Add shared-access to the read-group as well
gaetan-h opened this issue · 3 comments
Could be done in 2 ways:
- Either by having an extra section like shared-read
- Giving read access to the :read groups from the shared-access list
I would tend to go for the second option to limit the expansion of the config yaml, but good to discuss
I think it would be quite beneficial to have this
By design-descision only :owner
groups benefit from the shared-access
support atm.
What's possible today is to use :owner
groups a bit creative :)
You can create a namespace & nodes in the configuration, let's name them:
- ns-name: read
description: Use the created :owner groups to support shared-read access. The additional dataset with owner access, can be ignored
ns-nodes:
- node-name: read:001:case1
description: Description about shared-read requirement
shared-access:
read:
- node-name: src:001:sap
- node-name: src:002:weather
open to discuss another (smarter, more easier) support later. So let's keep this feature-request open as backlog
Discussed Cognite internal in the mean time.
By design only an "owner" role can get shared access (shared-owner & shared-read)
- the idea is not to weaken
...:read
groups, and only add complexity to:owner
groups
Solution we do in a customer project for the "we need a role with only shared read access" is
- we have a dedicated namespace for "interfaces" (in hindsight "end-user-role (
eur
)" could be a better name here) - defining our end-user roles using the
...:owner
role to define them - example:
- description: 'Namespace for all user-interfaces (aka user roles)'
ns-name: in
ns-nodes:
- description: User Interface 002; end-user access to Supply Plotly-Dash frontend
node-name: in:002:supply
shared-access:
read:
- node-name: uc:003:supply
- node-name: src:006:sap
result: with this one we get a cdf:in:002:supply:owner
CDF Group
- which grants read access to two datasets
- for the "price" of an (unused)
in:002:supply:dataset
with owner access
I expect for now, that this is a "good enough" solution and would like to close the issue @gaetan-h ?
- if you're OK an other issue to be created is to add this to README as a "best-practice"?
(otherwise it is a bit of a redesign what bootstrap-cli can do today)
The discussion comes up regularly, but there are no plans yet to make shared-access available for :read
CDF Groups.