Marcus Christie created AIRAVATA-3371:
-----------------------------------------
Summary: Allow retrieving some minimal information about SSH
credentials when user doesn't have READ access?
Key: AIRAVATA-3371
URL: https://issues.apache.org/jira/browse/AIRAVATA-3371
Project: Airavata
Issue Type: Improvement
Components: Airavata API, Credential Store, Sharing
Reporter: Marcus Christie
Assignee: Marcus Christie
Problem: user has access (READ or WRITE) to a Group Resource Profile but is
missing access to the credential token it uses. In this case, the user can't
retrieve any information about the credential and so is kind of stuck and
unable to properly rectify the situation.
Solution: return some basic information about the credential even to users who
have no READ access, such as owner and description. This would at least allow
the user to know who to contact in case the user needs the owner to grant them
access to the credential.
Also it might be worth reconsidering what READ access to a credential means. In
practice, it means that the user can make use of the credential in compute
preferences, etc. Since the secret part of the credential (password or private
key) is never revealed through the API server, there's no reason (I can think of)
to not allow all users to retrieve CredentialSummary for all credentials. As
long as the API server checks that the user has READ access to a token before
allowing them to use it in a Group Resource Profile, etc., then I think we're fine
from a security perspective.
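The split proposed in this issue, sketched as an added example that is not Airavata code and not part of the original message: a summary lookup that returns only non-secret fields to any user, with the READ check enforced at the point where a token is attached to a Group Resource Profile. All class, method and field names here are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Credential:  # hypothetical model, not Airavata's own classes
    token: str
    owner: str
    description: str
    private_key: str  # secret part: no method below ever returns it
    readers: set = field(default_factory=set)  # users granted READ

@dataclass
class GroupResourceProfile:  # hypothetical model
    name: str
    members: set  # users with READ or WRITE on the profile
    writers: set  # users with WRITE on the profile
    credential_token: str = None

class Store:
    def __init__(self, credentials):
        self._creds = {c.token: c for c in credentials}

    def can_read(self, user, token):
        cred = self._creds[token]
        return user == cred.owner or user in cred.readers

    def get_summary(self, user, token):
        """Open to any user: non-secret fields plus whether this user may use the token."""
        cred = self._creds[token]
        return {"token": cred.token, "owner": cred.owner,
                "description": cred.description, "can_use": self.can_read(user, token)}

    def set_profile_credential(self, user, profile, token):
        """Use-time enforcement: referencing a token requires READ on it."""
        if user not in profile.writers:
            raise PermissionError(f"{user} lacks WRITE on profile {profile.name}")
        if not self.can_read(user, token):
            raise PermissionError(f"{user} lacks READ on credential {token}")
        profile.credential_token = token

    def diagnose_profile(self, user, profile):
        """For the 'stuck' user: say whom to contact, or None if nothing is missing."""
        if user not in profile.members:
            raise PermissionError(f"{user} has no access to profile {profile.name}")
        summary = self.get_summary(user, profile.credential_token)
        if summary["can_use"]:
            return None
        return f"ask {summary['owner']} to grant READ on '{summary['description']}'"

# Constructed sample data: carol can edit the profile but lacks READ on its token.
STORE = Store([Credential("tok-1", "alice", "Cluster login key",
                          "constructed-secret", {"bob"})])
PROFILE = GroupResourceProfile("hpc-group", members={"alice", "bob", "carol"},
                               writers={"alice", "carol"}, credential_token="tok-1")
```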