Job access

In a production environment where multiple users may run jobs, it may be desirable that jobs can be accessed only by the users who executed them.

Note

This is not to be confused with access control for the execution of processes, which is handled by access policies.

Limiting access to jobs may be enforced by using a realm token associated with jobs.

When a job is created, a token (a realm) may be associated with it: this token will then be required in subsequent requests for accessing the job's status and results or executing the dismiss operation.

This feature is optional and is activated with the job_realm configuration setting.

Using realm token

By default, when a job is created, a realm token is created and associated with the job.

This token is either defined implicitly, by creating a unique UUID and returning its value in the X-Job-Realm header of the execution response, or set explicitly using the same header in the request.

This token may then be inspected by the client and used in subsequent requests for accessing the job's status and results or executing the dismiss operation.

Typical usage is to have a middleware proxy that sets the X-Job-Realm header together with a specified authentication procedure.

Administrative realms

When realms are enabled, administrator tokens may be defined. Requesting job control using an admin token gives full access to job control.

Admin tokens are defined with the job_realm.admin_tokens configuration setting.
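
Added example (not part of the project's code): the header handling a middleware proxy could apply, covering both the per-user realm from "Using realm token" and the admin tokens above. The HMAC derivation, the function names, the secret, the admin user list and the admin token value are assumptions of this example; only the X-Job-Realm header and the job_realm.admin_tokens setting come from the page.

```python
from __future__ import annotations

import hashlib
import hmac

REALM_HEADER = "X-Job-Realm"  # header name used by the service (from the page)

# Constructed sample values; all three are assumptions of this example.
PROXY_SECRET = b"constructed-proxy-secret"
ADMIN_TOKEN = "constructed-admin-token"  # must also be listed in job_realm.admin_tokens
ADMIN_USERS = frozenset({"ops"})


def realm_for_user(user_id: str, secret: bytes = PROXY_SECRET) -> str:
    """Derive a stable realm token per user (HMAC-SHA256 is a choice made here)."""
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def forward_headers(headers: dict[str, str], user_id: str | None) -> dict[str, str]:
    """Return the headers the proxy sends upstream for an authenticated user.

    Any X-Job-Realm value supplied by the client is discarded, so the realm
    always follows from the authenticated identity and never from client input.
    """
    if not user_id:
        raise PermissionError("request is not authenticated")
    # Header names are case-insensitive: drop every spelling of the realm header.
    out = {k: v for k, v in headers.items() if k.lower() != REALM_HEADER.lower()}
    if user_id in ADMIN_USERS:
        out[REALM_HEADER] = ADMIN_TOKEN
    else:
        out[REALM_HEADER] = realm_for_user(user_id)
    return out


if __name__ == "__main__":
    # Constructed request: the client tries to pick its own realm.
    incoming = {"Accept": "application/json", "x-job-realm": "client-chosen"}
    for user in ("alice", "bob", "ops"):
        print(user, forward_headers(incoming, user)[REALM_HEADER])
```

Because the token is derived from the user identity, the same user reaches their jobs across sessions without the proxy storing any per-job state.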