PENG-2159 Expanded permission sets

Remapped permissions to expand from a view/edit paradigm to individual permissions for create/read/update/delete. Updated the API with the permission sets. Updated jobbergate-composed to use the new permission sets.
omnivector-solutions · Apr 5, 2024 · 16b007e · 16b007e
1 parent f9754be
commit 16b007e
Show file tree

Hide file tree

Showing 9 changed files with 290 additions and 174 deletions.
diff --git a/jobbergate-api/CHANGELOG.md b/jobbergate-api/CHANGELOG.md
@@ -4,6 +4,8 @@ This file keeps track of all notable changes to jobbergate-api
 
 ## Unreleased
 
+- Expanded permission sets from view/edit to create/read/update/delete
+
 
 ## 5.0.0a0 -- 2024-03-26
 - Fixed a bug when an empty string is passed as a value for `execution_directory` on job submissions

diff --git a/jobbergate-api/jobbergate_api/apps/job_script_templates/routers.py b/jobbergate-api/jobbergate_api/apps/job_script_templates/routers.py
@@ -39,7 +39,7 @@
 async def job_script_template_create(
     create_request: JobTemplateCreateRequest,
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_TEMPLATES_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_TEMPLATES_CREATE, ensure_email=True)
     ),
 ):
     """Create a new job script template."""
@@ -63,7 +63,7 @@ async def job_script_template_create(
 )
 async def job_script_template_get(
     id_or_identifier: int | str = Path(),
-    secure_services: SecureService = Depends(secure_services(Permissions.JOB_TEMPLATES_VIEW, commit=False)),
+    secure_services: SecureService = Depends(secure_services(Permissions.JOB_TEMPLATES_READ, commit=False)),
 ):
     """Get a job script template by id or identifier."""
     logger.info(f"Getting job script template with {id_or_identifier=}")
@@ -80,7 +80,7 @@ async def job_script_template_clone(
     id_or_identifier: int | str = Path(),
     clone_request: JobTemplateCloneRequest | None = None,
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_TEMPLATES_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_TEMPLATES_CREATE, ensure_email=True)
     ),
 ):
     """Clone a job script template by id or identifier."""
@@ -123,7 +123,7 @@ async def job_script_template_clone(
 async def job_script_template_get_list(
     list_params: ListParams = Depends(),
     include_null_identifier: bool = Query(False),
-    secure_services: SecureService = Depends(secure_services(Permissions.JOB_TEMPLATES_VIEW, commit=False)),
+    secure_services: SecureService = Depends(secure_services(Permissions.JOB_TEMPLATES_READ, commit=False)),
 ):
     """Get a list of job script templates."""
     logger.debug("Preparing to list job script templates")
@@ -149,7 +149,7 @@ async def job_script_template_update(
     update_request: JobTemplateUpdateRequest,
     id_or_identifier: int | str = Path(),
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_TEMPLATES_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_TEMPLATES_UPDATE, ensure_email=True)
     ),
 ):
     """Update a job script template by id or identifier."""
@@ -170,7 +170,7 @@ async def job_script_template_update(
 async def job_script_template_delete(
     id_or_identifier: int | str = Path(),
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_TEMPLATES_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_TEMPLATES_DELETE, ensure_email=True)
     ),
 ):
     """Delete a job script template by id or identifier."""
@@ -189,7 +189,7 @@ async def job_script_template_delete(
 async def job_script_template_get_file(
     id_or_identifier: int | str = Path(),
     file_name: str = Path(),
-    secure_services: SecureService = Depends(secure_services(Permissions.JOB_TEMPLATES_VIEW, commit=False)),
+    secure_services: SecureService = Depends(secure_services(Permissions.JOB_TEMPLATES_READ, commit=False)),
 ):
     """
     Get a job script template file by id or identifier.
@@ -218,7 +218,7 @@ async def job_script_template_upload_file(
     file_type: FileType = Path(),
     upload_file: UploadFile = File(..., description="File to upload"),
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_TEMPLATES_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_TEMPLATES_CREATE, ensure_email=True)
     ),
 ):
     """Upload a file to a job script template by id or identifier."""
@@ -250,7 +250,7 @@ async def job_script_template_delete_file(
     id_or_identifier: int | str = Path(),
     file_name: str = Path(),
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_TEMPLATES_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_TEMPLATES_DELETE, ensure_email=True)
     ),
 ):
     """Delete a file from a job script template by id or identifier."""
@@ -267,7 +267,7 @@ async def job_script_template_delete_file(
 )
 async def job_script_workflow_get_file(
     id_or_identifier: int | str = Path(),
-    secure_services: SecureService = Depends(secure_services(Permissions.JOB_TEMPLATES_VIEW, commit=False)),
+    secure_services: SecureService = Depends(secure_services(Permissions.JOB_TEMPLATES_READ, commit=False)),
 ):
     """
     Get a workflow file by id or identifier.
@@ -298,7 +298,7 @@ async def job_script_workflow_upload_file(
     ),
     upload_file: UploadFile = File(..., description="File to upload"),
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_TEMPLATES_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_TEMPLATES_CREATE, ensure_email=True)
     ),
 ):
     """Upload a file to a job script workflow by id or identifier."""
@@ -336,7 +336,7 @@ async def job_script_workflow_upload_file(
 async def job_script_workflow_delete_file(
     id_or_identifier: int | str = Path(),
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_TEMPLATES_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_TEMPLATES_DELETE, ensure_email=True)
     ),
 ):
     """Delete a workflow file from a job script template by id or identifier."""
@@ -356,7 +356,7 @@ async def job_script_workflow_delete_file(
 )
 async def job_script_template_garbage_collector(
     background_tasks: BackgroundTasks,
-    secure_services: SecureService = Depends(secure_services(Permissions.JOB_TEMPLATES_EDIT)),
+    secure_services: SecureService = Depends(secure_services(Permissions.JOB_TEMPLATES_DELETE)),
 ):
     """Delete all unused files from jobbergate templates on the file storage."""
     logger.info("Starting garbage collection from jobbergate file storage")

diff --git a/jobbergate-api/jobbergate_api/apps/job_scripts/routers.py b/jobbergate-api/jobbergate_api/apps/job_scripts/routers.py
@@ -39,7 +39,7 @@
 )
 def job_script_auto_clean_unused_entries(
     background_tasks: BackgroundTasks,
-    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SCRIPTS_EDIT)),
+    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SCRIPTS_DELETE)),
 ):
     """Automatically clean unused job scripts depending on a threshold."""
     logger.info("Starting automatically cleanup for unused job scripts")
@@ -55,7 +55,7 @@ def job_script_auto_clean_unused_entries(
 )
 async def job_script_create(
     create_request: JobScriptCreateRequest,
-    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SCRIPTS_EDIT)),
+    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SCRIPTS_CREATE)),
 ):
     """Create a stand alone job script."""
     logger.info(f"Creating a new job script with {create_request=}")
@@ -82,7 +82,7 @@ async def job_script_clone(
     id: int = Path(),
     clone_request: JobScriptCloneRequest | None = None,
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_SCRIPTS_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_SCRIPTS_CREATE, ensure_email=True)
     ),
 ):
     """Clone a job script by its id."""
@@ -116,7 +116,7 @@ async def job_script_create_from_template(
     render_request: RenderFromTemplateRequest,
     id_or_identifier: int | str = Path(...),
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_SCRIPTS_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_SCRIPTS_CREATE, ensure_email=True)
     ),
 ):
     """Create a new job script from a job script template."""
@@ -189,7 +189,7 @@ async def job_script_create_from_template(
 )
 async def job_script_get(
     id: int = Path(),
-    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SCRIPTS_VIEW, commit=False)),
+    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SCRIPTS_READ, commit=False)),
 ):
     """Get a job script by id."""
     logger.info(f"Getting job script {id=}")
@@ -207,7 +207,7 @@ async def job_script_get_list(
         None,
         description="Filter job-scripts by the job-script-template-id they were created from.",
     ),
-    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SCRIPTS_VIEW, commit=False)),
+    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SCRIPTS_READ, commit=False)),
 ):
     """Get a list of job scripts."""
     logger.debug("Preparing to list job scripts")
@@ -232,7 +232,7 @@ async def job_script_update(
     update_params: JobScriptUpdateRequest,
     id: int = Path(),
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_SCRIPTS_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_SCRIPTS_UPDATE, ensure_email=True)
     ),
 ):
     """Update a job script template by id or identifier."""
@@ -251,7 +251,7 @@ async def job_script_update(
 async def job_script_delete(
     id: int = Path(...),
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_SCRIPTS_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_SCRIPTS_DELETE, ensure_email=True)
     ),
 ):
     """Delete a job script template by id or identifier."""
@@ -270,7 +270,7 @@ async def job_script_delete(
 async def job_script_get_file(
     id: int = Path(...),
     file_name: str = Path(...),
-    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SCRIPTS_VIEW, commit=False)),
+    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SCRIPTS_READ, commit=False)),
 ):
     """
     Get a job script file.
@@ -297,7 +297,7 @@ async def job_script_upload_file(
     file_type: FileType = Path(...),
     upload_file: UploadFile = File(..., description="File to upload"),
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_SCRIPTS_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_SCRIPTS_CREATE, ensure_email=True)
     ),
 ):
     """Upload a file to a job script."""
@@ -330,7 +330,7 @@ async def job_script_delete_file(
     id: int = Path(...),
     file_name: str = Path(...),
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_SCRIPTS_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_SCRIPTS_DELETE, ensure_email=True)
     ),
 ):
     """Delete a file from a job script template by id or identifier."""
@@ -349,7 +349,7 @@ async def job_script_delete_file(
 )
 def job_script_garbage_collector(
     background_tasks: BackgroundTasks,
-    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SCRIPTS_EDIT)),
+    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SCRIPTS_DELETE)),
 ):
     """Delete all unused files from job scripts on the file storage."""
     logger.info("Starting garbage collection from jobbergate file storage")

diff --git a/jobbergate-api/jobbergate_api/apps/job_submissions/routers.py b/jobbergate-api/jobbergate_api/apps/job_submissions/routers.py
@@ -41,7 +41,7 @@
 async def job_submission_create(
     create_request: JobSubmissionCreateRequest,
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_SUBMISSIONS_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_SUBMISSIONS_CREATE, ensure_email=True)
     ),
 ):
     """
@@ -94,7 +94,7 @@ async def job_submission_create(
 )
 async def job_submission_get(
     id: int = Path(...),
-    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SUBMISSIONS_VIEW, commit=False)),
+    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SUBMISSIONS_READ, commit=False)),
 ):
     """Return the job_submission given it's id."""
     logger.debug(f"Getting job submission {id=}")
@@ -120,7 +120,7 @@ async def job_submission_get_list(
         None,
         description="Filter job-submissions by the job-script-id they were created from.",
     ),
-    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SUBMISSIONS_VIEW, commit=False)),
+    secure_services: SecureService = Depends(secure_services(Permissions.JOB_SUBMISSIONS_READ, commit=False)),
 ):
     """List job_submissions for the authenticated user."""
     logger.debug("Fetching job submissions")
@@ -155,7 +155,7 @@ async def job_submission_get_list(
 async def job_submission_delete(
     id: int = Path(..., description="id of the job submission to delete"),
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_SUBMISSIONS_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_SUBMISSIONS_DELETE, ensure_email=True)
     ),
 ):
     """Delete job_submission given its id."""
@@ -177,7 +177,7 @@ async def job_submission_update(
     update_params: JobSubmissionUpdateRequest,
     id: int = Path(),
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_SUBMISSIONS_EDIT, ensure_email=True)
+        secure_services(Permissions.JOB_SUBMISSIONS_UPDATE, ensure_email=True)
     ),
 ):
     """Update a job_submission given its id."""
@@ -199,7 +199,7 @@ async def job_submission_agent_update(
     update_params: JobSubmissionAgentUpdateRequest,
     id: int = Path(),
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_SUBMISSIONS_EDIT, ensure_client_id=True)
+        secure_services(Permissions.JOB_SUBMISSIONS_UPDATE, ensure_client_id=True)
     ),
 ):
     """
@@ -267,7 +267,7 @@ async def job_submission_agent_update(
 async def job_submissions_agent_submitted(
     submitted_request: JobSubmissionAgentSubmittedRequest,
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_SUBMISSIONS_EDIT, ensure_client_id=True)
+        secure_services(Permissions.JOB_SUBMISSIONS_UPDATE, ensure_client_id=True)
     ),
 ):
     """Update a job_submission to indicate that it was submitted to Slurm."""
@@ -301,7 +301,7 @@ async def job_submissions_agent_submitted(
 async def job_submissions_agent_rejected(
     rejected_request: JobSubmissionAgentRejectedRequest,
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_SUBMISSIONS_EDIT, ensure_client_id=True)
+        secure_services(Permissions.JOB_SUBMISSIONS_UPDATE, ensure_client_id=True)
     ),
 ):
     """Update a job_submission to indicate that it was rejected by Slurm."""
@@ -346,7 +346,7 @@ async def job_submissions_agent_rejected(
 )
 async def job_submissions_agent_pending(
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_SUBMISSIONS_VIEW, commit=False, ensure_client_id=True)
+        secure_services(Permissions.JOB_SUBMISSIONS_READ, commit=False, ensure_client_id=True)
     ),
 ):
     """Get a list of pending job submissions for the cluster-agent."""
@@ -372,7 +372,7 @@ async def job_submissions_agent_pending(
 )
 async def job_submissions_agent_active(
     secure_services: SecureService = Depends(
-        secure_services(Permissions.JOB_SUBMISSIONS_VIEW, commit=False, ensure_client_id=True)
+        secure_services(Permissions.JOB_SUBMISSIONS_READ, commit=False, ensure_client_id=True)
     ),
 ):
     """Get a list of active job submissions for the cluster-agent."""

diff --git a/jobbergate-api/jobbergate_api/apps/permissions.py b/jobbergate-api/jobbergate_api/apps/permissions.py
@@ -10,9 +10,15 @@ class Permissions(str, Enum):
     Describe the permissions that may be used for protecting Jobbergate routes.
     """
 
-    JOB_TEMPLATES_VIEW = "jobbergate:job-templates:view"
-    JOB_TEMPLATES_EDIT = "jobbergate:job-templates:edit"
-    JOB_SCRIPTS_VIEW = "jobbergate:job-scripts:view"
-    JOB_SCRIPTS_EDIT = "jobbergate:job-scripts:edit"
-    JOB_SUBMISSIONS_VIEW = "jobbergate:job-submissions:view"
-    JOB_SUBMISSIONS_EDIT = "jobbergate:job-submissions:edit"
+    JOB_TEMPLATES_CREATE = "jobbergate:job-templates:create"
+    JOB_TEMPLATES_READ = "jobbergate:job-templates:read"
+    JOB_TEMPLATES_UPDATE = "jobbergate:job-templates:update"
+    JOB_TEMPLATES_DELETE = "jobbergate:job-templates:delete"
+    JOB_SCRIPTS_CREATE = "jobbergate:job-scripts:create"
+    JOB_SCRIPTS_READ = "jobbergate:job-scripts:read"
+    JOB_SCRIPTS_UPDATE = "jobbergate:job-scripts:update"
+    JOB_SCRIPTS_DELETE = "jobbergate:job-scripts:delete"
+    JOB_SUBMISSIONS_CREATE = "jobbergate:job-submissions:create"
+    JOB_SUBMISSIONS_READ = "jobbergate:job-submissions:read"
+    JOB_SUBMISSIONS_UPDATE = "jobbergate:job-submissions:update"
+    JOB_SUBMISSIONS_DELETE = "jobbergate:job-submissions:delete"