airavata-issues mailing list archives

From "Marcus Christie (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AIRAVATA-2433) Tighten up authorization for updating gateway requests in super admin portal
Date Fri, 09 Jun 2017 13:09:18 GMT
Marcus Christie created AIRAVATA-2433:
-----------------------------------------

             Summary: Tighten up authorization for updating gateway requests in super admin portal
                 Key: AIRAVATA-2433
                 URL: https://issues.apache.org/jira/browse/AIRAVATA-2433
             Project: Airavata
          Issue Type: Bug
          Components: Airavata API
            Reporter: Marcus Christie
             Fix For: 0.18


Users with the {{gateway-provider}} role can update any gateway, even delete a gateway.  The
authorization in the backend would allow it. The only thing stopping a user from doing it
is the frontend.

To tighten up security the gateway manipulation methods in the TenantProfileService could
require the role, {{super-admin}}, which only administrators of the super admin portal have.

Alternatively, we could tighten up the list of methods that are allowed by the {{gateway-provider}}
role. I'm not sure that a new role is strictly needed.




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
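
The tightening proposed in the message above, sketched as an added example (not part of the original message and not Airavata code): a deny-by-default, server-side role-to-method check, comparing a policy in which gateway-provider reaches every gateway method with a narrowed one. The method names and both policy tables are assumptions made for illustration; only the two role names come from the issue.

```python
import re

# Hypothetical method names for illustration; not taken from the Airavata code base.
GATEWAY_METHODS = ["addGateway", "getGateway", "getAllGateways",
                   "updateGateway", "deleteGateway"]
MUTATING = {"updateGateway", "deleteGateway"}

# Assumed "before" policy: gateway-provider matches every gateway method,
# so only the frontend keeps such a user away from update and delete.
POLICY_BEFORE = {
    "gateway-provider": [r".*Gateway.*"],
    "super-admin": [r".*"],
}

# Assumed "after" policy: gateway-provider keeps an explicit, narrow method
# list, and gateway manipulation is reachable only through super-admin.
POLICY_AFTER = {
    "gateway-provider": [r"addGateway", r"getGateway"],
    "super-admin": [r".*"],
}

def is_authorized(policy, roles, method):
    """Deny by default: allow only when a held role lists a pattern that
    matches the whole method name. Unknown roles grant nothing."""
    return any(
        re.fullmatch(pattern, method)
        for role in roles
        for pattern in policy.get(role, [])
    )

def reachable_mutations(policy, role):
    """Audit helper: which mutating gateway methods can this role call?"""
    return sorted(m for m in GATEWAY_METHODS
                  if m in MUTATING and is_authorized(policy, [role], m))

if __name__ == "__main__":
    for name, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        for role in ("gateway-provider", "super-admin"):
            print(name, role, reachable_mutations(policy, role))
```

Running an audit like `reachable_mutations` over every role in the deployed policy gives a quick regression check that a later pattern change has not reopened update or delete to a non-admin role.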
