U/jrbogart/authdb#218

Merged
JoanneBogart merged 8 commits into main from u/jrbogart/authdb_fileprotect on Apr 24, 2026

@JoanneBogart
Collaborator

For running at NERSC (currently the only realistic option), use by default the common authorization file living in /global/common. This eliminates all the fuss which had been necessary to create a personal authorization file.

@JoanneBogart JoanneBogart requested review from stuartmcalpine and removed request for stuartmcalpine April 22, 2026 21:39
@AstroPatty
Collaborator

This looks good to me for implementing default authentication. It's a simple solution that should be low-maintenance.

I do have one higher-level concern. Is there anything in place that prevents a user from modifying/deleting an entry from another user, now that everyone in DESC would be using the same credentials?

@JoanneBogart
Collaborator Author

The goal is to only allow deletion by the owner and by a collaboration account which will be used for archiving. I originally planned to do all that in a single PR (hence the branch name) but the second part will be deferred to another PR because it's going to be more complicated:

  • Higher-level directories need to be writeable by everyone (so they can add new files) but the actual files constituting the dataset should be writeable only by owner. This is going to take a little refactoring of code in dataset.py and registrar_utils.py
  • A collaboration account to be used for archiving will need to be able to delete as well

The database part is much easier to deal with. I don't think anyone (except possibly me or other admin in special circumstances) is going to bypass the API. The routines for deleting or replacing entries can check if the caller has the same NERSC userid as the person who created the dataset in the first place (userid is already saved when an entry is created) and if not, refuse to do the operation.

Once this PR is merged I'll move on to the rest, perhaps deferring the collaboration account part to yet a third PR since it's not likely to be a stumbling block for a while.
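
An added sketch of the two checks discussed in the comment above (ownership check before delete/replace, and dataset files writable only by their owner). It is not code from this PR or from the project; the `desc_archive` account name, the `creator_uid`/`dataset_id` field names and all function names are assumptions made for illustration.

```python
import os
import pwd
import stat

# Hypothetical name for the collaboration archiving account (assumption).
ARCHIVE_ACCOUNTS = frozenset({"desc_archive"})


class NotOwnerError(PermissionError):
    """Caller tried to delete or replace an entry created by someone else."""


def current_userid():
    # Resolve the name from the process uid; getpass.getuser() consults
    # LOGNAME/USER first, which the caller can set to any value.
    return pwd.getpwuid(os.getuid()).pw_name


def require_owner(entry, caller=None, privileged=ARCHIVE_ACCOUNTS):
    """Return the caller's userid if it may modify `entry`, else raise.

    `entry` is a constructed dict standing in for a database row;
    `creator_uid` and `dataset_id` are assumed field names.
    """
    caller = caller if caller is not None else current_userid()
    if caller == entry["creator_uid"] or caller in privileged:
        return caller
    raise NotOwnerError(
        f"{caller} may not modify dataset {entry['dataset_id']} "
        f"created by {entry['creator_uid']}"
    )


def protect_dataset_files(root):
    """Clear group/other write bits on files under `root`; return changed paths.

    Directories are left untouched so other users can still add new files.
    """
    changed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            mode = stat.S_IMODE(st.st_mode)
            tightened = mode & ~(stat.S_IWGRP | stat.S_IWOTH)
            if tightened != mode:
                os.chmod(path, tightened)
                changed.append(path)
    return changed
```
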

@JoanneBogart
Collaborator Author

@AstroPatty Please take another look in light of my comments above. Thanks.

@AstroPatty
Collaborator

@JoanneBogart Great, this all sounds good. I think this PR is good to go.

@JoanneBogart
Collaborator Author

> @JoanneBogart Great, this all sounds good. I think this PR is good to go.

Thanks, @AstroPatty! Could you please formally approve?

@JoanneBogart JoanneBogart merged commit 3613fd9 into main Apr 24, 2026
28 checks passed
@JoanneBogart JoanneBogart deleted the u/jrbogart/authdb_fileprotect branch April 27, 2026 18:25