Support additional authentication mechanisms #113
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
The simple key-based authentication on the API works fairly well, but more advanced authentication is a good idea for expandability and management within a larger environment, where multiple users and classes of users may require specific permissions.
This feature is twofold:
Implement RBAC into the API, allowing the limiting of different "groups" to different functions. Allow these permissions to be granular and administrator-manageable with some sane defaults. This will likely require a bit of work, but shouldn't require extensive code refactoring and can be built on top of the existing authentication system.
Implement additional mechanisms for authentication, as alternatives to keys. The first one that comes to mind is user + password authentication, but LDAP integration, and potentially some form of OAuth is a good idea too. This is likely the harder, longer part that will involve building an authentication subsystem into the API, of which keys will be only one option.
changed milestone to %4
mentioned in issue #114
At this point I'm leaning towards this being configuration-based, rather than being based in the API, but will have to give this more thought.
Config file
Pros
Cons
Dynamic (API-based, in-database)
Pros
Cons
I think from a backend perspective, the best solution is the simplest solution.
API keys should remain, and we can define at least 3 discrete roles that any given API key can be given.
First thought for discrete roles would be:
From the API perspective this seems like a fairly ideal way of doing things. It keeps management and implementation of the authorization quite simple (a given function would require at most 2 flags) while still providing some good granularity. And any more advanced user control could be implemented in the frontends (specifically, web frontends) using whatever RBAC mechanisms make the most sense.