Fate flow permission management
Multi-party cooperation rights management¶
1. Description¶
-
fateflow permission authentication supports both flow's own authentication and third-party authentication
-
Authentication configuration:
$FATE_BASE/conf/service_conf.yaml.
hook_module:
permission: fate_flow.hook.flow.permission
hook_server_name:
permission:
switch: false
component: false
dataset: false
2. Permission authentication¶
2.1 flow permission authentication¶
2.1.1 Authentication scheme¶
- The flow permission authentication scheme uses the casbin permission control framework and supports both component and dataset permissions.
- The configuration is as follows.
hook_module: permission: fate_flow.hook.flow.permission permission: switch: true component: true dataset: true
2.1.2 Authorization¶
Add privileges
flow privilege grant -c fateflow/examples/permission/grant.json
Options
| parameter name | required | type | description |
|---|---|---|---|
| party_id | yes | string | site id |
| component | no | string | component name, can be split by "," for multiple components, "*" for all components |
| dataset | no | object | list of datasets |
sample
{
"party_id": 10000,
"component": "reader,dataio",
"dataset": [
{
"namespace": "experiment",
"name": "breast_hetero_guest"
},
{
"namespace": "experiment",
"name": "breast_hetero_host"
}
]
}
return
| parameter name | type | description |
|---|---|---|
| retcode | int | return code |
| retmsg | string | return message |
Sample
{
"retcode": 0,
"retmsg": "success"
}
2.1.3 Revoke privileges¶
Delete permissions
flow privilege delete -c fateflow/examples/permission/delete.json
| parameter name | required | type | description |
|---|---|---|---|
| party_id | yes | string | site_id |
| component | no | string | component name, can be split by "," for multiple components, "*" for all components |
| dataset | no | object | list of datasets, "*" is all datasets |
sample
{
"party_id": 10000,
"component": "reader,dataio",
"dataset": [
{
"namespace": "experiment",
"name": "breast_hetero_guest"
},
{
"namespace": "experiment",
"name": "breast_hetero_host"
}
]
}
return
| parameter name | type | description |
|---|---|---|
| retcode | int | return code |
| retmsg | string | return message |
Sample
{
"retcode": 0,
"retmsg": "success"
}
2.1.4 Permission query¶
Query permissions
flow privilege query -p 10000
Options
| parameters | short-format | long-format | required | type | description |
|---|---|---|---|---|---|
| party_id | -p |
--party-id |
yes | string | site id |
returns
| parameter name | type | description |
|---|---|---|
| retcode | int | return-code |
| retmsg | string | Return information |
| data | object | return data |
Sample
{
"data": {
"component": [
"reader",
"dataio"
],
"dataset": [
{
"name": "breast_hetero_guest",
"namespace": "experiment"
},
{
"name": "breast_hetero_host",
"namespace": "experiment"
}
]
},
"retcode": 0,
"retmsg": "success"
}
2.2 Third-party interface privilege authentication¶
- Third party services need to authenticate to the flow privilege interface, refer to privilege authentication service registration
- If the authentication fails, flow will directly return the authentication failure to the partner.