From 33ea992b5819198896b021fd5e4f11b7d6f1093e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Gurhem?= Date: Wed, 9 Oct 2024 17:20:49 +0200 Subject: [PATCH] docs: apply suggested improvements --- .docs/content/1.concepts/3.authentication.md | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.docs/content/1.concepts/3.authentication.md b/.docs/content/1.concepts/3.authentication.md index ba616b204..25d667d1e 100644 --- a/.docs/content/1.concepts/3.authentication.md +++ b/.docs/content/1.concepts/3.authentication.md @@ -23,11 +23,11 @@ ArmoniK allows users to impersonate other users by adding an impersonation heade ArmoniK uses a User-Role-Permission based approach to handle authorization. Each user in the database can have a set of **Roles**. Each role contains a set of **Permissions**. A user cannot receive permissions directly, instead roles containing the permissions have to be created and given to the user. A permission is defined as a string in a specific format. The current version handles the following types of permissions : -|Format|Example|Parameters|Description| ----|---|---|---| -``General:Impersonate:``|``General:Impersonate:Monitoring``|**Rolename**: Name of a role|Grants the right to impersonate a user with the role named \. See [Impersonation](#impersonation) for details| -|``:``|``Submitter:CreateSession``|**Service**: Name of an ArmoniK web service
**Name**: Name of the endpoint|Grants the right to use the endpoint named \ of the service named \| -|``::``|``Submitter:CancelSession:Self``|**Service**: Name of an ArmoniK web service
**Name**: Name of the endpoint
**Target**: Target or scope of the permission|Same as ``:`` as ```` is currently unused| +| Format | Example | Parameters | Description | +|------------------------------------|------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| +| ``General:Impersonate:`` | ``General:Impersonate:Monitoring`` | **Rolename**: Name of a role | Grants the right to impersonate a user with the role named \. See [Impersonation](#impersonation) for details | +| ``:`` | ``Submitter:CreateSession`` | **Service**: Name of an ArmoniK web service
**Name**: Name of the endpoint | Grants the right to use the endpoint named \ of the service named \ | +| ``::`` | ``Submitter:CancelSession:Self`` | **Service**: Name of an ArmoniK web service
**Name**: Name of the endpoint
**Target**: Target or scope of the permission | Same as ``:`` as ```` is currently unused | ## User authorization @@ -60,7 +60,7 @@ flowchart TB ## User administration -Users, roles, permissions and certificates are stored and managed by ArmoniK via environment variables provided to the control plane and compute plane. Administrators in charge of handling user permissions can refer to this section to manage user permissions. +Users, roles, permissions and certificates are stored and managed by ArmoniK via environment variables provided to the control plane and compute plane by the administrator during deployment. Administrators in charge of handling user permissions can refer to this section to manage user permissions. ### Populating the internal MongoDB when deploying ArmoniK 
@@ -83,19 +83,19 @@ In order to function properly, the authentication needs to have the following co - Handles the association between a user and its roles - Requires the following fields - Name : Unique user name - - Roles : list of objectIds, each matching the _id field in RoleData of the roles given to the user + - Roles : list of role names, each matching the Name field of the roles given to the user - List of [Role](../../../Common/src/Injection/Options/Database/User.cs) - Handles the association between a role and its permissions - Requires the following fields - Name : Unique role name - Permissions : list of strings corresponding to the permissions of the role -These collections of object needs to be provided as JSON objects as detailled in the following sections. +These collections of object need to be provided as JSON objects as detailled in the following sections. #### Environment variables base An InitServices options class was introduced to initialize services. -It contains two classes : Authentication and Partitionning to configure authentications and Partitions respectively. +It contains two classes : Authentication and Partitionning to configure authentication and partitions respectively. Authentication has several list of strings as fields: UserCertificates, Roles and Users. Those fields are JSON strings that are deserialized into corresponding objects that will be inserted into the database. @@ -125,7 +125,7 @@ InitServices__Authentication__Roles__1='{"Name": "Role2", "Permissions": ["Submi #### Specify users -To specify a user with the name "User1" with the role "Role1", use the following command : +To specify a user with the name "User1" with the role "Role1", use the following command: ```bash InitServices__Authentication__Users__0='{"Name": "User1", "Roles": ["Role1"]})' 
@@ -133,13 +133,13 @@ InitServices__Authentication__Users__0='{"Name": "User1", "Roles": ["Role1"]})' #### Specify certificates -To insert a certificate with Common Name "CN1" and Fingerprint "FP1" associated with the user with the User called "User1", use the following command : +To insert a certificate with Common Name "CN1" and Fingerprint "FP1" associated with the User called "User1", use the following command: ```javascript InitServices__Authentication__UserCertificates__0='{"User": "User1", "CN": "CN1", "Fingerprint": "FP1"}' ``` -To insert an entry matching all certificates with Common Name "CN1" associated with user with UserId "62f4efe6d82645e26e09584f", use the following command : +To insert an entry matching all certificates with Common Name "CN1" associated with the User called "User1", use the following command: ```javascript InitServices__Authentication__UserCertificates__0='{"User": "User1", "CN": "CN1"}'
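Review bot: hunk @@ -23,11 +23,11 @@ (permissions table): the placeholder names inside the Format cells do not come through as shown: ``General:Impersonate:`` ends at the colon, ``:`` and ``::`` are empty, and the Description cells read "named \." with a dangling escape. If the source uses angle-bracket placeholders such as <Rolename>, a markdown renderer treats them as HTML tags and drops them; escape them (\<Rolename\>) or put them in inline code so the parameter names actually render. The last row should also state plainly that because the Target component is currently unused, `Submitter:CancelSession:Self` grants exactly the same right as `Submitter:CancelSession`; an administrator reading the table should not take the third component as a scope restriction.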
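Review bot: hunk @@ -60,7 +60,7 @@ (User administration): the paragraph now says "user permissions" three times in two sentences ("handling user permissions can refer to this section to manage user permissions"); "Administrators in charge of user permissions can refer to this section." reads better. Since the new wording says these values are provided "by the administrator during deployment", a sentence on whether users, roles and certificates can be changed after deployment, or only by redeploying, would answer the question the reader has at this point.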
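Review bot: hunk @@ -83,19 +83,19 @@: the rewritten line still carries the typo "detailled" ("as detailled in the following sections") and "collections of object" should be "collections of objects"; two lines further down, "several list of strings" should be "several lists of strings". In the unchanged context, the Role bullet links to `User.cs` ("List of [Role](../../../Common/src/Injection/Options/Database/User.cs)") while the User bullet links to the same file; check that the Role link points at the file that defines roles. The change from objectIds to role names for the Roles field is consistent with the `"Roles": ["Role1"]` example later in the patch.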
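Review bot: hunk @@ -125,7 +125,7 @@: the bash example in this hunk's trailing context has a stray `)` inside the single quotes, `InitServices__Authentication__Users__0='{"Name": "User1", "Roles": ["Role1"]})'`, so the value is not valid JSON and will not deserialize into a user; it should end `["Role1"]}'`. The hunk already touches the sentence directly above, so the example should be corrected in the same commit.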
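Review bot: hunk @@ -133,13 +133,13 @@ (Specify certificates): the second example, `{"User": "User1", "CN": "CN1"}`, is missing the documentation an administrator needs to use it safely: with no Fingerprint it matches every certificate whose Common Name is "CN1", whatever its fingerprint, so it is a CN-wide grant rather than a binding to one certificate, and the text should say when that is acceptable and recommend the Fingerprint form otherwise. Both examples use index `__0`, so a reader who copies both into one deployment has the second entry override the first; use `__1` for the second or state that the index must be unique per entry. Both code blocks are tagged with the `javascript` fence tag although they are shell variable assignments, while the users example a few lines up uses `bash`; tag these `bash` as well.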