cognitedata/inso-bootstrap-cli

Add shared-access to the read-group as well

gaetan-h opened this issue · 3 comments

Could be done in 2 ways:

  • Either by having an extra section like shared-read
  • Giving read access to the :read groups from the shared-access list

I would tend to go for the second option to limit the expansion of the config yaml, but good to discuss.
I think it would be quite beneficial to have this.

By design decision, only :owner groups benefit from the shared-access support atm.

What's possible today is to use :owner groups a bit creatively :)
You can create a namespace & nodes in the configuration, let's name them:

    - ns-name: read
      description: Use the created :owner groups to support shared-read access. The additional dataset with owner access, can be ignored
      ns-nodes:
        - node-name: read:001:case1
          description: Description about shared-read requirement
          shared-access:
            read:
              - node-name: src:001:sap
              - node-name: src:002:weather

Open to discussing another (smarter, easier) kind of support later. So let's keep this feature request open as backlog.

Discussed internally at Cognite in the meantime.

By design, only an "owner" role can get shared access (shared-owner & shared-read).

  • the idea is not to weaken ...:read groups, and only add complexity to :owner groups

The solution we use in a customer project for the "we need a role with only shared read access" requirement is:

  • we have a dedicated namespace for "interfaces" (in hindsight "end-user-role (eur)" could be a better name here)
  • defining our end-user roles using the ...:owner role to define them
  • example:

    - description: 'Namespace for all user-interfaces (aka user roles)'
      ns-name: in
      ns-nodes:
      - description: User Interface 002; end-user access to Supply Plotly-Dash frontend
        node-name: in:002:supply
        shared-access:
          read:
          - node-name: uc:003:supply
          - node-name: src:006:sap

Result: with this one we get a cdf:in:002:supply:owner CDF Group

  • which grants read access to two datasets
  • for the "price" of an (unused) in:002:supply:dataset with owner access

I expect, for now, that this is a "good enough" solution and would like to close the issue, @gaetan-h?

  • if you're OK, another issue to be created is to add this to the README as a "best practice"?
    (otherwise it is a bit of a redesign of what bootstrap-cli can do today)
spex66 commented

The discussion comes up regularly, but there are no plans yet to make shared-access available for :read CDF Groups.
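
For reviewing what such a workaround node actually grants, the following added example (not part of the thread and not code from inso-bootstrap-cli) derives the effective dataset access of each :owner group from a config structure. Assumptions: the `cdf` prefix and the `<node>:owner` / `<node>:dataset` naming are generalized from the two names quoted in the thread, an `owner` list under `shared-access` is assumed by analogy with `read`, and the function names are hypothetical.

```python
# Added illustration; not code from inso-bootstrap-cli.
# Constructed input: the "in" namespace from the thread, written as the
# Python structure the YAML snippet would load to.
CONFIG = [
    {
        "ns-name": "in",
        "ns-nodes": [
            {
                "node-name": "in:002:supply",
                "shared-access": {
                    "read": [
                        {"node-name": "uc:003:supply"},
                        {"node-name": "src:006:sap"},
                    ]
                },
            }
        ],
    }
]


def owner_group_access(namespaces, prefix="cdf"):
    """Map each node's :owner group to {dataset: access level}.

    Assumed naming: group '<prefix>:<node>:owner', dataset '<node>:dataset'.
    """
    result = {}
    for ns in namespaces:
        for node in ns.get("ns-nodes", []):
            name = node["node-name"]
            # Every node gets its own dataset with owner access.
            access = {f"{name}:dataset": "owner"}
            shared = node.get("shared-access") or {}
            for level in ("owner", "read"):  # 'owner' key is an assumption
                for ref in shared.get(level) or []:
                    dataset = f"{ref['node-name']}:dataset"
                    # Keep the stronger grant if a dataset is listed twice.
                    if access.get(dataset) != "owner":
                        access[dataset] = level
            result[f"{prefix}:{name}:owner"] = access
    return result


def shared_read_only_groups(access_map):
    """Groups whose only owner-level dataset is their own (the workaround pattern)."""
    return sorted(
        group for group, access in access_map.items()
        if list(access.values()).count("owner") == 1 and "read" in access.values()
    )
```

Groups returned by `shared_read_only_groups` are the ones used as read-only end-user roles; any other group with shared access also holds owner rights on a foreign dataset and deserves a closer look in review.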