
Remove permissions from X-Okapi-Token (JWT) - convert module permissions to a permset


    Details

    • Sprint:
      CP: sprint 87, CP: sprint 88, CP: sprint 89
    • Story Points:
      5
    • Development Team:
      Core: Platform

      Description

      Context

      Embedding permission names within the JWT token can produce an X-Okapi-Token header that exceeds the maximum header size limit.

      Proposed Approach

      Remove permissions from the X-Okapi-Token JWT token and replace them with a pointer to an appropriate permission source:

      • for user permissions: UUID of the user/permissions object – this is already implemented in MAT
      • for module permissions: a "hidden" permission set in the form of "SYS#moduleId#pathPattern#methods" that is dereferenced during permission validation

      Implementation

      We define a Token Permission Key (TPK) as moduleId.method.pathPattern. The TPK is used as a "hidden" permissionSet and effectively replaces the list of specific module permissions in the X-Okapi-Token.

      Okapi will generate the TPK permission set during the call to mod-permission (_tenantPermissions system method).

      We modify X-Okapi-Module-Permissions to include a map from the moduleId (no change) to a TPK (rather than a list of permissions).
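The following is an added illustration of the scheme described above, not Okapi's own code: it derives a TPK from a module descriptor handler, registers the TPK as a hidden permission set whose subpermissions are the handler's modulePermissions, compares the size of a token that carries the permission list against one that carries only the TPK, and shows the dereference step a validator performs. The claim name `extra_permissions`, the `HS512` header and the descriptor field names are assumptions made for the example; the module id, paths and permission names are constructed sample values.

```python
import base64
import json

# Constructed sample: one module with two handlers, in the shape of a module
# descriptor's "handlers" entries (assumed field names; made-up values).
SAMPLE_MODULE_ID = "mod-inventory-9.0.0"
SAMPLE_HANDLERS = [
    {
        "methods": ["GET"],
        "pathPattern": "/inventory/items/{id}",
        "modulePermissions": [
            "inventory-storage.items.item.get",
            "inventory-storage.holdings.item.get",
            "inventory-storage.instances.item.get",
            "configuration.entries.collection.get",
            "users.item.get",
            "locations.item.get",
        ],
    },
    {
        "methods": ["POST", "PUT"],
        "pathPattern": "/inventory/items",
        "modulePermissions": [
            "inventory-storage.items.item.post",
            "inventory-storage.items.item.put",
        ],
    },
]


def make_tpk(module_id, method, path_pattern):
    """Token Permission Key as defined in the ticket: moduleId.method.pathPattern."""
    return f"{module_id}.{method}.{path_pattern}"


def build_tpk_permsets(module_id, handlers):
    """Hidden permission sets Okapi would hand to mod-permissions via
    _tenantPermissions: one TPK per handler/method, expanding to the handler's
    modulePermissions as subpermissions."""
    permsets = {}
    for handler in handlers:
        for method in handler["methods"]:
            tpk = make_tpk(module_id, method, handler["pathPattern"])
            permsets[tpk] = list(handler.get("modulePermissions", []))
    return permsets


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unsigned_token_size(claims):
    """Byte length of header.payload for the given claims. The signature is
    fixed-length and omitted, so it does not affect the comparison."""
    header = {"alg": "HS512", "typ": "JWT"}  # assumed header values
    return len(_b64url(header)) + 1 + len(_b64url(claims))


def token_size_with_list(module_id, permissions):
    """Size of a module token that embeds the permission names (current form)."""
    return unsigned_token_size({"sub": module_id, "extra_permissions": permissions})


def token_size_with_tpk(module_id, tpk):
    """Size of a module token that carries only the TPK pointer (proposed form)."""
    return unsigned_token_size({"sub": module_id, "extra_permissions": [tpk]})


def dereference(claimed, permsets):
    """Expand each TPK in the token's permission claim into the module
    permissions it stands for; ordinary permission names pass through."""
    expanded = set()
    for name in claimed:
        expanded.update(permsets.get(name, [name]))
    return expanded


def is_allowed(claimed, required, permsets):
    """Permission check as a validator would perform it after dereferencing."""
    return required in dereference(claimed, permsets)


if __name__ == "__main__":
    permsets = build_tpk_permsets(SAMPLE_MODULE_ID, SAMPLE_HANDLERS)
    tpk = make_tpk(SAMPLE_MODULE_ID, "GET", "/inventory/items/{id}")
    print("TPK:", tpk)
    print("token bytes with list:", token_size_with_list(SAMPLE_MODULE_ID, permsets[tpk]))
    print("token bytes with TPK: ", token_size_with_tpk(SAMPLE_MODULE_ID, tpk))
    print("allowed:", is_allowed([tpk], "users.item.get", permsets))
```

The saving grows with the number of module permissions per handler, which is exactly the case that pushes the header past the limit; the cost moved to the validator is one lookup of the TPK in the permission store.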

                People

                Assignee:
                hji Hongwei Ji
                Reporter:
                jakub Jakub Skoczen
