Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TBD IAM <-> Workspace integration allow a user to select other platform users or groups to access shared data #36

Open
achtsnits opened this issue Nov 21, 2024 · 2 comments
Open

TBD IAM <-> Workspace integration allow a user to select other platform users or groups to access shared data #36

achtsnits opened this issue Nov 21, 2024 · 2 comments
Labels
TBD needs discussion and agreement

Comments

@achtsnits
Copy link
Collaborator

at the moment data sharing works via obfuscated links, i.e. anyone with the link hash can access

Salvatore raised the requirement to explicitly select users/groups during data sharing process

questions (partially discussed in meeting 21.11.2024) in this regard

  • should a user of the WorkspaceUI be allowed to see all users and groups (=projects) of the platform so he can pick or may that cause concerns like GDPR,... (technically possible and already verified to retrieve all users and groups of Keycloak from WorkspaceUI)
  • who is responsible to enforce authorization, done in WorkspaceUI->StorageLayer or should there be a IAM BB sitting in front of the Link (Ingress!)
@achtsnits achtsnits added the TBD needs discussion and agreement label Nov 21, 2024
@achtsnits achtsnits mentioned this issue Nov 21, 2024
Closed
@w-scho
Copy link

w-scho commented Nov 22, 2024

Some thoughts regarding enforcement for shared links:
I assume that the list of users who shall be able to access each link differs between links and is typically not known to the IAM. So it cannot protect them systematically without additional information from the Workspace BB.
A simple way to provide this information could be to create an individual link for each user and include the user name or (better) UUID in the path. This would allow the IAM to protect the links in a systematic way using a very simple policy, but somewhat limits the versatility of the shared links. At least on the group level, however, the approach would also work, so that a single link could be shared among a defined group of users.
If more flexibility is required, the Workspace BB needs to provide the relevant information in another way, e.g. by offering access to the list of valid links and the associated users through an API. This way, OPAL could retrieve and replicate this list into OPA, or OPA itself could retrieve single associations on demand. However, this approach would add noticeable complexity and may therefore be less attractive than enforcing authorization within the Workspace BB itself.

@achtsnits
Copy link
Collaborator Author

I like your idea to include the user-guid or group-guid encoded in the link, thanks for this input!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
TBD needs discussion and agreement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@achtsnits @w-scho