Refactor authz resource tree

Author: paulineribeyre

.secrets.baseline

@@ -98,6 +98,10 @@
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
     },
+    {
+      "path": "detect_secrets.filters.gibberish.should_exclude_secret",
+      "limit": 3.7
+    },
     {
       "path": "detect_secrets.filters.heuristic.is_indirect_reference"
     },
@@ -126,88 +130,6 @@
       "path": "detect_secrets.filters.heuristic.is_templated_secret"
     }
   ],
-  "results": {
-    ".github/workflows/ci.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": ".github/workflows/ci.yml",
-        "hashed_secret": "3e26d6750975d678acb8fa35a0f69237881576b0",
-        "is_verified": false,
-        "line_number": 15
-      }
-    ],
-    "alembic.ini": [
-      {
-        "type": "Basic Auth Credentials",
-        "filename": "alembic.ini",
-        "hashed_secret": "9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684",
-        "is_verified": false,
-        "line_number": 64
-      }
-    ],
-    "docs/local_installation.md": [
-      {
-        "type": "Secret Keyword",
-        "filename": "docs/local_installation.md",
-        "hashed_secret": "08d2e98e6754af941484848930ccbaddfefe13d6",
-        "is_verified": false,
-        "line_number": 90
-      }
-    ],
-    "docs/s3.md": [
-      {
-        "type": "Secret Keyword",
-        "filename": "docs/s3.md",
-        "hashed_secret": "08d2e98e6754af941484848930ccbaddfefe13d6",
-        "is_verified": false,
-        "line_number": 55
-      }
-    ],
-    "migrations/versions/e1886270d9d2_create_system_key_table.py": [
-      {
-        "type": "Hex High Entropy String",
-        "filename": "migrations/versions/e1886270d9d2_create_system_key_table.py",
-        "hashed_secret": "1df47988c41b70d5541f29636c48c6127cf593b8",
-        "is_verified": false,
-        "line_number": 16
-      }
-    ],
-    "tests/conftest.py": [
-      {
-        "type": "Base64 High Entropy String",
-        "filename": "tests/conftest.py",
-        "hashed_secret": "0dd78d9147bb410f0cb0199c5037da36594f77d8",
-        "is_verified": false,
-        "line_number": 195
-      }
-    ],
-    "tests/migrations/test_migration_e1886270d9d2.py": [
-      {
-        "type": "Hex High Entropy String",
-        "filename": "tests/migrations/test_migration_e1886270d9d2.py",
-        "hashed_secret": "1df47988c41b70d5541f29636c48c6127cf593b8",
-        "is_verified": false,
-        "line_number": 24
-      }
-    ],
-    "tests/test-gen3workflow-config.yaml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/test-gen3workflow-config.yaml",
-        "hashed_secret": "900a7331f7bf83bff0e1b2c77f471b4a5145da0f",
-        "is_verified": false,
-        "line_number": 5
-      }
-    ],
-    "tests/test_s3_endpoint.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/test_s3_endpoint.py",
-        "hashed_secret": "08d2e98e6754af941484848930ccbaddfefe13d6",
-        "is_verified": false,
-        "line_number": 75
-      }
-    ]
-  },
-  "generated_at": "2026-02-25T19:02:33Z"
+  "results": {},
+  "generated_at": "2026-02-26T22:44:12Z"
 }

docs/authorization.md

@@ -3,22 +3,47 @@
 The Gen3 Workflow endpoints are protected by Arborist policies.
 
 Contents:
+- [Authorization resources overview](#authorization-resources-overview)
+- [Storage](#storage)
 - [GA4GH TES](#ga4gh-tes)
-  - [Authorization configuration example](#authorization-configuration-example)
+- [Authorization configuration example](#authorization-configuration-example)
+
+## Authorization resources overview
+
+```mermaid
+graph TD;
+    A(services) --> B(workflow);
+    B --> C(gen3-workflow);
+    C --> D(tasks);
+    C --> E(storage);
+    D --> F(_user1_);
+    D --> G(_user2_);
+    E --> M(_user1_);
+    E --> N(_user2_);
+    F --> H(tasks);
+    H --> I(_task1_);
+    H --> J(_task2_);
+    G --> K(tasks);
+    K --> L(_task3_);
+```
 
 ## GA4GH TES
 
 - To create a task, users need `create` access to resource `/services/workflow/gen3-workflow/tasks` on service `gen3-workflow`.
-- To view a task, users need `read` access to resource `/users/<user ID>/gen3-workflow/tasks/<task ID>` on service `gen3-workflow`.
-  - Users are automatically granted access to `/users/<user ID>/gen3-workflow/tasks` so they can view their own tasks.
-  - Admin access (the ability to see _all_ users’ tasks instead of just your own) can be granted to a user by granting them access to the parent resource `/services/workflow/gen3-workflow/tasks`.
-  - This supports sharing tasks with others; for example, "user1" may share "taskA" with "user2" if the system grants "user2" access to `/users/user1/gen3-workflow/tasks/taskA`.
+- To view a task, users need `read` access to resource `/services/workflow/gen3-workflow/tasks/<user ID>/<task ID>` on service `gen3-workflow`.
+- To cancel a task, users need `delete` access to resource `/services/workflow/gen3-workflow/tasks/<user ID>/<task ID>` on service `gen3-workflow`.
+- Admin access (the ability to see _all_ users’ tasks instead of just your own) can be granted to a user by granting them access to the parent resource `/services/workflow/gen3-workflow/tasks`.
+- This supports sharing tasks with others; for example, "user1" may share "taskA" with "user2" if the system grants "user2" access to `/services/workflow/gen3-workflow/tasks/user1/taskA`.
+  - However, sharing task _inputs/outputs_ in the user's S3 bucket is not supported. Currently, users can only access their own S3 bucket.
 
-## Other Gen3-Workflow functionality
-- To download inputs and upload outputs, the Funnel workers need `create` access to resource `/services/workflow/gen3-workflow/tasks` on service `gen3-workflow`, like end-users.
-- To empty or delete their own S3 bucket, a user needs `delete` access to the resource `/services/workflow/gen3-workflow/user-bucket` on the `gen3-workflow` service -- a special privilege useful for automated testing but not intended for the average user.
+## Storage
+- To upload input files, download output files, and in general manage the files in their S3 bucket, users need `create`, `read` or `delete` access to resource `/services/workflow/gen3-workflow/storage/<user ID>` on service `gen3-workflow`.
+- The Funnel workers have access to `/services/workflow/gen3-workflow/storage` so they can manage files in all the user buckets.
+- To empty or delete their own S3 bucket (`/storage/user-bucket` endpoints), users need `delete` access to the resource `/services/workflow/gen3-workflow/storage/<user ID>` on the `gen3-workflow` service.
 
-#### Authorization configuration example
+## Authorization configuration example
+
+Users are automatically granted access to `/services/workflow/gen3-workflow/tasks/<user ID>` and to `/services/workflow/gen3-workflow/storage/<user ID>` so they can view and cancel their own tasks and manage files in their own bucket.
 
 ```yaml
 users:
@@ -29,7 +54,7 @@ users:
 clients:
   funnel-plugin-client:
     policies:
-    - gen3_workflow_user
+    - gen3_workflow_storage_admin
 
 authz:
   resources:
@@ -48,18 +73,18 @@ authz:
     - gen3_workflow_creator
     resource_paths:
     - /services/workflow/gen3-workflow/tasks
-  - id: gen3_workflow_admin
+  - id: gen3_workflow_task_reader_admin
     description: Allows access to view tasks created by all users
     role_ids:
     - gen3_workflow_reader
     resource_paths:
     - /services/workflow/gen3-workflow/tasks
-  - id: workflow_storage_deleter
-    description: Allows delete access to the user's own S3 bucket
+  - id: gen3_workflow_storage_admin
+    description: Allows access to manage all the user buckets
     role_ids:
-    - workflow_storage_deleter
+    - gen3_workflow_admin
     resource_paths:
-    - /services/workflow/gen3-workflow
+    - /services/workflow/gen3-workflow/storage
 
   roles:
   - id: gen3_workflow_reader
@@ -74,10 +99,10 @@ authz:
       action:
         service: gen3-workflow
         method: create
-   - id: workflow_storage_deleter
-      permissions:
-      - id: workflow_storage_deleter
-        action:
-          service: gen3-workflow
-          method: delete
+  - id: gen3_workflow_admin
+    permissions:
+    - id: gen3_workflow_admin_action
+      action:
+        service: gen3-workflow
+        method: *
 ```

docs/helm_chart_architecture.md

@@ -8,7 +8,7 @@ The Gen3 Workflow helm chart is [here](https://github.com/uc-cdis/gen3-helm/tree
 
 ```mermaid
 graph TD;
-    A[Gen3 chart] --> B(Gen3 Workflow chart);
+    A(Gen3 chart) --> B(Gen3 Workflow chart);
     A --> C(Gen3 Funnel chart);
     C --> D(OHSU Funnel chart);
 ```

gen3workflow/auth.py

@@ -123,38 +123,47 @@ async def grant_user_access_to_their_own_tasks(
     ) -> None:
         """
         Ensure the specified user exists in Arborist and has a policy granting them access to their
-        own Gen3Workflow tasks ("read" and "delete" access to resource "/users/<user ID>/gen3-workflow/tasks" for service "gen3-workflow").
+        own Gen3Workflow tasks and bucket storage.
         Args:
             username (str): The user's Gen3 username
             user_id (str): The user's unique Gen3 ID
         """
-        logger.info(f"Ensuring user '{user_id}' has access to their own tasks")
-        resource_path = f"/users/{user_id}/gen3-workflow/tasks"
-        if await self.authorize(method="read", resources=[resource_path], throw=False):
+        logger.info(
+            f"Ensuring user '{user_id}' has access to their own tasks and storage"
+        )
+        resource_path1 = f"/services/workflow/gen3-workflow/tasks/{user_id}"
+        if await self.authorize(method="read", resources=[resource_path1], throw=False):
             # if the user already has access to their own tasks, return early
             return
 
-        logger.debug(f"Attempting to create resource '{resource_path}' in Arborist")
-        parent_path = f"/users/{user_id}/gen3-workflow"
+        parent_path = "/services/workflow/gen3-workflow/tasks"
+        logger.debug(f"Attempting to create resource '{resource_path1}' in Arborist")
         resource = {
-            "name": "tasks",
+            "name": user_id,
             "description": f"Represents workflow tasks owned by user '{username}'",
         }
         await self.arborist_client.create_resource(
             parent_path, resource, create_parents=True
         )
 
-        role_id = "gen3-workflow_task_owner"
+        resource_path2 = f"/services/workflow/gen3-workflow/storage/{user_id}"
+        parent_path = "/services/workflow/gen3-workflow/storage"
+        logger.debug(f"Attempting to create resource '{resource_path2}' in Arborist")
+        resource = {
+            "name": user_id,
+            "description": f"Represents task storage owned by user '{username}'",
+        }
+        await self.arborist_client.create_resource(
+            parent_path, resource, create_parents=True
+        )
+
+        role_id = "gen3_workflow_admin"
         role = {
             "id": role_id,
             "permissions": [
                 {
-                    "id": "gen3-workflow-reader",
-                    "action": {"service": "gen3-workflow", "method": "read"},
-                },
-                {
-                    "id": "gen3-workflow-deleter",
-                    "action": {"service": "gen3-workflow", "method": "delete"},
+                    "id": "gen3_workflow_admin_action",
+                    "action": {"service": "gen3-workflow", "method": "*"},
                 },
             ],
         }
@@ -168,13 +177,13 @@ async def grant_user_access_to_their_own_tasks(
             )
             await self.arborist_client.create_role(role)
 
-        policy_id = f"gen3-workflow_task_owner_sub-{user_id}"
+        policy_id = f"gen3_workflow_user_sub_{user_id}"
         logger.debug(f"Attempting to create policy '{policy_id}' in Arborist")
         policy = {
             "id": policy_id,
             "description": f"policy created by gen3-workflow for user '{username}'",
             "role_ids": [role_id],
-            "resource_paths": [resource_path],
+            "resource_paths": [resource_path1, resource_path2],
         }
         await self.arborist_client.create_policy(policy, skip_if_exists=True)
 

gen3workflow/routes/ga4gh_tes.py

@@ -149,7 +149,10 @@ async def create_task(request: Request, auth=Depends(Auth)) -> dict:
         err_msg = f"Tags {sorted(reserved_tags)} are reserved for internal use only and cannot be used."
         logger.error(err_msg)
         raise HTTPException(HTTP_400_BAD_REQUEST, err_msg)
-    body["tags"]["_AUTHZ"] = f"/users/{user_id}/gen3-workflow/tasks/TASK_ID_PLACEHOLDER"
+    authz_resource = (
+        f"/services/workflow/gen3-workflow/tasks/{user_id}/TASK_ID_PLACEHOLDER"
+    )
+    body["tags"]["_AUTHZ"] = authz_resource
     # TODO: Test running gen3-workflow locally and document this change
     if config["EKS_CLUSTER_NAME"]:
         body["tags"]["_FUNNEL_WORKER_ROLE_ARN"] = (

gen3workflow/routes/s3.py

@@ -171,11 +171,18 @@ async def s3_endpoint(path: str, request: Request):
     if request.method == "GET" and not path:
         return await get_status(request)
 
-    # extract the caller's access token from the request headers, and ensure the caller (user, or
-    # client acting on behalf of the user) has access to run workflows
+    # Extract the caller's access token from the request headers, and ensure the caller (user, or
+    # client acting on behalf of the user) has access to the user's files.
+    # Note: sharing task inputs/output is not supported. Currently, users can only access their own
+    # S3 bucket.
     auth = Auth(api_request=request)
     user_id = await set_access_token_and_get_user_id(auth, request.headers)
-    await auth.authorize("create", ["/services/workflow/gen3-workflow/tasks"])
+    auth_verb = {"GET": "read", "HEAD": "read", "DELETE": "delete"}.get(
+        request.method, "create"
+    )
+    await auth.authorize(
+        auth_verb, [f"/services/workflow/gen3-workflow/tasks/{user_id}"]
+    )
 
     # get the name of the user's bucket and ensure the user is making a call to their own bucket
     logger.info(f"Incoming S3 request from user '{user_id}': '{request.method} {path}'")

gen3workflow/routes/storage.py

@@ -45,10 +45,11 @@ async def delete_user_bucket(request: Request, auth=Depends(Auth)) -> None:
     Amazon S3 processes bucket deletion asynchronously. The bucket may
     remain visible for a short period until deletion fully propagates.
     """
-    await auth.authorize("delete", ["/services/workflow/gen3-workflow/user-bucket"])
-
     token_claims = await auth.get_token_claims()
     user_id = token_claims.get("sub")
+    await auth.authorize(
+        "delete", [f"/services/workflow/gen3-workflow/tasks/{user_id}"]
+    )
     logger.info(f"User '{user_id}' deleting their storage bucket")
     deleted_bucket_name = aws_utils.cleanup_user_bucket(user_id, delete_bucket=True)
 
@@ -80,10 +81,11 @@ async def empty_user_bucket(request: Request, auth=Depends(Auth)) -> None:
     """
     Deletes all the objects from current user's S3 bucket
     """
-    await auth.authorize("delete", ["/services/workflow/gen3-workflow/user-bucket"])
-
     token_claims = await auth.get_token_claims()
     user_id = token_claims.get("sub")
+    await auth.authorize(
+        "delete", [f"/services/workflow/gen3-workflow/tasks/{user_id}"]
+    )
     logger.info(f"User '{user_id}' emptying their storage bucket")
     deleted_bucket_name = aws_utils.cleanup_user_bucket(user_id)