= Blueprint for Authentication, Authorization & Accounting = '''Authentication''' is the act of establishing or confirming someone's identity.[[BR]] '''Authorization''' is the concept of allowing access to resources only to those permitted to use them.[[BR]] '''Accounting''' refers to the tracking of user actions - an audit trail. == Authentication == !SahanaPy currently authenticates on email address/password.[[BR]] - this is the method supported by default in Web2Py (Auth class in {{{gluon/tools.py}}}). The default configuration is that Self-Registration is enabled.[[BR]] This can be easily disabled via a single setting in the s3_setting table. The email address is currently not verified.[[BR]] - this should be fixed. Web2Py supports this: {{{if verification}}} Sahana2 supports OpenID (as does Launchpad), so that would be good to support & looks easy: * http://openidenabled.com/python-openid/ == Authorization == We want to be able to provide a simple way of setting the overall security policy - allowing for flexible deployment options. * Anonymous access is granted for all Read operations, with Create/Update/Delete requiring a user to be Authenticated * Anonymous access isn't granted for anything - all access requires a user to be Authenticated * Modules able to be restricted by Role membership * Tables able to be restricted by Role membership * C/R/U/D permissions distinct * Records able to be restricted by Role membership * C/R/U/D permissions distinct Sahana2 specifications: * Proposed Trunk: http://wiki.sahana.lk/doku.php?id=dev:new_acl * Current Stable: http://wiki.sahana.lk/doku.php?id=dev:security * Old: http://wiki.sahana.lk/doku.php?id=dev:authorization (NB The Vol module currently uses a separate method) We also want to look at whether we should link the Auth sahana_person table with the [BluePrintPersonRegistry Person Registry]'s person table The admin role is pre-defined during initialisation in {{{_db.py}}} (The first user to register will have this role by default): {{{ table = '%s_group' % app # 1st-run initialisation if not len(db().select(db[table].ALL)): auth.add_group('Administrator',description='System Administrator - can access & make changes to any data') # 1st person created will be System Administrator (can be changed later) auth.add_membership(1,1) }}} Additional roles such as Country/Regional Admin, Organisation/Office/Camp Admin are set within the GIS/OR/CR modules respectively. === Implementation === S3 builds on the default T2 AAA system: * DeveloperGuidelinesAuthenticationAccess Anonymous access is currently granted for all Read operations, with Create/Update/Delete requiring a user to be Authenticated: {{{t2.logged_in}}} * T2 can extend this by protecting resources with {{{t2.have_membership()}}} (table level security which can be separated for C/R/U/D) & {{{t2.have_access()}}} (record-level security) * we should probably support these by adding hooks into the [wiki:BluePrintREST RESTlike controller] We use {{{t2_group}}} table for Roles & {{{t2_membership}}} to show which roles a user has. * roles initialised in {{{_db.py}}} * 1st user to register gets Administrator role * module writers need to add any required roles there We expose this as s3.roles so that it is accessible to Controllers & Views.[[BR]] e.g. * {{{appadmin.py}}} * {{{layout.html}}} User maintenance can be done via appadmin until we develop our own UI: * ConfigurationGuidelines#Roles === Links === * J2EE: Working with Realms, Users, Groups, and Roles: http://java.sun.com/javaee/5/docs/tutorial/doc/bnbxj.html * Wikipedia: http://en.wikipedia.org/wiki/AAA_protocol * Zope uses: {{{has_permission(permission_name, view_or_controller)}}} and/or {{{user.has_role(custom_role)}}} methods == Accounting == STATUS: Complete apart from needing to get new_values back from the form after processing.[[BR]] The solution hooks the [wiki:BluePrintREST RESTlike controller] so anything which bypasses that is not logged (unless using the T2 fields: {{{created_by}}}, {{{updated_by}}}).[[BR]] To do more would require patching the DAL. Events can be audited at the Global level or the per-Module level. Most auditing wins, so if the Global is True, then all Modules will Log. If Global is False then Modules have control & can selectively enable it. Global settings are defined in {{{s3_settings}}} table.[[BR]] Per-Module settings are defined in {{{module_settings}}} table.[[BR]] Each defines 2 levels of Auditing - Audit just Changes (C/U/D), or also Reads: * {{{audit_read}}} * {{{audit_write}}} These are passed to the session for use in controllers/displays: * {{{session.s3.audit_read}}} * {{{session.s3.audit_write}}} For now this is configured via appadmin, although we should later make a nicer UI which has a single checkbox for 'Enable Auditing'. This then opens up a two checkboxes: * Global * Module-specific If each is ticked, this sets the {{{audit_write}}} & opens up an extra checkbox for 'Enable Auditing of Reads' (sets {{{audit_read}}}). ---- BluePrints