Jobs Authorization
Jobs subsystem relies on groups defined in the configuration file for the backend:
| Configuration Group List | Description |
|---|---|
| ADMIN_GROUPS | Users of the listed groups can create, modify and read any job. They cannot delete jobs. |
| CREATE_JOB_PRIVILEGED_GROUPS | Users of the listed groups can create and read any job. They can only modify jobs that belong to their user or group depending on the configuration of given job (see Job Create Authorization Table ). They cannot delete jobs. |
| UPDATE_JOB_PRIVILEGED_GROUPS | Users of the listed groups can modify and read any job. They can only create jobs that belong to their user or group depending on the configuration of given job (see Job Update Authorization Table ). They cannot delete jobs. |
| DELETE_JOB_GROUPS | Users whose group is listed here are allowed to delete any job |
CASL ability actions
This is the list of the permission methods available for Jobs and all their endpoints.
The authorization for jobs is consistently different from all the other endpoints.
Endpoint Authorization
- JobCreate
- JobRead
- JobUpdate
- JobDelete
(Data) Instance Authorization
- JobCreateConfiguration (The job's create section of the configuration dictates if the user can create the job)
- JobCreateOwner (Users with this privilege can create jobs for others)
- JobCreateAny (Users with this privilege can create jobs for any of the users that are defined in the create section of the job configuration)
- JobReadAccess
- JobReadAny
- JobUpdateConfiguration (The job's update section in configuration dictates if the user can update the job)
- JobUpdateOwner (Users with this privilege can update jobs belonging to others)
- JobUpdateAny (Users with this privilege can update any job)
Priority
graph LR;
JobCreate-->JobCreateConfiguration;
JobCreateConfiguration-->JobCreateAny;
JobRead-->JobReadAccess;
JobReadAccess-->JobReadAny;
JobUpdate-->JobUpdateConfiguration;
JobUpdateConfiguration-->JobUpdateAny;
JobDelete;
Authorization table
| HTTP method | Endpoint | Endpoint Authentication | Anonymous | Authenticated | Create Jobs Groups | Update Jobs Groups | Admin Groups | Delete Groups |
|---|---|---|---|---|---|---|---|---|
| POST | Jobs | JobCreate | JobCreateConfiguration | JobCreateConfiguration | Any JobsCreateOwner |
no | Any JobsCreateAny |
no |
| GET | Jobs | JobReadMany | no | Has Access JobReadAccess |
Has Access JobReadAccess |
no | Any JobReadAny |
no |
| GET | Jobs/jid | JobReadOne | no | Has Access JobReadAccess |
Has Access JobReadAccess |
no | Any JobReadAny |
no |
| PATCH | Jobs/jid | JobUpdate | no | JobUpdateConfiguration | no | Owner JobUpdateOwner |
Any JobUpdateAny |
no |
| DELETE | Jobs/jid | JobDelete | no | no | no | no | no | no |
Job Create Authorization Table
The JobCreateConfiguration authorization permissions are configured directly in the create section of the job configuration.
Any positive match will result in the user acquiring JobCreate endpoint authorization, which applies to the jobs endpoint POST:Jobs
| Job Create Authorization | Endpoint Authentication Translation | Endpoint Authentication Description | Instance Authentication Translation | Instance Authentication Description |
|---|---|---|---|---|
| #all | #all | any user can access this endpoint, both anonymous and authenticated | #all | Any user can create this instance of the job |
| #datasetPublic | #all | any user can access this endpoint, both anonymous and authenticated | #datasetPublic | the job instance will be created only if all the datasets listed are public |
| #authenticated | #user | any valid users can access the endpoint, independently from their groups | #user | any valid users can create this instance of the job |
| #datasetAccess | #all | any user can access this endpoint, both anonymous and authenticated | #datasetAccess | the job instance will be created only if the specified user group or otherwise any of the user's groups has access to all the datasets listed |
| #datasetOwner | #all | any user can access this endpoint, both anonymous and authenticated | #datasetOwner | the job instance will be created only if the specified user group or otherwise any of the user's groups is part of all the datasets' owner group |
| @GROUP | #all | any user can access this endpoint, both anonymous and authenticated | GROUP | the job instance will be created only if the user belongs to the group specified |
| USER | #all | any user can access this endpoint, both anonymous and authenticated | USER | the job instance can be created only by the user indicated |
| #jobAdmin | #all | any user can access this endpoint, both anonymous and authenticated | #jobAdmin | the job instance can be created by users of ADMIN_GROUPS and CREATE_JOB_PRIVILEGED only |
IMPORTANT: use option #all carefully, as it allows anybody to create a new job. It is mostly used for debugging and testing.
Job Update Authorization Table
The JobUpdateConfiguration authorization permissions are configured directly in the update section of the job configuration.
Any positive match will result in the user acquiring JobUpdate endpoint authorization, which applies to the jobs endpoint PATCH:Jobs/id
| Job Update Authorization | Endpoint Authentication Translation | Endpoint Authentication Description | Instance Authentication Translation | Instance Authentication Description |
|---|---|---|---|---|
| #all | #all | any user can access this endpoint, both anonymous and authenticated | #all | Any user can update this job instance |
| #jobOwnerUser | #user | any user can access this endpoint, both anonymous and authenticated | #jobOwnerUser | only the user that is listed in field ownerUser can perform the update |
| #jobOwnerGroup | #user | any user can access this endpoint, both anonymous and authenticated | #jobOwnerGroup | any user that belongs to the group listed in field ownerGroup can perform the update |
| @GROUP | GROUP | any user can access this endpoint, both anonymous and authenticated | GROUP | the job can be updated only by users who belong to the group specified |
| USER | USER | any user can access this endpoint, both anonymous and authenticated | USER | the job can be updated only by the user indicated |
| #jobAdmin | #all | any user can access this endpoint, both anonymous and authenticated | #jobAdmin | the job instance can be created by users of ADMIN_GROUPS and UPDATE_JOB_PRIVILEGED only |
IMPORTANT: use option #all carefully, as it allows anybody to update the job. It is mostly used for debugging and testing.
Job Authorization priority
The endpoint authorization is the most permissive authorization across all the jobs defined. The priority between job create and update authorization is as follows:
graph LR;
all-->user;
user-->GROUP;
GROUP-->USER;
USER-->ADMIN_GROUPS;