[RFC] Data Authorization Middleware #1213
MikeNeilson
left a comment
Some minor picks that will really only matter at time of implementation. Otherwise everything seems reasonable to me.
Will wait on feedback from others.
| public ResponseEntity<List<TimeSeries>> getTimeSeries( | ||
| String office, Context ctx) { | ||
|
|
||
| QueryBuilder query = QueryBuilder.create().table("cwms_ts_data"); |
The table information would either not be known at this point or possibly meaningless.
What CDA does know is the endpoint URL and the DTOs involved. I would suspect that would be able to provide the required information checks.
Doesn't negate the point the sample is making though, same concept different source.
|
|
||
| 1. **Dependency Injection**: `@Autowired` helper in controllers | ||
| 2. **Annotation-Based**: `@CwmsAuthorized` with AOP interceptors | ||
| 3. **Filter-Based**: Servlet filter for automatic processing |
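Review bot: options 1 and 2 in this list are opt-in per controller, so an endpoint that omits the helper call or the `@CwmsAuthorized` annotation would be served with no authorization check. State here whether endpoints without either are denied by default, or make the filter in option 3 the baseline with options 1 and 2 layered on top of it.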
Javalin has before handlers and a Context object:
With the before handler functionally equivalent to the Filter Based approach.
I suspect a combination of work within a CdaAccessManager, a before handler, and the specific endpoints for any data specific issues will likely be what happens.
e.g. a POST call with no x-cwms-auth-context should fail before it even gets to the Time Series Controller.
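The before-handler gate described in the comment above, as an added example that is not part of the thread or of the CDA code base. It assumes Java 11+, that all write methods (not only POST) are gated, that a missing header maps to 401, and a hypothetical `/timeseries` route; only the header name comes from the comment.

```java
import io.javalin.Javalin;
import io.javalin.http.UnauthorizedResponse;
import java.util.Locale;
import java.util.Set;

public final class AuthContextGate {
    // Header name taken from the review comment above.
    static final String AUTH_CONTEXT_HEADER = "x-cwms-auth-context";

    // Assumption: every write method is gated, not only POST.
    private static final Set<String> WRITE_METHODS =
            Set.of("POST", "PUT", "PATCH", "DELETE");

    /** Returns true when the request may continue to the endpoint handler. */
    static boolean mayProceed(String method, String authContext) {
        boolean isWrite = method != null
                && WRITE_METHODS.contains(method.toUpperCase(Locale.ROOT));
        // Presence check only: an empty or whitespace-only header counts as
        // missing. Verifying the header's content is left to later stages.
        return !isWrite || (authContext != null && !authContext.isBlank());
    }

    /** Registers the gate so it runs before every endpoint handler. */
    static void register(Javalin app) {
        app.before(ctx -> {
            // String.valueOf covers Javalin versions where method() returns
            // a String and those where it returns the HandlerType enum.
            String method = String.valueOf(ctx.method());
            if (!mayProceed(method, ctx.header(AUTH_CONTEXT_HEADER))) {
                // Throwing ends the request here; the controller never runs.
                // Assumption: 401 is the status chosen for a missing context.
                throw new UnauthorizedResponse("missing " + AUTH_CONTEXT_HEADER);
            }
        });
    }

    public static void main(String[] args) {
        Javalin app = Javalin.create();
        register(app);
        // Hypothetical routes standing in for the Time Series Controller.
        app.post("/timeseries", ctx -> ctx.status(201));
        app.get("/timeseries", ctx -> ctx.result("[]"));
        app.start(7000);
    }
}
```

With this in place a POST without the header is answered with 401 by the before handler, while a GET still reaches its endpoint.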
jbkolze
left a comment
Looks good to me -- just had a couple quick questions for clarification.
| **7 User Personas (PWS Exhibit 3):** | ||
|
|
||
| 1. **Anonymous/Public User**: Read-only access to public data after embargo period | ||
| 2. **Dam Operator**: Manual data entry only, 24-hour modification window, shift hours (6am-6pm) |
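Review bot: the Dam Operator line gives "shift hours (6am-6pm)" and a "24-hour modification window" with no time zone and no reference point for the window. Say which clock the shift hours are evaluated in (office local time or UTC) and what the 24 hours are measured from, since the server and the operator can otherwise disagree on both.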
For clarification, will the details of these personas (or the users themselves) be configurable? I believe that "User persona definitions with specific constraints and capabilities" below under Policy Data Management indicates that they will be, but just want to confirm.
Our current operations workflow would require potential modification by dam operators beyond the 24-hr window and outside of set shift hours.
|
|
||
| #### Phase 3: Administration and Optimization | ||
|
|
||
| - React-based admin UI for policy management |
I assume that direct API access for policy management will be available prior to Phase 3?
### Summary * RFC for the Data Authorization Middleware (cherry picked from commit 6f08480)