<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:15:54 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-1786] SPIKE: evaluate &quot;init&quot;  tokens as a way to trigger system tasks</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-1786</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;&lt;b&gt;TLDR&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;In FOLIO, user accounts are optional to issue API calls; instead, FOLIO relies on signed tokens for authentication. User accounts are, however, required to request a signed token in the first place.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;More&lt;/b&gt;  &lt;/p&gt;

&lt;p&gt;In FOLIO authentication is based on passing signed tokens between parties (browser, modules, Okapi). Authorisation is based directly on permissions encoded in the signed token or, indirectly, based on permissions assigned to the user account the token points to, both of which are optional.&lt;/p&gt;

&lt;p&gt;The only way to request a signed token is to authenticate against a login endpoint. After the token has been issued the client may use it to initiate requests with secured FOLIO endpoints.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Problem&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;This approach may be problematic when modules would like to call FOLIO APIs without a context of an authenticated client request. Use cases:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;module makes a request on its own, e.g. periodically, to perform a system task (cron-like behavior)&lt;/li&gt;
	&lt;li&gt;module makes a request during the &quot;init&quot; phase (e.g. moduleA needs to bootstrap data in moduleB)&lt;/li&gt;
	&lt;li&gt;module makes a request to another module in response to an unauthenticated request (request made to the unauthenticated endpoint, example: calls to /login)&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;&lt;b&gt;Proposed solution&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;When a module is enabled for a tenant, Okapi issues an &quot;init&quot; call (Tenant API) to the module. Assuming the Okapi installation has been properly secured (this is a requirement for a secured system), the &quot;init&quot; call issued from Okapi originates from a privileged security context (which is required for enabling modules). This privileged context may be downgraded to a less privileged context specific to the module being enabled. This is done by encoding the module&apos;s permissions (defined in the modulePermission entry for init) in the token passed to the module. The token passed during init can then be persisted by the module to subsequently trigger system tasks (that are allowed within the init&apos;s modulePermissions) or the module may request &quot;init&quot; permissions to &quot;create users and grant them permissions&quot; and automatically install a &quot;system&quot; user it needs.&lt;/p&gt;</description>
                <environment></environment>
        <key id="79899">FOLIO-1786</key>
            <summary>SPIKE: evaluate &quot;init&quot;  tokens as a way to trigger system tasks</summary>
                <type id="10003" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium">Task</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="10000" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/generic.png" description="(Migrated on 4 Feb 2024 13:41 UTC)">Draft</status>
                    <statusCategory id="2" key="new" colorName="blue-gray"/>
                                    <resolution id="-1">Unresolved</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d">Jakub Skoczen</reporter>
                                    <labels>
                            <label>platform-backlog</label>
                    </labels>
                <created>Wed, 6 Feb 2019 13:52:11 +0000</created>
                <updated>Mon, 20 Mar 2023 18:55:34 +0000</updated>
                                                                                <due></due>
                            <votes>0</votes>
                                    <watches>10</watches>
                                                                <comments>
                                                            <comment id="190037" author="5ee89462f7aa140abd82d11d" created="Thu, 14 Feb 2019 14:08:05 +0000"  >&lt;p&gt;The solution proposed above handles different levels of permissions. This is like system users for specific tasks but without such system users accounts.&lt;br/&gt;
What about a solution where such system user accounts are actually used? Then we can use the existing ways to deal with permissions, and we have better logging because the specific system user name shows up in the logs.&lt;br/&gt;
Example system users: cron system account for patron notices; init system account of a specific module; login system account that checks the login credentials.&lt;/p&gt;</comment>
                                                            <comment id="190038" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Thu, 28 Feb 2019 14:23:52 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt; Correct &amp;#8211; you can always use a &quot;system&quot; user, grant him relevant permissions and authenticate API calls. The problem is: when such a user should be created and who should be responsible for creating it? E.g. consider a module that would like to periodically trigger some FOLIO API. To trigger this API it requires permissions to do so. The module could &quot;install&quot; a user with a given permission during the &quot;init&quot; phase but to do so it needs to have the permissions to a) create users b) grant them permissions. And, currently, those permissions would have to be granted to... a user that the module should use to authenticate the call to create a user. And so it becomes a chicken-egg problem. We already have a mechanism to grant permissions directly to the module, this proposal only extends this notion to the &quot;init&quot; calls.&lt;/p&gt;

&lt;p&gt;How it is used by the module is left to the module to decide: the module could request permissions to create users and grant them permission and install a &quot;system&quot; user it needs with appropriate permissions. Or the module could just request the target permissions for the API it needs to call and the token passed during init could be used for making those calls without having to create a system user.&lt;/p&gt;</comment>
                                                            <comment id="190039" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Mon, 13 May 2019 13:55:46 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5f8314dfbdef80006f6f572d&quot; class=&quot;user-hover&quot; rel=&quot;5f8314dfbdef80006f6f572d&quot; data-account-id=&quot;5f8314dfbdef80006f6f572d&quot; accountid=&quot;5f8314dfbdef80006f6f572d&quot; rel=&quot;noreferrer&quot;&gt;Adam Dickmeiss&lt;/a&gt; we should verify if the token should be expired&lt;/p&gt;</comment>
                                                            <comment id="190040" author="60acc7a19e21bd0071d9d1a7" created="Mon, 12 Aug 2019 09:00:31 +0000"  >&lt;p&gt;At the moment regular report harvesting (periodical system task, cron-like behaviour) can only be implemented without permissions on the harvester. This could be a security issue.&lt;/p&gt;</comment>
                                                            <comment id="190041" author="63e2a2771b13d42998e4e706" created="Mon, 12 Aug 2019 09:37:54 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=60acc7a19e21bd0071d9d1a7&quot; class=&quot;user-hover&quot; rel=&quot;60acc7a19e21bd0071d9d1a7&quot; data-account-id=&quot;60acc7a19e21bd0071d9d1a7&quot; accountid=&quot;60acc7a19e21bd0071d9d1a7&quot; rel=&quot;noreferrer&quot;&gt;Annika Schr&#246;er&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;At the moment regular report harvesting (periodical system task, cron-like behaviour) can only be implemented without permissions on the harvester. This could be a security issue.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;What is the report harvester? Or are there many, and if so, can you give me an example?&lt;/p&gt;

&lt;p&gt;What do you mean by permissions on the harvester?&lt;/p&gt;</comment>
                                                            <comment id="190042" author="712020:dfe9489f-c7fa-4357-843e-9bd4d09d7259" created="Tue, 13 Aug 2019 07:30:24 +0000"  >&lt;p&gt;I think Annika wanted to comment the issue link to our ticket 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;UIEUS-3&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/UIEUS-3&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Regular harvesting&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium&quot; /&gt;
            UIEUS-3
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 and not on this 
    &lt;span class=&quot;jira-issue-macro&quot; data-jira-key=&quot;FOLIO-1786&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-1786&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;SPIKE: evaluate &amp;quot;init&amp;quot;  tokens as a way to trigger system tasks&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium&quot; /&gt;
            FOLIO-1786
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-complete jira-macro-single-issue-export-pdf&quot;&gt;Draft&lt;/span&gt;
            &lt;/span&gt;
. Sorry for that!&lt;/p&gt;

&lt;p&gt;The harvester belongs to the eUsage module.&lt;br/&gt;
The report harvester is able to fetch counter reports via the sushi protocol. We plan to automate the harvesting task and let it run periodically.&lt;br/&gt;
In the current design, the harvester calls its own &apos;start harvesting&apos; interface in order to start the task. Thus, the harvester will make a request on its own, e.g. periodically, to perform a system task (cron-like behavior).&lt;/p&gt;</comment>
                                                            <comment id="190043" author="63e2a2771b13d42998e4e706" created="Tue, 13 Aug 2019 10:06:20 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=712020%3Adfe9489f-c7fa-4357-843e-9bd4d09d7259&quot; class=&quot;user-hover&quot; rel=&quot;712020:dfe9489f-c7fa-4357-843e-9bd4d09d7259&quot; data-account-id=&quot;712020:dfe9489f-c7fa-4357-843e-9bd4d09d7259&quot; accountid=&quot;712020:dfe9489f-c7fa-4357-843e-9bd4d09d7259&quot; rel=&quot;noreferrer&quot;&gt;Richard Redweik&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;I think Annika wanted to comment the issue link to our ticket 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;UIEUS-3&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/UIEUS-3&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Regular harvesting&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium&quot; /&gt;
            UIEUS-3
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 and not on this 
    &lt;span class=&quot;jira-issue-macro&quot; data-jira-key=&quot;FOLIO-1786&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-1786&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;SPIKE: evaluate &amp;quot;init&amp;quot;  tokens as a way to trigger system tasks&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium&quot; /&gt;
            FOLIO-1786
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-complete jira-macro-single-issue-export-pdf&quot;&gt;Draft&lt;/span&gt;
            &lt;/span&gt;
. Sorry for that!&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;No need to apologise&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;The report harvester is able to fetch counter reports via the sushi protocol. We plan to automate the harvesting task and let it run periodically.&lt;/p&gt;&lt;/blockquote&gt;
&lt;blockquote&gt;&lt;p&gt;In the current design, the harvester calls its own &apos;start harvesting&apos; interface in order to start the task. Thus, the harvester will make a request on its own, e.g. periodically, to perform a system task (cron-like behavior).&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;This sounds like it could be done with the special &lt;tt&gt;_timer interface&lt;/tt&gt; in Okapi using module permissions.&lt;/p&gt;</comment>
                                                            <comment id="190044" author="712020:dfe9489f-c7fa-4357-843e-9bd4d09d7259" created="Wed, 14 Aug 2019 09:08:09 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=63e2a2771b13d42998e4e706&quot; class=&quot;user-hover&quot; rel=&quot;63e2a2771b13d42998e4e706&quot; data-account-id=&quot;63e2a2771b13d42998e4e706&quot; accountid=&quot;63e2a2771b13d42998e4e706&quot; rel=&quot;noreferrer&quot;&gt;Marc Johnson&lt;/a&gt;&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;This sounds like it could be done with the special _timer interface in Okapi using module permissions.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;In principle this can be done with the _timer interface. However, we have the following requirement in UIEUS-3:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Each tenant can define:&lt;/p&gt;

&lt;p&gt;download schedule (date+rhythm, e.g. monday/weekly, 1st of month/monthly ...)&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;This is why we thought of a cron-like behavior.&lt;/p&gt;</comment>
                                                            <comment id="190045" author="63e2a2771b13d42998e4e706" created="Wed, 14 Aug 2019 13:27:11 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=712020%3Adfe9489f-c7fa-4357-843e-9bd4d09d7259&quot; class=&quot;user-hover&quot; rel=&quot;712020:dfe9489f-c7fa-4357-843e-9bd4d09d7259&quot; data-account-id=&quot;712020:dfe9489f-c7fa-4357-843e-9bd4d09d7259&quot; accountid=&quot;712020:dfe9489f-c7fa-4357-843e-9bd4d09d7259&quot; rel=&quot;noreferrer&quot;&gt;Richard Redweik&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;This is why we thought of a cron-like behavior.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;There have been some discussions about adding more options to the &lt;tt&gt;_timer&lt;/tt&gt; interface&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10000">
                    <name>Blocks</name>
                                            <outwardlinks description="blocks">
                                        <issuelink>
            <issuekey id="69866">UIEUS-3</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is blocked by">
                                        <issuelink>
            <issuekey id="81188">FOLIO-1953</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="81109">FOLIO-1781</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="81652">FOLIO-2551</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="54106">OKAPI-705</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="57037">RMB-320</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10144"><![CDATA[Core: Platform]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzx3og:zy</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="994">CP: ready for planning</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 14 Feb 2019 14:08:05 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>