In this PI the DPD has been updated so that only authorized users can view data products that have been assigned to a user group in MS Entra. This has been implemented in the following way:
- Users need to sign into the DPD with MS Entra. When a user is signed in, a request is made to the DPD API, using the user's access token, for the list of data products.
- The DPD API uses this token to request the list of groups assigned to the user from the SKA Permissions API, which in turn validates the token with MS Entra and returns the list.
- The list of groups is then used as part of the filter criteria to determine the list of data products to be returned to the Dashboard for the user to view.
When a user is not authenticated, or if there is no group assigned to a data product, that product is deemed open and can be viewed by all.
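The filtering rule described above, as an added sketch that is not code from the DPD API. It assumes each product's metadata is a dict carrying a single group ID under `context.access_group` (as in the sample in the limitations section), that an unauthenticated caller is treated as having no groups, and the function names are hypothetical.

```python
"""Added example: group-based visibility filter for data products."""
from typing import Iterable, List, Optional


def is_visible(metadata: dict, user_groups: frozenset) -> bool:
    """Decide whether one product may be listed for a caller."""
    context = metadata.get("context")
    group = context.get("access_group") if isinstance(context, dict) else None
    # No group assigned (missing, null or empty string): the product is open.
    if group is None or group == "":
        return True
    # Assumption: anything other than a single string is malformed; fail closed.
    if not isinstance(group, str):
        return False
    # Exact, case-sensitive match against the caller's group IDs.
    return group in user_groups


def filter_products(products: List[dict],
                    user_groups: Optional[Iterable[str]]) -> List[dict]:
    """Return the products a caller may see.

    user_groups is the list returned by the permissions service, or None
    for an unauthenticated caller (assumed equivalent to no groups).
    """
    groups = frozenset(user_groups or ())
    return [p for p in products if is_visible(p, groups)]


# Constructed sample metadata; names and group IDs are placeholders.
SAMPLE_PRODUCTS = [
    {"name": "open-no-context"},
    {"name": "open-null-group", "context": {"access_group": None}},
    {"name": "team-a", "context": {"access_group": "group-a"}},
    {"name": "team-b", "context": {"access_group": "group-b"}},
    {"name": "malformed", "context": {"access_group": ["group-a"]}},
]

if __name__ == "__main__":
    for caller in (None, ["group-a"], ["group-a", "group-b"]):
        names = [p["name"] for p in filter_products(SAMPLE_PRODUCTS, caller)]
        print(caller, names)
```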
Work completed as part of this includes:
Updates to the SKA Permissions API:
These updates include a new REST endpoint that serves a validated user's list of user group IDs:
NAL-1146 [DPD API] Update API to return all 'public' or data products to all users. - SKAO Jira (skatelescope.org)
MR: NAL-1146: Added getusergroupids endpoint to retrieve user group IDs from MS Entra. (!10) · Merge requests · SKAO / ska-permissions-api · GitLab
Documentation: SKAO front-end permissions service API Overview — ska-permissions-api 0.2.0 documentation
Updates to the SDP Data Product Dashboard API:
Integrated the API with the SKA Permissions API to enable it to obtain the user's assigned user groups from MS Entra.
Added the concept of access_group to the test metadata and updated both the in-memory search and the Elasticsearch search to use the list as part of the filter criteria.
MR: Draft: NAL-1146 (!77) · Merge requests · SKAO / Science Data Processor / SKA SDP Data Product API · GitLab
NAL-1146 [DPD API] Update API to return all 'public' or data products to all users. - SKAO Jira (skatelescope.org)
Updates to the SDP Data Product Dashboard API:
This update includes the SKA Permissions API by default in a deployment of the DPD, and updates the DPD Dashboard to pass the auth token to the API when requesting the list of data products.
NAL-1146 [DPD API] Update API to return all 'public' or data products to all users. - SKAO Jira (skatelescope.org)
MR: Draft: NAL-1146: Updated request to API to include access token (!156) · Merge requests · SKAO / Science Data Processor / SKA SDP Data Product Dashboard · GitLab
Documentation: Documentation for the SKA Data Product Dashboard — ska-sdp-dataproduct-dashboard 0.8.2 documentation (skao.int)
Releases:
<PENDING improvements of test coverage as part of NAL-1157>
A temporary deployment can be accessed here: https://sdhp.stfc.skao.int/dp-naledi-andre/dashboard/
Future work & limitations of current implementation:
- The current authentication does not allow for authentication when users access the API directly with scripts or notebooks (as is currently done inside the cluster / on the VPN at the ITFs). This will limit the use of scripts or notebooks when access groups are assigned to products in the future.
- The assumption was made to include the access group information in the metadata file:
context: { access_group: "not-in-my-access-groups"}
It is assumed that this will change in the future, depending on the implication in the DLM.