-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OEP-66: Authorization Best Practices #520
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hsinkoff I left a couple of small comments but this generally looks good. Do you want to take a pass through this before we push this out of draft and open it up for general review?
- `OEP-04`_, `OEP-42`_ | ||
|
||
.. _OEP-04: https://open-edx-proposals.readthedocs.io/en/latest/oeps/oep-0004.html | ||
.. _OEP-42: https://open-edx-proposals.readthedocs.io/en/latest/best-practices/oep-0042-bp-authentication.html |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- `OEP-04`_, `OEP-42`_ | |
.. _OEP-04: https://open-edx-proposals.readthedocs.io/en/latest/oeps/oep-0004.html | |
.. _OEP-42: https://open-edx-proposals.readthedocs.io/en/latest/best-practices/oep-0042-bp-authentication.html | |
- | |
* :doc:`/architectural-decisions/oep-0004-arch-oauth-scopes` | |
* :doc:`/best-practices/oep-0042-bp-authentication` |
When in the same repo, we should link to the local version of the document so that local builds don't accidentally point to the deployed docs.
Implicit roles grant users permissions, but are not specifically assigned | ||
to a user. | ||
|
||
Systems/Protocols Overview |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be useful to move the Best Practice
section above this overview since that is meant to replace these other ways of managing permissions. I think it would also be helpful to be more clear that these tactics should be avoided unless there are very good reasons not to do this.
@feanil Yes, give me 24 hours to make the updates first. |
oeps/best-practices/oep-0066/Open_edX_Authorization_Systems_Table.rst
Outdated
Show resolved
Hide resolved
One more day for general review, then I'll do a final review to figure out if there are any changes needed before we can merge this. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks really great - thanks for the hard work on this, everyone. I added just a couple questions and some style notes (particularly, "Open edX" is an adjective per our trademark guidelines).
|
||
There are a variety of manners in which authorization is handled within the Open edX ecosystem. | ||
The goal of OEP-66 is to provide best practices that should be used with all the | ||
systems/protocols and outline the currently in use systems/protocols. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
systems/protocols and outline the currently in use systems/protocols. | |
systems/protocols and outline the systems/protocols currently in use. |
I had to reread this phrasing a few times to understand what was trying to be said
* - Authors | ||
- Hilary Sinkoff (hsinkoff@2u.com), Jeremy Bowman (jbowman@edx.org) | ||
* - Arbiter | ||
- Feanil Patel |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Feanil Patel | |
- Feanil Patel <feanil@axim.org> |
Best Practices Motivation | ||
-------------------------- | ||
To date, the implementation and verification of permissions have been somewhat | ||
conflated in the edX codebase. When a user attempts an action which is not |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
conflated in the edX codebase. When a user attempts an action which is not | |
conflated in the Open edX codebase. When a user attempts an action which is not |
unified documentation on the systems/protocols. This OEP aims to compile existing | ||
knowledge and documentation into a central document that will give an overview of each | ||
system/protocol. The aim is not to be the only source of information for each system/protocol, | ||
but rather a starting point when learning about authorization within Open edX. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
but rather a starting point when learning about authorization within Open edX. | |
but rather a starting point when learning about authorization within the Open edX codebase. |
"Open edX" should be used as an adjective
it can be difficult to avoid accidentally changing other permissions with | ||
a similar implementation. | ||
|
||
In Use System/Protocol Motivation |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This title confuses me and I don't know what even to suggest. Is it something like, "Currently Used Systems/Protocols"?
Open edX Authorization Systems Diagram | ||
|
||
.. image:: oep-0066/Open_edX_Authorization.png | ||
:alt: A diagram that shows the different systems/protocols used in Open edX to control authorization. The information in the diagram is also in the Open edX Authorization Systems Table (linked to in this document). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
:alt: A diagram that shows the different systems/protocols used in Open edX to control authorization. The information in the diagram is also in the Open edX Authorization Systems Table (linked to in this document). | |
:alt: A diagram that shows the different systems/protocols used in the Open edX codebase to control authorization. The information in the diagram is also in the Open edX Authorization Systems Table (linked to in this document). |
|
||
oep-0066/Open_edX_Authorization_Systems_Table.rst | ||
|
||
django Admin (auth_permission) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a reason django
is lowercase in this section but uppercase previously?
In this way, it can grant permissions to a user that they will not be able to use. | ||
|
||
auth_permission users and groups are assigned through the django Admin Dashboard. Each | ||
service can have its own django Admin Dashboard. In Open edX, the LMS django Admin Dashboard |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
service can have its own django Admin Dashboard. In Open edX, the LMS django Admin Dashboard | |
service can have its own django Admin Dashboard. In the Open edX software, the LMS django Admin Dashboard |
on data that is not role assignment data. | ||
|
||
Implicit roles grant users permissions, but are not specifically assigned | ||
to a user. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Implicit roles don't seem... good? I understand this is just a definition section, but this definition leaves me scratching my head about the "why" this would possibly exist in a system
* auth_user_groups table with group_id, id, user_id, _sdc_deleted_at fields | ||
* auth_user_user_permissions table with id, permission_id, user_id fields | ||
|
||
edX rbac |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
since this is a code package should we call it edx-rbac
(with dash, no lower case) here and within the following table?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hsinkoff: Apologies that I forgot about this and can't immediately get to a detailed review. I understand that that means this will land without that, which is completely fine. Another general comment is that there might be some definitions or details that are noted in https://openedx.atlassian.net/wiki/spaces/AC/pages/935919751/Authorization that might be helpful. For example, what is a "system-wide role" and what are examples? What is a super user, and global staff, etc.? Something to consider. We discussed this doc in the past, so maybe you've already captured everything you wish to.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for bringing in some updates from my examples from https://openedx.atlassian.net/wiki/spaces/AC/pages/935919751/Authorization. Rather than me going through each point, I'd like to ask my question in a different way...
Once this OEP lands, would you feel comfortable archiving the above Confluence doc with a note that reads that its contents are now represented in OEP-66. If the answer is yes, great. If the answer is no, please consider moving in whatever gaps you find.
Also, maybe you can respond with a comment as well, if needed. For example, do you think the diagrams in that document are redundant, or unclear, or misleading, or unhelpful?
I'm hopeful that this OEP can replace older Authorization related documentation, which is why I ask. This is what I did with legacy Authentication related documentation when creating the AuthN OEP.
Thank you. Also, I don't have really strong opinions because my head is not in that space. @iloveagent57 made edits to that page, so maybe he has stronger opinions?
One additional diagram, along with text describing the diagram, and key take-aways from it have been added to the OEP. With this addition, I think the OEP will allow for archiving https://openedx.atlassian.net/wiki/spaces/AC/pages/935919751/Authorization |
* Global Staff - propogated in JWTs as the "administrator" field | ||
|
||
Example AuthZ User Access Flows | ||
------------------------------- | ||
.. image:: oep-0066/Open_edX_Authorization_User_Flows.png |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you provide a link to the diagram source as well?
..
Something like this might add a hidden note in the doc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The diagram was created specifically for this OEP.
It is based on one in https://openedx.atlassian.net/wiki/spaces/AC/pages/935919751/Authorization, but with a few modifications aimed at highlighting certain use cases. The changes are significant enough that I don't think we'd want to link to that diagram as the source.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right. I meant the source of the new png. How was it created, and what happens if someone wants to update it? (Same might be true of other diagrams.)
Exported Diagrams. In order to keep diagrams updated across time, they will need to be exported from whichever tool they were created in, with the exported version maintained in GitHub.
- draw.io diagrams will be exported and imported as XML files.
- Lucidchart diagrams will be exported and imported as Visio (VDX) files.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've re-worked the diagrams in order to ensure they are editable in the future. I've also separated the data tables by diagram. Please take a look when you have a chance.
d853396
to
8d1333f
Compare
8d1333f
to
200f65a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like all comments have been addressed and I see no major issues. I'm marking this OEP as accepted and will merge it shortly.
No description provided.