Merge and simplify auth / accounts #530
Description
The auth and accounts services need to be merged (they are heavily dependent on each other), and their interfaces simplified.
Below is a brief account of the intended Precog security model resulting from this ticket.
Users have grants. Grants are the analogue of operations in an ACL security model.
All grants are bound to a particular file or directory; they confer permissions with respect to that resource.
- Read -- Read contents of file / read children of directory
- Append -- Append new contents to file / append new child in directory
- Update -- Change contents of file / rename children
- Execute -- Execute script / execute default script associated with directory
- Delete -- Delete file / delete directory
- Mount -- Mount a data source to the file / mount a data source in the directory
- Unmount -- Unmount a data source to the file / unmount a data source in the directory
Unlike the POSIX file security model, grants are hierarchical. Currently, they are always and only hierarchical.
Grants can be used to create additional grants that have the same or reduced permissions.
This ticket will be considered complete when the auth and accounts service have been unified into a single service, the internal logic simplified and refactored to match the above, and a clean, robust, and well-documented REST API exposed (the existing API is not unified, is inconsistent in places, is not robust, and is poorly documented).
Minimal API
GET, POST /access/users/
GET, PUT /access/users/'userId
GET /access/users/'userId/grants/
GET /access/users/'userId/grants/'grantId
GET, POST, DELETE /access/users/'userId/shares/_byusers/'user
GET, POST, DELETE /access/users/'userId/shares/_bypaths/'path
GET, POST, DELETE /access/users/'userId/shares/_byperms/'perm