Reputation: 21
I am new to Intake and I am trying to understand how I can control the visibility and access rights for catalog entries. For example, I would like to find out what a catalog YAML file looks like for the following case: suppose I have two CSV files to which I provide access through a catalog YAML file, together with two users. How can I make only one CSV visible to one user while the other user can see both files? Or how would I need to change the yml file below to accomplish this?

    metadata:
      version: 1
    description: "lattice data catalog"
    sources:
      sample1:
        driver: csv
        args:
          urlpath: test1.csv
      testcsv:
        driver: csv
        args:
          urlpath: test2.csv

Upvotes: 1
Views: 377
Reputation: 28684
Firstly, let's specify that this is in the context of the Intake server. You could build a YAML catalog driver which could only present some entries to a user based on some environment variable or other information, but we'll not consider that here.
The general outline for creating an auth plugin for the server is given in the docs. In that case, a header string is compared to a single static secret. In your case, the key information will be passed by your authenticating proxy. You could compare the user to some explicit input drawn from an external source:

    def allow_access(self, header, source, catalog):
        # user name as set by the authenticating proxy
        user = header.get("X-user-from-nginx", None)
        source_name = source.describe()['name']
        if source_name == "sample1":
            return user in ['user1', 'user2']
        if source_name == "sample2":
            return user in ['user2']
        # any other source is denied
        return False

or you could embed the permissions into the catalog (which will only make sense when read via your server with the given auth):

    sources:
      sample1:
        driver: csv
        args:
          urlpath: test1.csv
        metadata:
          allow_users: ["user1"]

with auth plugin:

    def allow_access(self, header, source, catalog):
        # user name as set by the authenticating proxy
        user = header.get("X-user-from-nginx", None)
        # per-source allow-list read from the entry's metadata
        allowed = source.describe().get("metadata", {}).get('allow_users', [])
        return user in allowed

Upvotes: 0
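
A fail-closed variant of the metadata-based check from the answer above, as an added example that is not part of the original answer or of Intake's own code. The names `MetadataACLAuth`, `FakeSource` and `visible_sources` are hypothetical and the sample catalog is constructed; in a real server the method would live in the auth plugin class described in the Intake docs.

```python
class MetadataACLAuth:
    """Per-source allow-list check, shaped like the allow_access hook above."""

    def __init__(self, user_header="X-user-from-nginx"):
        # Only trustworthy if the authenticating proxy overwrites any
        # client-supplied copy of this header before forwarding.
        self.user_header = user_header.lower()

    def _user(self, header):
        # HTTP header names are case-insensitive; compare lowercase names.
        for name, value in (header or {}).items():
            if str(name).lower() == self.user_header:
                return value.strip() if isinstance(value, str) else None
        return None

    def allow_access(self, header, source, catalog):
        user = self._user(header)
        if not user:
            return False  # no identity from the proxy: fail closed
        try:
            allowed = (source.describe().get("metadata") or {}).get("allow_users")
        except Exception:
            return False
        # A bare string would turn `in` into a substring test
        # ("user" in "user1" is True), so accept only a list of strings.
        if not isinstance(allowed, (list, tuple)):
            return False
        return any(isinstance(a, str) and a == user for a in allowed)


class FakeSource:
    """Constructed stand-in for a catalog entry; only describe() is used."""
    def __init__(self, name, metadata=None):
        self._d = {"name": name, "metadata": metadata}

    def describe(self):
        return dict(self._d)


def visible_sources(auth, header, sources):
    """Names of the sources this request may access."""
    return [s.describe()["name"] for s in sources if auth.allow_access(header, s, None)]


# Constructed sample catalog mirroring the question: user2 sees both, user1 one.
SOURCES = [
    FakeSource("sample1", {"allow_users": ["user1", "user2"]}),
    FakeSource("testcsv", {"allow_users": ["user2"]}),
    FakeSource("misconfigured", {"allow_users": "user1"}),  # string, not a list
    FakeSource("no_acl"),
]
```

Entries with a missing or malformed `allow_users` value are hidden from everyone, so a catalog typo denies access instead of granting it.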