Task #2662
closed
Story #1904: User can get a no-auth-required link to an Arvados object, i.e., turn on "anyone with the link can view" permission
Workbench can get an API token, good for reading only one object
Added by Brett Smith almost 11 years ago.
Updated almost 11 years ago.
Description
The API token will be "for" the current user, with very limited scope. The token should be persisted, so that the user can expire it later if desired.
TBD:
- How much of this work happens in the API server, and how much in Workbench?
In #arvados we hashed out how we want scopes to work.
- They take the form of VERB PATHSPEC, unless they're a special one like the current 'all'. VERB is an HTTP verb. PATHSPEC is matched against the path of the API request. If PATHSPEC ends with /, the request must start with PATHSPEC. Otherwise, the path must equal PATHSPEC.
Notes:
- To grant multiple permissions to the same resource, make multiple scopes with the same PATHSPEC but different verbs.
- To grant full read permission to a collection, including its index and all its contents, specify two scopes, GET /collections/hash and GET /collections/hash/.
- Status changed from New to In Progress
- Start date set to 04/18/2014
- Remaining (hours) changed from 8.0 to 4.0
- Remaining (hours) changed from 4.0 to 1.0
The branch 1904-object-scopes-wip introduces general scopes to give API tokens limited permissions. Once it's merged, Workbench just has to be taught to make the right queries to get and make these specialized tokens. That teaching work is #2664.
- Status changed from In Progress to Resolved
- % Done changed from 0 to 100
- Remaining (hours) changed from 1.0 to 0.0
Applied in changeset arvados|commit:03e570095885982d23e234bce8e1c068314b63af.
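The VERB PATHSPEC matching rule from the comments above, as an added example that is not code from the Arvados branch or changeset. The method names, the constructed sample requests, the exact-case verb comparison, and the assumption that the path has already been normalized by the router are all illustrative.

```ruby
# Added example, not Arvados code. scope_allows? and token_allows? are
# hypothetical names. Assumes `path` is the routed, already-normalized
# request path and that verbs are compared exactly as written.

# True if one scope string permits the request.
def scope_allows?(scope, verb, path)
  return true if scope == 'all'                     # special scope named in the ticket
  scope_verb, pathspec = scope.split(' ', 2)
  return false if pathspec.nil? || pathspec.empty?  # malformed scope grants nothing
  return false unless scope_verb == verb
  if pathspec.end_with?('/')
    path.start_with?(pathspec)                      # trailing slash: prefix match
  else
    path == pathspec                                # no trailing slash: exact match
  end
end

# A token is allowed if any one of its scopes permits the request.
def token_allows?(scopes, verb, path)
  scopes.any? { |s| scope_allows?(s, verb, path) }
end

# The two-scope "full read" grant from the notes ("hash" is the ticket's placeholder).
READ_ONE = ['GET /collections/hash', 'GET /collections/hash/'].freeze

# Constructed sample requests, evaluated against READ_ONE.
def demo
  requests = [
    ['GET', '/collections/hash'],               # the object itself
    ['GET', '/collections/hash/dir/file.txt'],  # its contents
    ['GET', '/collections/hash2'],              # sibling sharing a string prefix
    ['PUT', '/collections/hash'],               # same path, different verb
    ['GET', '/collections']                     # listing all collections
  ]
  requests.map { |verb, path| [verb, path, token_allows?(READ_ONE, verb, path)] }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |verb, path, ok| puts format('%-4s %-32s %s', verb, path, ok ? 'allow' : 'deny') }
end
```

Because the subtree scope ends in /, a sibling such as /collections/hash2 is denied even though it shares a string prefix with the granted object, which is why the notes call for two scopes rather than a single GET /collections/hash prefix.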