ocis driver: enforce permissions #1213

Merged
merged 11 commits into from
Oct 6, 2020

@butonic butonic commented Oct 1, 2020

We now check the owner and grants on nodes in the tree to determine the actual permissions.

  • check up and downloads
  • revisions can use the original node
  • only allow owner of a storage to manage trash? or determine the permissions based on the original parent?
  • changelog
  • some trash permission checks are unclear to me ... for now I only allow the owner to do some trash operations, as it is hard to determine if the current user is allowed to restore a certain trash item ... or if he can list all items ... because that is a permission not on the file but the storage afaict. @labkode how does eos handle the permission? it seems the cs3 grant permissions regarding trash need some thought ... for versions we can check the actual file ...
  • make AsResourceInfo() contain all permissions
    • which means that for requests that list or stat a node we need to read all grants to calculate the effective permissions
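The effective-permission calculation described above, sketched as an added example. It is not code from this PR or from the reva code base. The `Node` type, the `Perm` bitmask, the `group:` key prefix and the rule that grants on ancestors are unioned are assumptions made for illustration.

```go
package main

import "fmt"

// Perm is a hypothetical bitmask, not the CS3 ResourcePermissions message.
type Perm uint8

const (
	Stat Perm = 1 << iota
	List
	Download
	Upload
	Delete
	All = Stat | List | Download | Upload | Delete
)

// Node is a hypothetical tree node with an owner and per-grantee grants.
type Node struct {
	Owner  string
	Parent *Node
	Grants map[string]Perm // grantee id -> permissions (constructed model)
}

// EffectivePermissions: the owner gets everything; otherwise grants on n and
// on every ancestor are unioned (assumed rule). Unknown users get nothing.
func EffectivePermissions(n *Node, user string, groups []string) Perm {
	if n == nil || user == "" { // fail closed, also when Owner is unset
		return 0
	}
	if n.Owner == user {
		return All
	}
	var eff Perm
	for cur := n; cur != nil; cur = cur.Parent {
		eff |= cur.Grants[user] // a nil map reads as zero permissions
		for _, g := range groups {
			eff |= cur.Grants["group:"+g]
		}
	}
	return eff
}

// Allowed is the check to run before serving an operation such as a download.
func Allowed(n *Node, user string, groups []string, want Perm) bool {
	return EffectivePermissions(n, user, groups)&want == want
}

func main() {
	docs := &Node{Owner: "einstein", Grants: map[string]Perm{"marie": Stat | List}}
	file := &Node{Owner: "einstein", Parent: docs}
	fmt.Println(Allowed(file, "marie", nil, List), Allowed(file, "marie", nil, Delete))
}
```

Because a stat or list response has to report the full set, every grant from the node up to the root is read once per request in this model.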

@butonic butonic requested a review from labkode as a code owner October 1, 2020 15:10
@butonic butonic self-assigned this Oct 1, 2020
@butonic butonic marked this pull request as draft October 1, 2020 15:11
@butonic butonic marked this pull request as ready for review October 2, 2020 15:02
@butonic butonic changed the title from "[WIP] ocis driver: enforce permissions" to "ocis driver: enforce permissions" Oct 2, 2020
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
butonic commented Oct 6, 2020

can be merged for now, rest will be fixed in subsequent PRs

@butonic butonic requested a review from refs October 6, 2020 06:14
@butonic butonic added the feature New feature label Oct 6, 2020
@labkode labkode merged commit 4a9be34 into cs3org:master Oct 6, 2020
@butonic butonic deleted the ocis-enforce-permissions branch October 6, 2020 11:43