[MGNLREST-110] Implement improved REST roles
Created: 04/Sep/17  Updated: 24/Oct/17  Resolved: 11/Sep/17

Status: Closed
Project: Magnolia REST Framework
Component/s: delivery, integration
Affects Version/s: None
Fix Version/s: 2.0

Type: Improvement
Priority: Major
Reporter: Mikaël Geljić
Assignee: Dai Ha
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: 0d
Time Spent: 2d 7h
Original Estimate: 2.5d

Issue Links:
Relates
relates to MAGNOLIA-7141 Move RemoveRoleFromUserTask which was... Open
causality
is causing MGNLREST-131 rest-service commands-endpoint config... Closed
is causing MGNLREST-113 Results of rest under anonymous will ... Closed
dependency
depends upon MGNLREST-109 Add a delivery base-path Closed
is depended upon by MGNLCACHE-183 Update CacheBrowserAppModuleVersionHa... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Date of First Response:
Epic Link: REST Headless bundle
Sprint: Saigon 112, Saigon 113
Story Points: 3

 Description   

Implement new roles, as per concept - REST Permissions.

The basic proposal is three roles covering different scenarios: rest-admin, rest-anonymous, and rest-editor (the latter renamed from current rest role).

e.g. for rest-admin
Role name: rest-admin
Full name: REST Administrator
Role description: This role bla bla bla...

(Currently, most roles seem to use description as full name, but let's get this better for rest)



 Comments   
Comment by Dai Ha [ 06/Sep/17 ]

As the document mentions renaming the current 'rest' role to the new 'rest-editor', this should be done in the version handler, but it is causing bootstrap errors in other modules. Affected modules so far:

magnolia-rest-services
magnolia-rest-tools
magnolia-cache-browser-app

Suggested solutions are either:

  • keep the 'rest' role; only superuser will need to change role to 'rest-admin', and all other users will have their roles remain unchanged.
    OR
  • assume that we manage to implement a job that runs at the end of deployment; this job should
    + scan for all users, remove the current 'rest' role, keep the affected users.
    + rename role 'rest' to 'rest-editor'
    + set the new role 'rest-editor' on the affected users.

mgeljic, could you please give your opinion on the above issues?

Comment by Mikaël Geljić [ 07/Sep/17 ]
  • For rest submodules, we should be able to update the source for fresh install
  • Only the rest-integration VH executes the rename in the delta
  • For cache-browser, update the version of the module-dependency to rest-integration to 2.0/*, and update the VH extra-install task to look up the new path (rest-editor)

Comment by Mikaël Geljić [ 07/Sep/17 ]

I also realized a couple of omissions in the concept (updated now):

  • rest-anonymous needs a Deny ACL to /.rest/* in addition to the Get one. This is because the anonymous user does not have the security-base role.
  • rest-editor needs the same Get ACL to /.rest/delivery/* as anonymous'. This should be added by a new VH class in the content-delivery module.

As for the task updating security-base role, let's keep it untouched, should be fine.
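
A simplified model of the rest-anonymous ACL set from the comment above, added here as an illustration (not Magnolia's code and not part of the ticket). It assumes that the longest matching pattern decides, that no match means deny, and that the anonymous user already holds a broad Get grant on /*; the probe paths are constructed.

```python
"""Model of URI ACL evaluation for the rest-anonymous role (illustrative only)."""
from fnmatch import fnmatchcase

DENY, GET, GET_POST = "deny", "get", "get+post"
ALLOWED_METHODS = {DENY: set(), GET: {"GET"}, GET_POST: {"GET", "POST"}}

# Assumption: a broad baseline grant held by the anonymous user.
ANONYMOUS_BASE = [("/*", GET)]

# rest-anonymous with only the Get ACL, and with the Deny ACL added
# as the comment requires.
REST_ANONYMOUS_GET_ONLY = [("/.rest/delivery/*", GET)]
REST_ANONYMOUS_WITH_DENY = [("/.rest/*", DENY), ("/.rest/delivery/*", GET)]

# Constructed probe requests (method, path); not real endpoint names.
PROBES = [
    ("GET", "/.rest/delivery/example/item"),
    ("POST", "/.rest/delivery/example/item"),
    ("GET", "/.rest/example-endpoint/item"),
    ("GET", "/index.html"),
]


def effective_permission(acls, path):
    """Return the permission of the longest pattern matching path (assumed rule)."""
    matches = [(pattern, perm) for pattern, perm in acls
               if fnmatchcase(path, pattern)]
    if not matches:
        return DENY  # assumed default when nothing matches
    return max(matches, key=lambda m: len(m[0]))[1]


def is_allowed(acls, method, path):
    """True if the effective permission for path permits the HTTP method."""
    return method.upper() in ALLOWED_METHODS[effective_permission(acls, path)]


def exposure_report(acls, probes=PROBES):
    """Map each probe to whether the ACL set lets it through."""
    return {f"{m} {p}": is_allowed(acls, m, p) for m, p in probes}


if __name__ == "__main__":
    for label, role in (("get-only", REST_ANONYMOUS_GET_ONLY),
                        ("with-deny", REST_ANONYMOUS_WITH_DENY)):
        print(label)
        for probe, ok in exposure_report(ANONYMOUS_BASE + role).items():
            print(f"  {probe:40} {'ALLOW' if ok else 'DENY'}")
```

Under these assumptions, the Get-only variant leaves non-delivery paths under /.rest/ readable through the baseline grant, while the variant with the Deny ACL limits anonymous access to GET on /.rest/delivery/*.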

Comment by Dai Ha [ 12/Sep/17 ]

Verified with magnolia-enterprise-pro-demo-bundle-5.6-20170911.202509-109-tomcat-bundle.

Generated at Mon Feb 12 06:56:42 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.