Idea #18390
Updated by Peter Amstutz almost 3 years ago
“Frozen” project state is modeled with a new uuid attribute (database field) of Arvados projects called "frozen_by_uuid”. Users with “can_manage” permission are allowed to set "frozen_by_uuid" (which is set to that user). Once set, "frozen_by_uuid" state cannot be cleared, except by an admin. The "frozen" state applies recursively to everything owned by the project: collections, workflow provenance, etc. Objects owned by the project cannot be independently un-frozen (but they can be copied). To modify an object inside a frozen project, the entire project must first be un-frozen (which can only be done by admins). Objects that are frozen or are owned directly or indirectly by a project in the frozen state are read-only and cannot be modified by users that would normally have write permission, including admins. * Cannot create/move objects within a frozen project (owner_uuid of a create or update operation cannot be a frozen project) * Cannot move objects out of an frozen project (owner_uuid of frozen object cannot be changed) * Cannot update any other field on archived objects, e.g. “name”, “manifest_text” * Cannot delete objects owned by archived project or modify trash_at, delete_at * Cannot freeze a project that contains objects with “trash_at” or “delete_at” set (attempt to set “frozen” will return an error with at least one object uuid which is blocking freezing) * Cannot trash a project that contains frozen objects (attempt to set “trash_at” will return an error) * Users with “can_manage” permission can still control sharing (create and remove permission links for frozen objects) Make it configurable that in order to freeze a project, the description field or some other named properties must be non-empty. In order to freeze a project, update the "frozen_by_uuid" field to the current user. Any other value is rejected. An admin un-freezes a project by setting "frozen_by_uuid" to "" (empty string). "none". * optional parameter "dry_run" or "no_op" on the freeze project call which only checks if a project is valid to freeze, but does not commit the change ** the "dry_run" parameter provides a structured response either indicating the operation would be successful, or a list of reasons it would fail ** Returns a 200 response on success with content just {"uuid": "..."} and a 4xx response if the operation would fail * Trashed items in a frozen project are not returned with "include_trash" (should be explicitly filtered out from the call), from the user's perspective, trashed items in a frozen project are immediately gone, unless the project is un-frozen. The following Workbench 2 features will be implemented by the customer: * Add button to Workbench 2 enabling users to freeze a project (with warning). Workbench 2 will determine if an object or direct/indirect owner is frozen and adds an “Frozen” badge to the display. * Workbench 2 feature to assist in making a project valid to freeze: If items exist with “trash_at” or “delete_at”, prompt user if they want to un-trash all of them, or move them out of the project to be frozen.