Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
Documentation
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Rachael Hu
Documentation
Commits
6a17fd13
Commit
6a17fd13
authored
Sep 01, 2015
by
twl8n
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Authentication and authorization edits
parent
47fe5cc1
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
37 additions
and
31 deletions
+37
-31
requirements.md
tat_requirements/requirements.md
+37
-31
No files found.
tat_requirements/requirements.md
View file @
6a17fd13
...
@@ -485,39 +485,45 @@ Authentication is validating user logins to the system. Authorization is
...
@@ -485,39 +485,45 @@ Authentication is validating user logins to the system. Authorization is
the related aspect of controlling which parts of the system users may
the related aspect of controlling which parts of the system users may
access (or even which parts they may know exist).
access (or even which parts they may know exist).
Authentication systems require excessively careful programming since
We can use OpenID for authentication, but we will need a user profile for SNAC roles and authorization. There
they are always attacked. The usual recommendation is to use an
are examples of PHP code to implement OpenID at stackexchange:
off-the-shelf authentication system although this is often difficult
since system requirements vary widely. We should search for an open
http://stackoverflow.com/questions/4459509/how-to-use-open-id-as-login-system
source authentication system, and only write our own if nothing
exists.^
[
[r
]
](#cmnt18)^
OpenID seems to constantly be changing, and sites using change frequently. Google has (apparently) deprecated
OpenID 2.0 in favor of Open Connect. Facebook is using something else, but apparently FB still works with
Authorization involves controlling what users can do once they are in
OpenID. Stackexchange supports several authentication schemes. If they can do it, so can we. Or we can support
the system. The default is that they can't do anything that isn’t
one scheme for starters and add others as necessary. The SE code is not open source, so we can't see how much
exposed to the non-authenticated public users. Privileges are added and
work it was to support the various OpenID partners.
users are put into groups from which they inherit privileges, and some
privileges can be granted on a per-user basis. The authorization system
Authorization involves controlling what users can do once they are in the system. That function is sort of
is involved in every transaction with the server to the extent that
more solved by OAuth or OpenID by sharing the user profile. However, SNAC has specific requirements,
every request to the server is check for authorization before being
especially our roles, and those will not be found in other system. There is not anything we must have from
passed to the code doing the real work.
user profiles. We might want their social networking profile, but social networking is not a core function of
SNAC.
The Linux model of three privilege types "user", “group”, and “other”
works well for authorization permissions and we should use this model.
By default users can't do anything that isn't exposed to the non-authenticated public users. Privileges are
"User" is an authenticated user. “Group” is a set of users, and a user
added and users are given roles (aka groups) from which they inherit privileges. The authorization system is
may belong to several groups. "Other" is any non-authenticated user.
involved in every transaction with the server to the extent that every request to the server is checked for
Users can be in multiple groups and have all the privileges of all the
authorization before being passed to the code doing the real work.
groups to which they belong. Groups membership can change, therefore we
need UI and code to manage that. User information such as name, phone
The Linux model of three privilege types "user", "group", and "other" works well for authorization permissions
number, and even password can also change. User ID values cannot be
and we should use this model. "User" is an authenticated user. "Group" is a set of users, and a user may
changed, and a user ID is never reused.
belong to several groups. Outside the Linux world "group" is known as "role", so SNAC will call them
"roles". "Other" privileges apply to SNAC as public, non-authenticated users.
By and large when we refer to "accounts" we mean web accounts managed by
the Manager/Web admin. It should be possible to use the discovery
Users can have several roles, and will have all the privileges of all the roles they fill. Role membership is
interface without an account, but saving history, searches, and other
managed by an administrative UI and related API code. User information such as name, phone number, and even
password can also change. User ID values cannot be changed, and a user ID is never reused, even after account
deletion.
By and large when we refer to "accounts" we mean web accounts managed by the Manager/Web admin. The general
public can use the discovery interface without an account, but saving search history, and other
session related discovery tools requires an account.
session related discovery tools requires an account.
Every account will be in the "Researcher" group (role). Privileges are
Every account will be in the "Researcher" role which has the same privileges as the general public, but with a
managed by adding other groups to an individual user's account.
TBD set of basic privileges including: search history, certain researcher reports.
[
](#)[
](
#
)
[
](#)[
](
#
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment