AAA Security

[evaachim]

No description provided.

[evaachim]

Includes #150 #151 #152 #157

[evaachim]

Look at who does what on the server, access control, adding fields to accommodate.

[evaachim]

Other things to consider:

1. What rules can an authorized user have (and what can he do: view, add, … )
2. The perspective is that of a data center
3. Multiple types of users
4. Restrict users

[evaachim]

List of proposed user types:

• admin
  a. manages user resources -> user workflow
  b. manages other resources
  c. manages lease requests

• super user (suggestion)
  a. acts as a regular user but with some admin "powers" (i.e. manages a group of users that pertain to him/her) OR acts as the link between users and admins (i.e. processes and filters requests and sends them to admin users).

• regular user
  a. manages his/her own resources (views, adds, edits, removes)
  b. manages his own lease requests (places, views, edits, deletes)

• limited user (suggestion)
  a. can only view resources and make requests

[evaachim]

APIs that can be used for this purpose by each user:

• admin (with a focus on managing other users primarily):

1. add
2. delete
3. lease (approve it - might need to add something for this)

• super user:

• regular user (with a focus on managing only those resources that belong to him / her):

1. add
2. delete
3. place lease

• limited user

1. add

[evaachim]

CRUD Operations for:

CRUD for user-type resources: admins

CRUD for all network resources: admins

CRUD for users in their group: super users
CRUD for all network resources in their group: super user

CRUD for their personal resources: regular users

Only VIEW resources: limited users

[evaachim]

CRUD actions allowed for each user - continued -

Admins:

Create: Users and resources, labels (moderate labels)
Read: Users and resources, labels (moderate labels)
Update: users and resources, labels (moderate labels)
Delete: users and resources, labels (moderate labels)

Super Users:

Create: resources
Read: resources, users, labels
Update: resources, (groups of) users
Delete: resources

Regular Users:

Create: (personal) resources
Read: (personal) resources,
Update: (personal) resources,
Delete: (personal) resources,

Limited Users:

Create: no
Read: (personal) resources
Update: (personal) resources - potentially
Delete: (personal) resources - potentially

[chuckluv]

Data Structure Ideas for User Access:
1.

UserAccess map[Resourse UUID]AccessLevels

AccessLevels{
ReadWrite map[User UUID]User
ReadOnly map[User UUID]User
NoAccess map[User UUID]User
}

UserAccess map[User UUID]AccessLevels

AccessLevels{
ReadWrite map[Resourse UUID]Resourse
ReadOnly map[Resourse UUID]Resourse
NoAccess map[Resourse UUID]Resourse
}

[evaachim]

User Labels Ideas for User Group (Resource Type) Access:

resource.group:admin

• and -

resource.group:su

• and -

resource.group:user

• and -

resource.group:limited