[[TOC]] [wiki:DeveloperGuidelinesS3Framework] | S3AAA = S3 Authentication, Authorization and Accounting = '''Authentication''' is the act of establishing or confirming someone's identity.[[BR]] '''Authorization''' is the concept of allowing access to resources only to those permitted to use them.[[BR]] '''Accounting''' refers to the tracking of user actions - an audit trail. == Overview == AAA functions for S3 are implemented in the {{{modules/s3/s3aaa.py}}} module. This module extends the web2py Auth class as AuthS3 (Authentication), and defines additional classes for role management, access control and audit. ||'''Component'''||'''Location'''||'''Function'''|| ||AuthS3||modules/s3/s3aaa.py||Authentication, Login|| ||S3Permission||modules/s3/s3aaa.py||Authorization of Access, ACLs|| ||S3Audit||modules/s3/s3aaa.py||Data access logging, audit trail|| ||S3RoleManager||modules/s3/s3aaa.py||RESTful method to manage roles and ACLs|| ||Admin controllers||controllers/admin.py||User Management, role management|| == Authentication == === Current user === === Interactive Login === === HTTP Basic Authentication === == Roles == Roles are defined in the {{{auth_group}}} table, which is defined by the {{{AuthS3}}} module (in {{{modules/s3/s3aaa.py}}}).[[BR]] Each role as an ID, a unique name and an optional description. Access permissions are granted to roles, while a user gets permissions by assigning roles to him. Role assignment is stored in the {{{auth_membership}}} table, which is defined by the {{{AuthS3}}} class (in {{{modules/s3/s3aaa.py}}}). At the start of every request, the IDs of all roles of the currently logged-in user are stored as list in {{{session.s3.roles}}} (in {{{models/00_utils.py}}}. In cases where the user is logged-in during the request (e.g. by HTTP Basic Auth), a refresh of this list is also triggered by the {{{login_bare()}}} method of {{{AuthS3}}}. Roles can be managed in the {{{S3RoleManager}}} interface (Administration => User Management => Roles). The following roles are pre-defined in S3 and cannot be changed: ||'''ID'''||'''Name'''||'''Description'''|| ||1||Administrator||system administrator|| ||2||Authenticated||all authenticated users|| ||3||Creator||currently unused|| ||4||Editor||data editor|| The first registered user gets the '''Administrator''' role assigned.[[BR]] Users with the Administrator role always have all permissions, and may access all pages in Eden. The Administrator may also manage Users, Roles and ACLs. Users with the '''Editor''' role may access all data with all methods, except they can not manage Users, Roles or ACLs. Every authenticated user gets automatically the '''Authenticated''' role assigned. This role assignment cannot be revoked. == ACLs == Access Control Lists (ACLs) are bit arrays with each bit representing a permissions to access data with a particular method: ||'''Bit'''||'''Value'''||'''Permission'''|| ||auth.permission.CREATE||0x01||may create new records|| ||auth.permission.READ||0x02||may read or list records|| ||auth.permission.UPDATE||0x04||may update existing records|| ||auth.permission.DELETE||0x08||may delete records|| ACLs are combinations of these bits (by logical OR), e.g. an ACL with the value 0x06 defines permissions to read and update records, while no permission to add or to delete any records. ACLs are stored per role and request destination in the {{{s3_permission}}} table, which is defined by the {{{S3Permission}}} class (in {{{modules/s3/s3aaa.py}}}). === Record Ownership === Permissions can be set separately for users owning a record (Owner ACL {{{oacl}}}) and for any other user (User ACL, {{{uacl}}}). Tables can implement a record ownership by adding two meta fields: ||Field name||Type||Description|| ||created_by||integer (reference auth_user)||ID of the user who has created this record|| ||owned_by||integer (reference auth_group)||ID of the group (role) who own the record|| These meta fields are contained in both {{{s3_authorstamp()}}} as well as {{{s3_meta_fields()}}}. A user is considered ''owner'' of a record if he has either created the record (user ID == {{{created_by}}}), or he is a member of the owner group ({{{owned_by}}} in user roles). In tables which do not define either of these meta-fields, ownership rules are not applied. If a user ownes a record, then the most permissive of the User ACL and the Owner ACL gets applied (i.e. setting the Owner permissions more restrictive than the User permissions has no effect). === Controller Restriction === === Resource Restriction === == Implementation of Access Control == === s3_has_permission === === s3_accessible_query === == Data Access Tracking (Audit) == ---- [wiki:DeveloperGuidelinesS3Framework]