Uploaded image for project: 'SAFe Program'
  1. SAFe Program
  2. SP-3063

SI: Rule-based permissions service

Change Owns to Parent OfsSet start and due date...
    XporterXMLWordPrintable

Details

    • SRCnet
    • Hide

      This feature will enable permission checking in Storage Inventory at a SRC.  This in turn will allow users, with tokens from IAM, to write files and read proprietary files from Storage Inventory.

      The primary benefit of baldur is that grants are decoupled from storage, so a single rule in baldur can grant access to an arbitrary number of files more or less instantaneously.

      Also, this allows grants to be centralized and thus controlled in one place.  The service is designed so the having mirrors for high availability is trivial.

      Show
      This feature will enable permission checking in Storage Inventory at a SRC.  This in turn will allow users, with tokens from IAM, to write files and read proprietary files from Storage Inventory. The primary benefit of baldur is that grants are decoupled from storage, so a single rule in baldur can grant access to an arbitrary number of files more or less instantaneously. Also, this allows grants to be centralized and thus controlled in one place.  The service is designed so the having mirrors for high availability is trivial.
    • Hide

      A service implementing the baldur API is deployed.  A user is given permissions (from the rules in baldur) to write files to a test namespace through membership of a test group in IAM.  The user, with a token obtained from IAM, will call the minoc API to write a file.  minoc will makes calls to baldur then gms to confirm the permission is granted and allow the user to proceed to write the file.

      Code and deployment documentation will be checked into gitlab.  Unit tests and integration tests must accompany the code.

      Show
      A service implementing the baldur API is deployed.  A user is given permissions (from the rules in baldur) to write files to a test namespace through membership of a test group in IAM.  The user, with a token obtained from IAM, will call the minoc API to write a file.  minoc will makes calls to baldur then gms to confirm the permission is granted and allow the user to proceed to write the file. Code and deployment documentation will be checked into gitlab.  Unit tests and integration tests must accompany the code.
    • Team_PURPLE
    • Hide

      Baldur was deployed by Thoughtworks and proven to work as the permission service for minoc.

      Show
      Baldur was deployed by Thoughtworks and proven to work as the permission service for minoc.
    • 17.6
    • Stories Completed, Demonstrated

    • PI24 - UNCOVERED

    • SRC-AAI SRC-DM SRC-SI SRCPB

    Description

      To support permission checks in Storage Inventory, the rule-based permission service `baldur` must be available at a SRC.  https://github.com/opencadc/storage-inventory/tree/master/baldur

      See the attached screenshot for a reference the dependencies for SI permission checking.  baldur is the 'SI Grants' box.

      The permissions API is simple and could be trivially implemented if there is another system that is source for permissions (in this case, permission to read or write files with certain identifiers).

      When a group membership check is required, it will use the GMS service (SP-2859) to do so.  A token will be passed on the call.

      Attachments

        Issue Links

          depends on

          Feature - A Feature is a service that fulfills a stakeholder need. Each feature includes a benefit hypothesis and acceptance criteria, and is sized or split as necessary to be delivered by a single Agile Release Train (ART) in a Program Increment (PI). SP-2859 IVOA / IAM Wrapping layer

          • Must have - Items labelled as "Must have" are critical to the current delivery timebox in order for it to be a success.
          • Done
          is required by

          Feature - A Feature is a service that fulfills a stakeholder need. Each feature includes a benefit hypothesis and acceptance criteria, and is sized or split as necessary to be delivered by a single Agile Release Train (ART) in a Program Increment (PI). SP-2905 SI and IAM integration

          • Must have - Items labelled as "Must have" are critical to the current delivery timebox in order for it to be a success.
          • Done
          relates to

          Feature - A Feature is a service that fulfills a stakeholder need. Each feature includes a benefit hypothesis and acceptance criteria, and is sized or split as necessary to be delivered by a single Agile Release Train (ART) in a Program Increment (PI). SP-3065 Service Registry

          • Could have - Items labelled as "Could have" are desirable but not necessary and could improve the user experience or customer satisfaction for a little development cost. These will typically be included if time and resources permit.
          • Done

          Feature - A Feature is a service that fulfills a stakeholder need. Each feature includes a benefit hypothesis and acceptance criteria, and is sized or split as necessary to be delivered by a single Agile Release Train (ART) in a Program Increment (PI). SP-3064 Inter-Service Communication with Tokens

          • Could have - Items labelled as "Could have" are desirable but not necessary and could improve the user experience or customer satisfaction for a little development cost. These will typically be included if time and resources permit.
          • Done
          mentioned in

          Page Loading...

          Structure

            Activity

              People

                B.Major Major, Brian
                B.Major Major, Brian
                Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Feature Progress

                  Story Point Burn-up: (0%)

                  Feature Estimate: 0.0

                  IssuesStory Points
                  To Do00.0
                  In Progress   00.0
                  Complete00.0
                  Total00.0

                  Dates

                    Created:
                    Updated:
                    Resolved:

                    Structure Helper Panel