Support for Workflow Roles - Currently Leveraging Storage Roles
Status
- Proposed
- Trialing
- Under review
- Approved
- Retired
Context & Scope
The ingestion-workflow service currently uses the common model StorageRole for authorization. The following is observed in the code:
import org.opengroup.osdu.core.common.model.storage.StorageRole;
...
@PreAuthorize("@authorizationFilter.hasPermission('" + StorageRole.CREATOR + "')")
public GetStatusResponse getWorkflowStatus(@RequestBody GetStatusRequest request) {...}
@PreAuthorize("@authorizationFilter.hasPermission('" + StorageRole.CREATOR + "')")
public UpdateStatusResponse updateWorkflowStatus(@RequestBody UpdateStatusRequest request) {...}
Note that StorageRole.* is used for authorization on the workflow endpoints.
Decision
A new role model called WorkflowRole should be created and used to assign privileges.
Sample Code
public final class WorkflowRole {
    public static final String VIEWER = "service.workflow.viewer";
    public static final String CREATOR = "service.workflow.creator";
    public static final String ADMIN = "service.workflow.admin";
}
Rationale
Each individual core service should have its own roles, so that entitlements can be given to users with per-service granularity.
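The effect of the rationale above on a single user, as an added example that is not code from ingestion-workflow or core common. It compares what one grant unlocks when the workflow endpoints share the storage role with what it unlocks under WorkflowRole. Assumptions: the value of StorageRole.CREATOR, the hasPermission stand-in, the storage.writeRecord operation name and the endpoint-to-role mapping in the proposed policy.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

public class RoleSeparationDemo {
    // Assumed value of StorageRole.CREATOR in core common.
    static final String STORAGE_CREATOR = "service.storage.creator";
    // Values taken from the proposed WorkflowRole class.
    static final String WF_VIEWER = "service.workflow.viewer";
    static final String WF_CREATOR = "service.workflow.creator";
    static final String WF_ADMIN = "service.workflow.admin";

    // Hypothetical stand-in for the authorization filter: allow if the caller holds any accepted role.
    static boolean hasPermission(Set<String> callerRoles, List<String> acceptedRoles) {
        return acceptedRoles.stream().anyMatch(callerRoles::contains);
    }

    // Every operation in the policy that the caller's roles unlock.
    static List<String> allowedOperations(Map<String, List<String>> policy, Set<String> callerRoles) {
        return policy.entrySet().stream()
                .filter(e -> hasPermission(callerRoles, e.getValue()))
                .map(Map.Entry::getKey)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Current state: workflow endpoints are guarded by the storage role.
        Map<String, List<String>> current = new LinkedHashMap<>();
        current.put("workflow.getWorkflowStatus", List.of(STORAGE_CREATOR));
        current.put("workflow.updateWorkflowStatus", List.of(STORAGE_CREATOR));
        current.put("storage.writeRecord", List.of(STORAGE_CREATOR)); // hypothetical storage write operation

        // Proposed state: the endpoint-to-role mapping here is an assumption for illustration.
        Map<String, List<String>> proposed = new LinkedHashMap<>();
        proposed.put("workflow.getWorkflowStatus", List.of(WF_VIEWER, WF_CREATOR, WF_ADMIN));
        proposed.put("workflow.updateWorkflowStatus", List.of(WF_CREATOR, WF_ADMIN));
        proposed.put("storage.writeRecord", List.of(STORAGE_CREATOR));

        // A user who only needs to read workflow status.
        // Today the only grant that works is the storage creator role.
        System.out.println("current:  " + allowedOperations(current, Set.of(STORAGE_CREATOR)));
        // With WorkflowRole, the viewer role is enough for the status read.
        System.out.println("proposed: " + allowedOperations(proposed, Set.of(WF_VIEWER)));
    }
}
```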
Consequences
Need to change Core Common and Entitlements Service? Need Groups Support?