Define a read-only API user
When using the Yana API you may want a user account that has read-only access to the system.
For reference on configuring Yana roles and permissions, see Roles and Permissions.
You can of course use any user whose role maps to 'ROLE_YANA_USER', the default read-only role for all projects. Such a user can retrieve all API output for every project.
If you want read-only access restricted to a particular project instead, there are two ways to set it up: by user, or by role.
By user
- Add a new user to your system, either via the Yana Spring internal mechanism, or via your external authorization system if using container authentication.
- Make sure the user account is not a member of any of the Yana internal roles, all of which grant at least read access to all projects by default.
- If using container authentication, make sure the user is at least a member of the 'yana' or general yana-access role defined in your web.xml file.
You now have a user account which can log in, but has no authorized access to any project. Follow the instructions in Roles and Permissions to grant read permission to the user:
- Add a GRANT for 'read' permission to the username for the specific project.
By Role
If you want to add a new role with read-only access to a particular project, you must first add a new role (see Roles and Permissions). If using container authentication, be sure to add the new role to your role mapping definition. The mapping definition might look like this:
roleMap = [myLDAPRole: 'ROLE_MY_READONLY_ACCESS']
This maps "myLDAPRole" from your authorization system to an internal Yana role called 'ROLE_MY_READONLY_ACCESS'.
A newly defined role has no access to any project by default, so users in it can log in but cannot see any project. Follow the instructions in Roles and Permissions to add the grant:
- Add a GRANT for 'read' permission to 'ROLE_MY_READONLY_ACCESS' for the specific project.
If you want to use the default internal 'user' role (ROLE_YANA_USER), which grants read access to all projects, but remove access to certain projects, deny 'read' permission for the role or user:
- Add a DENY 'read' permission to 'username' for the project
or
- Add a DENY 'read' permission to 'ROLE_YANA_USER' for the project, which affects all users in that role.
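The following is an added example, not code from the Yana project: a small Python model of the permission behaviour described in the "By user", "By Role" and DENY sections above, so you can see how the pieces interact before configuring a real instance. It assumes three things that are not stated on the page: that an explicit DENY takes precedence over any GRANT or default role access, that ROLE_YANA_USER is the only internal role modelled (the page says all internal roles read every project, so others would be added to DEFAULT_READ_ROLES), and that 'write' is a hypothetical permission name used only to show that a read GRANT implies nothing else. The users, project names and LDAP role names are constructed for the example.

```python
"""Model of per-project read permissions: default internal roles,
container role mapping, and GRANT/DENY entries (added example)."""
from dataclasses import dataclass, field

# Default read-only internal role named on the page.
ROLE_YANA_USER = "ROLE_YANA_USER"
# Internal roles that read every project by default. Assumption: only
# ROLE_YANA_USER is modelled; other internal roles would be added here.
DEFAULT_READ_ROLES = {ROLE_YANA_USER}


def map_container_roles(external_roles, role_map):
    """Translate roles from an external system (e.g. LDAP) via a roleMap.
    Unmapped external roles are dropped, mirroring a roleMap entry list."""
    return {role_map[r] for r in external_roles if r in role_map}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def principals(self):
        # ACL entries can name either the username or one of its roles.
        return {self.name} | self.roles


@dataclass
class ProjectAcl:
    grants: set = field(default_factory=set)  # (principal, permission, project)
    denies: set = field(default_factory=set)

    def grant(self, principal, permission, project):
        self.grants.add((principal, permission, project))

    def deny(self, principal, permission, project):
        self.denies.add((principal, permission, project))

    def allows(self, user, permission, project):
        # Assumption: an explicit DENY for the user or any of its roles wins.
        for p in user.principals():
            if (p, permission, project) in self.denies:
                return False
        # Internal read roles see every project unless denied above.
        if permission == "read" and user.roles & DEFAULT_READ_ROLES:
            return True
        return any((p, permission, project) in self.grants for p in user.principals())


def demo():
    """Walk through the three scenarios from the page; returns a dict of results."""
    acl = ProjectAcl()
    results = {}

    # By user: new account with no internal roles, then GRANT read on projA.
    alice = User("alice")
    results["alice_before"] = acl.allows(alice, "read", "projA")
    acl.grant("alice", "read", "projA")
    results["alice_projA"] = acl.allows(alice, "read", "projA")
    results["alice_projB"] = acl.allows(alice, "read", "projB")

    # By role: container auth maps an LDAP role to a new internal role,
    # which has no access until a GRANT names it.
    role_map = {"myLDAPRole": "ROLE_MY_READONLY_ACCESS"}
    bob = User("bob", map_container_roles({"myLDAPRole", "otherLDAPRole"}, role_map))
    results["bob_roles"] = sorted(bob.roles)
    results["bob_before"] = acl.allows(bob, "read", "projA")
    acl.grant("ROLE_MY_READONLY_ACCESS", "read", "projA")
    results["bob_projA"] = acl.allows(bob, "read", "projA")
    results["bob_write"] = acl.allows(bob, "write", "projA")  # hypothetical permission

    # Default role reads everything; a per-project DENY on the role removes one.
    carol = User("carol", {ROLE_YANA_USER})
    results["carol_projB"] = acl.allows(carol, "read", "projB")
    acl.deny(ROLE_YANA_USER, "read", "secret")
    results["carol_secret"] = acl.allows(carol, "read", "secret")
    results["carol_projA"] = acl.allows(carol, "read", "projA")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that in the model a DENY on ROLE_YANA_USER hides the project from every member of that role, which is exactly the effect the last bullet above describes; if you only want to hide it from one person, DENY the username instead.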