Task #2662
Idea #1904 (closed): User can get a no-auth-required link to an Arvados object, i.e., turn on "anyone with the link can view" permission
Workbench can get an API token, good for reading only one object
Status: Resolved
Priority: Normal
Assigned To:
Target version:
Description
The API token will be "for" the current user, with very limited scope. The token should be persisted, so that the user can expire it later if desired.
TBD:
- How much of this work happens in the API server, and how much in Workbench?
Updated by Brett Smith over 10 years ago
In #arvados we hashed out how we want scopes to work.
- They take the form of VERB PATHSPEC, unless they're a special one like the current 'all'. VERB is an HTTP verb. PATHSPEC is matched against the path of the API request. If PATHSPEC ends with /, the request must start with PATHSPEC. Otherwise, the path must equal PATHSPEC.
Notes:
- To grant multiple permissions to the same resource, make multiple scopes with the same PATHSPEC but different verbs.
- To grant full read permission to a collection, including its index and all its contents, specify two scopes, GET /collections/hash and GET /collections/hash/.
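The matching rule from the comment above, as an added Ruby example (not part of the original ticket and not Arvados's own code). The function names scope_matches? and scope_allows?, the collection identifier, and the sample paths are hypothetical, and the request path is assumed to be already normalized with no query string.

```ruby
# Added illustration of the VERB PATHSPEC rules; not Arvados code.
# Assumption: path is the normalized request path (no query string, no "..").

# True when a single scope string permits the request.
def scope_matches?(scope, verb, path)
  return true if scope == 'all'           # special scope, no restriction
  scope_verb, pathspec = scope.split(' ', 2)
  return false if pathspec.nil? || pathspec.empty?
  return false unless scope_verb == verb  # VERB must equal the HTTP verb
  if pathspec.end_with?('/')
    path.start_with?(pathspec)            # trailing slash: prefix match
  else
    path == pathspec                      # no trailing slash: exact match
  end
end

# A token is allowed when any of its scopes matches; no scopes, no access.
def scope_allows?(scopes, verb, path)
  scopes.any? { |scope| scope_matches?(scope, verb, path) }
end

COLLECTION = 'examplehash' # constructed placeholder, not a real identifier
READ_ONE = ["GET /collections/#{COLLECTION}",
            "GET /collections/#{COLLECTION}/"].freeze

if __FILE__ == $PROGRAM_NAME
  [
    ['GET',    "/collections/#{COLLECTION}"],          # the object itself
    ['GET',    "/collections/#{COLLECTION}/a/b.txt"],  # its contents
    ['GET',    "/collections/#{COLLECTION}2"],         # sibling sharing a prefix
    ['GET',    '/collections'],                        # listing endpoint
    ['DELETE', "/collections/#{COLLECTION}"]           # verb not granted
  ].each do |verb, path|
    verdict = scope_allows?(READ_ONE, verb, path) ? 'allow' : 'deny'
    puts format('%-6s %-34s %s', verb, path, verdict)
  end
end
```

The trailing slash on the second scope is what keeps a sibling path that only shares the prefix from matching, and either scope alone covers only the object or only its contents.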
Updated by Brett Smith over 10 years ago
- Status changed from New to In Progress
- Start date set to 04/18/2014
- Remaining (hours) changed from 8.0 to 4.0
Updated by Brett Smith over 10 years ago
- Remaining (hours) changed from 4.0 to 1.0
The branch 1904-object-scopes-wip introduces general scopes to give API tokens limited permissions. Once it's merged, Workbench just has to be taught to make the right queries to get and make these specialized tokens. That teaching work is #2664.
Updated by Brett Smith over 10 years ago
- Status changed from In Progress to Resolved
- % Done changed from 0 to 100
- Remaining (hours) changed from 1.0 to 0.0
Applied in changeset arvados|commit:03e570095885982d23e234bce8e1c068314b63af.