Support for Workflow Roles - Currently Leveraging Storage Roles

Status

  • Proposed
  • Trialing
  • Under review
  • Approved
  • Retired

Context & Scope

The ingestion-workflow service currently uses the common model StorageRole for authorization. The following is observed in the code:

import org.opengroup.osdu.core.common.model.storage.StorageRole;

...

@PreAuthorize("@authorizationFilter.hasPermission('" + StorageRole.CREATOR + "')")
public GetStatusResponse getWorkflowStatus(@RequestBody GetStatusRequest request) {...}


@PreAuthorize("@authorizationFilter.hasPermission('" + StorageRole.CREATOR + "')")
public UpdateStatusResponse updateWorkflowStatus(@RequestBody UpdateStatusRequest request) {...}

Note that StorageRole.* is used for auth.

Decision

A new Role model called WorkflowRole should be created and used to assign privileges.

Sample Code

public final class WorkflowRole {
	public static final String VIEWER = "service.workflow.viewer";
	public static final String CREATOR = "service.workflow.creator";
	public static final String ADMIN = "service.workflow.admin";
}

Rationale

Each individual core service should have its own Roles, so that entitlements can be given to users at per-service granularity.
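
The effect of this separation, as an added example that is not OSDU code: a self-contained Java program that compares the current StorageRole guard with guards built on the proposed WorkflowRole names. The hasPermission helper is a hypothetical stand-in for the entitlement check, the value "service.storage.creator" for StorageRole.CREATOR is an assumption, and the mapping of reads and updates to roles is an assumed one that this ADR does not specify.

```java
import java.util.Set;

// Added illustration, not OSDU code: a stand-in for the entitlement group check.
public class WorkflowRoleDemo {

    // Role names copied from the WorkflowRole sample code in this ADR.
    static final class WorkflowRole {
        static final String VIEWER = "service.workflow.viewer";
        static final String CREATOR = "service.workflow.creator";
        static final String ADMIN = "service.workflow.admin";
        private WorkflowRole() {}
    }

    // Assumed value of StorageRole.CREATOR in core common.
    static final String STORAGE_CREATOR = "service.storage.creator";

    // Hypothetical check: the caller is allowed if it holds any required role.
    static boolean hasPermission(Set<String> callerGroups, String... requiredRoles) {
        for (String role : requiredRoles) {
            if (callerGroups.contains(role)) {
                return true;
            }
        }
        return false;
    }

    static void report(String label, boolean allowed) {
        System.out.printf("%-45s %s%n", label, allowed ? "ALLOW" : "DENY");
    }

    public static void main(String[] args) {
        // Constructed callers: one entitled only for storage, one only to view workflows.
        Set<String> storageOnly = Set.of(STORAGE_CREATOR);
        Set<String> workflowViewer = Set.of(WorkflowRole.VIEWER);

        // Current guard: updateWorkflowStatus requires StorageRole.CREATOR.
        report("current, storage-only user updates status", hasPermission(storageOnly, STORAGE_CREATOR));
        report("current, workflow viewer reads status", hasPermission(workflowViewer, STORAGE_CREATOR));

        // Proposed guards (assumed mapping): reads accept any workflow role, updates need CREATOR or ADMIN.
        String[] read = {WorkflowRole.VIEWER, WorkflowRole.CREATOR, WorkflowRole.ADMIN};
        String[] write = {WorkflowRole.CREATOR, WorkflowRole.ADMIN};
        report("proposed, storage-only user updates status", hasPermission(storageOnly, write));
        report("proposed, workflow viewer reads status", hasPermission(workflowViewer, read));
        report("proposed, workflow viewer updates status", hasPermission(workflowViewer, write));
    }
}
```

With the current guard, a caller whose only entitlement is the storage creator group can update workflow status, and there is no way to grant workflow read access without it. With service-specific roles, storage membership no longer implies any workflow permission.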

Consequences

Need to change Core Common and Entitlements Service? Need Groups Support?

Edited by Stephen Whitley (Invited Expert)