Glossary

Access Permission

Group membership required to obtain sufficient privileges to be permitted to execute a given request. Requests under different scopes require different access levels depending on context.

ACL

Access Control List.

Set of User and Group scopes that, given the session Authentication elements, either grants or denies the applicable User access to the targeted HTTP request.

Allowed Permissions

Set of Permission values applicable to an element. See Allowed Permissions section.

Applied Permissions

An active Permission for a given User or Group depending on context. See also Applied Permissions details.

Authentication

Process of identifying oneself using credentials in order to log in to Magpie, or of retrieving the User of the connected session during an HTTP request using supported methods.

Authorization

Process of allowing or denying access to a Resource or Service according to the Logged User identified through Authentication methods. This process typically falls into the hands of a Proxy application.

Cookies

Set of Authentication identifiers primarily employed by Magpie HTTP requests to determine the Logged User.

Direct Permissions

Describes a Permission that is given to a User explicitly, rather than through one of its Group memberships. See also Direct Permissions details.

Discoverable Group

Group that has property discoverable=True, making it publicly viewable to any-level user. Otherwise, groups can be listed or accessed only by administrators.

Effective Permissions

A Permission that has been completely resolved according to all applicable contexts and that indicates the final granted or denied result. See also Effective Permissions section.

External Providers

Set of all known user-identity Providers defined externally to Magpie. Each of these Providers requires specific connection methodologies, as configured in magpie.security. See also Authentication Providers section for details.

Group

Entity on which Permission over a Service or Resource can be applied. Any User can be set as a member of any number of Groups, making it inherit all of their applicable Permissions.

Immediate Permissions

Describes a Permission that originates directly and only from a Service. This is referenced in only a few use-cases, notably for Finding User Permissions.

Inherited Permissions

Describes a Permission that includes both User and Group contexts simultaneously. See Inherited Permissions details.

Internal Providers

Represents all the Providers that are known for local (instead of external) Authentication to the referenced Magpie instance. The credentials for login are searched for locally rather than dispatched to an external user-identity. For the moment, this consists solely of the magpie.constants.MAGPIE_DEFAULT_PROVIDER constant.

Logged User

Specific User that corresponds to the active request session. This User can automatically be referenced (instead of the usual {user_name} path variable) in applicable requests using the special value configured with magpie.constants.MAGPIE_LOGGED_USER. When not logged in, this User is considered to be magpie.constants.MAGPIE_ANONYMOUS_USER. Otherwise, it is whoever the Authentication mechanism identifies.

Permission

Element that defines which rules are applicable for a given combination of User and/or Group against one or many Service and/or Resource, depending on the many contexts in which they can apply. Applicable values are generally defined by the enum magpie.permissions.Permission.

Note

See permissions chapter for more exhaustive details, including contextual comparisons for all other Permission-related terms presented here.

Provider

Corresponds to the reference user-identity to employ in order to attempt Authentication. See also Internal Providers, External Providers and section Authentication Providers.

Proxy

Sibling service (typically Twitcher) that employs Magpie for access management of User, Group, Service and Resource to obtain the applicable sets of Permission. Given these, it acts as the policy enforcement point (PEP).

Public

Refers to a Permission on a Service or Resource that is applied to special elements in order to make that Service or Resource available to anyone, including unauthenticated sessions. See also Public Access section for implementation details to achieve this result.

Resource

Entity on which User and Group can be associated with their respective applicable Permission for the contextual Service under which it resides. This element can represent almost anything. The interpretation of each Resource depends on the context of the Service it relates to. Implemented by sub-classes of magpie.models.Resource.

Service

Top-level specialized Resource that defines which child Resource elements are applicable to it (if any), how its hierarchy of Resource should behave against incoming HTTP request details, and how to parse any set of Permission applied on them against the respective request elements. Also defines the URL connection details pointing to the actual service on which access control is applicable. Each type of Service defines a different combination of functionalities. Implemented by sub-classes of magpie.models.ServiceInterface.

User

Unitary entity containing the details about a user that allow it to log into Magpie, and that can have other relationships applied to it, such as Permission and Group, that extend its specific access rights to Service and Resource elements. Implemented by magpie.models.User.