Description
We will be implementing conditional access to collections on the Monty based on attributes in the user's JWT token being used to access the Monty.
We should include:
- superuser: true / false - will indicate if the user is a superuser and should have access to everything
- monty_collections: [<string:collection_id>] - list of collection ids that the user should have access to (apart from the default collections that all users have access to)
We can also use something else other than collection_ids to indicate collection permission, we can be flexible in how we map user metadata -> permissions on a collection.
If we are using something like collection_ids, we will need to figure out how a user gets assigned to collections in the Monty - perhaps this will require some UI on GO. Alternatively, we can definitely use a different attribute, e.g. countries, which can be an array of country ISO codes, and then on the Monty collections have a country attribute that defines which "country" users need to have permissions on to be able to access. We can discuss what's best. cc @thenav56
So TODO:
- Define schema of how permissions to collections are defined in the user JWT token
- Create UI or other workflow mechanism to assign users to the required permissions
- Ensure this is correctly output in the JWT token for a user
We will use that in custom filters for stac-auth-proxy to filter out collections for users that do not have access: IFRCGo/go-deploy#142
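
As an added example (not code from this issue, stac-auth-proxy or the Monty project), the following Python shows one way to turn the two proposed claims into a fail-closed collection filter expressed as CQL2-JSON. It assumes the token signature was already verified upstream; `DEFAULT_COLLECTIONS`, the id pattern and both function names are hypothetical.

```python
import re

# Assumption: ids of collections every authenticated user may read (placeholders).
DEFAULT_COLLECTIONS = frozenset({"public-events", "public-hazards"})
# Assumption: collection ids are limited to this conservative character set.
_ID_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")


def allowed_collections(claims):
    """Return None for unrestricted access (superuser), else a frozenset of ids.

    Fails closed: a missing or malformed claim grants only the defaults.
    `claims` is the payload of an already-verified JWT.
    """
    if not isinstance(claims, dict):
        return DEFAULT_COLLECTIONS
    # Only a real JSON boolean true counts; the string "true" or the
    # number 1 must never be treated as superuser.
    if claims.get("superuser") is True:
        return None
    raw = claims.get("monty_collections", [])
    if not isinstance(raw, list):
        return DEFAULT_COLLECTIONS
    # Drop entries that are not well-formed id strings instead of passing
    # them on into a filter expression.
    extra = {c for c in raw if isinstance(c, str) and _ID_RE.fullmatch(c)}
    return DEFAULT_COLLECTIONS | extra


def collections_filter(claims):
    """Build a CQL2-JSON filter on collection id, or None for no restriction."""
    allowed = allowed_collections(claims)
    if allowed is None:
        return None
    return {"op": "in", "args": [{"property": "id"}, sorted(allowed)]}


if __name__ == "__main__":
    # Constructed sample payloads, not real tokens.
    print(collections_filter({"superuser": False, "monty_collections": ["c1"]}))
    print(collections_filter({"superuser": "true"}))
```
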