Remove permissions from X-Okapi-Token (JWT) - convert module permissions to a permset

Description

Context

Embedding permission names within the JWT token can produce an X-Okapi-Token header that exceeds the maximum header size limit.

Proposed Approach

Remove permissions from the X-Okapi-Token JWT token and replace them with a pointer to an appropriate permission source:

  • for user permissions: UUID of the user/permissions object – this is already implemented in MAT

  • for module permissions: a "hidden" permission set in the form of "SYS#moduleId#pathPattern#methods" that is dereferenced during permission validation

Implementation

We define a Token Permission Key (TPK) as moduleId.method.pathPattern. The TPK is used as a “hidden” permissionSet and effectively replaces the list of specific module permissions in the X-Okapi-Token.

Okapi will generate the TPK permission set during the call to mod-permission (_tenantPermissions system method).

We modify X-Okapi-Module-Permissions to carry a map from the moduleId (unchanged) to a TPK, rather than to a list of permissions.
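A small Python model of the proposal, added here as an illustration rather than Okapi or mod-permission code (the module id, path pattern and permission names are constructed): it derives the TPK from a routing entry, builds the hidden permission set Okapi would register, shows the old and new X-Okapi-Module-Permissions values, and dereferences the TPK at validation time so that an unknown key grants nothing.

```python
import json

# Constructed sample routing entry (module id, path and permission names are
# made up): modulePermissions is the list Okapi embedded verbatim in
# X-Okapi-Module-Permissions before this change.
ROUTING_ENTRIES = [
    {"moduleId": "mod-example-1.0.0", "methods": ["POST", "PUT"],
     "pathPattern": "/example/composite/{id}",
     "modulePermissions": ["inventory.items.item.get", "inventory.items.item.put",
                           "finance.funds.item.get", "users.item.get",
                           "configuration.entries.collection.get"]},
]

def token_permission_key(module_id, method, path_pattern):
    """TPK exactly as the proposal defines it: moduleId.method.pathPattern."""
    return f"{module_id}.{method}.{path_pattern}"

def build_tpk_permsets(routing_entries):
    """Model of what Okapi would register with mod-permission during _tenantPermissions:
    one hidden permission set per TPK whose subPermissions are the route's module permissions."""
    permsets = {}
    for entry in routing_entries:
        for method in entry["methods"]:
            tpk = token_permission_key(entry["moduleId"], method, entry["pathPattern"])
            permsets[tpk] = {"permissionName": tpk, "visible": False,
                             "subPermissions": sorted(set(entry["modulePermissions"]))}
    return permsets

def module_permissions_header(entry, method):
    """(old, new) X-Okapi-Module-Permissions values: moduleId -> list of
    permissions versus moduleId -> TPK."""
    tpk = token_permission_key(entry["moduleId"], method, entry["pathPattern"])
    old = json.dumps({entry["moduleId"]: entry["modulePermissions"]}, separators=(",", ":"))
    new = json.dumps({entry["moduleId"]: tpk}, separators=(",", ":"))
    return old, new

def has_module_permission(permsets, header_value, module_id, required):
    """Validation side: dereference the TPK before checking; an unknown TPK grants
    nothing, and the legacy list form is still accepted."""
    granted = json.loads(header_value).get(module_id)
    if isinstance(granted, list):
        return required in granted
    permset = permsets.get(granted)
    return permset is not None and required in permset["subPermissions"]

if __name__ == "__main__":
    sets = build_tpk_permsets(ROUTING_ENTRIES)
    old, new = module_permissions_header(ROUTING_ENTRIES[0], "POST")
    print(f"header size {len(old)} -> {len(new)} bytes; TPKs registered: {len(sets)}")
```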

Environment

None

Potential Workaround

None

Development Team

Core: Platform

Created April 22, 2020 at 9:43 AM
Updated May 29, 2020 at 9:38 AM
Resolved May 20, 2020 at 10:09 AM