Open
AuthZ in blueapi for tiled insertion
After careful deliberation on token exchange, the decision has been made that we will use a service account with write_access for a specific beamline for insertion of documents from blueapi to tiled. More explanation in the above PR.
The main issue in token exchange was that an authorised task could only insert documents into tiled for a max of 10 hrs, after which the session would expire.
From the token exchange docs:
> Token exchange never creates a new user session.
To make sure that the plan is authorised and valid to run, we will need to have authZ checks in blueapi. This check will happen when the user submits a task.
There are no other authZ checks implemented apart from this in blueapi (as of now), which will have the following implications:
- Any user can run an authorised task.
- Any user can delete an authorised task.
These checks can be implemented after the metadata about the user has been added in Add User to Run Metadata #1380
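A sketch of the gap described above, as an added example that is not part of the original issue and is not blueapi code: authorisation is checked only at submission, so any user can run or delete the task unless later calls compare the caller with the recorded submitter. `TaskStore`, `WRITE_ACCESS`, the user and beamline names, and the owner-only rule are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from itertools import count

# Constructed sample data: which user may write to which beamline.
WRITE_ACCESS = {"alice": {"i22"}, "bob": {"p45"}}


class Forbidden(Exception):
    """Raised when an authorisation check fails."""


@dataclass
class Task:
    task_id: int
    plan: str
    beamline: str
    submitted_by: str  # the user metadata that later checks depend on


@dataclass
class TaskStore:
    """Hypothetical stand-in for a task queue; not blueapi's API."""
    check_owner: bool = False  # False models submit-time-only authZ
    tasks: dict = field(default_factory=dict)
    _ids: count = field(default_factory=count)

    def submit(self, user: str, plan: str, beamline: str) -> int:
        # The one check the issue describes: made when the task is submitted.
        if beamline not in WRITE_ACCESS.get(user, set()):
            raise Forbidden(f"{user} may not write to {beamline}")
        task_id = next(self._ids)
        self.tasks[task_id] = Task(task_id, plan, beamline, user)
        return task_id

    def _authorise(self, user: str, task_id: int) -> Task:
        task = self.tasks[task_id]
        # Assumed policy: only the recorded submitter may act on the task.
        if self.check_owner and task.submitted_by != user:
            raise Forbidden(f"{user} does not own task {task_id}")
        return task

    def run(self, user: str, task_id: int) -> str:
        task = self._authorise(user, task_id)
        return f"{task.plan} on {task.beamline} started by {user}"

    def delete(self, user: str, task_id: int) -> None:
        self._authorise(user, task_id)
        del self.tasks[task_id]
```

With `check_owner=False` the store behaves as the issue describes today; setting it to `True` is only possible because `submitted_by` was recorded at submission.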