|
| 1 | +0008: Compatibility scheme with the current system |
| 2 | +################################################### |
| 3 | + |
| 4 | +Status |
| 5 | +****** |
| 6 | + |
| 7 | +**Draft** *2025-09-29* |
| 8 | + |
| 9 | +Context |
| 10 | +******* |
| 11 | + |
| 12 | +Open edX has its authorization system described in the `OEP-66`_, but due to its limitations, the community wanted to explore a more appropriate option for managing authorization on the platform. To mitigate the possible risk associated with completely overhauling a core system like authorization, our primary strategy is to implement a staging or phased migration plan. This approach enables us to limit the blast radius to test components in a controlled environment, apply lessons learned, and ensure business continuity, thereby giving users time to adapt. |
| 13 | + |
| 14 | +Decision |
| 15 | +******** |
| 16 | + |
| 17 | +* The new authorization will coexist with the previous one until we migrate the entire system. |
| 18 | +* We will start migrating the current library permissions and roles to the new authorization system. |
| 19 | + * For the MVP, we will maintain the current functionality using the new architecture. |
| 20 | + |
| 21 | +Consequences |
| 22 | +************ |
| 23 | + |
| 24 | +Migration Strategy for Libraries |
| 25 | +================================= |
| 26 | + |
| 27 | +* Develop a migration script to transform the existing explicit role assignments to the new authorization model, without modifying the previous table. |
| 28 | +* We will modify the enforcement points related to library permissions in the new system and verify other enforcement points, which will be updated with the latest set of `Roles and Permissions for Libraries`_. |
| 29 | +* We will use the authorization API system for the libraries' endpoints related to authorization. Example: Obtaining the list of users who have permissions over a scope. |
| 30 | +* Create a deprecation ticket to let the community know how the library roles and permissions will work. |
| 31 | +* Update the `OEP-66`_ doc regarding the library's new authorization system. |
| 32 | + |
| 33 | +For more information regarding the API and communication, see the `Enforcement mechanisms ADR`_. |
| 34 | + |
| 35 | +For more information on how the existing roles and permissions of libraries will be translated, see the `Libraries Roles and Permissions Migration Plan`_ document. |
| 36 | + |
| 37 | +Rejected Alternatives |
| 38 | +********************* |
| 39 | + |
| 40 | +* Change the authorization system completely at once. |
| 41 | +* Utilize the existing tables and mechanisms to enforce permissions within the new system. |
| 42 | +* Use library-specific API endpoints regarding authorization. |
| 43 | + |
| 44 | +References |
| 45 | +********** |
| 46 | + |
| 47 | +* `OEP-66`_ |
| 48 | +* `Roles and Permissions for Libraries`_ |
| 49 | +* `Enforcement mechanisms ADR`_ |
| 50 | +* `Libraries Roles and Permissions Migration Plan`_ |
| 51 | + |
| 52 | +.. _OEP-66: https://docs.openedx.org/projects/openedx-proposals/en/latest/best-practices/oep-0066-bp-authorization.html |
| 53 | + |
| 54 | +.. _Roles and Permissions for Libraries: https://openedx.atlassian.net/wiki/spaces/OEPM/pages/4840095745/Library+Roles+and+Permissions |
| 55 | + |
| 56 | +.. _Enforcement mechanisms ADR: https://github.com/openedx/openedx-authz/blob/main/docs/decisions/0007-enforcement-mechanisms-mfe.rst |
| 57 | + |
| 58 | +.. _Libraries Roles and Permissions Migration Plan: https://openedx.atlassian.net/wiki/spaces/OEPM/pages/5252317270/Libraries+Roles+and+Permissions+Migration+Plan |
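Review bot: The "Migration Strategy for Libraries" list does not say which system is authoritative for library permissions while the two coexist. The first bullet has the migration script transform the explicit role assignments "without modifying the previous table", so a grant or revocation written to the previous table after the script runs would not appear in the new model unless something keeps the two in sync. Suggest adding a bullet that states which store the library enforcement points read from once they are modified, whether the previous table becomes read-only or is dual-written during coexistence, and whether the script is idempotent and safe to re-run. Separately, the "Rejected Alternatives" section lists three options without saying why each was rejected; a one-line rationale per item would make the decision reviewable.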