Add node level permissions ECFLOW-1960 #189
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## develop #189 +/- ##
===========================================
- Coverage 48.70% 48.70% -0.01%
===========================================
Files 1221 1228 +7
Lines 96120 96492 +372
Branches 14833 14886 +53
===========================================
+ Hits 46818 46992 +174
- Misses 49302 49500 +198 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
marcosbento
force-pushed
the
feature/node_level_permissions
branch
2 times, most recently
from
5979bfd to
826cef9
Compare
marcosbento
force-pushed
the
feature/node_level_permissions
branch
from
826cef9 to
07d0121
Compare
marcosbento
force-pushed
the
feature/node_level_permissions
branch
3 times, most recently
from
0cac4ce to
f362f13
Compare
marcosbento
force-pushed
the
feature/node_level_permissions
branch
from
f362f13 to
6012771
Compare
marcosbento
force-pushed
the
feature/node_level_permissions
branch
5 times, most recently
from
ec103ab to
7c0468f
Compare
marcosbento
force-pushed
the
feature/node_level_permissions
branch
from
7c0468f to
8861c20
Compare
marcosbento
force-pushed
the
feature/node_level_permissions
branch
2 times, most recently
from
afc9cfd to
abce382
Compare
marcosbento
force-pushed
the
feature/node_level_permissions
branch
2 times, most recently
from
d02c59e to
741fd06
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR implements node-level permissions for the ECflow server system. The changes introduce a comprehensive authentication and authorization framework that enables fine-grained access control based on user permissions defined at different levels in the node hierarchy.
- Replaces legacy authentication methods with a new Identity-based system that supports multiple authentication types (user, custom user, secure user, and task)
- Introduces a permissions system using PERMISSIONS variables that can be defined at server, suite, and node levels with inheritance and override capabilities
- Refactors server environment handling to separate authentication and authorization concerns into dedicated services
Reviewed Changes
Copilot reviewed 144 out of 145 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| libs/server/src/ecflow/server/ServerEnvironment.hpp | Replaces password file handling with AuthenticationService and AuthorisationService |
| libs/server/src/ecflow/server/TcpBaseServer.cpp | Adds identity extraction and assignment to commands |
| libs/node/src/ecflow/node/permissions/* | New permissions framework with Allowed, Permission, Permissions, and ActivePermissions classes |
| libs/core/src/ecflow/core/Identity.hpp | New identity system supporting various user types and authentication methods |
| libs/base/src/ecflow/base/cts/user/*.cpp | Updates user commands to use new authentication/authorization framework |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
marcosbento
force-pushed
the
feature/node_level_permissions
branch
3 times, most recently
from
34d88ea to
b8be18c
Compare
marcosbento
force-pushed
the
feature/node_level_permissions
branch
5 times, most recently
from
2311079 to
c130e9a
Compare
marcosbento
force-pushed
the
feature/node_level_permissions
branch
from
c130e9a to
a4a5821
Compare
marcosbento
force-pushed
the
feature/node_level_permissions
branch
from
f375e1e to
a2472a8
Compare
marcosbento
force-pushed
the
feature/node_level_permissions
branch
2 times, most recently
from
069fdec to
8559db5
Compare
marcosbento
force-pushed
the
feature/node_level_permissions
branch
3 times, most recently
from
6e0fdf0 to
f5b2ec8
Compare
Re ECFLOW-1960
Re ECFLOW-1960
Based on the latest discussion, the permissions selection algorithm should only permit restraining allowances when navigating the node tree from the server to the leaves (e.g. a user that starts by having 'rw' permissions, can in a lower node be allowed only 'r' but never will he be allowed to 'rwx'). Re ECFLOW-1960
The server itself (i.e. the Server implementation class) should not be involved in authorisation, as internally all user data is effectively stores as part of the Defs object. Re ECFLOW-1960
Extend the 'rwxo' permissions to 'rwxos' where 's' stands for sticky, and protects the rights of admin users for which the access rights must be safe-guarded. Once a permissions is classified as Sticky, the usual permissions override mechanism is disabled. Re ECFLOW-1960
Re ECFLOW-1960
Re ECFLOW-1960
marcosbento
force-pushed
the
feature/node_level_permissions
branch
from
f5b2ec8 to
df60070
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🌦️ >> Documentation << 🌦️
https://sites.ecmwf.int/docs/dev-section/ecflow/pull-requests/PR-189