Project

General

Profile

Groups Projects Ownership and Permissions Specification » History » Version 11

Tom Clegg, 08/07/2014 09:39 AM

1 1 Peter Amstutz
h1. Groups, Projects, Ownership and Permissions Specification
2
3 3 Peter Amstutz
h2. Permissions
4
5 6 Peter Amstutz
* There are four levels of permission, *none*, *can_read*, *can_write*, and *can_manage*.
6 9 Peter Amstutz
** *none* is the default state when there are no other permission grants
7
*** the object is not returned by any list query
8
*** direct queries of the object by uuid return 404 Not Found.
9 6 Peter Amstutz
*** Link objects require valid identifiers in @head_uuid@ or @tail_uuid@, so an attempt to create a Link that references an unreadable object will return an error indicating the object is not found
10
** *can_read* grants read-only access to the record.  Attempting to update the record returns an error.
11 1 Peter Amstutz
** *can_write* permits changes to content (but not metadata) fields of the record.  *can_write* also implies *can_read*
12
** *can_manage* permits the user to create permission links with @head_uuid@ set to this object.  *can_manage* also implies *can_write* and *can_read*
13
14 6 Peter Amstutz
h3. Questions
15
16
What level of permission is required to delete an Object?
17 4 Peter Amstutz
18 1 Peter Amstutz
h2. Ownership
19 3 Peter Amstutz
20 1 Peter Amstutz
* All Arvados objects have an @owner_uuid@ field.  Valid uuid types for @owner_uuid@ are "User" or "Group".
21 9 Peter Amstutz
* The User or Group specified by @owner_uuid@ has *can_manage* permission on the object.
22
** This permission is one way; if the owned object is also a User or Group, this does not confer any permission for the User or Group to access its @owner_uuid@
23
* In the UI, objects should be displayed as being contained within the @owner_uuid@ User or Group.
24
** A "Project" is a subtype of Group that indicates the group should be displayed in the "Projects" section of Workbench.
25 3 Peter Amstutz
26 5 Peter Amstutz
h3. Questions
27
28
Moving an object from Group A to Group B implies changing the @owner_uuid@ field from Group A to Group B.
29
30 11 Tom Clegg
* What permission is required on the object itself to change the @owner_uuid@ field? → can_write
31
* What permission is required on Group A to change the object @owner_uuid@ field so it no longer points to Group A?  This logically removes the object from Group A. → can_write
32
* What permission is required on Group B to set the object @owner_uuid@ field to Group B?  This logically adds the object to Group B. → can_write
33 5 Peter Amstutz
34 1 Peter Amstutz
h2. Permission links
35 3 Peter Amstutz
36 4 Peter Amstutz
A link object with
37 1 Peter Amstutz
38 4 Peter Amstutz
* @link_class@ "permission"
39
* @name@ one of *can_read*, *can_write* or *can_manage*
40 1 Peter Amstutz
* @head_uuid@ of some Arvados object
41 4 Peter Amstutz
* @tail_uuid@ of an User or Group
42
43
grants the @name@ permission for @tail_uuid@ accessing @head_uuid@
44
45 7 Peter Amstutz
h3. Question
46
47 9 Peter Amstutz
* Permission links, like any other Arvados object, have a @owner_uuid@ of the user that created them, so the user retains the ability to modify the permission link.
48 10 Peter Amstutz
* If another user has *can_manage* on some object, does this imply the ability to modify or delete permission links where the @head_uuid@ is the object?
49 7 Peter Amstutz
50 1 Peter Amstutz
h2. Transitive permissions
51 3 Peter Amstutz
52
* If a User *can_read* Group A, and Group A *can_read* group B, then User *can_read* Group B.
53 4 Peter Amstutz
* Permissions are narrowed to the least powerful permission on the path.
54 3 Peter Amstutz
** If User *can_write* Group A, and Group A *can_read* Group B, then User *can_read* Group B.
55 1 Peter Amstutz
** If User *can_read* Group A, and Group A *can_write* Group B, then User *can_read* Group B.
56 10 Peter Amstutz
57
h2. Special cases
58
59
* Log table objects are additionally readable based on whether the User has *can_read* permission on @object_uuid@ (User can access log history about objects it can read).  To retain the integrity of the log, *can_write* and *can_manage* should be denied to all users, including administrators.
60
* Permission links where @tail_uuid@ is a User permit @can_read@ on the link by that user.  (User can discover her own permission grants.)