Feature #20640
Updated by Peter Amstutz 10 months ago
Requested by user:
They would like to synchronize permissions set in Arvados to another system. This system does not support OpenID, users will log in with LDAP and they can do a mapping between username and arvados uuid. However it is not convenient to generate and use Arvados tokens or do permission lookups on the fly.
Proposed solution is to have an admin API where the client can send a list of users and/or projects and get back the permissions associated with each user and/or project. This would make it possible to write a periodic synchronization task that gets the current permissions from Arvados for the set of users/projects of interest and applies them to the 3rd party system.
Design sketch:
Implement a "list" API that behaves similarly to other list APIs, supporting our filter syntax. It returns a list of items, each with the user uuid, target uuid, and permission level.
The permission level is numeric internally but it might make sense to transform it to can_read, can_write or can_manage for the external API -- because if we ever want to tweak the implementation or introduce new types of permission, it would be better not to be committed to a specific numeric representation of permission.
Since it is read only and rows don't have standalone identifiers, the endpoint would only support "list" method and not "get" or anything else.
It should be usable by both admins and regular users.
Admins have unrestricted access.
Regular users are limited to permissions on targets for which they have "manage" access (this includes "self", so they can always see their own permissions), implemented as a self-join on the permission table.
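As an added illustration of the design sketch (not Arvados code), the following models the proposed endpoint over a constructed in-memory permission table: admins see every row, regular users see only rows whose target they manage via the self-join, and the numeric level is mapped to can_read/can_write/can_manage on the way out. The table layout, the level numbering (1/2/3) and the sample uuids are assumptions for the example.

```python
import sqlite3

# Assumed numeric-to-name mapping; the real representation stays internal.
PERM_NAMES = {1: "can_read", 2: "can_write", 3: "can_manage"}
MANAGE = 3

# Constructed sample rows: (user_uuid, target_uuid, perm_level).
# Each user has a "self" row so they can always see their own permissions.
SAMPLE_ROWS = [
    ("alice", "alice", 3),
    ("alice", "proj-A", 3),
    ("bob", "bob", 3),
    ("bob", "proj-A", 1),
    ("bob", "proj-B", 2),
    ("carol", "carol", 3),
    ("carol", "proj-B", 3),
]


def make_db():
    """Build a throwaway permission table (assumed layout) for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE permissions (user_uuid TEXT, target_uuid TEXT, perm_level INTEGER)")
    conn.executemany("INSERT INTO permissions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def list_permissions(conn, requester, is_admin, targets=None):
    """Return permission rows visible to `requester`, optionally filtered by target uuid."""
    params = []
    if is_admin:
        sql = "SELECT p.user_uuid, p.target_uuid, p.perm_level FROM permissions p WHERE 1=1"
    else:
        # Self-join: keep only rows whose target the requester manages.
        sql = ("SELECT p.user_uuid, p.target_uuid, p.perm_level FROM permissions p "
               "JOIN permissions m ON m.target_uuid = p.target_uuid "
               "WHERE m.user_uuid = ? AND m.perm_level >= ?")
        params += [requester, MANAGE]
    if targets:  # stands in for the list API's filter syntax
        sql += " AND p.target_uuid IN (%s)" % ",".join("?" * len(targets))
        params += list(targets)
    sql += " ORDER BY p.user_uuid, p.target_uuid"
    rows = conn.execute(sql, params).fetchall()
    return [{"user_uuid": u, "target_uuid": t, "permission": PERM_NAMES[lvl]} for u, t, lvl in rows]


if __name__ == "__main__":
    db = make_db()
    for row in list_permissions(db, "alice", is_admin=False):
        print(row)
```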