Glossary

Access Permission

Group membership required to obtain sufficient privileges to be permitted the execution of a given request. Requests under different scopes require different access levels depending on context.

ACL

Access Control List.

Set of User and Group scopes, derived from the session Authentication elements provided, that either grants or denies the applicable User access to the targeted HTTP request.

Allowed Permissions

Set of applicable Permission values onto an element. See Allowed Permissions section.

Applied Permissions

An active Permission for a given User or Group depending on context. See also Applied Permissions details.

Authentication

Process of identifying oneself using credentials in order to log into Magpie, or of retrieving the connected session User during an HTTP request using the supported methods.

Authorization

Process of allowing or denying access to a Resource or Service according to the Logged User identified through Authentication methods. This process typically falls into the hands of a Proxy application.

Context User

Specific User being targeted by a request, as specified by the value of the {user_name} request path variable. The contextual User of the request can correspond to the Logged User if the reference resolves to itself, but this is not necessarily the case. See further details and examples in section Route Access.

Cookies

Set of Authentication identifiers primarily employed by Magpie HTTP requests to determine the Logged User.

Direct Permissions

Describes a Permission that is given to a User explicitly, rather than through one of its Group memberships. See also Direct Permissions details.

Discoverable Group

Group that has the property discoverable=True, making it publicly viewable by users of any level. Otherwise, groups can be listed or accessed only by administrators.

Effective Permissions

A Permission that has been completely resolved according to all applicable contexts, indicating the final granted or denied result. See also Effective Permissions section.

External Providers

Set of all known user-identity Provider elements defined externally to Magpie. Each of these Provider requires specific connection methodologies, as configured in magpie.security. See also Authentication Providers section for details.

Group

Entity to which Permission over a Service or Resource can be applied. Any User can be set as a member of any number of Group, inheriting all applicable Permission sets from them.

Immediate Permissions

Describes a Permission that originates directly and only from a Service. This is referenced in only a few use cases, notably for Finding User Permissions.

Inherited Permissions

Describes a Permission that includes both User and Group contexts simultaneously. See Inherited Permissions details.

Internal Providers

Represents all the Provider that are known for local (instead of external) Authentication to the referenced Magpie instance. The login credentials are searched for locally rather than dispatched to an external user-identity Provider. For the moment, this consists uniquely of the magpie.constants.MAGPIE_DEFAULT_PROVIDER constant.

Logged User

More specific use case of Request User that simultaneously corresponds to the active request session User as well as to the referenced Context User from the path variable. This User can be automatically retrieved in applicable requests by using, in the request path, the special constant value defined by magpie.constants.MAGPIE_LOGGED_USER, or its literal User name. When not logged in, this User is considered equivalent to explicitly requesting magpie.constants.MAGPIE_ANONYMOUS_USER. Otherwise, it is whoever the Authentication mechanism identifies with the token extracted from the request Cookies.

Permission

Element that defines which rules are applicable for a given combination of User and/or Group against one or many Service and/or Resource, depending on the many contexts in which they can apply. Applicable values are generally defined by the enum magpie.permissions.Permission.

Note

See permissions chapter for more exhaustive details, including contextual comparisons for all other Permission-related terms presented here.

Provider

Corresponds to the reference user-identity to employ in order to attempt Authentication. See also Internal Providers, External Providers and section Authentication Providers.

Proxy

Sibling service (typically Twitcher) that employs Magpie as access management of User, Group, Service and Resource to obtain the applicable sets of Permission. Provided these, it acts as the policy enforcement point (PEP).

Public

Refers to a Permission applied on a Service or Resource to special elements in order to make them available to anyone, including even unauthenticated sessions. See also Public Access section for implementation details to achieve this result.

Request User

Active request session User that can be retrieved by calling request.user, with resolution of Authentication headers within the request (User is None if unauthenticated, i.e., magpie.constants.MAGPIE_ANONYMOUS_USER). This is not the same as the Context User extracted from the {user_name} path variable, except for the special case covered by the definition of Logged User. The request User can send requests that act on a Context User other than itself if sufficient Access Permission is granted. See also Route Access for further details.
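The following is an added illustration of how the Request User, Context User and Logged User definitions above fit together, together with the Access Permission notion of required Group membership. It is not Magpie's own code: the values given to MAGPIE_LOGGED_USER and MAGPIE_ANONYMOUS_USER, the User and Request stand-in classes, and the rule that acting on another Context User requires membership in an ADMIN_GROUP are all assumptions made for the example; Magpie's actual rules are those of its Route Access section.

```python
# Added illustration of the Request User / Context User / Logged User
# distinction; not Magpie's own code. Constant values and the group rule
# are assumptions made for this example.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumed default values of the magpie.constants named in the glossary.
MAGPIE_LOGGED_USER = "current"
MAGPIE_ANONYMOUS_USER = "anonymous"
# Hypothetical group whose members may act on a Context User other than themselves.
ADMIN_GROUP = "administrators"


@dataclass(frozen=True)
class User:
    """Stand-in for magpie.models.User: a name and its Group memberships."""
    name: str
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for the HTTP request: the {user_name} path variable and
    the session User resolved from the Authentication cookies (None when
    unauthenticated, like request.user in the glossary)."""
    user_name: str
    user: Optional[User] = None


def request_user_name(request: Request) -> str:
    """Request User: the session user, or the anonymous user when not logged in."""
    return request.user.name if request.user is not None else MAGPIE_ANONYMOUS_USER


def resolve_context_user(request: Request) -> Tuple[str, bool]:
    """Return the Context User name and whether it resolves to the Logged User.

    The {user_name} path variable names the Context User. It refers to the
    Logged User when it is the special MAGPIE_LOGGED_USER value or the literal
    name of the Request User; an unauthenticated session therefore resolves
    MAGPIE_LOGGED_USER to MAGPIE_ANONYMOUS_USER.
    """
    self_name = request_user_name(request)
    if request.user_name in (MAGPIE_LOGGED_USER, self_name):
        return self_name, True
    return request.user_name, False


def check_route_access(request: Request) -> Tuple[str, bool, bool]:
    """Return (context_user, is_logged_user, granted).

    A request targeting the Logged User itself needs no extra Access Permission.
    Acting on another Context User is assumed here to require membership in
    ADMIN_GROUP (constructed rule for the example).
    """
    context_user, is_self = resolve_context_user(request)
    if is_self:
        return context_user, True, True
    groups = request.user.groups if request.user is not None else frozenset()
    return context_user, False, ADMIN_GROUP in groups


if __name__ == "__main__":
    # Constructed sample requests: anonymous, self-targeting, and cross-user.
    alice = User("alice", frozenset({"users"}))
    root = User("root", frozenset({"users", ADMIN_GROUP}))
    for req in (Request("current"), Request("current", alice),
                Request("bob", alice), Request("bob", root)):
        print(req.user_name, check_route_access(req))
```

Running the module resolves the same path value "current" to "anonymous" for an unauthenticated session and to "alice" once alice's cookies identify her, while a path naming "bob" is only granted to the member of the assumed administrators group.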

Resource

Entity to which User and Group can be associated with applicable Permission, respectively, for the contextual Service under which it resides. This element can represent virtually anything. The interpretation of each Resource depends on the context of the Service it relates to. Implemented by sub-classes of magpie.models.Resource.

Service

Top-level specialized Resource that defines which children Resource elements are applicable to it (if any), how its hierarchy of Resource should behave against incoming HTTP request details, and how to parse any set of Permission applied on them against the respective request elements. Also defines URL connection details pointing to the actual service on which access control is applicable. Each type of Service defines a different combination of functionalities. Implemented by sub-classes of magpie.models.ServiceInterface.

User

Unitary entity containing details about the user that allow it to log into Magpie, and that can have other relationships applied to it, such as Permission and Group, which extend its specific access rights to Service and Resource elements. Implemented by magpie.models.User.