[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-23 Thread asfgit 
Github user asfgit closed the pull request at:

https://github.com/apache/incubator-trafficcontrol/pull/544


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117629894
  
--- Diff: traffic_ops/app/db/seeds.sql ---
@@ -81,10 +81,260 @@ insert into role (name, description, priv_level) 
values ('steering', 'Role for S
 insert into role (name, description, priv_level) values ('read-only user', 
'Read-Only user', 10) ON CONFLICT (name) DO NOTHING;
 insert into role (name, description, priv_level) values ('portal', 'Portal 
User', 2) ON CONFLICT (name) DO NOTHING;
 insert into role (name, description, priv_level) values ('disallowed', 
'Block all access', 0) ON CONFLICT (name) DO NOTHING;
+insert into role (name, description, priv_level) values ('root', 'Role for 
full capabilities - super-user ', 30) ON CONFLICT DO NOTHING;
 
 -- tenants
 insert into tenant (name, active, parent_id) values ('root', true, null) 
ON CONFLICT DO NOTHING;
 
+-- capabilities
+insert into capability (name, description) values ('all-read', 'Full read 
access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('all-write', 'Full 
write access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('asn-read', 'View ASN 
configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('asn-write', 'Create, 
edit or delete ASN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('basic-read', 'Basic 
read operations. Every user should have this capability') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values ('basic-write', 'Basic 
write operations. Every user should have this capability') ON CONFLICT (name) 
DO NOTHING;
+insert into capability (name, description) values 
('cache-config-files-read', 'View the generated cache configuration files') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-group-read', 
'View cache-group configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-group-write', 
'Create, edit or delete cache-group configuration') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values ('cache-stats-read', 
'View Cache statistics read access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-config-snapshot-read', 'View config snapshot at CDN level') ON CONFLICT 
(name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-config-snapshot-write', 'Config snapshot write access at CDN level') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-health-read', 
'View CDN health') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-read', 'View CDN 
configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-write', 'Create, 
edit or delete CDN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-security-keys-read', 'View CDN DNSSEC keys') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values 
('cdn-security-keys-write', 'Create, edit or delete CDN DNSSEC keys') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-stats-read', 'View 
CDN statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-stats-write', 
'Create, edit or delete CDN statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('change-log-read', 
'View change-log') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('change-log-write', 
'Create change-log entries') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('division-read', 'View 
division configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('division-write', 
'Create, edit or delete division configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-cache-read', 'View 
delivery-service cache assignment') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-cache-read', 
'Create, edit or delete delivery-service cache assignment') ON CONFLICT (name) 
DO NOTHING;
+insert into capability (name, description) values ('ds-health-read', 'View 
delivery-service health') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-read', 'View 
delivery-service configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-write', 'Create, 
edit or delete delivery-service

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117629906
  
--- Diff: traffic_ops/app/db/seeds.sql ---
@@ -81,10 +81,260 @@ insert into role (name, description, priv_level) 
values ('steering', 'Role for S
 insert into role (name, description, priv_level) values ('read-only user', 
'Read-Only user', 10) ON CONFLICT (name) DO NOTHING;
 insert into role (name, description, priv_level) values ('portal', 'Portal 
User', 2) ON CONFLICT (name) DO NOTHING;
 insert into role (name, description, priv_level) values ('disallowed', 
'Block all access', 0) ON CONFLICT (name) DO NOTHING;
+insert into role (name, description, priv_level) values ('root', 'Role for 
full capabilities - super-user ', 30) ON CONFLICT DO NOTHING;
 
 -- tenants
 insert into tenant (name, active, parent_id) values ('root', true, null) 
ON CONFLICT DO NOTHING;
 
+-- capabilities
+insert into capability (name, description) values ('all-read', 'Full read 
access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('all-write', 'Full 
write access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('asn-read', 'View ASN 
configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('asn-write', 'Create, 
edit or delete ASN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('basic-read', 'Basic 
read operations. Every user should have this capability') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values ('basic-write', 'Basic 
write operations. Every user should have this capability') ON CONFLICT (name) 
DO NOTHING;
+insert into capability (name, description) values 
('cache-config-files-read', 'View the generated cache configuration files') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-group-read', 
'View cache-group configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-group-write', 
'Create, edit or delete cache-group configuration') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values ('cache-stats-read', 
'View Cache statistics read access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-config-snapshot-read', 'View config snapshot at CDN level') ON CONFLICT 
(name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-config-snapshot-write', 'Config snapshot write access at CDN level') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-health-read', 
'View CDN health') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-read', 'View CDN 
configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-write', 'Create, 
edit or delete CDN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-security-keys-read', 'View CDN DNSSEC keys') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values 
('cdn-security-keys-write', 'Create, edit or delete CDN DNSSEC keys') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-stats-read', 'View 
CDN statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-stats-write', 
'Create, edit or delete CDN statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('change-log-read', 
'View change-log') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('change-log-write', 
'Create change-log entries') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('division-read', 'View 
division configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('division-write', 
'Create, edit or delete division configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-cache-read', 'View 
delivery-service cache assignment') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-cache-read', 
'Create, edit or delete delivery-service cache assignment') ON CONFLICT (name) 
DO NOTHING;
+insert into capability (name, description) values ('ds-health-read', 'View 
delivery-service health') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-read', 'View 
delivery-service configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-write', 'Create, 
edit or delete delivery-service

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117629747
  
--- Diff: traffic_ops/app/t/api/1.2/capabilities.t ---
@@ -0,0 +1,183 @@
+package main;
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use Mojo::Base -strict;
+use Test::More;
+use Test::Mojo;
+use DBI;
+use strict;
+use warnings;
+no warnings 'once';
+use warnings 'all';
+use Test::TestHelper;
+
+#no_transactions=>1 ==> keep fixtures after every execution, beware of 
duplicate data!
+#no_transactions=>0 ==> delete fixtures after every execution
+
+BEGIN { $ENV{MOJO_MODE} = "test" }
+
+my $schema = Schema->connect_to_database;
+my $dbh= Schema->database_handle;
+my $t  = Test::Mojo->new('TrafficOps');
+
+my $false = 0;
--- End diff --

Right. Removed.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117629730
  
--- Diff: traffic_ops/app/t/api/1.2/api_capabilities.t ---
@@ -0,0 +1,232 @@
+package main;
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use Mojo::Base -strict;
+use Test::More;
+use Test::Mojo;
+use DBI;
+use strict;
+use warnings;
+no warnings 'once';
+use warnings 'all';
+use Test::TestHelper;
+
+#no_transactions=>1 ==> keep fixtures after every execution, beware of 
duplicate data!
+#no_transactions=>0 ==> delete fixtures after every execution
+
+BEGIN { $ENV{MOJO_MODE} = "test" }
+
+my $schema = Schema->connect_to_database;
+my $dbh= Schema->database_handle;
+my $t  = Test::Mojo->new('TrafficOps');
+
+my $false = 0;
--- End diff --

Removed, thanks.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117629577
  
--- Diff: traffic_ops/app/lib/API/Capability.pm ---
@@ -0,0 +1,184 @@
+package API::Capability;
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+
+use UI::Utils;
+
+use Mojo::Base 'Mojolicious::Controller';
+use Data::Dumper;
+
+my $finfo = __FILE__ . ":";
+
+sub index {
+   my $self = shift;
+   my @data;
+   my $orderby = "name";
+   $orderby = $self->param('orderby') if ( defined $self->param('orderby') 
);
+
+   my $rs_data = $self->db->resultset("Capability")->search( undef, { 
order_by => $orderby } );
+   while ( my $row = $rs_data->next ) {
+   push(
+   @data, {
+   "name"=> $row->name,
+   "description" => $row->description,
+   "lastUpdated" => $row->last_updated
+   }
+   );
+   }
+   $self->success( \@data );
+}
+
+sub name {
+   my $self = shift;
+   my $name = $self->param('name');
+
+   my $rs_data = $self->db->resultset("Capability")->search( 'me.name' => 
$name );
+   my @data = ();
+   while ( my $row = $rs_data->next ) {
+   push(
+   @data, {
+   "name"=> $row->name,
+   "description" => $row->description,
+   "lastUpdated" => $row->last_updated
+   }
+   );
+   }
+   $self->success( \@data );
+}
+
+sub create {
+   my $self   = shift;
+   my $params = $self->req->json;
+
+   if ( !_oper($self) ) {
+   return $self->forbidden();
+   }
+
+   if ( !defined($params) ) {
+   return $self->alert("Parameters must be in JSON format.");
+   }
+
+   my $name= $params->{name}if defined( $params->{name} );
+   my $description = $params->{description} if defined( 
$params->{description} );
+
+   if ( !defined($name) or $name eq "" ) {
+   return $self->alert("Name is required.");
+   }
+
+   if ( !defined($description) or $description eq "" ) {
+   return $self->alert("Description is required.");
+   }
+
+   # check if capability exists
+   my $rs_data = $self->db->resultset("Capability")->search( { 'name' => { 
'like', $name } } )->single();
+   if ( defined($rs_data) ) {
+   return $self->alert("Capability '$name' already exists.");
+   }
+
+   my $values = {
+   name=> $name,
+   description => $description
+   };
+
+   my $insert = $self->db->resultset('Capability')->create($values);
+   my $rs = $insert->insert();
+   if ($rs) {
+   my $response;
+   $response->{name}= $rs->name;
+   $response->{description} = $rs->description;
+
+   ( $self, "Created Capability: '$response->{name}', 
'$response->{description}'", "APICHANGE" );
+
+   return $self->success( $response, "Capability was created." );
+   }
+   else {
+   return $self->alert("Capability creation failed.");
+   }
+}
+
+sub update {
+   my $self   = shift;
+   my $name   = $self->param('name');
+   my $params = $self->req->json;
+
+   if ( !_oper($self) ) {
+   return $self->forbidden();
+   }
+
+   if ( !defined($params) ) {
+   return $self->alert("Parameters must be in JSON format.");
+   }
+
+   my $description = $params->{description} if defined( 
$params->{description} );
+
+   my $capability = $self->db->resultset('Capability')->find( { name => 
$name } );
+   if ( !defined($capability) or $capability eq "" ) {
--- End diff --

Right, done.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117629459
  
--- Diff: traffic_ops/app/lib/API/Capability.pm ---
@@ -0,0 +1,184 @@
+package API::Capability;
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+
+use UI::Utils;
+
+use Mojo::Base 'Mojolicious::Controller';
+use Data::Dumper;
+
+my $finfo = __FILE__ . ":";
+
+sub index {
+   my $self = shift;
+   my @data;
+   my $orderby = "name";
+   $orderby = $self->param('orderby') if ( defined $self->param('orderby') 
);
+
+   my $rs_data = $self->db->resultset("Capability")->search( undef, { 
order_by => $orderby } );
+   while ( my $row = $rs_data->next ) {
+   push(
+   @data, {
+   "name"=> $row->name,
+   "description" => $row->description,
+   "lastUpdated" => $row->last_updated
+   }
+   );
+   }
+   $self->success( \@data );
+}
+
+sub name {
+   my $self = shift;
+   my $name = $self->param('name');
+
+   my $rs_data = $self->db->resultset("Capability")->search( 'me.name' => 
$name );
+   my @data = ();
--- End diff --

Done


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117629295
  
--- Diff: traffic_ops/app/lib/API/ApiCapability.pm ---
@@ -0,0 +1,256 @@
+package API::ApiCapability;
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+
+use UI::Utils;
+
+use Mojo::Base 'Mojolicious::Controller';
+use Data::Dumper;
+
+
+
+my $finfo = __FILE__ . ":";
+
+my %valid_http_methods = map { $_ => 1 } ('GET', 'POST', 'PUT', 'PATCH', 
'DELETE');
+
+sub index {
+   my $self   = shift;
+   my $capability = $self->param('capability');
+
+   my %criteria;
+   if ( defined $capability ) {
+   $criteria{'me.capability'} = $capability;
+   }
+   my @data;
+   my $orderby = "capability";
+   $orderby = $self->param('orderby') if ( defined $self->param('orderby') 
);
+
+   my $rs_data = $self->db->resultset("ApiCapability")->search( 
\%criteria, { prefetch => ['capability'], order_by => $orderby } );
+   while ( my $row = $rs_data->next ) {
+   push(
+   @data, {
+   "id"=> $row->id,
+   "httpMethod"=> $row->http_method,
+   "route" => $row->route,
+   "capName"   => $row->capability->name,
+   "lastUpdated"   => $row->last_updated
+   }
+   );
+   }
+   $self->success( \@data );
+}
+
+
+sub renderResults {
+   my $self = shift;
+   my $rs_data = shift;
+
+   my @data = ();
+   while ( my $row = $rs_data->next ) {
+   push(
+   @data, {
+   "id"=> $row->id,
+   "httpMethod"=> $row->http_method,
+   "route" => $row->route,
+   "capName"   => $row->capability->name,
+   "lastUpdated"   => $row->last_updated
+   }
+   );
+   }
+   $self->success( \@data );
+}
+
+sub show {
+   my $self = shift;
+   my $id = $self->param('id');
+
+   my $rs_data = $self->db->resultset("ApiCapability")->search( 'me.id' => 
$id );
+   $self->renderResults( $rs_data ) ;
+}
+
+sub is_mapping_valid {
+   my $self = shift;
+   my $id = shift;
+   my $http_method = shift;
+   my $route = shift;
+   my $capability = shift;
+
+   if ( !defined($http_method) ) {
+   return ( undef, "HTTP method is required." );
+   }
+
+   if ( !exists( $valid_http_methods{ $http_method } ) ) {
+   return ( undef, "HTTP method \'$http_method\' is invalid. Valid 
values are: " . join(", ", sort keys %valid_http_methods ) );
+   }
+
+   if ( !defined($route) or $route eq "" ) {
+   return ( undef, "Route is required." );
+   }
+
+   if ( !defined($capability) or $capability eq "" ) {
+   return (undef, "Capability name is required." );
+   }
+   # check if capability exists
+   my $rs_data = $self->db->resultset("Capability")->search( { 'name' => { 
'like', $capability } } )->single();
+   if (!defined($rs_data)) {
+   return (undef, "Capability '$capability' does not exist." );
+   }
+
+   # search a mapping for the same http_method & route
+   $rs_data = $self->db->resultset("ApiCapability")->search( { 'route' => 
{ 'like', $route } } )->search( {
+   'http_method' => { '=', $http_method } } )->single();
+   # if adding a new entry, make sure it is unique
+   if ( !defined( $id ) ) {
+   if (defined($rs_data)) {
+   my $allocated_capability = $rs_data->capability->name;
+   return (undef, "HTTP method '$http_method', route 
'$route' are already mapped to capability: $allocated_capability" );
+   }
+   }
+   else {
+   if (defined($rs_data)) {
+   my $lid = $rs_data->id;
+   if ($lid ne $id) {
+   my

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117626941
  
--- Diff: 
traffic_ops/app/db/migrations/2017040601_create_capabilities_and_roles.sql 
---
@@ -0,0 +1,91 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 
implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+-- +goose Up
+-- SQL in section 'Up' is executed when this migration is applied
+
+
+-- capability
+CREATE TABLE capability (
+name text primary key UNIQUE NOT NULL,
+description text,
+last_updated timestamp with time zone DEFAULT now()
+);
+
+CREATE TRIGGER on_update_current_timestamp BEFORE UPDATE ON capability FOR 
EACH ROW EXECUTE PROCEDURE on_update_current_timestamp_last_updated();
+
+-- http_method_t (enum)
+CREATE TYPE http_method_t as ENUM ('GET', 'POST', 'PUT', 'PATCH', 
'DELETE');
+
+-- api_capability
+
+CREATE TABLE api_capability (
+id BIGSERIAL primary key NOT NULL,
+http_method http_method_t NOT NULL,
+route text NOT NULL,
+capability text NOT NULL,
+CONSTRAINT fk_capability FOREIGN KEY (capability) REFERENCES 
capability(name) ON DELETE RESTRICT,
+UNIQUE (http_method, route, capability),
+last_updated timestamp with time zone DEFAULT now()
+);
+
+CREATE TRIGGER on_update_current_timestamp BEFORE UPDATE ON api_capability 
FOR EACH ROW EXECUTE PROCEDURE on_update_current_timestamp_last_updated();
+
+-- role_capability
+CREATE TABLE role_capability (
+role_id bigint NOT NULL,
+CONSTRAINT fk_role_id FOREIGN KEY (role_id) REFERENCES role(id) ON 
DELETE CASCADE,  
+cap_name text NOT NULL,
+CONSTRAINT fk_cap_name FOREIGN KEY (cap_name) REFERENCES 
capability(name) ON DELETE RESTRICT,
+UNIQUE (role_id, cap_name),
+last_updated timestamp with time zone DEFAULT now()
+);
+
+CREATE TRIGGER on_update_current_timestamp BEFORE UPDATE ON 
role_capability FOR EACH ROW EXECUTE PROCEDURE 
on_update_current_timestamp_last_updated();
+
+-- user_role
+CREATE TABLE user_role (
+user_id bigint NOT NULL,
--- End diff --

Here, when deleting a user all entries referencing it will automatically be 
deleted, but when a referenced role is deleted an error will occur, so that a 
user won't mistakenly lose her privileges.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117626911
  
--- Diff: 
traffic_ops/app/db/migrations/2017040601_create_capabilities_and_roles.sql 
---
@@ -0,0 +1,91 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 
implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+-- +goose Up
+-- SQL in section 'Up' is executed when this migration is applied
+
+
+-- capability
+CREATE TABLE capability (
+name text primary key UNIQUE NOT NULL,
+description text,
+last_updated timestamp with time zone DEFAULT now()
+);
+
+CREATE TRIGGER on_update_current_timestamp BEFORE UPDATE ON capability FOR 
EACH ROW EXECUTE PROCEDURE on_update_current_timestamp_last_updated();
+
+-- http_method_t (enum)
+CREATE TYPE http_method_t as ENUM ('GET', 'POST', 'PUT', 'PATCH', 
'DELETE');
+
+-- api_capability
+
+CREATE TABLE api_capability (
+id BIGSERIAL primary key NOT NULL,
+http_method http_method_t NOT NULL,
+route text NOT NULL,
+capability text NOT NULL,
+CONSTRAINT fk_capability FOREIGN KEY (capability) REFERENCES 
capability(name) ON DELETE RESTRICT,
+UNIQUE (http_method, route, capability),
+last_updated timestamp with time zone DEFAULT now()
+);
+
+CREATE TRIGGER on_update_current_timestamp BEFORE UPDATE ON api_capability 
FOR EACH ROW EXECUTE PROCEDURE on_update_current_timestamp_last_updated();
+
+-- role_capability
+CREATE TABLE role_capability (
+role_id bigint NOT NULL,
--- End diff --

Not exactly - 
When a role is deleted, all entries in the role_capability table 
referencing that role are also deleted.
But, when a capability is deleted, an error will occur if there are entries 
referencing it from the role_capability table.
This is because I want the user to be aware of the roles she changes when 
deleting capability.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117626753
  
--- Diff: 
traffic_ops/app/db/migrations/2017040601_create_capabilities_and_roles.sql 
---
@@ -0,0 +1,91 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 
implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+-- +goose Up
+-- SQL in section 'Up' is executed when this migration is applied
+
+
+-- capability
+CREATE TABLE capability (
+name text primary key UNIQUE NOT NULL,
+description text,
+last_updated timestamp with time zone DEFAULT now()
+);
+
+CREATE TRIGGER on_update_current_timestamp BEFORE UPDATE ON capability FOR 
EACH ROW EXECUTE PROCEDURE on_update_current_timestamp_last_updated();
+
+-- http_method_t (enum)
+CREATE TYPE http_method_t as ENUM ('GET', 'POST', 'PUT', 'PATCH', 
'DELETE');
+
+-- api_capability
+
+CREATE TABLE api_capability (
+id BIGSERIAL primary key NOT NULL,
+http_method http_method_t NOT NULL,
+route text NOT NULL,
+capability text NOT NULL,
+CONSTRAINT fk_capability FOREIGN KEY (capability) REFERENCES 
capability(name) ON DELETE RESTRICT,
+UNIQUE (http_method, route, capability),
--- End diff --

I think a route can belong to several capabilities. In order to operate it, 
the user must have *all* the capabilities a route belong to.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117626709
  
--- Diff: docs/source/development/traffic_ops_api/v12/capability.rst ---
@@ -0,0 +1,271 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+.. http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-v12-capability:
+
+Capabilities
+
+
+.. _to-api-v12-capability-route:
+
+/api/1.2/capabilities
++
+
+**GET /api/1.2/capabilities**
+
+  Get all capabilities.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Response Properties**
+
+  
+---++-+
+  |Parameter  |  Type  |   Description 
  |
+  
+===++=+
+  | ``name``  | string | Capability name.  
  |
+  
+---++-+
+  | ``description``   | string | Describing the APIs covered by the 
capability.  |
+  
+---++-+
+  | ``lastUpdated``   | string |   
  |
+  
+---++-+
+
+  **Response Example** ::
+
+{
+ "response": [
+   {
+  "name": "cdn-read",
+  "description": "View CDN configuration",
+  "lastUpdated": "2017-04-02 08:22:43"
+   },
+   {
+  "name": "cdn-write",
+  "description": "Create, edit or delete CDN configuration",
+  "lastUpdated": "2017-04-02 08:22:43"
+   }
+]
+}
+
+|
+
+**GET /api/1.2/capabilities/:name**
+
+  Get a capability by name.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Request Route Parameters**
+
+  +-+--+-+
+  |Name | Required |Description  |
+  +=+==+=+
+  |   ``name``  |   yes| Capability name.|
+  +-+--+-+
+
+  **Response Properties**
+
+  
+---++-+
+  |Parameter  |  Type  |   Description 
  |
+  
+===++=+
+  | ``name``  | string | Capability name.  
  |
+  
+---++-+
+  | ``description``   | string | Describing the APIs covered by the 
capability.  |
+  
+---++-+
+  | ``lastUpdated``   | string |   
  |
+  
+---++-+
+
+  **Response Example** ::
+
+{
+ "response": [
+   {
+  "name": "cdn-read",
+  "description": "View CDN configuration",
+  "lastUpdated": "2017-04-02 08:22:43"
+   }
+]
+}
+
+|
+
+**POST /api/1.2/capabilities**
+
+  Create a capability.
+
+  Authentication Required: Yes
+
+  Role(s) Required:  admin or oper
+
+  **Request Parameters**
+
+  
+---++-+
+  |Parameter  |  Type  |   Description 
  |
--- End diff --

Done


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117626714
  
--- Diff: 
traffic_ops/app/db/migrations/2017040601_create_capabilities_and_roles.sql 
---
@@ -0,0 +1,91 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 
implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+-- +goose Up
+-- SQL in section 'Up' is executed when this migration is applied
+
+
+-- capability
+CREATE TABLE capability (
+name text primary key UNIQUE NOT NULL,
--- End diff --

:-)


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117626695
  
--- Diff: docs/source/development/traffic_ops_api/v12/api_capability.rst ---
@@ -0,0 +1,367 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+.. http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-v12-api_capability:
+
+API-Capabilities
+
+
+.. _to-api-v12-api-capability-route:
+
+/api/1.2/api_capabilities
++
+
+**GET /api/1.2/api_capabilities**
+
+  Get all API-capability mappings.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Response Properties**
+
+  
+---++--+
+  |Parameter  |  Type  |   Description 
   |
+  
+===++==+
+  | ``id``| int| Mapping id.   
   |
+  
+---++--+
+  | ``httpMethod``| enum   | One of: 'GET', 'POST', 'PUT', 'PATCH', 
'DELETE'. |
+  
+---++--+
+  | ``route`` | string | API route.
   |
+  
+---++--+
+  | ``capName``   | string | Capability name.  
   |
+  
+---++--+
+  | ``lastUpdated``   | string |   
   |
+  
+---++--+
+
+  **Response Example** ::
+
+{
+ "response": [
+   {
+  "id": "6",
+  "httpMethod": "GET",
+  "route": "/api/*/asns",
+  "capName": "asn-read",
+  "lastUpdated": "2017-04-02 08:22:43"
+   },
+   {
+  "id": "7",
+  "httpMethod": "GET",
+  "route": "/api/*/asns/*",
+  "capName": "asn-read",
+  "lastUpdated": "2017-04-02 08:22:43"
+   }
+]
+}
+
+|
+
+**GET /api/1.2/api_capabilities/:id**
+
+  Get an API-capability mapping by id.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Request Route Parameters**
+
+  +-+--+-+
+  |Name | Required |Description  |
+  +=+==+=+
+  |   ``id``|   yes| Mapping id. |
+  +-+--+-+
+
+  **Response Properties**
+
+  
+---++--+
+  |Parameter  |  Type  |   Description 
   |
+  
+===++==+
+  | ``id``| int| Mapping id.   
   |
+  
+---++--+
+  | ``httpMethod``| enum   | One of: 'GET', 'POST', 'PUT', 'PATCH', 
'DELETE'. |
+  
+---++--+
+  | ``route`` | string | API route.
   |
+  
+---++--+
+  | ``capName``   | string | Capability name.  
   |
+  
+---++--+
+  | ``lastUpdated``   | string |   
   |
+  
+---++--+
+
+  **Response Example** ::
+
+{
+ "response": [

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117626688
  
--- Diff: docs/source/development/traffic_ops_api/v12/api_capability.rst ---
@@ -0,0 +1,367 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+.. http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-v12-api_capability:
+
+API-Capabilities
+
+
+.. _to-api-v12-api-capability-route:
+
+/api/1.2/api_capabilities
++
+
+**GET /api/1.2/api_capabilities**
+
+  Get all API-capability mappings.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Response Properties**
+
+  
+---++--+
+  |Parameter  |  Type  |   Description 
   |
+  
+===++==+
+  | ``id``| int| Mapping id.   
   |
+  
+---++--+
+  | ``httpMethod``| enum   | One of: 'GET', 'POST', 'PUT', 'PATCH', 
'DELETE'. |
+  
+---++--+
+  | ``route`` | string | API route.
   |
+  
+---++--+
+  | ``capName``   | string | Capability name.  
   |
--- End diff --

Fixed, thanks.



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-21 Thread naamashoresh 
Github user naamashoresh commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r117626655
  
--- Diff: docs/source/development/traffic_ops_api/v12/api_capability.rst ---
@@ -0,0 +1,367 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+.. http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-v12-api_capability:
+
+API-Capabilities
+
+
+.. _to-api-v12-api-capability-route:
+
+/api/1.2/api_capabilities
++
+
+**GET /api/1.2/api_capabilities**
+
+  Get all API-capability mappings.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Response Properties**
+
+  
+---++--+
+  |Parameter  |  Type  |   Description 
   |
+  
+===++==+
+  | ``id``| int| Mapping id.   
   |
+  
+---++--+
+  | ``httpMethod``| enum   | One of: 'GET', 'POST', 'PUT', 'PATCH', 
'DELETE'. |
+  
+---++--+
+  | ``route`` | string | API route.
   |
+  
+---++--+
+  | ``capName``   | string | Capability name.  
   |
+  
+---++--+
+  | ``lastUpdated``   | string |   
   |
+  
+---++--+
+
+  **Response Example** ::
+
+{
+ "response": [
+   {
+  "id": "6",
+  "httpMethod": "GET",
+  "route": "/api/*/asns",
+  "capName": "asn-read",
+  "lastUpdated": "2017-04-02 08:22:43"
+   },
+   {
+  "id": "7",
+  "httpMethod": "GET",
+  "route": "/api/*/asns/*",
+  "capName": "asn-read",
+  "lastUpdated": "2017-04-02 08:22:43"
+   }
+]
+}
+
+|
+
+**GET /api/1.2/api_capabilities/:id**
+
+  Get an API-capability mapping by id.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Request Route Parameters**
+
+  +-+--+-+
+  |Name | Required |Description  |
+  +=+==+=+
+  |   ``id``|   yes| Mapping id. |
+  +-+--+-+
+
+  **Response Properties**
+
+  
+---++--+
+  |Parameter  |  Type  |   Description 
   |
+  
+===++==+
+  | ``id``| int| Mapping id.   
   |
+  
+---++--+
+  | ``httpMethod``| enum   | One of: 'GET', 'POST', 'PUT', 'PATCH', 
'DELETE'. |
+  
+---++--+
+  | ``route`` | string | API route.
   |
+  
+---++--+
+  | ``capName``   | string | Capability name.  
   |
+  
+---++--+
+  | ``lastUpdated``   | string |   
   |
+  
+---++--+
+
+  **Response Example** ::
+
+{
+ "response": [

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115898210
  
--- Diff: traffic_ops/app/db/seeds.sql ---
@@ -81,10 +81,260 @@ insert into role (name, description, priv_level) 
values ('steering', 'Role for S
 insert into role (name, description, priv_level) values ('read-only user', 
'Read-Only user', 10) ON CONFLICT (name) DO NOTHING;
 insert into role (name, description, priv_level) values ('portal', 'Portal 
User', 2) ON CONFLICT (name) DO NOTHING;
 insert into role (name, description, priv_level) values ('disallowed', 
'Block all access', 0) ON CONFLICT (name) DO NOTHING;
+insert into role (name, description, priv_level) values ('root', 'Role for 
full capabilities - super-user ', 30) ON CONFLICT DO NOTHING;
 
 -- tenants
 insert into tenant (name, active, parent_id) values ('root', true, null) 
ON CONFLICT DO NOTHING;
 
+-- capabilities
+insert into capability (name, description) values ('all-read', 'Full read 
access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('all-write', 'Full 
write access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('asn-read', 'View ASN 
configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('asn-write', 'Create, 
edit or delete ASN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('basic-read', 'Basic 
read operations. Every user should have this capability') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values ('basic-write', 'Basic 
write operations. Every user should have this capability') ON CONFLICT (name) 
DO NOTHING;
+insert into capability (name, description) values 
('cache-config-files-read', 'View the generated cache configuration files') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-group-read', 
'View cache-group configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-group-write', 
'Create, edit or delete cache-group configuration') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values ('cache-stats-read', 
'View Cache statistics read access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-config-snapshot-read', 'View config snapshot at CDN level') ON CONFLICT 
(name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-config-snapshot-write', 'Config snapshot write access at CDN level') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-health-read', 
'View CDN health') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-read', 'View CDN 
configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-write', 'Create, 
edit or delete CDN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-security-keys-read', 'View CDN DNSSEC keys') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values 
('cdn-security-keys-write', 'Create, edit or delete CDN DNSSEC keys') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-stats-read', 'View 
CDN statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-stats-write', 
'Create, edit or delete CDN statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('change-log-read', 
'View change-log') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('change-log-write', 
'Create change-log entries') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('division-read', 'View 
division configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('division-write', 
'Create, edit or delete division configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-cache-read', 'View 
delivery-service cache assignment') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-cache-read', 
'Create, edit or delete delivery-service cache assignment') ON CONFLICT (name) 
DO NOTHING;
+insert into capability (name, description) values ('ds-health-read', 'View 
delivery-service health') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-read', 'View 
delivery-service configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-write', 'Create, 
edit or delete delivery-service

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115896943
  
--- Diff: traffic_ops/app/db/seeds.sql ---
@@ -81,10 +81,260 @@ insert into role (name, description, priv_level) 
values ('steering', 'Role for S
 insert into role (name, description, priv_level) values ('read-only user', 
'Read-Only user', 10) ON CONFLICT (name) DO NOTHING;
 insert into role (name, description, priv_level) values ('portal', 'Portal 
User', 2) ON CONFLICT (name) DO NOTHING;
 insert into role (name, description, priv_level) values ('disallowed', 
'Block all access', 0) ON CONFLICT (name) DO NOTHING;
+insert into role (name, description, priv_level) values ('root', 'Role for 
full capabilities - super-user ', 30) ON CONFLICT DO NOTHING;
 
 -- tenants
 insert into tenant (name, active, parent_id) values ('root', true, null) 
ON CONFLICT DO NOTHING;
 
+-- capabilities
+insert into capability (name, description) values ('all-read', 'Full read 
access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('all-write', 'Full 
write access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('asn-read', 'View ASN 
configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('asn-write', 'Create, 
edit or delete ASN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('basic-read', 'Basic 
read operations. Every user should have this capability') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values ('basic-write', 'Basic 
write operations. Every user should have this capability') ON CONFLICT (name) 
DO NOTHING;
+insert into capability (name, description) values 
('cache-config-files-read', 'View the generated cache configuration files') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-group-read', 
'View cache-group configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-group-write', 
'Create, edit or delete cache-group configuration') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values ('cache-stats-read', 
'View Cache statistics read access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-config-snapshot-read', 'View config snapshot at CDN level') ON CONFLICT 
(name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-config-snapshot-write', 'Config snapshot write access at CDN level') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-health-read', 
'View CDN health') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-read', 'View CDN 
configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-write', 'Create, 
edit or delete CDN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-security-keys-read', 'View CDN DNSSEC keys') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values 
('cdn-security-keys-write', 'Create, edit or delete CDN DNSSEC keys') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-stats-read', 'View 
CDN statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-stats-write', 
'Create, edit or delete CDN statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('change-log-read', 
'View change-log') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('change-log-write', 
'Create change-log entries') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('division-read', 'View 
division configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('division-write', 
'Create, edit or delete division configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-cache-read', 'View 
delivery-service cache assignment') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-cache-read', 
'Create, edit or delete delivery-service cache assignment') ON CONFLICT (name) 
DO NOTHING;
+insert into capability (name, description) values ('ds-health-read', 'View 
delivery-service health') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-read', 'View 
delivery-service configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-write', 'Create, 
edit or delete delivery-service

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115896288
  
--- Diff: traffic_ops/app/db/seeds.sql ---
@@ -81,10 +81,260 @@ insert into role (name, description, priv_level) 
values ('steering', 'Role for S
 insert into role (name, description, priv_level) values ('read-only user', 
'Read-Only user', 10) ON CONFLICT (name) DO NOTHING;
 insert into role (name, description, priv_level) values ('portal', 'Portal 
User', 2) ON CONFLICT (name) DO NOTHING;
 insert into role (name, description, priv_level) values ('disallowed', 
'Block all access', 0) ON CONFLICT (name) DO NOTHING;
+insert into role (name, description, priv_level) values ('root', 'Role for 
full capabilities - super-user ', 30) ON CONFLICT DO NOTHING;
 
 -- tenants
 insert into tenant (name, active, parent_id) values ('root', true, null) 
ON CONFLICT DO NOTHING;
 
+-- capabilities
+insert into capability (name, description) values ('all-read', 'Full read 
access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('all-write', 'Full 
write access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('asn-read', 'View ASN 
configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('asn-write', 'Create, 
edit or delete ASN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('basic-read', 'Basic 
read operations. Every user should have this capability') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values ('basic-write', 'Basic 
write operations. Every user should have this capability') ON CONFLICT (name) 
DO NOTHING;
+insert into capability (name, description) values 
('cache-config-files-read', 'View the generated cache configuration files') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-group-read', 
'View cache-group configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-group-write', 
'Create, edit or delete cache-group configuration') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values ('cache-stats-read', 
'View Cache statistics read access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-config-snapshot-read', 'View config snapshot at CDN level') ON CONFLICT 
(name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-config-snapshot-write', 'Config snapshot write access at CDN level') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-health-read', 
'View CDN health') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-read', 'View CDN 
configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-write', 'Create, 
edit or delete CDN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-security-keys-read', 'View CDN DNSSEC keys') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values 
('cdn-security-keys-write', 'Create, edit or delete CDN DNSSEC keys') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-stats-read', 'View 
CDN statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-stats-write', 
'Create, edit or delete CDN statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('change-log-read', 
'View change-log') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('change-log-write', 
'Create change-log entries') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('division-read', 'View 
division configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('division-write', 
'Create, edit or delete division configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-cache-read', 'View 
delivery-service cache assignment') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-cache-read', 
'Create, edit or delete delivery-service cache assignment') ON CONFLICT (name) 
DO NOTHING;
+insert into capability (name, description) values ('ds-health-read', 'View 
delivery-service health') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-read', 'View 
delivery-service configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-write', 'Create, 
edit or delete delivery-service

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115896312
  
--- Diff: traffic_ops/app/db/seeds.sql ---
@@ -81,10 +81,260 @@ insert into role (name, description, priv_level) 
values ('steering', 'Role for S
 insert into role (name, description, priv_level) values ('read-only user', 
'Read-Only user', 10) ON CONFLICT (name) DO NOTHING;
 insert into role (name, description, priv_level) values ('portal', 'Portal 
User', 2) ON CONFLICT (name) DO NOTHING;
 insert into role (name, description, priv_level) values ('disallowed', 
'Block all access', 0) ON CONFLICT (name) DO NOTHING;
+insert into role (name, description, priv_level) values ('root', 'Role for 
full capabilities - super-user ', 30) ON CONFLICT DO NOTHING;
 
 -- tenants
 insert into tenant (name, active, parent_id) values ('root', true, null) 
ON CONFLICT DO NOTHING;
 
+-- capabilities
+insert into capability (name, description) values ('all-read', 'Full read 
access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('all-write', 'Full 
write access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('asn-read', 'View ASN 
configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('asn-write', 'Create, 
edit or delete ASN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('basic-read', 'Basic 
read operations. Every user should have this capability') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values ('basic-write', 'Basic 
write operations. Every user should have this capability') ON CONFLICT (name) 
DO NOTHING;
+insert into capability (name, description) values 
('cache-config-files-read', 'View the generated cache configuration files') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-group-read', 
'View cache-group configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cache-group-write', 
'Create, edit or delete cache-group configuration') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values ('cache-stats-read', 
'View Cache statistics read access') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-config-snapshot-read', 'View config snapshot at CDN level') ON CONFLICT 
(name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-config-snapshot-write', 'Config snapshot write access at CDN level') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-health-read', 
'View CDN health') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-read', 'View CDN 
configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-write', 'Create, 
edit or delete CDN configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values 
('cdn-security-keys-read', 'View CDN DNSSEC keys') ON CONFLICT (name) DO 
NOTHING;
+insert into capability (name, description) values 
('cdn-security-keys-write', 'Create, edit or delete CDN DNSSEC keys') ON 
CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-stats-read', 'View 
CDN statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('cdn-stats-write', 
'Create, edit or delete CDN statistics') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('change-log-read', 
'View change-log') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('change-log-write', 
'Create change-log entries') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('division-read', 'View 
division configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('division-write', 
'Create, edit or delete division configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-cache-read', 'View 
delivery-service cache assignment') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-cache-read', 
'Create, edit or delete delivery-service cache assignment') ON CONFLICT (name) 
DO NOTHING;
+insert into capability (name, description) values ('ds-health-read', 'View 
delivery-service health') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-read', 'View 
delivery-service configuration') ON CONFLICT (name) DO NOTHING;
+insert into capability (name, description) values ('ds-write', 'Create, 
edit or delete delivery-service

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115861924
  
--- Diff: traffic_ops/app/lib/API/ApiCapability.pm ---
@@ -0,0 +1,256 @@
+package API::ApiCapability;
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+
+use UI::Utils;
+
+use Mojo::Base 'Mojolicious::Controller';
+use Data::Dumper;
+
+
+
+my $finfo = __FILE__ . ":";
+
+my %valid_http_methods = map { $_ => 1 } ('GET', 'POST', 'PUT', 'PATCH', 
'DELETE');
+
+sub index {
+   my $self   = shift;
+   my $capability = $self->param('capability');
+
+   my %criteria;
+   if ( defined $capability ) {
+   $criteria{'me.capability'} = $capability;
+   }
+   my @data;
+   my $orderby = "capability";
+   $orderby = $self->param('orderby') if ( defined $self->param('orderby') 
);
+
+   my $rs_data = $self->db->resultset("ApiCapability")->search( 
\%criteria, { prefetch => ['capability'], order_by => $orderby } );
+   while ( my $row = $rs_data->next ) {
+   push(
+   @data, {
+   "id"=> $row->id,
+   "httpMethod"=> $row->http_method,
+   "route" => $row->route,
+   "capName"   => $row->capability->name,
+   "lastUpdated"   => $row->last_updated
+   }
+   );
+   }
+   $self->success( \@data );
+}
+
+
+sub renderResults {
+   my $self = shift;
+   my $rs_data = shift;
+
+   my @data = ();
+   while ( my $row = $rs_data->next ) {
+   push(
+   @data, {
+   "id"=> $row->id,
+   "httpMethod"=> $row->http_method,
+   "route" => $row->route,
+   "capName"   => $row->capability->name,
+   "lastUpdated"   => $row->last_updated
+   }
+   );
+   }
+   $self->success( \@data );
+}
+
+sub show {
+   my $self = shift;
+   my $id = $self->param('id');
+
+   my $rs_data = $self->db->resultset("ApiCapability")->search( 'me.id' => 
$id );
+   $self->renderResults( $rs_data ) ;
+}
+
+sub is_mapping_valid {
+   my $self = shift;
+   my $id = shift;
+   my $http_method = shift;
+   my $route = shift;
+   my $capability = shift;
+
+   if ( !defined($http_method) ) {
+   return ( undef, "HTTP method is required." );
+   }
+
+   if ( !exists( $valid_http_methods{ $http_method } ) ) {
+   return ( undef, "HTTP method \'$http_method\' is invalid. Valid 
values are: " . join(", ", sort keys %valid_http_methods ) );
+   }
+
+   if ( !defined($route) or $route eq "" ) {
+   return ( undef, "Route is required." );
+   }
+
+   if ( !defined($capability) or $capability eq "" ) {
+   return (undef, "Capability name is required." );
+   }
+   # check if capability exists
+   my $rs_data = $self->db->resultset("Capability")->search( { 'name' => { 
'like', $capability } } )->single();
+   if (!defined($rs_data)) {
+   return (undef, "Capability '$capability' does not exist." );
+   }
+
+   # search a mapping for the same http_method & route
+   $rs_data = $self->db->resultset("ApiCapability")->search( { 'route' => 
{ 'like', $route } } )->search( {
+   'http_method' => { '=', $http_method } } )->single();
+   # if adding a new entry, make sure it is unique
+   if ( !defined( $id ) ) {
+   if (defined($rs_data)) {
+   my $allocated_capability = $rs_data->capability->name;
+   return (undef, "HTTP method '$http_method', route 
'$route' are already mapped to capability: $allocated_capability" );
+   }
+   }
+   else {
+   if (defined($rs_data)) {
+   my $lid = $rs_data->id;
+   if ($lid ne $id) {
+   my

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115859517
  
--- Diff: 
traffic_ops/app/db/migrations/2017040601_create_capabilities_and_roles.sql 
---
@@ -0,0 +1,91 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 
implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+-- +goose Up
+-- SQL in section 'Up' is executed when this migration is applied
+
+
+-- capability
+CREATE TABLE capability (
+name text primary key UNIQUE NOT NULL,
+description text,
+last_updated timestamp with time zone DEFAULT now()
+);
+
+CREATE TRIGGER on_update_current_timestamp BEFORE UPDATE ON capability FOR 
EACH ROW EXECUTE PROCEDURE on_update_current_timestamp_last_updated();
+
+-- http_method_t (enum)
+CREATE TYPE http_method_t as ENUM ('GET', 'POST', 'PUT', 'PATCH', 
'DELETE');
+
+-- api_capability
+
+CREATE TABLE api_capability (
+id BIGSERIAL primary key NOT NULL,
+http_method http_method_t NOT NULL,
+route text NOT NULL,
+capability text NOT NULL,
+CONSTRAINT fk_capability FOREIGN KEY (capability) REFERENCES 
capability(name) ON DELETE RESTRICT,
+UNIQUE (http_method, route, capability),
+last_updated timestamp with time zone DEFAULT now()
+);
+
+CREATE TRIGGER on_update_current_timestamp BEFORE UPDATE ON api_capability 
FOR EACH ROW EXECUTE PROCEDURE on_update_current_timestamp_last_updated();
+
+-- role_capability
+CREATE TABLE role_capability (
+role_id bigint NOT NULL,
+CONSTRAINT fk_role_id FOREIGN KEY (role_id) REFERENCES role(id) ON 
DELETE CASCADE,  
+cap_name text NOT NULL,
+CONSTRAINT fk_cap_name FOREIGN KEY (cap_name) REFERENCES 
capability(name) ON DELETE RESTRICT,
+UNIQUE (role_id, cap_name),
+last_updated timestamp with time zone DEFAULT now()
+);
+
+CREATE TRIGGER on_update_current_timestamp BEFORE UPDATE ON 
role_capability FOR EACH ROW EXECUTE PROCEDURE 
on_update_current_timestamp_last_updated();
+
+-- user_role
+CREATE TABLE user_role (
+user_id bigint NOT NULL,
--- End diff --

same thing as above. when a user is deleted all entries are deleted i this 
table where user_id = deleted user id? and when a role is deleted, all entries 
are deleted where role_id = deleted role id?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115858507
  
--- Diff: 
traffic_ops/app/db/migrations/2017040601_create_capabilities_and_roles.sql 
---
@@ -0,0 +1,91 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 
implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+-- +goose Up
+-- SQL in section 'Up' is executed when this migration is applied
+
+
+-- capability
+CREATE TABLE capability (
+name text primary key UNIQUE NOT NULL,
+description text,
+last_updated timestamp with time zone DEFAULT now()
+);
+
+CREATE TRIGGER on_update_current_timestamp BEFORE UPDATE ON capability FOR 
EACH ROW EXECUTE PROCEDURE on_update_current_timestamp_last_updated();
+
+-- http_method_t (enum)
+CREATE TYPE http_method_t as ENUM ('GET', 'POST', 'PUT', 'PATCH', 
'DELETE');
+
+-- api_capability
+
+CREATE TABLE api_capability (
+id BIGSERIAL primary key NOT NULL,
+http_method http_method_t NOT NULL,
+route text NOT NULL,
+capability text NOT NULL,
+CONSTRAINT fk_capability FOREIGN KEY (capability) REFERENCES 
capability(name) ON DELETE RESTRICT,
+UNIQUE (http_method, route, capability),
--- End diff --

so this allows us to put one route in many capabilities if needed, right? 
for example

GET /api/*/asns in asn-read
GET /api/*/asns in foo-read

that's what you want, right? just checking because if the idea is that an 
api can only belong to ONE capability, i believe that should change to 

UNIQUE (http_method, route),


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115863296
  
--- Diff: traffic_ops/app/lib/API/Capability.pm ---
@@ -0,0 +1,184 @@
+package API::Capability;
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+
+use UI::Utils;
+
+use Mojo::Base 'Mojolicious::Controller';
+use Data::Dumper;
+
+my $finfo = __FILE__ . ":";
+
+sub index {
+   my $self = shift;
+   my @data;
+   my $orderby = "name";
+   $orderby = $self->param('orderby') if ( defined $self->param('orderby') 
);
+
+   my $rs_data = $self->db->resultset("Capability")->search( undef, { 
order_by => $orderby } );
+   while ( my $row = $rs_data->next ) {
+   push(
+   @data, {
+   "name"=> $row->name,
+   "description" => $row->description,
+   "lastUpdated" => $row->last_updated
+   }
+   );
+   }
+   $self->success( \@data );
+}
+
+sub name {
+   my $self = shift;
+   my $name = $self->param('name');
+
+   my $rs_data = $self->db->resultset("Capability")->search( 'me.name' => 
$name );
+   my @data = ();
+   while ( my $row = $rs_data->next ) {
+   push(
+   @data, {
+   "name"=> $row->name,
+   "description" => $row->description,
+   "lastUpdated" => $row->last_updated
+   }
+   );
+   }
+   $self->success( \@data );
+}
+
+sub create {
+   my $self   = shift;
+   my $params = $self->req->json;
+
+   if ( !_oper($self) ) {
+   return $self->forbidden();
+   }
+
+   if ( !defined($params) ) {
+   return $self->alert("Parameters must be in JSON format.");
+   }
+
+   my $name= $params->{name}if defined( $params->{name} );
+   my $description = $params->{description} if defined( 
$params->{description} );
+
+   if ( !defined($name) or $name eq "" ) {
+   return $self->alert("Name is required.");
+   }
+
+   if ( !defined($description) or $description eq "" ) {
+   return $self->alert("Description is required.");
+   }
+
+   # check if capability exists
+   my $rs_data = $self->db->resultset("Capability")->search( { 'name' => { 
'like', $name } } )->single();
+   if ( defined($rs_data) ) {
+   return $self->alert("Capability '$name' already exists.");
+   }
+
+   my $values = {
+   name=> $name,
+   description => $description
+   };
+
+   my $insert = $self->db->resultset('Capability')->create($values);
+   my $rs = $insert->insert();
+   if ($rs) {
+   my $response;
+   $response->{name}= $rs->name;
+   $response->{description} = $rs->description;
+
+   ( $self, "Created Capability: '$response->{name}', 
'$response->{description}'", "APICHANGE" );
+
+   return $self->success( $response, "Capability was created." );
+   }
+   else {
+   return $self->alert("Capability creation failed.");
+   }
+}
+
+sub update {
+   my $self   = shift;
+   my $name   = $self->param('name');
+   my $params = $self->req->json;
+
+   if ( !_oper($self) ) {
+   return $self->forbidden();
+   }
+
+   if ( !defined($params) ) {
+   return $self->alert("Parameters must be in JSON format.");
+   }
+
+   my $description = $params->{description} if defined( 
$params->{description} );
+
+   my $capability = $self->db->resultset('Capability')->find( { name => 
$name } );
+   if ( !defined($capability) or $capability eq "" ) {
--- End diff --

i'm not sure this is needed:

or $capability eq ""


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115862965
  
--- Diff: traffic_ops/app/lib/API/Capability.pm ---
@@ -0,0 +1,184 @@
+package API::Capability;
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+
+use UI::Utils;
+
+use Mojo::Base 'Mojolicious::Controller';
+use Data::Dumper;
+
+my $finfo = __FILE__ . ":";
+
+sub index {
+   my $self = shift;
+   my @data;
+   my $orderby = "name";
+   $orderby = $self->param('orderby') if ( defined $self->param('orderby') 
);
+
+   my $rs_data = $self->db->resultset("Capability")->search( undef, { 
order_by => $orderby } );
+   while ( my $row = $rs_data->next ) {
+   push(
+   @data, {
+   "name"=> $row->name,
+   "description" => $row->description,
+   "lastUpdated" => $row->last_updated
+   }
+   );
+   }
+   $self->success( \@data );
+}
+
+sub name {
+   my $self = shift;
+   my $name = $self->param('name');
+
+   my $rs_data = $self->db->resultset("Capability")->search( 'me.name' => 
$name );
+   my @data = ();
--- End diff --

you might want to do this

if ( !defined($rs_data) ) { return $self->not_found(); }

so they get back a 404 instead of an empty result set if id is invalid


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115857172
  
--- Diff: 
traffic_ops/app/db/migrations/2017040601_create_capabilities_and_roles.sql 
---
@@ -0,0 +1,91 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 
implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+-- +goose Up
+-- SQL in section 'Up' is executed when this migration is applied
+
+
+-- capability
+CREATE TABLE capability (
+name text primary key UNIQUE NOT NULL,
--- End diff --

I like that the primary key is name and not id 👍 . I wish we would have 
done that on a bunch of our other tables.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115856064
  
--- Diff: docs/source/development/traffic_ops_api/v12/api_capability.rst ---
@@ -0,0 +1,367 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+.. http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-v12-api_capability:
+
+API-Capabilities
+
+
+.. _to-api-v12-api-capability-route:
+
+/api/1.2/api_capabilities
++
+
+**GET /api/1.2/api_capabilities**
+
+  Get all API-capability mappings.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Response Properties**
+
+  
+---++--+
+  |Parameter  |  Type  |   Description 
   |
+  
+===++==+
+  | ``id``| int| Mapping id.   
   |
+  
+---++--+
+  | ``httpMethod``| enum   | One of: 'GET', 'POST', 'PUT', 'PATCH', 
'DELETE'. |
+  
+---++--+
+  | ``route`` | string | API route.
   |
+  
+---++--+
+  | ``capName``   | string | Capability name.  
   |
+  
+---++--+
+  | ``lastUpdated``   | string |   
   |
+  
+---++--+
+
+  **Response Example** ::
+
+{
+ "response": [
+   {
+  "id": "6",
+  "httpMethod": "GET",
+  "route": "/api/*/asns",
+  "capName": "asn-read",
+  "lastUpdated": "2017-04-02 08:22:43"
+   },
+   {
+  "id": "7",
+  "httpMethod": "GET",
+  "route": "/api/*/asns/*",
+  "capName": "asn-read",
+  "lastUpdated": "2017-04-02 08:22:43"
+   }
+]
+}
+
+|
+
+**GET /api/1.2/api_capabilities/:id**
+
+  Get an API-capability mapping by id.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Request Route Parameters**
+
+  +-+--+-+
+  |Name | Required |Description  |
+  +=+==+=+
+  |   ``id``|   yes| Mapping id. |
+  +-+--+-+
+
+  **Response Properties**
+
+  
+---++--+
+  |Parameter  |  Type  |   Description 
   |
+  
+===++==+
+  | ``id``| int| Mapping id.   
   |
+  
+---++--+
+  | ``httpMethod``| enum   | One of: 'GET', 'POST', 'PUT', 'PATCH', 
'DELETE'. |
+  
+---++--+
+  | ``route`` | string | API route.
   |
+  
+---++--+
+  | ``capName``   | string | Capability name.  
   |
+  
+---++--+
+  | ``lastUpdated``   | string |   
   |
+  
+---++--+
+
+  **Response Example** ::
+
+{
+ "response": [

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115894997
  
--- Diff: traffic_ops/app/t/api/1.2/api_capabilities.t ---
@@ -0,0 +1,232 @@
+package main;
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use Mojo::Base -strict;
+use Test::More;
+use Test::Mojo;
+use DBI;
+use strict;
+use warnings;
+no warnings 'once';
+use warnings 'all';
+use Test::TestHelper;
+
+#no_transactions=>1 ==> keep fixtures after every execution, beware of 
duplicate data!
+#no_transactions=>0 ==> delete fixtures after every execution
+
+BEGIN { $ENV{MOJO_MODE} = "test" }
+
+my $schema = Schema->connect_to_database;
+my $dbh= Schema->database_handle;
+my $t  = Test::Mojo->new('TrafficOps');
+
+my $false = 0;
--- End diff --

I don't see where you are using these variables. plus, per our resident 
perl expert, @dangogh, this is not a good idea.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115854793
  
--- Diff: docs/source/development/traffic_ops_api/v12/api_capability.rst ---
@@ -0,0 +1,367 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+.. http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-v12-api_capability:
+
+API-Capabilities
+
+
+.. _to-api-v12-api-capability-route:
+
+/api/1.2/api_capabilities
++
+
+**GET /api/1.2/api_capabilities**
+
+  Get all API-capability mappings.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Response Properties**
+
+  
+---++--+
+  |Parameter  |  Type  |   Description 
   |
+  
+===++==+
+  | ``id``| int| Mapping id.   
   |
+  
+---++--+
+  | ``httpMethod``| enum   | One of: 'GET', 'POST', 'PUT', 'PATCH', 
'DELETE'. |
+  
+---++--+
+  | ``route`` | string | API route.
   |
+  
+---++--+
+  | ``capName``   | string | Capability name.  
   |
+  
+---++--+
+  | ``lastUpdated``   | string |   
   |
+  
+---++--+
+
+  **Response Example** ::
+
+{
+ "response": [
+   {
+  "id": "6",
+  "httpMethod": "GET",
+  "route": "/api/*/asns",
+  "capName": "asn-read",
+  "lastUpdated": "2017-04-02 08:22:43"
+   },
+   {
+  "id": "7",
+  "httpMethod": "GET",
+  "route": "/api/*/asns/*",
+  "capName": "asn-read",
+  "lastUpdated": "2017-04-02 08:22:43"
+   }
+]
+}
+
+|
+
+**GET /api/1.2/api_capabilities/:id**
+
+  Get an API-capability mapping by id.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Request Route Parameters**
+
+  +-+--+-+
+  |Name | Required |Description  |
+  +=+==+=+
+  |   ``id``|   yes| Mapping id. |
+  +-+--+-+
+
+  **Response Properties**
+
+  
+---++--+
+  |Parameter  |  Type  |   Description 
   |
+  
+===++==+
+  | ``id``| int| Mapping id.   
   |
+  
+---++--+
+  | ``httpMethod``| enum   | One of: 'GET', 'POST', 'PUT', 'PATCH', 
'DELETE'. |
+  
+---++--+
+  | ``route`` | string | API route.
   |
+  
+---++--+
+  | ``capName``   | string | Capability name.  
   |
+  
+---++--+
+  | ``lastUpdated``   | string |   
   |
+  
+---++--+
+
+  **Response Example** ::
+
+{
+ "response": [

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115894801
  
--- Diff: traffic_ops/app/lib/TrafficOpsRoutes.pm ---
@@ -669,6 +669,22 @@ sub api_routes {
# Supports ?orderby=key
$r->get("/api/$version/roles")->over( authenticated => 1 )->to( 
'Role#index', namespace => $namespace );
 
+   # -- CAPABILITIES
+   # Supports ?orderby=key
+   $r->get("/api/$version/capabilities")->over( authenticated => 1 )->to( 
'Capability#index', namespace => $namespace );
+   $r->get("/api/$version/capabilities/:name")->over( authenticated => 1 
)->to( 'Capability#name', namespace => $namespace );
+   $r->put("/api/$version/capabilities/:name")->over( authenticated => 1 
)->to( 'Capability#update', namespace => $namespace );
+   $r->post("/api/$version/capabilities")->over( authenticated => 1 )->to( 
'Capability#create', namespace => $namespace );
+   $r->delete("/api/$version/capabilities/:name")->over( authenticated => 
1 )->to( 'Capability#delete', namespace => $namespace );
+
+   # -- API-CAPABILITIES
+   # Supports ?orderby=key
+   $r->get("/api/$version/api_capabilities")->over( authenticated => 1 
)->to( 'ApiCapability#index', namespace => $namespace );
+   $r->get("/api/$version/api_capabilities/:id")->over( authenticated => 1 
)->to( 'ApiCapability#show', namespace => $namespace );
+   $r->put("/api/$version/api_capabilities/:id")->over( authenticated => 1 
)->to( 'ApiCapability#update', namespace => $namespace );
+   $r->post("/api/$version/api_capabilities")->over( authenticated => 1 
)->to( 'ApiCapability#create', namespace => $namespace );
+   $r->delete("/api/$version/api_capabilities/:id")->over( authenticated 
=> 1 )->to( 'ApiCapability#delete', namespace => $namespace );
+
--- End diff --

do you plan to create apis for associated capabilities with roles?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115895225
  
--- Diff: traffic_ops/app/t/api/1.2/capabilities.t ---
@@ -0,0 +1,183 @@
+package main;
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use Mojo::Base -strict;
+use Test::More;
+use Test::Mojo;
+use DBI;
+use strict;
+use warnings;
+no warnings 'once';
+use warnings 'all';
+use Test::TestHelper;
+
+#no_transactions=>1 ==> keep fixtures after every execution, beware of 
duplicate data!
+#no_transactions=>0 ==> delete fixtures after every execution
+
+BEGIN { $ENV{MOJO_MODE} = "test" }
+
+my $schema = Schema->connect_to_database;
+my $dbh= Schema->database_handle;
+my $t  = Test::Mojo->new('TrafficOps');
+
+my $false = 0;
--- End diff --

again, i don't think you need these.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115855843
  
--- Diff: docs/source/development/traffic_ops_api/v12/api_capability.rst ---
@@ -0,0 +1,367 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+.. http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-v12-api_capability:
+
+API-Capabilities
+
+
+.. _to-api-v12-api-capability-route:
+
+/api/1.2/api_capabilities
++
+
+**GET /api/1.2/api_capabilities**
+
+  Get all API-capability mappings.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Response Properties**
+
+  
+---++--+
+  |Parameter  |  Type  |   Description 
   |
+  
+===++==+
+  | ``id``| int| Mapping id.   
   |
+  
+---++--+
+  | ``httpMethod``| enum   | One of: 'GET', 'POST', 'PUT', 'PATCH', 
'DELETE'. |
+  
+---++--+
+  | ``route`` | string | API route.
   |
+  
+---++--+
+  | ``capName``   | string | Capability name.  
   |
+  
+---++--+
+  | ``lastUpdated``   | string |   
   |
+  
+---++--+
+
+  **Response Example** ::
+
+{
+ "response": [
+   {
+  "id": "6",
+  "httpMethod": "GET",
+  "route": "/api/*/asns",
+  "capName": "asn-read",
+  "lastUpdated": "2017-04-02 08:22:43"
+   },
+   {
+  "id": "7",
+  "httpMethod": "GET",
+  "route": "/api/*/asns/*",
+  "capName": "asn-read",
+  "lastUpdated": "2017-04-02 08:22:43"
+   }
+]
+}
+
+|
+
+**GET /api/1.2/api_capabilities/:id**
+
+  Get an API-capability mapping by id.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Request Route Parameters**
+
+  +-+--+-+
+  |Name | Required |Description  |
+  +=+==+=+
+  |   ``id``|   yes| Mapping id. |
+  +-+--+-+
+
+  **Response Properties**
+
+  
+---++--+
+  |Parameter  |  Type  |   Description 
   |
+  
+===++==+
+  | ``id``| int| Mapping id.   
   |
+  
+---++--+
+  | ``httpMethod``| enum   | One of: 'GET', 'POST', 'PUT', 'PATCH', 
'DELETE'. |
+  
+---++--+
+  | ``route`` | string | API route.
   |
+  
+---++--+
+  | ``capName``   | string | Capability name.  
   |
+  
+---++--+
+  | ``lastUpdated``   | string |   
   |
+  
+---++--+
+
+  **Response Example** ::
+
+{
+ "response": [

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115859251
  
--- Diff: 
traffic_ops/app/db/migrations/2017040601_create_capabilities_and_roles.sql 
---
@@ -0,0 +1,91 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 
implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+-- +goose Up
+-- SQL in section 'Up' is executed when this migration is applied
+
+
+-- capability
+CREATE TABLE capability (
+name text primary key UNIQUE NOT NULL,
+description text,
+last_updated timestamp with time zone DEFAULT now()
+);
+
+CREATE TRIGGER on_update_current_timestamp BEFORE UPDATE ON capability FOR 
EACH ROW EXECUTE PROCEDURE on_update_current_timestamp_last_updated();
+
+-- http_method_t (enum)
+CREATE TYPE http_method_t as ENUM ('GET', 'POST', 'PUT', 'PATCH', 
'DELETE');
+
+-- api_capability
+
+CREATE TABLE api_capability (
+id BIGSERIAL primary key NOT NULL,
+http_method http_method_t NOT NULL,
+route text NOT NULL,
+capability text NOT NULL,
+CONSTRAINT fk_capability FOREIGN KEY (capability) REFERENCES 
capability(name) ON DELETE RESTRICT,
+UNIQUE (http_method, route, capability),
+last_updated timestamp with time zone DEFAULT now()
+);
+
+CREATE TRIGGER on_update_current_timestamp BEFORE UPDATE ON api_capability 
FOR EACH ROW EXECUTE PROCEDURE on_update_current_timestamp_last_updated();
+
+-- role_capability
+CREATE TABLE role_capability (
+role_id bigint NOT NULL,
--- End diff --

just making sure this does what expected.

on role delete, delete all entries in role_capability where role_id = 
deleted role id
on capability delete, delete all entries in role_capability where cap_name 
= deleted cap name


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115856573
  
--- Diff: docs/source/development/traffic_ops_api/v12/capability.rst ---
@@ -0,0 +1,271 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+.. http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-v12-capability:
+
+Capabilities
+
+
+.. _to-api-v12-capability-route:
+
+/api/1.2/capabilities
++
+
+**GET /api/1.2/capabilities**
+
+  Get all capabilities.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Response Properties**
+
+  
+---++-+
+  |Parameter  |  Type  |   Description 
  |
+  
+===++=+
+  | ``name``  | string | Capability name.  
  |
+  
+---++-+
+  | ``description``   | string | Describing the APIs covered by the 
capability.  |
+  
+---++-+
+  | ``lastUpdated``   | string |   
  |
+  
+---++-+
+
+  **Response Example** ::
+
+{
+ "response": [
+   {
+  "name": "cdn-read",
+  "description": "View CDN configuration",
+  "lastUpdated": "2017-04-02 08:22:43"
+   },
+   {
+  "name": "cdn-write",
+  "description": "Create, edit or delete CDN configuration",
+  "lastUpdated": "2017-04-02 08:22:43"
+   }
+]
+}
+
+|
+
+**GET /api/1.2/capabilities/:name**
+
+  Get a capability by name.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Request Route Parameters**
+
+  +-+--+-+
+  |Name | Required |Description  |
+  +=+==+=+
+  |   ``name``  |   yes| Capability name.|
+  +-+--+-+
+
+  **Response Properties**
+
+  
+---++-+
+  |Parameter  |  Type  |   Description 
  |
+  
+===++=+
+  | ``name``  | string | Capability name.  
  |
+  
+---++-+
+  | ``description``   | string | Describing the APIs covered by the 
capability.  |
+  
+---++-+
+  | ``lastUpdated``   | string |   
  |
+  
+---++-+
+
+  **Response Example** ::
+
+{
+ "response": [
+   {
+  "name": "cdn-read",
+  "description": "View CDN configuration",
+  "lastUpdated": "2017-04-02 08:22:43"
+   }
+]
+}
+
+|
+
+**POST /api/1.2/capabilities**
+
+  Create a capability.
+
+  Authentication Required: Yes
+
+  Role(s) Required:  admin or oper
+
+  **Request Parameters**
+
+  
+---++-+
+  |Parameter  |  Type  |   Description 
  |
--- End diff --

can you add a required column here too?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-10 Thread mitchell852 
Github user mitchell852 commented on a diff in the pull request:


https://github.com/apache/incubator-trafficcontrol/pull/544#discussion_r115855505
  
--- Diff: docs/source/development/traffic_ops_api/v12/api_capability.rst ---
@@ -0,0 +1,367 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+.. http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-v12-api_capability:
+
+API-Capabilities
+
+
+.. _to-api-v12-api-capability-route:
+
+/api/1.2/api_capabilities
++
+
+**GET /api/1.2/api_capabilities**
+
+  Get all API-capability mappings.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Response Properties**
+
+  
+---++--+
+  |Parameter  |  Type  |   Description 
   |
+  
+===++==+
+  | ``id``| int| Mapping id.   
   |
+  
+---++--+
+  | ``httpMethod``| enum   | One of: 'GET', 'POST', 'PUT', 'PATCH', 
'DELETE'. |
+  
+---++--+
+  | ``route`` | string | API route.
   |
+  
+---++--+
+  | ``capName``   | string | Capability name.  
   |
+  
+---++--+
+  | ``lastUpdated``   | string |   
   |
+  
+---++--+
+
+  **Response Example** ::
+
+{
+ "response": [
+   {
+  "id": "6",
+  "httpMethod": "GET",
+  "route": "/api/*/asns",
+  "capName": "asn-read",
+  "lastUpdated": "2017-04-02 08:22:43"
+   },
+   {
+  "id": "7",
+  "httpMethod": "GET",
+  "route": "/api/*/asns/*",
+  "capName": "asn-read",
+  "lastUpdated": "2017-04-02 08:22:43"
+   }
+]
+}
+
+|
+
+**GET /api/1.2/api_capabilities/:id**
+
+  Get an API-capability mapping by id.
+
+  Authentication Required: Yes
+
+  Role(s) Required: None
+
+  **Request Route Parameters**
+
+  +-+--+-+
+  |Name | Required |Description  |
+  +=+==+=+
+  |   ``id``|   yes| Mapping id. |
+  +-+--+-+
+
+  **Response Properties**
+
+  
+---++--+
+  |Parameter  |  Type  |   Description 
   |
+  
+===++==+
+  | ``id``| int| Mapping id.   
   |
+  
+---++--+
+  | ``httpMethod``| enum   | One of: 'GET', 'POST', 'PUT', 'PATCH', 
'DELETE'. |
+  
+---++--+
+  | ``route`` | string | API route.
   |
+  
+---++--+
+  | ``capName``   | string | Capability name.  
   |
+  
+---++--+
+  | ``lastUpdated``   | string |   
   |
+  
+---++--+
+
+  **Response Example** ::
+
+{
+ "response": [

[GitHub] incubator-trafficcontrol pull request #544: Authorization model

2017-05-04 Thread naamashoresh 
GitHub user naamashoresh opened a pull request:

https://github.com/apache/incubator-trafficcontrol/pull/544

Authorization model

A new PR instead of #435 with fixes according to comments by @mitchell852 

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/naamashoresh/incubator-trafficcontrol 
authorization_model

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/incubator-trafficcontrol/pull/544.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #544


commit 3f863ee60b6c86f327b7f177853e57d466528f0b
Author: naamashoresh 
Date:   2017-05-04T07:26:17Z

Authorization model -
Adding tables: capability (list of available capabilities), api_capability 
mapping, role_capability mapping & user_role.
Seeding capability & api_capability tables. Also seeding root role.

(cherry picked from commit 4879a2c1138a37786df2fe8652edae3592a4bd12)

commit c3ed3420e4cfade43452bc6d7619eea193b290b2
Author: naamashoresh 
Date:   2017-05-04T07:28:18Z

Adding capabilities & api_capalities APIs

(cherry picked from commit db31205f6cdae581f072a34347f057441721b31c)

commit f46f1e3f133690e410b023594ccbdf368c7830b4
Author: naamashoresh 
Date:   2017-05-04T07:29:00Z

Unit tests for new capabilities & api_capabilities APIs

(cherry picked from commit 78f2f846074d61171a88aa78fd07ec994686)

commit e69ee7f34c646a849a6161fa7af58bfc18e83f0e
Author: naamashoresh 
Date:   2017-05-04T07:30:12Z

Documentation for new capabilities & api_capabilities APIs.

(cherry picked from commit d79f76c2deb11ffbd3f237d4833bac03d87ca61b)

commit f1169d56b55229aae614b8fd5c9e9faa9e615d78
Author: naamashoresh 
Date:   2017-05-04T11:47:10Z

Applying review comments by mitchell852

(cherry picked from commit 0dcee94a32d78da1561038407710662783bed327)




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---