Document separated connector credentials
@@ -7,7 +7,11 @@ objects:
|
|||||||
WebDAV server, Nextcloud account, Seafile server, or SMB share. Profiles are
|
WebDAV server, Nextcloud account, Seafile server, or SMB share. Profiles are
|
||||||
administered in settings at system or tenant scope, with the same
|
administered in settings at system or tenant scope, with the same
|
||||||
inheritance and limit semantics used by mail-server profiles.
|
inheritance and limit semantics used by mail-server profiles.
|
||||||
2. A linked file space binds one concrete remote folder or library path from an
|
2. A governed credential profile defines reusable authentication material for
|
||||||
|
one provider or for any compatible provider. Credentials are administered
|
||||||
|
separately from connection profiles and can carry their own allow/deny
|
||||||
|
policy.
|
||||||
|
3. A linked file space binds one concrete remote folder or library path from an
|
||||||
allowed profile to a user or group. Linked spaces appear beside "My files"
|
allowed profile to a user or group. Linked spaces appear beside "My files"
|
||||||
and group file spaces in the files module.
|
and group file spaces in the files module.
|
||||||
|
|
||||||
@@ -22,11 +26,19 @@ Connection profile:
|
|||||||
- endpoint URL and optional base path
|
- endpoint URL and optional base path
|
||||||
- scope: `system` or `tenant` for administered profiles; user/group profiles
|
- scope: `system` or `tenant` for administered profiles; user/group profiles
|
||||||
may be allowed later only when policy explicitly permits them
|
may be allowed later only when policy explicitly permits them
|
||||||
- credential mode: anonymous, environment reference, secret reference, or a
|
- optional credential profile id
|
||||||
future encrypted secret store
|
|
||||||
- capabilities: browse, sync, import, optional write when a provider supports it
|
- capabilities: browse, sync, import, optional write when a provider supports it
|
||||||
- profile-local policy for allow/deny rules
|
- profile-local policy for allow/deny rules
|
||||||
|
|
||||||
|
Credential profile:
|
||||||
|
|
||||||
|
- provider: a specific provider or any provider
|
||||||
|
- scope: `system` or `tenant` for administered credentials
|
||||||
|
- credential mode: anonymous, environment reference, secret reference, or
|
||||||
|
encrypted stored password/token
|
||||||
|
- username and redacted secret configuration
|
||||||
|
- credential-local policy for allow/deny rules
|
||||||
|
|
||||||
Connector policy:
|
Connector policy:
|
||||||
|
|
||||||
- system policy is the baseline
|
- system policy is the baseline
|
||||||
@@ -34,7 +46,8 @@ Connector policy:
|
|||||||
lower-level relaxation
|
lower-level relaxation
|
||||||
- future user/group policy may narrow tenant policy for self-service links
|
- future user/group policy may narrow tenant policy for self-service links
|
||||||
- policies can allow or block providers, profile ids, endpoint URLs, external
|
- policies can allow or block providers, profile ids, endpoint URLs, external
|
||||||
path prefixes, credential inheritance, and local linked-space creation
|
path prefixes, credential ids, credential inheritance, and local linked-space
|
||||||
|
creation
|
||||||
|
|
||||||
Linked connector space:
|
Linked connector space:
|
||||||
|
|
||||||
@@ -73,14 +86,17 @@ Implemented:
|
|||||||
|
|
||||||
- provider descriptors for Seafile, Nextcloud, WebDAV, and SMB
|
- provider descriptors for Seafile, Nextcloud, WebDAV, and SMB
|
||||||
- database-backed connector profiles with system and tenant scope
|
- database-backed connector profiles with system and tenant scope
|
||||||
- encrypted stored password/token support for database profiles
|
- database-backed connector credentials with system and tenant scope
|
||||||
|
- encrypted stored password/token support for database credentials
|
||||||
- JSON/environment-defined connector profiles with system, tenant, user, group,
|
- JSON/environment-defined connector profiles with system, tenant, user, group,
|
||||||
and campaign visibility
|
and campaign visibility
|
||||||
- connector allow/deny policy enforcement before browse/import/sync
|
- connector allow/deny policy enforcement before browse/import/sync, including
|
||||||
|
provider, connection profile, credential profile, and path checks
|
||||||
- read-only browse endpoints
|
- read-only browse endpoints
|
||||||
- import and sync into managed files with provenance and revision metadata
|
- import and sync into managed files with provenance and revision metadata
|
||||||
- audit events for connector import, sync, and access
|
- audit events for connector import, sync, and access
|
||||||
- settings/admin UI sections for system and tenant file connections
|
- settings/admin UI sections for system and tenant file connections and
|
||||||
|
credentials
|
||||||
- linked connector-space rows owned by users or groups
|
- linked connector-space rows owned by users or groups
|
||||||
- file-space API responses that include linked connector spaces
|
- file-space API responses that include linked connector spaces
|
||||||
- Files UI entry point to create linked connector spaces from a browsed remote
|
- Files UI entry point to create linked connector spaces from a browsed remote
|
||||||
@@ -101,8 +117,9 @@ Missing:
|
|||||||
|
|
||||||
1. Persist governed connector profiles and policies.
|
1. Persist governed connector profiles and policies.
|
||||||
- `file_connector_profiles` exists for system and tenant profiles.
|
- `file_connector_profiles` exists for system and tenant profiles.
|
||||||
|
- `file_connector_credentials` exists for system and tenant credentials.
|
||||||
- Environment JSON profiles remain bootstrap/compatibility profiles.
|
- Environment JSON profiles remain bootstrap/compatibility profiles.
|
||||||
- Profile CRUD endpoints exist for database-backed profiles.
|
- Profile and credential CRUD endpoints exist for database-backed records.
|
||||||
- Remaining: `file_connector_policies` plus effective policy/explain output.
|
- Remaining: `file_connector_policies` plus effective policy/explain output.
|
||||||
|
|
||||||
2. Add linked connector spaces.
|
2. Add linked connector spaces.
|
||||||
|
|||||||
Reference in New Issue
Block a user