Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use user groups and permissions to manage access to some features #6224

Closed
2 tasks done
pktiuk opened this issue Jun 1, 2023 · 7 comments
Closed
2 tasks done

Use user groups and permissions to manage access to some features #6224

pktiuk opened this issue Jun 1, 2023 · 7 comments

Comments

@pktiuk
Copy link
Contributor

pktiuk commented Jun 1, 2023

My actions before raising this issue

Expected Behaviour

Access to some features (like Analytics) or making tasks not visible to all users should be managed in a bit more systematic way.
Instead of basing on flag in user Model there should be some default groups (or permissions) which define access to these features.
(Like group analytics for people which need to see grafana dashboards or limited access for people who should see only tasks assigned to them etc).

Current Behaviour

Now there is no elastic system to manage this.

Other

This issue seems to be linked with: #6125

If the CVAT team finds this idea useful I would be interested in implementing this.
@pktiuk
Copy link
Contributor Author

pktiuk commented Jun 1, 2023

I found also in docs sentence Available roles are: user (default), admin, business, worker., but there is no a single place where it is properly described where what is the purpose of thee groups, because anyway most of the permissions depend on status flags.

image

@bsekachev
Copy link
Member

bsekachev commented Jun 7, 2023
edited
Loading

Basically, CVAT uses Open Policy Agent rules to manage resources.
These groups does not really play role (maybe except for "admin").

@pktiuk
Copy link
Contributor Author

pktiuk commented Jun 7, 2023
edited
Loading

@bsekachev
Thank you for the answer.

Is there anything in docs about using Open Policy Agent in CVAT? (I looked, but I can't find anything)

@bsekachev
Copy link
Member

https://www.cvat.ai/post/cvat-open-policy-agent

@pktiuk
Copy link
Contributor Author

pktiuk commented Jun 7, 2023

Thanks

@pktiuk
Copy link
Contributor Author

pktiuk commented Jun 12, 2023
edited
Loading

@bsekachev

These groups does not really play role (maybe except for "admin").

Are you sure about that? I was looking at some .rego rules used by OPA and there are many places.

allow {
    { utils.UPDATE_STATE, utils.UPDATE_ANNOTATIONS, utils.DELETE_ANNOTATIONS,
      utils.IMPORT_ANNOTATIONS, utils.UPDATE_METADATA }[input.scope]
    utils.is_sandbox
    utils.has_perm(utils.WORKER)
    is_job_staff
}

They are used for something, I don't see any explanation in docs what is the purpose of these groups.
There is nothing about them neither in docs nor in original PR: #3788

@pktiuk
Copy link
Contributor Author

pktiuk commented Jun 12, 2023

@bsekachev
I found an empty docs page, which was supposed to have descriptions of these groups: https://opencv.github.io/cvat/docs/administration/advanced/iam_system_roles/

@pktiuk pktiuk mentioned this issue Jun 12, 2023
Merged
7 tasks
nmanovic pushed a commit that referenced this issue Jun 13, 2023
@pktiuk
docs: Describe changing default OPA permissions (#6294)
f578e47 
Follow up to discussion from: #6224

This issue is linked with: #3788
which introduced IAM, but not document some aspects.
.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bsekachev @pktiuk