Merge pull request #51 from SciCatProject/update-20240408

nitrosx · web-flow · commit 1194738856cc · 2024-04-12T12:07:51.000+02:00
job authorization updates
diff --git a/Development/v4.x/backend/authorization/authorization_jobs.md b/Development/v4.x/backend/authorization/authorization_jobs.md
@@ -10,62 +10,63 @@ The authorization for jobs is consistently different from all the other endpoint
 - JobDelete
 
 ### (Data) Instance Authorization
-- *job_create_configuration*: the job create section of the configuration dictates if the user can create the job 
-- JobCreateAny: users with this privileges can create jobs for any of the users that are defined in the create section of the job configuration 
+- JobCreateConfiguration (The jobs create section of the configuration dictats if the user can create the job)
+- JobCreateOwner (Users with this privileges can create jobs only for themselves)
+- JobCreateAny (Users with this privileges can create jobs for any of the users that are defined in the create section of the job configuration)
 - JobReadAccess
 - JobReadAny
-- *job_satatus_update_configuration*: the job update section in configuration dictates if the user can update the status of the job
-- JobStatusUpdateAny: users with this privileges can update the status of any job.
+- JobStatusUpdateConfiguration (The jobs update section in configuration dictates if the user can update the status of the job)
+- JobStatusUpdateOwner (Users with this privileges can update the status of jobs belonging to themselves)
+- JobStatusUpdateAny (Users with this privileges can update the status of any job)
 - JobDeleteAny
 
 #### Priority
 ```mermaid
 graph LR;
-    JobCreate-->job_create_configuration;
-    job_create_configuration-->JobCreateAny;
+    JobCreate-->JobCreateConfiguration;
+    JobCreateConfiguration-->JobCreateAny;
     JobRead-->JobReadAccess;
     JobReadAccess-->JobReadAny;
-    JobStatusUpdate-->job_status_update_configuration;
-    job_status_update_configuration-->JobStatusUpdateAny;
+    JobStatusUpdate-->JobStatusUpdateConfiguration;
+    JobStatusUpdateConfiguration-->JobStatusUpdateAny;
     JobDelete-->JobDeleteAny;
 ```
 
 #### Authorization table
 | HTTP method | Endpoint | Endpoint Authentication | Anonymous | Authenticated | Create Jobs Groups | Update Jobs Groups | Admin Groups | Delete Groups | Notes |
 | -------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- |
-| POST | Jobs | _please see job create<br>authorization table_ | _please see job create<br>authorization table_ | _please see job create<br>authorization table_ | Any<br>_JobsCreateOwner_ | __no__ | Any<br>_JobsCreateAny_ | __no__ |  |
-| GET | Jobs | _JobRead_ | __no__ | Has Access<br>_JobReadAccess_ | Has Access<br>_JobReadAccess_ |  __no__  | Any<br>_JobReadAny_ | __no__ |  |
-| GET | Jobs/_jid_ | _JobRead_ | __no__ | Has Access<br>_JobReadAccess_ | Has Access<br>_JobReadAccess_ |  __no__  | Any<br>_JobReadAny_ | __no__ |  |
-| POST | Jobs/statusUpdate | _please see job create<br>authorization table_ | __no__ | _please see job update<br>authorization table_ | __no__ | Owner<br>_JobStatusUpdateOwner_ | Any<br>_JobStatusUpdateAny_ | __no__ |  |
+| POST | Jobs | _JobCreate_ | _JobCreateConfiguration_ | _JobCreateConfiguration_ | Any<br>_JobsCreateOwner_ | __no__ | Any<br>_JobsCreateAny_ | __no__ |  |
+| GET | Jobs | _JobReadMany_ | __no__ | Has Access<br>_JobReadAccess_ | Has Access<br>_JobReadAccess_ |  __no__  | Any<br>_JobReadAny_ | __no__ |  |
+| GET | Jobs/_jid_ | _JobReadOne_ | __no__ | Has Access<br>_JobReadAccess_ | Has Access<br>_JobReadAccess_ |  __no__  | Any<br>_JobReadAny_ | __no__ |  |
+| POST | Jobs/statusUpdate | _JobStatusUpdate_ | __no__ | _JobStatusUpdateConfiguration_ | __no__ | Owner<br>_JobStatusUpdateOwner_ | Any<br>_JobStatusUpdateAny_ | __no__ |  |
 | DELETE | Jobs/_jid_ | _JobDelete_ | __no__ | __no__ | __no__ | __no__ | __no__ | _JobDeleteAny_ | | 
 
 #### Job Create Authorization Table
-These authorization permissions are configured directly in the __*create*__ section of the job configuration.  
-They apply to the jobs endpoint POST:Jobs  
+The _JobCreateConfiguration_ authorization permissions are configured directly in the __*create*__ section of the job configuration.  
+Any positive match will results in the user acquiring _JobCreate_ endpoint authorization which apply to the jobs endpoint POST:Jobs  
   
-| Job Create Authorization | Endpoint Authentication | Endpoint Authentication Description | Instance Authentication | Instance Authentication Description |
+| Job Create Authorization | Endpoint Authentication Translation | Endpoint Authentication Description | Instance Authentication Translation | Instance Authentication Description |
 | --- | --- | --- | --- | --- |
 | _#all_ | _#all_ | any user can access this endpoint, both anonymous and authenticated | _#all_ | Any user can create this instance of the job |
-| _#admin_ | ADMIN_GROUPS | Only users belonging to any group listed in ADMIN_GROUPS will be able to access the endpoint | ADMIN_GROUPS | Only users belonging to any group listed in ADMIN_GROUPS will be able to create this instance of the job |
-| _#authenticated_ | _#user_ | any valid users can access the endpoint, independently from their groups | _#user_ | any valid users can cretae this instance of the job |
 | _#datasetPublic_ | _#all_ | any user can access this endpoint, both anonymous and and authenticated | _#datasetPublic_ | the job instance will be created only if all the datasets listed are __public__ |
+| _#authenticated_ | _#user_ | any valid users can access the endpoint, independently from their groups | _#user_ | any valid users can cretae this instance of the job |
 | _#datasetAccess_ | _#user_ | any valid user can access this endpoint, independently from their groups | _#datasetAccess_ | the job instance will be created only if the user has access to all the datasets listed |
 | _#datasetOwner_ | _#user_ | any valid user can access this endpoint, independently from their groups | _#datasetOwner_ | the job instance will be created only if the user is part of all the datasets owner group |
-| __*GROUP*__ | __*GROUP*__ | only users that belongs to the specified group can access the endpoint | __*GROUP*__ | the job instance will be created only if all the datasets listed belong to the group specified |
+| __*@GROUP*__ | __*GROUP*__ | only users that belongs to the specified group can access the endpoint | __*GROUP*__ | the job instance will be created only if all the datasets listed belong to the group specified |
 | __*USER*__ | __*USER*__ | only the specified user can access the endpoint | _#datasetOwner_ | the job instance will be created only if all the datasets listed are owned by any of the user's groups |
 
 __IMPORTANT__: use option _#all_ carefully, as it allows anybody to create a new job. It is mostly use for debuging and testing
 
 #### Job Status Update Authorization Table
-These authorization permissions are configured directly in the __*update*__ section of the job configuration.  
-They apply to the jobs endpoint POST:Jobs/statusUpdate  
+The _JobStatusUpdateConfiguration_ authorization permissions are configured directly in the __*update*__ section of the job configuration.  
+Any positive match will results in the user acquiring  _JobStatusUpdate_ endpoint authorization apply to the jobs endpoint POST:Jobs/statusUpdate  
   
-| Job Status Update Authorization | Endpoint Authentication | Endpoint Authentication Description | Instance Authentication | Instance Authentication Description |
+| Job Status Update Authorization | Endpoint Authentication Translation | Endpoint Authentication Description | Instance Authentication Translation | Instance Authentication Description |
 | --- | --- | --- | --- | --- |
 | _#all_ | _#all_ | any user can access this endpoint, both anonymous and authenticated | _#all_ | Any user can update the status of this job instance |
-| _#owner_ | _#user_ | valid user can access the endpoint | _#jobOwner_ | a user that belongs to the group listed as job owner can perform the update |
-| _#admin_ | ADMIN_GROUPS | Only users belonging to any group listed in ADMIN_GROUPS will be able to access the endpoint | ADMIN_GROUPS | Only users belonging to any group listed in ADMIN_GROUPS  are able to update the job status |
-| __*GROUP*__ | __*GROUP*__ | only users that belongs to the specified group can access the endpoint | __*GROUP*__ | the job status can be updated only by users who belong to the group specified |
+| _#jobOwnerUser_ | _#user_ | authenticated user can access the endpoint | _#jobOwnerUser_ | only the user that is listed in field _ownerUser_ can perform the update |
+| _#jobOwnerGroup_ | _#user_ | authenticated user can access the endpoint | _#jobOwnerGroup_ | any user that belongs to the group listed in field _ownerGroup_ can perform the update |
+| __*@GROUP*__ | __*GROUP*__ | only users that belongs to the specified group can access the endpoint | __*GROUP*__ | the job status can be updated only by users who belong to the group specified |
 | __*USER*__ | __*USER*__ | only the specified user can access the endpoint | __*USER*__ | the job status can be updated only by the user indicated |
 
 __IMPORTANT__: use option _#all_ carefully, as it allows anybody to update the status of the job. It is mostly use for debuging and testing
