User authorization framework #101
Comments
@Bento007 should this epic have linked subtasks for a Q3 milestone or should this be iceboxed for now? Removing the GA tag since that's outdated
#101 is the only task yet to be completed and this should be completed in Q3. These are the related tickets.
@stahiri @Bento007 this seems a bit circular. The Epics #99 and #101 refer to each other and the language is almost the same. Suggestion:
Relates to HumanCellAtlas/fusillade#232
Note: Epic #99 is closed
Need
The concrete need as expressed in user stories:
As a DCP developer, I want an authorization API for determining if a given user is permitted to perform a given action on the DCP (such as downloading data), so that I can control which actions that user can perform.
As a DCP developer, I want Python bindings for the DCP's authorization API, so that it is easier to integrate my service with our authorization API.
Definition of done
Context
As the Data Coordination Platform, we want to be protected, to protect each of our services from each other, and to protect the human subjects data we have. This requires authn and authz on our endpoints and on any access routes.
All components in a secure and federally compliant system need to have four main features: authentication #73, authorization (also #99), audit trails #103, and encryption #102 in other tickets. Even if hosting public data, a system containing Federal Government data still needs to have these features for all of the administrative and operational components to maintain integrity. This has the added benefit of enabling reuse of components in more settings than the HCA. Even though the first use of the DCP Blue Box (HCA) is an open data store, we need to add authentication to components of the DCP. Some of these will be operations-facing; those that are user-facing will be configurable so that they can be turned off during HCA DCP deployment.