Skip to content

Security and access control improvements to enable multi-tenancy within Orthanc

Rob Oakes requested to merge roakes/nsync-hpop into master

New features:

  • Access control
    • Group and user models for managing secure access control (ACL) to resources
      • User models for patient, study, and series to allow for access to be mediated through association with a user account.
      • Group models for patient, study, and series to allow for access to be mediated through group ownership.
    • Orthanc Internal API endpoints to create, update, and manage policies
      • /patients/{ patient-uid }/acl/user: management endpoint for user/patient ACL
      • /patients/{ patient-uid }/acl/user/{ policy-uid }: REST endpoint for user/patient ACL
      • /patients/{ patient-uid }/acl/group: management endpoint for group/patient ACL
      • /patients/{ patient-uid }/acl/group/{ policy-uid }: REST endpoint for user/patient ACL
      • /studies/{ study-uid }/acl/user: management endpoint for user/study ACL
      • /studies/{ study-uid }/acl/user/{ policy-uid }: REST endpoint for user/study ACL
      • /studies/{ study-uid }/acl/group: management endpoint for group/study ACL
      • /studies/{ study-uid }/acl/group/{ policy-uid }: REST endpoint for user/study ACL
      • /series/{ series-uid }/acl/user: management endpoint for user/series ACL
      • /series/{ series-uid }/acl/user/{ policy-uid }: REST endpoint for user/series ACL
      • /series/{ study-uid }/acl/group: management endpoint for group/series ACL
      • /series/{ study-uid }/acl/group/{ policy-uid }: REST endpoint for user/series ACL
    • DICOMweb API endpoints: provides a mirror of Orthanc Internal API, but under the DICOMweb root for the server and with URL parameters which utilize the DICOM uid structure.
      • /dicom-web/studies/{ study-dcm-uid }/acl/user: management endpoint for user/study ACL
      • /dicom-web/studies/{ study-dcm-uid }/acl/user/{ policy-uid }: REST endpoint for user/study ACL
      • /dicom-web/studies/{ study-dcm-uid }/acl/group: management endpoint for group/study ACL
      • /dicom-web/studies/{ study-dcm-uid }/acl/group/{ policy-uid }: REST endpoint for user/study ACL
      • /dicom-web/series/{ series-dcm-uid }/acl/user: management endpoint for user/series ACL
      • /dicom-web/series/{ series-dcm-uid }/acl/user/{ policy-uid }: REST endpoint for user/series ACL
      • /dicom-web/series/{ study-dcm-uid }/acl/group: management endpoint for group/series ACL
      • /dicom-web/series/{ study-dcm-uid }/acl/group/{ policy-uid }: REST endpoint for user/series ACL
  • Worklists: lists (associated with a group) to allow for the queuing of studies for review. Based on unified procedure step (UPS): https://www.dicomstandard.org/using/dicomweb/workflow-ups-rs.
    • Models: model linked to cache resources (patient, study, series)
    • Orthanc Internal API endpoints for management and retrieving the filtered list
      • /studies/{ study-uid }/worklists: management API for study reviewer worklists
      • /studies/{ study-uid }/worklists/{ worklist-uid }: REST endpoint for study reviewer worklists
    • DICOMweb endpoint: mirror of Orthanc Internal API
      • /dicom-web/studies/{ study-uid }/worklists: management API endpoint
      • /dicom-web/studies/{ study-uid }/worklists/{ worklist-uid }: REST API endpoint
  • Tags: codes (associated with a group) that can be used to tag images (via DICOM-SR)
    • Model
    • Orthanc Internal API endpoints
      • /groups/{ group-uid }/tags: management endpoint
      • /groups/{ group-uid }/tags/{ tag-id }: REST endpoint
  • Study and series comments: add text and semi-structured (JSON) data to a resource
    • Models
    • Orthanc Internal API endpoints
      • /studies/{ study-uid }/comments: management endpoint for study comments
      • /studies/{ study-uid }/comments/{ series-uid }: management endpoint for study comments
      • /series/{ series-uid }/comments: management endpoint for series comments
      • /series/{ series-uid }/comments/{ series-uid }: management endpoint for series comments
  • Refactor extension (ext) views to provide a consistent interface
    • "resource child" API view base classes (management and REST): provides methods for working with child objects that are owned by a resource type
    • "object" API view base classes (management and REST): provide methods for working with standalone objects
  • Kafka data export endpoints
    • Orthanc Internal API endpoints which can be used to trigger export of Kafka resource data
      • GET: retrieve Kafka message structure
      • POST: trigger push of the message structure to the Kafka instance associated with the image server. A user defined payload can be sent in the request body as JSON, which will be attached to the message.
      • /patients/{ patient-uid }/kafka
      • /studies/{ study-uid }/kafka
      • /series/{ series-uid }/kafka
      • /instances/{ instance-uid }/kafka
  • Added logic to parse DICOM-SR documents and create a JSON version of the structure, which is then added to linked series as a comment.

Minor changes:

  • Added check for ModalitiesInStudy to enable query cache endpoints to be compatible with Orthanc Explorer 2
  • Refactor Kafka code to a stand-alone module, move producer interface to a class and associate with it the Sonador server manager to better centralize message export.

Project Tracking

OP#41 OP#49 OP#42 OP#48

Edited by Rob Oakes

Merge request reports