There has been some discussion for quite some time regarding an overhaul of
the TO access control model. I'd like to refresh everyone's memory on that
discussion.


*Current system:*

Since the beginning, resources (or routes (UI and API)) have been locked
down by role, or more specifically, privilege level. For example, if a
route requires a privilege level of 20, then only users with the operations
role (priv level=20) or admin role (priv level=30) could access that route.
Here are our current roles (and their priv levels):

Admin (30)
Operations (20)
Portal (15)
Federation (15)
Steering (15)
ORT (11)
Read-Only (10)
Disallowed (0)

This method has served us well for quite a while but there are some
drawbacks to this approach. Here are a few I can think of:

- No clear understanding of which routes each role provides access to. For
example, what is the difference between the Admin and Operations role? All
I know is that the admin role has a priv level of 30 and operations has 20.
I can't tell you which routes an admin has access to that operations does
not without reading the code or going thru all the docs. Ain't nobody got
time for that!

- The "Additive" nature of the roles (via priv level) prevents the ability
to create unrelated roles. You can't create 2 roles with unique access.
Higher level roles always inherit from lower level roles. The Federation
role is a good example. Federation users only need access to a couple
routes yet since it has a priv-level=15, federation users look like they
can do federation, steering, portal, ort and read-only things...

- Not easy to alter the access level of a role. For example, if you wanted
the Portal role to have access to a few more routes, what would you do?
Raise priv level to 18? Not sure what that would do...if anything. You'd
have to make code changes to ensure an 18 would actually do something.

- Many API consumers have elevated permissions when they only need access
to a few routes. I.e. traffic monitors, traffic routers, traffic stats all
have to be given the admin role. So basically, they've been granted access
to do EVERYTHING when they only access a few routes.

- There is also inconsistency in how roles are enforced. Most routes use
priv level to determine access but some routes simply check if the user has
the role (i.e. steering).


*New proposed system:*

*Tenancy*

Last summer tenancy was introduced (thanks Qwilt) giving us the ability to
"scope" certain resources (delivery services, users and also tenants) to
certain users. This was a big step towards self-service as we can now limit
what certain users see. Access control is now role + tenancy (if tenancy is
applicable and turned on via the use_tenancy parameter).

*Roles/Capabilities*

Actually, a lot of work has already been done (thanks again, Qwilt) in this
area but of course, there is more to do. Let me explain a bit how it works
conceptually.

Proposed Roles:

Admin
Operations
Content Provider (formerly known as Portal)
Federation
Cache (formerly known as ORT)
Monitor (new)
Router (new)
Stats (new)
Read-Only
Disallowed

Concept:

- a user has one role
- a role has N capabilities (i.e. ds-read, ds-write, etc)
- a capability is mapped to N API endpoints (i.e. ds-read is mapped to GET
/api/deliveryservices and GET /api/deliveryservices/:id)

A user's capabilities (and not privilege level) determine whether a user
has access to an API endpoint or not.
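As an added illustration of the concept above (this is not Traffic Ops code; the role, capability and endpoint tables are constructed samples), a small Python model that contrasts the priv-level check with a capability check and shows why the Federation role stays narrow under the new model:

```python
import re

# Constructed sample data modelled on the proposal; not Traffic Ops' real tables.
PRIV_LEVELS = {"admin": 30, "operations": 20, "portal": 15,
               "federation": 15, "read-only": 10}

# Capability -> list of (method, route pattern). ":id" is a path parameter.
CAPABILITIES = {
    "ds-read": [("GET", "/api/deliveryservices"),
                ("GET", "/api/deliveryservices/:id")],
    "ds-write": [("POST", "/api/deliveryservices"),
                 ("PUT", "/api/deliveryservices/:id")],
    "federation-read": [("GET", "/api/federations")],
}

# Role -> set of capabilities. Roles are not additive: federation gets only its own.
ROLE_CAPABILITIES = {
    "admin": {"ds-read", "ds-write", "federation-read"},
    "operations": {"ds-read", "ds-write"},
    "content-provider": {"ds-read"},
    "federation": {"federation-read"},
    "read-only": {"ds-read"},
}


def _route_matches(pattern, path):
    # Turn "/api/deliveryservices/:id" into a regex that matches one path segment.
    regex = re.sub(r":\w+", r"[^/]+", pattern)
    return re.fullmatch(regex, path) is not None


def allowed_by_priv_level(role, required_level):
    # Old model: any role at or above the route's level passes, regardless of purpose.
    return PRIV_LEVELS.get(role, 0) >= required_level


def allowed_by_capability(role, method, path):
    # New model: the role must hold a capability that maps to this exact endpoint.
    for cap in ROLE_CAPABILITIES.get(role, set()):
        for cap_method, pattern in CAPABILITIES.get(cap, []):
            if cap_method == method and _route_matches(pattern, path):
                return True
    return False


def endpoints_for_role(role):
    # Answers "which routes does this role reach?" straight from the mapping.
    return sorted({ep for cap in ROLE_CAPABILITIES.get(role, set())
                   for ep in CAPABILITIES.get(cap, [])})
```

`endpoints_for_role("admin")` minus `endpoints_for_role("operations")` gives the exact difference between the two roles, which the priv-level model cannot answer without reading route code.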

Advantages:

- By mapping roles to capabilities and capabilities to API endpoints, it's
easy to see what level of API access each role provides. For example, easy
to see the difference between the Admin and Operations role.

- Roles are not "additive". Unrelated, unique roles can be created. For
example, the Federation role and Content Provider role (formerly Portal
role) can provide 2 completely different levels of access control.
Currently, they provide the exact same level of access because of priv
level.

- Tightly defined roles with specific capabilities provide better
security. I.e. you don't have to give a user an admin role so they can do
only 2 things.

- Can create custom roles on the fly to only include access to certain API
endpoints. If you want to create a Bob role with just the ds-read
capability, go for it. You can get very creative with your roles if you
want to. Or you can just use those that are provided.

Disadvantages:

- More setup required. All API endpoints need to be grouped into
capabilities (again, Qwilt did a lot of work in this area). Capabilities
need to be added to the appropriate roles.

If you haven't read enough at this point and are thirsty for more, there is
more here:
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=68715910

Thanks for reading. Looking forward to your comments/concerns.

Jeremy