After careful deliberation on token exchange, the decision has been made that we will use a service account with write_access for a specific beamline for insertion of documents from blueapi to tiled. More explanation in the above PR.
The main issue in token exchange was that an authorised task could only insert documents into tiled for a max of 10 hrs, after which the session would expire.
To make sure that the plan is authorised and valid to run we will need to have authZ checks in blueapi. This check will happen when the user submits a task.
There are no other authZ checks implemented apart from this in blueapi (as of now), which will have the following implications:
- Any user can run an authorised task.
- Any user can delete an authorised task.
These checks can be implemented after the metadata about the user has been added in Add User to Run Metadata #1380
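
The implication listed above, as an added example that is not code from blueapi or from this issue: a task store that authorises only at submission, next to the same store with a check against the recorded submitter. `TaskStore`, `Task`, `Forbidden`, `ALLOWED`, the `owner_checks` switch and the rule that only the submitter may run or delete a task are assumptions made for illustration.

```python
# Added illustration: TaskStore, Task, Forbidden and ALLOWED are hypothetical
# names, not blueapi's API. ALLOWED is constructed sample policy data.
import itertools
from dataclasses import dataclass

ALLOWED = {("alice", "b01")}  # (user, beamline) pairs allowed to submit


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the operation."""


@dataclass
class Task:
    task_id: int
    plan: str
    beamline: str
    submitter: str  # user metadata recorded at submission


class TaskStore:
    def __init__(self, owner_checks: bool):
        self.owner_checks = owner_checks  # False models the submit-only state
        self.tasks: dict[int, Task] = {}
        self._ids = itertools.count(1)

    def submit(self, user: str, plan: str, beamline: str) -> Task:
        # The one check described above: authorise when the task is submitted.
        if (user, beamline) not in ALLOWED:
            raise Forbidden(f"{user} may not submit plans for {beamline}")
        task = Task(next(self._ids), plan, beamline, submitter=user)
        self.tasks[task.task_id] = task
        return task

    def _authorise(self, user: str, task: Task) -> None:
        # Follow-up check (assumed rule): only the recorded submitter may act.
        if self.owner_checks and user != task.submitter:
            raise Forbidden(f"{user} does not own task {task.task_id}")

    def run(self, user: str, task_id: int) -> str:
        task = self.tasks[task_id]
        self._authorise(user, task)
        # Documents are written with the beamline service account, so this
        # is the only point where the caller's identity can be enforced.
        return f"{task.plan} run by {user} for {task.submitter}"

    def delete(self, user: str, task_id: int) -> None:
        self._authorise(user, self.tasks[task_id])
        del self.tasks[task_id]
```

With `owner_checks=False` a user who cannot submit can still run or delete a task someone else submitted; with `owner_checks=True` both operations raise `Forbidden` for anyone but the submitter.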
AuthZ in blueapi for tiled insertion