Groups and upload visibility
This replaces #1691 (closed), #1692 (closed)
Currently uploads have a `main_author: User` (owner), `coauthors: User[]`, and `reviewers: User[]`. At least the `coauthors` and `reviewers` roles should also be assignable via user groups.
First steps
- add `reviewer_groups: str` and `coauthor_groups: str` to the upload mongo model (`nomad/processing/data.py::Upload`)
- add a mongo collection `groups` with keys `owner: User`, `group_name`, `group_id`, `members: User[]`
- add `reviewer_groups: str` and `coauthor_groups: str` to the EntryMetadata (`nomad/datamodel/datamodel.py::EntryMetadata`)
- populate the new EntryMetadata fields (somewhere in `nomad/processing/data.py`)
- extend queries to mongo, e.g. in `nomad/app/v1/routers/uploads.py`
- add tests (`tests/app/v1/routers/test_uploads.py`, `tests/app/v1/routers/test_groups.py`)
- extend queries to elastic search in `nomad/search.py::_owner_es_query`
- add some basic `groups` CRUD API
Manage visibility with groups
- introduce a special group_id 'all' to make uploads visible or editable to everyone
- this could replace the visibility rules constructed around `published` and reduce the published state to being only concerned with immutability
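To make the access model from the first steps and the special `all` group concrete, here is an added example (not NOMAD code) that resolves a user's group memberships, evaluates view/edit rights on in-memory upload records, and builds the equivalent mongo `$or` filter. It assumes `coauthor_groups`/`reviewer_groups` hold lists of group ids, that a group's owner counts as a member, and uses constructed sample data.

```python
"""Group-based upload visibility (added example, not part of the NOMAD code base)."""
from typing import Iterable

ALL_GROUP = "all"  # special group_id: visible/editable to everyone (assumed name)

# Constructed sample data shaped like the proposed `groups` collection and upload model.
GROUPS = [
    {"group_id": "g-dft", "group_name": "DFT team", "owner": "alice", "members": ["bob", "carol"]},
    {"group_id": "g-qa", "group_name": "QA", "owner": "dave", "members": ["erin"]},
]
UPLOADS = [
    {"upload_id": "u1", "main_author": "alice", "coauthors": [], "reviewers": [],
     "coauthor_groups": ["g-dft"], "reviewer_groups": ["g-qa"]},
    {"upload_id": "u2", "main_author": "frank", "coauthors": ["erin"], "reviewers": [],
     "coauthor_groups": [], "reviewer_groups": [ALL_GROUP]},
    {"upload_id": "u3", "main_author": "frank", "coauthors": [], "reviewers": [],
     "coauthor_groups": [], "reviewer_groups": []},
]


def user_group_ids(user: str, groups: Iterable[dict]) -> set:
    """Group ids the user belongs to; the owner is treated as a member (assumption)."""
    return {g["group_id"] for g in groups if user == g["owner"] or user in g["members"]}


def can_edit(user: str, upload: dict, groups: Iterable[dict]) -> bool:
    """Edit rights: main author, direct coauthor, or member of a coauthor group."""
    gids = user_group_ids(user, groups) | {ALL_GROUP}  # everyone is implicitly in 'all'
    return (user == upload["main_author"] or user in upload["coauthors"]
            or bool(gids & set(upload["coauthor_groups"])))


def can_view(user: str, upload: dict, groups: Iterable[dict]) -> bool:
    """View rights: anyone who can edit, plus direct reviewers and reviewer-group members."""
    gids = user_group_ids(user, groups) | {ALL_GROUP}
    return (can_edit(user, upload, groups) or user in upload["reviewers"]
            or bool(gids & set(upload["reviewer_groups"])))


def visible_upload_ids(user: str, uploads: Iterable[dict], groups: Iterable[dict]) -> list:
    return [u["upload_id"] for u in uploads if can_view(user, u, groups)]


def mongo_visibility_filter(user: str, groups: Iterable[dict]) -> dict:
    """Mongo-style filter equivalent to can_view, usable in an uploads query."""
    gids = sorted(user_group_ids(user, groups) | {ALL_GROUP})
    return {"$or": [
        {"main_author": user}, {"coauthors": user}, {"reviewers": user},
        {"coauthor_groups": {"$in": gids}}, {"reviewer_groups": {"$in": gids}},
    ]}
```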
Further steps
- a UI to create and manage groups
- add groups to the UI for managing coauthors and reviewers
Potentially managing groups with keycloak:
- Keycloak groups are global groups with no owner or any other scope but the realm. It seems unlikely that this can be used, especially not for the central keycloak. Consequently, we cannot use any group management UI and have to build our own.
- Keycloak users can have attributes. Group membership could be persisted as a `groups` attribute for users. However, additional group metadata, like name, owner, etc. still needs to be stored somewhere. We would also still need to write our own management UI, and it would be hard to distinguish between different groups on different oases.
Consequently, keycloak does not seem to be helpful for group management.
Questions
- Should coauthor/reviewer (groups) be split into access right concepts and authorship/reference concepts?
- Should the coauthor/reviewer groups of an upload be converted into immutable coauthors/reviewers when an upload is published?
- Should the returned coauthors list also include users from the coauthor groups, or should these be kept separate?