-
Notifications
You must be signed in to change notification settings - Fork 365
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal-for-Roles-and-Permissions #1096
base: master
Are you sure you want to change the base?
Conversation
feedback or volunteers welcome ;)
I don't think we should limit everything to well known roles. Because this limits the advantages of the role model, as it allows to combine multiple roles for one sessions. This allows very fine grain access to nodes.
|
The main issue is well to implement the lower level permission like AdminFileAccess.. That will require a lot of if then else everywhere . I do not even want to think about it |
No the roles like AdminFileAccess are user defined, for their own purpose. The user adds to the nodes the corresponding rolepermissions and if no rolespermissions are definied the parent/default permissions are used. |
if i got you right: |
I did an example for an api: class RoleAuth:
def on_init_roles(self, server):
self.file_access = server.add_role(NodeId(4, 'RoleFileAccess'), 'FileAccess')
self.write_access = server.add_role(NodeId(4, 'RoleWriteAccess'), 'WriteAccess')
self.read_access = server.add_role(NodeId(4, 'RoleReadAccess'), 'ReadAccess')
def on_auth(self, user: str, server: Server) -> List[ua.Node]:
# Called when user is authenticated
if user == "User1":
return [file_access, read_access]
if user == "User2":
return [write_access]
if user == "Admin":
return [file_access, read_access, write_access, server.roles.admin]
return []
auth = RoleAuth()
server = Server(..., role_auth=auth)
auth.on_init_roles(server)
...
var = server.add_variable(....)
var.add_rolepermission(auth.read_access, PermissionType.Browse | PermissionType.Read | PermissionType.ReceiveEvents)
var.add_rolepermission(auth.write_access, PermissionType.Browse | PermissionType.Read | PermissionType.Write | PermissionType.ReceiveEvents)
file = server.add_object(....)
file.add_rolepermission(auth.file_access, PermissionType.Browse | PermissionType.Read | PermissionType.Call) |
All is just an example. The idea is that on_auth is called after/instead of the old user authentication and the result is added to the session object. Then for every service call the roles of the service are evaluated against the role_permissions. |
feedback or volunteers welcome ;)