
AdminList AuthZ Plugin: Read-Only vs. Full Admin #893

Closed
bobvanluijt opened this issue Jun 10, 2019 · 2 comments · Fixed by #897
Labels: Auth (Authentication and Authorization, OIDC/OAuth2, Tokens, etc), enhancement

@bobvanluijt (Member):

Currently, authentication gives all-or-nothing access. Preferably admins can set read, write or read/write for users of a single Weaviate instance.

@bobvanluijt bobvanluijt added enhancement Auth Authentication and Authorization, OIDC/OAuth2, Tokens, etc labels Jun 10, 2019
@etiennedi (Member) commented Jun 24, 2019:

We can extend the current AdminList Authorization plugin with a read-only list. Then we have an admin list, and a read-only list. This would still fit the current design and wouldn't be too much effort to implement.

Once we want to go more fine grained than that we should go the full RBAC Route as outlined in #802, but I don't think we need that yet for this simple split between Admin and ReadOnly.

Minor remark to "Preferably admins can set read, write or read/write":

Writing always implies reading permissions as well (because of validation and getting back the result you just wrote, etc), so I think the most sensible split would be Admin (i.e. all permissions including write and delete) vs. Read-Only (containing only get and list).

@etiennedi etiennedi self-assigned this Jun 24, 2019
@etiennedi (Member) commented Jun 24, 2019:

Todos

  • extend admin list with read-only list
  • at startup make sure no subject is contained in both lists
  • at authorize time
    • if not member of admin list check if verb is get or list, then check if user is on read-only list
  • update documentation
  • release

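The two-list design and the authorize-time rule from the todo list above (start-up check that no subject is on both lists; admins may do anything; everyone else only gets get/list, and only if they are on the read-only list), as an added example in Go. This is not Weaviate's own AdminList plugin code: the type, function and verb names (`AdminListAuthorizer`, `NewAdminListAuthorizer`, `Authorize`, `get`/`list`/`create`/`update`/`delete`) and the sample subjects are my assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Verb names are an assumption of this example; the issue only states that
// read-only subjects may "get" and "list" and that admins also write/delete.
const (
	VerbGet    = "get"
	VerbList   = "list"
	VerbCreate = "create"
	VerbUpdate = "update"
	VerbDelete = "delete"
)

// readOnlyVerbs is the set of verbs a read-only subject is allowed to use.
var readOnlyVerbs = map[string]bool{VerbGet: true, VerbList: true}

// ErrForbidden is returned (wrapped) whenever a request is denied, so callers
// can map it to an HTTP 403 with errors.Is.
var ErrForbidden = errors.New("forbidden")

// AdminListAuthorizer holds the two allow-lists described in the issue.
type AdminListAuthorizer struct {
	admins   map[string]bool
	readOnly map[string]bool
}

// NewAdminListAuthorizer builds the authorizer and performs the start-up
// check from the todo list: a subject may not appear in both lists. Refusing
// to start is safer than silently picking one of the two roles.
func NewAdminListAuthorizer(admins, readOnly []string) (*AdminListAuthorizer, error) {
	a := &AdminListAuthorizer{admins: map[string]bool{}, readOnly: map[string]bool{}}
	for _, s := range admins {
		a.admins[s] = true
	}
	for _, s := range readOnly {
		if a.admins[s] {
			return nil, fmt.Errorf("subject %q is on both the admin and the read-only list", s)
		}
		a.readOnly[s] = true
	}
	return a, nil
}

// Authorize implements the authorize-time rule: members of the admin list
// may perform any verb; anyone else is allowed only when the verb is get or
// list AND the subject is on the read-only list. Unknown subjects (including
// an empty subject) are denied by default.
func (a *AdminListAuthorizer) Authorize(subject, verb string) error {
	if a.admins[subject] {
		return nil
	}
	if readOnlyVerbs[verb] && a.readOnly[subject] {
		return nil
	}
	return fmt.Errorf("%w: subject %q may not %s", ErrForbidden, subject, verb)
}

func main() {
	// Constructed sample configuration: alice is an admin, bob is read-only.
	authz, err := NewAdminListAuthorizer([]string{"alice"}, []string{"bob"})
	if err != nil {
		panic(err)
	}
	for _, c := range []struct{ subject, verb string }{
		{"alice", VerbDelete}, {"bob", VerbGet}, {"bob", VerbCreate}, {"carol", VerbList},
	} {
		fmt.Printf("%s %s: %v\n", c.subject, c.verb, authz.Authorize(c.subject, c.verb))
	}
	// A misconfiguration that lists the same subject twice is rejected at start-up.
	if _, err := NewAdminListAuthorizer([]string{"alice"}, []string{"alice"}); err != nil {
		fmt.Println("start-up check:", err)
	}
}
```

The deny-by-default branch at the end of `Authorize` is the part worth keeping in mind when reviewing such a plugin: a subject that is on neither list, or an authenticated subject asking for a write with only read-only membership, must fall through to `ErrForbidden` rather than to an implicit allow.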
etiennedi added a commit that referenced this issue Jun 24, 2019
@etiennedi etiennedi changed the title from "OAuth read/write" to "AdminList AuthZ Plugin: Read-Only vs. Full Admin" Jul 5, 2019