, ['read', 'read_volumetric_data'])
rmt.add_permissions(
    admins, channel,
    ['read', 'add', 'update', 'delete', 'assign_group', 'remove_group',
    'read_volumetric_data', 'add_volumetric_data',
    'delete_volumetric_data'])

Finally, we'll assign permissions for the annotation channel.

rmt.add_permissions(
    interns, ann_chan,
    ['read', 'read_volumetric_data', 'add_volumetric_data'])
rmt.add_permissions(
    scientists, ann_chan,
    ['read', 'update', 'read_volumetric_data', 'add_volumetric_data',
    'delete_volumetric_data'])
rmt.add_permissions(
    analysts, ann_chan,
    ['read', 'update', 'read_volumetric_data', 'add_volumetric_data',
    'delete_volumetric_data'])
rmt.add_permissions(
    computer_vision, ann_chan,
    ['read', 'read_volumetric_data', 'add_volumetric_data'])
rmt.add_permissions(
    admins, ann_chan,
    ['read', 'add', 'update', 'delete', 'assign_group', 'remove_group',
    'read_volumetric_data', 'add_volumetric_data',
    'delete_volumetric_data'])

If you make a mistake, you can update or completely delete the permissions that a group has on a resource. Note that update replaces the group's whole permission set on that resource with the list you pass, so list every permission the group should keep, not just the ones that change.

# No longer allow interns to add new data to the annotation channel.
rmt.update_permissions(
    interns, ann_chan, ['read', 'read_volumetric_data'])

# Remove all permissions for interns from the annotation channel.
rmt.delete_permissions(interns, ann_chan)
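Rather than hand-typing twenty add_permissions calls and then patching mistakes with update_permissions and delete_permissions, a practitioner would keep the grants as data, audit them before sending anything, and diff them against what the Boss currently reports. This is an added example and not part of the tutorial or of intern: the audit rules (only the admins group may hold assign_group or remove_group, since those permissions let a group change who has access; algorithm groups may never delete) are a policy chosen for this example, the "JHUAPL/Mouse17/Algorithm1" resource paths are a local convention, the actual map is assumed to be built by the caller from rmt.list_permissions(), and RecordingRemote is a stand-in for BossRemote so the code runs offline. Only the collection and annotation-channel grants from the tutorial are included.

```python
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]                                  # (group name, resource path)
Plan = List[Tuple[str, str, str, Optional[Set[str]]]]  # (op, group, resource, perms)

COMMON = {"read", "add", "update", "delete", "assign_group", "remove_group"}
CHANNEL_ONLY = {"read_volumetric_data", "add_volumetric_data",
                "delete_volumetric_data"}

# Resource paths are a convention of this example; the kinds are the tutorial's.
KINDS = {"JHUAPL": "collection", "JHUAPL/Mouse17/Algorithm1": "channel"}
ADMIN_GROUPS = {"jhuapl_admins"}
ALGORITHM_GROUPS = {"jhuapl_computer_vision"}  # non-human accounts

# The tutorial's grants for the collection and the annotation channel.
DESIRED: Dict[Key, Set[str]] = {
    ("jhuapl_interns", "JHUAPL"): {"read", "add"},
    ("jhuapl_scientists", "JHUAPL"): {"read", "add"},
    ("jhuapl_analysts", "JHUAPL"): {"read", "add"},
    ("jhuapl_computer_vision", "JHUAPL"): {"read"},
    ("jhuapl_admins", "JHUAPL"): set(COMMON),
    ("jhuapl_interns", "JHUAPL/Mouse17/Algorithm1"):
        {"read", "read_volumetric_data", "add_volumetric_data"},
    ("jhuapl_scientists", "JHUAPL/Mouse17/Algorithm1"):
        {"read", "update", "read_volumetric_data", "add_volumetric_data",
         "delete_volumetric_data"},
    ("jhuapl_computer_vision", "JHUAPL/Mouse17/Algorithm1"):
        {"read", "read_volumetric_data", "add_volumetric_data"},
    ("jhuapl_admins", "JHUAPL/Mouse17/Algorithm1"): COMMON | CHANNEL_ONLY,
}


def audit(desired: Dict[Key, Set[str]]) -> List[str]:
    """Least-privilege checks to run before any add_permissions call."""
    findings: List[str] = []
    for (group, res), perms in desired.items():
        kind = KINDS[res]
        allowed = COMMON | (CHANNEL_ONLY if kind == "channel" else set())
        for p in sorted(perms - allowed):
            findings.append(f"{group} on {res}: '{p}' is not a {kind} permission")
        # assign_group/remove_group change who has access to the resource, so a
        # non-admin group holding them could grant itself everything else.
        if group not in ADMIN_GROUPS and perms & {"assign_group", "remove_group"}:
            findings.append(f"{group} on {res}: non-admin group can reassign access")
        # Unattended algorithm accounts should not be able to destroy data.
        if group in ALGORITHM_GROUPS and perms & {"delete", "delete_volumetric_data"}:
            findings.append(f"{group} on {res}: algorithm group can delete")
    return findings


def reconcile(desired: Dict[Key, Set[str]], actual: Dict[Key, Set[str]]) -> Plan:
    """Diff desired against what the Boss currently reports (actual, built by
    the caller from rmt.list_permissions()) into add/update/delete operations."""
    plan: Plan = []
    for key in sorted(set(desired) | set(actual)):
        group, res = key
        if key not in actual:
            plan.append(("add", group, res, set(desired[key])))
        elif key not in desired:
            plan.append(("delete", group, res, None))
        elif desired[key] != actual[key]:
            plan.append(("update", group, res, set(desired[key])))  # replaces the set
    return plan


class RecordingRemote:
    """Stand-in for BossRemote that records the calls instead of sending them."""
    def __init__(self) -> None:
        self.calls: list = []

    def add_permissions(self, grp, resource, perms):
        self.calls.append(("add", grp, resource, sorted(perms)))

    def update_permissions(self, grp, resource, perms):
        self.calls.append(("update", grp, resource, sorted(perms)))

    def delete_permissions(self, grp, resource):
        self.calls.append(("delete", grp, resource))


def apply_plan(rmt, plan: Plan, resources: Dict[str, object]) -> int:
    """Send the plan through a BossRemote-like object. `resources` maps a path
    to the intern resource object (CollectionResource, ChannelResource, ...)."""
    for op, group, res, perms in plan:
        target = resources[res]
        if op == "add":
            rmt.add_permissions(group, target, sorted(perms))
        elif op == "update":
            rmt.update_permissions(group, target, sorted(perms))
        else:
            rmt.delete_permissions(group, target)
    return len(plan)
```

Run audit first and refuse to apply when it returns findings; a group that has drifted to hold assign_group is exactly the kind of mistake that is invisible in a long list of add_permissions calls but obvious in a table.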

Find out which resources a particular group has been assigned to like so.

rmt.get_group(computer_vision)

An entire group may be deleted. Let's say we no longer want to allow computer vision algorithms access to any of the resources.

rmt.delete_group(computer_vision)

Now that permissions for groups are assigned, users can be added as members to the groups.

# Assume there is a user named john.doe.
rmt.add_group_member(interns, 'john.doe')

By default, the creator of a group is the maintainer. Other users may be added to assist with group management.

# Assume there is a user named jane.doe.
rmt.add_group_maintainer(interns, 'jane.doe')

There are delete methods to remove both users and maintainers from a group.

rmt.delete_group_member(interns, 'john.doe')
rmt.delete_group_maintainer(interns, 'jane.doe')

Use the list methods to determine who belongs to a group and who the maintainers are.

rmt.list_group_members(interns)
rmt.list_group_maintainers(interns)

Operations for the Current User

These operations return information about the user whose credentials intern is using to access the Boss API.

Find out what groups you belong to using the group list command.

rmt.list_groups()

You can filter on groups that you are a member or maintainer of.

# Get only the groups you are a member of.
rmt.list_groups('member')

# Get only the groups that you have maintainer access for.
rmt.list_groups('maintainer')

If you ever need to find out which permissions you have, you can list them.

rmt.list_permissions()

To manage the amount of output, permissions may be filtered by group name and/or a resource.

# Filter by group name.
rmt.list_permissions(scientists)

# Filter by EM channel.
rmt.list_permissions(resource=channel)

# Filter by both group name and resource.
rmt.list_permissions(analysts, ann_chan)