107 lines
4.3 KiB
Markdown
107 lines
4.3 KiB
Markdown
# GovOPlaN Access
|
|
|
|
`govoplan-access` is the platform module for GovOPlaN identity,
|
|
authentication, sessions, API keys, RBAC, groups, users, and access
|
|
administration.
|
|
|
|
The repository contains the extracted access seed implementation under
|
|
`src/govoplan_access/backend`. Session, API-key, and password helper services,
|
|
interactive auth routes, and administration routers are owned here. The public
|
|
FastAPI request dependency API is exported from `govoplan_access.auth`; modules
|
|
must not import the backend dependency module directly. Access-side admin
|
|
service helpers remain
|
|
here for users, groups, roles, system accounts, sessions, API keys, tenant
|
|
access enforcement, admin/audit lookup capabilities, tenant owner
|
|
provisioning, and governance-template materialization into access-owned groups
|
|
and roles. Governance-template metadata CRUD lives in `govoplan-admin`. The
|
|
transitional administration WebUI route shell and
|
|
access-owned panels live under `webui/src` as `@govoplan/access-webui`. Generic
|
|
system administration panels are contributed by `@govoplan/admin-webui` through
|
|
core's `admin.sections` UI capability. Live access ORM models are defined here
|
|
with `access_*` table names; tenant records live in `govoplan-tenancy`,
|
|
governance templates in `govoplan-admin`, audit logs in `govoplan-audit`, and
|
|
system settings in `govoplan-core`. The current access boundary is documented
|
|
in:
|
|
|
|
- `/mnt/DATA/git/govoplan-core/docs/ACCESS_RBAC_MODEL.md`
|
|
- `/mnt/DATA/git/govoplan-core/docs/MODULE_ARCHITECTURE.md`
|
|
- `docs/ACCESS_MODULE_BOUNDARY.md`
|
|
- `docs/IDENTITY_ACCOUNT_FUNCTION_MODEL.md`
|
|
- `docs/OPENDESK_IDENTITY_BOUNDARY.md`
|
|
|
|
## Initial Ownership
|
|
|
|
This module will own:
|
|
|
|
- accounts and login identity
|
|
- authentication routes and session lifecycle
|
|
- API keys
|
|
- legacy administration route contribution during the transition
|
|
- tenant-local users
|
|
- identity-to-account projection for explainable access decisions
|
|
- organization-bound functions and function assignments
|
|
- explicit delegation and acting-in-place facts
|
|
- groups and memberships
|
|
- roles and role assignments
|
|
- principal resolution
|
|
- permission evaluation
|
|
- access administration backend routes
|
|
- access administration WebUI route contributions
|
|
- published FastAPI auth dependency API at `govoplan_access.auth`
|
|
- access administration, tenant provisioning, and governance materializer
|
|
capabilities
|
|
- access-owned migrations
|
|
|
|
The governance-template routes under `/admin/system/governance-templates` are
|
|
contributed by `govoplan-admin`; access must not register those routes.
|
|
|
|
`govoplan-access` depends on `govoplan-tenancy`; the registry loads tenancy
|
|
before access for authenticated platform composition.
|
|
|
|
## Principal Context
|
|
|
|
The stable principal DTO is `govoplan_core.core.access.PrincipalRef`. Access
|
|
resolves sessions, API keys, and future service accounts into that DTO and
|
|
serializes it as `principal` in auth API responses. Feature modules should use
|
|
that DTO, primitive IDs, or the published `govoplan_access.auth` dependency API
|
|
instead of importing access ORM models or backend dependency internals.
|
|
|
|
The detailed module boundary and serialization fields are documented in
|
|
[docs/ACCESS_MODULE_BOUNDARY.md](docs/ACCESS_MODULE_BOUNDARY.md).
|
|
|
|
## WebUI Package
|
|
|
|
The repository root and `webui/` directory both expose the package
|
|
`@govoplan/access-webui`. The package contributes the `/admin` route and admin
|
|
nav item through core's module WebUI contract. The route shell consumes
|
|
module-owned `admin.sections` contributions from installed platform modules and
|
|
continues to render access-owned tenant/user/group/role panels locally. Core
|
|
supplies shared admin components, route rendering, and icon resolution.
|
|
|
|
The kernel remains responsible for module discovery, route aggregation,
|
|
database/session lifecycle, migration orchestration, capability registry, and
|
|
stable contracts.
|
|
|
|
## Gitea Workflow
|
|
|
|
This repository uses the shared GovOPlaN Gitea issue workflow. Issue templates
|
|
are installed under `.gitea/`, and the shared label taxonomy is copied to
|
|
`docs/gitea-labels.json`.
|
|
|
|
From the core checkout, labels can be synced once a local `GITEA_TOKEN` is
|
|
available:
|
|
|
|
```bash
|
|
cd /mnt/DATA/git/govoplan-core
|
|
./scripts/gitea-sync-labels.py --root /mnt/DATA/git/govoplan-access --apply
|
|
```
|
|
|
|
## Development Install
|
|
|
|
From the core checkout:
|
|
|
|
```bash
|
|
cd /mnt/DATA/git/govoplan-core
|
|
./.venv/bin/python -m pip install -e ../govoplan-access
|
|
```
|