Permission system for Flamenco #51039

New Issue

Sybren A. Stüvel · 2017-03-23T12:24:22+01:00

Sybren A. Stüvel commented

2017-03-23 12:24:22 +01:00

We should have a better permission system than just the role flamenco-admin.
Some ideas for access rules:

Users with just subscriber or demo role can only view Flamenco. This is limited to projects they are part of, and Managers they are owner of.
Users with either subscriber or demo role AND flamenco-admin role have unlimited access to all of Flamenco.
Users need either subscriber or demo role AND flamenco-user role to have any write access to Flamenco, even when they are members of a project that's set up for Flamenco.
Ownership of a Manager is defined by a single group. All members of that group are considered equal.
Owners of a Manager can link that manager with projects they manage (i.e. have PUT access to).
Owners of a Manager can unlink that manager from any project.
Owners of a Manager can manage jobs/tasks/task logs belonging to projects they have PUT access to.
Members of a project that are not Owners of a Manager can manage jobs/tasks/task logs belonging to projects they have PUT access to.
Owners of a Manager can see, delete, and create authentication tokens for the Manager's service account. For now, let's just allow a single authentication token per Manager.

We should have a better permission system than just the role `flamenco-admin`. Some ideas for access rules: - Users with just `subscriber` or `demo` role can only view Flamenco. This is limited to projects they are part of, and Managers they are owner of. - Users with either `subscriber` or `demo` role AND `flamenco-admin` role have unlimited access to all of Flamenco. - Users need either `subscriber` or `demo` role AND `flamenco-user` role to have any write access to Flamenco, even when they are members of a project that's set up for Flamenco. - Ownership of a Manager is defined by a single group. All members of that group are considered equal. - Owners of a Manager can link that manager with projects they manage (i.e. have PUT access to). - Owners of a Manager can unlink that manager from any project. - Owners of a Manager can manage jobs/tasks/task logs belonging to projects they have PUT access to. - Members of a project that are not Owners of a Manager can manage jobs/tasks/task logs belonging to projects they have PUT access to. - Owners of a Manager can see, delete, and create authentication tokens for the Manager's service account. For now, let's just allow a single authentication token per Manager.

Sybren A. Stüvel commented

2017-03-23 12:24:22 +01:00

Changed status to: 'Open'

Sybren A. Stüvel commented

2017-03-23 12:24:22 +01:00

Added subscribers: @dr.sybren, @fsiddi

Pablo Vazquez was assigned by Sybren A. Stüvel

2017-05-23 11:00:53 +02:00

Sybren A. Stüvel commented

2017-05-23 11:00:53 +02:00

Added subscriber: @pablovazquez

Sybren A. Stüvel commented

2017-05-23 11:00:53 +02:00

Assigned to @venomgfx to click through and see if things are working / aren't broken.

Pablo Vazquez was unassigned by Francesco Siddi

2017-06-09 12:02:16 +02:00

Francesco Siddi self-assigned this 2017-06-09 12:02:16 +02:00

Francesco Siddi commented

2017-06-09 12:50:25 +02:00

Changed status from 'Open' to: 'Resolved'

Francesco Siddi closed this issue

2017-06-09 12:50:25 +02:00

Francesco Siddi commented

2017-06-09 12:50:25 +02:00

Tested after closing all subtasks and it looks good. Used the description of this task as a draft for docs about the permissions system in 5a429d29e1.
Thanks @dr.sybren !

Tested after closing all subtasks and it looks good. Used the description of this task as a draft for docs about the permissions system in 5a429d29e1da9a3f00cabe94071a7b5c8ae392b6. Thanks @dr.sybren !

Sign in to join this conversation.