X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/65e39827a56cab30d7c9fe526c5cfc23e5e930e8..eb7935aa925cee116bdc93a01eec499ed2457da7:/doc/api/permission-model.html.textile.liquid diff --git a/doc/api/permission-model.html.textile.liquid b/doc/api/permission-model.html.textile.liquid index f6878c0c92..a44d2eefa1 100644 --- a/doc/api/permission-model.html.textile.liquid +++ b/doc/api/permission-model.html.textile.liquid @@ -26,7 +26,7 @@ There are four levels of permission: *none*, *can_read*, *can_write*, and *can_m h2. Ownership -All Arvados objects have an @owner_uuid@ field. Valid uuid types for @owner_uuid@ are "User" and "Group". For Group, the @group_class@ must be a "project". +All Arvados objects have an @owner_uuid@ field. Valid uuid types for @owner_uuid@ are "User" and "Group". In the case of a Group, the @group_class@ must be "project". The User or Group specified by @owner_uuid@ has *can_manage* permission on the object. This permission is one way: an object that is owned does not get any special permissions on the User or Group that owns it. @@ -38,7 +38,7 @@ A permission link is a link object with: * @owner_uuid@ of the system user. * @link_class@ "permission" -* @name@ one of *can_read*, *can_write* or *can_manage* +* @name@ one of *can_read*, *can_write*, *can_manage* or *can_login* * @head_uuid@ of some Arvados object * @tail_uuid@ of a User or Group. For Group, the @group_class@ must be a "role". 
@@ -46,6 +46,8 @@ This grants the permission in @name@ for @tail_uuid@ accessing @head_uuid@. If a User has *can_manage* permission on some object, the user has the ability to read, create, update and delete permission links with @head_uuid@ of the managed object. In other words, the user has the ability to modify the permission grants on the object. +The *can_login* @name@ is only meaningful on a permission link with with @tail_uuid@ a user UUID and @head_uuid@ a Virtual Machine UUID. A permission link of this type gives the user UUID permission to log into the Virtual Machine UUID. The username for the VM is specified in the @properties@ field. Group membership can be specified that way as well, optionally. See the "VM login section on the 'User management at the CLI' page":{{ site.baseurl }}/admin/user-management-cli.html#vm-login for an example. + h3. Transitive permissions Permissions can be obtained indirectly through nested ownership (*can_manage*) or by following multiple permission links. 
@@ -61,9 +63,15 @@ h2. Projects and Roles A "project" is a subtype of Group that is displayed as a "Project" in Workbench, and as a directory by @arv-mount@. * A project can own things (appear in @owner_uuid@) * A project can be owned by a user or another project. -* The name of a project is unique only among projects with the same owner_uuid. +* The name of a project is unique only among projects and filters with the same owner_uuid. * Projects can be targets (@head_uuid@) of permission links, but not origins (@tail_uuid@). Putting a project in a @tail_uuid@ field is an error. +A "filter" is a subtype of Group that is displayed as a "Project" in Workbench, and as a directory by @arv-mount@. See "the groups API documentation":{{ site.baseurl }}/api/methods/groups.html for more information. +* A filter group cannot own things (cannot appear in @owner_uuid@). Putting a filter group in an @owner_uuid@ field is an error. +* A filter group can be owned by a user or a project. +* The name of a filter is unique only among projects and filters with the same owner_uuid. +* Filters can be targets (@head_uuid@) of permission links, but not origins (@tail_uuid@). Putting a filter in a @tail_uuid@ field is an error. + A "role" is a subtype of Group that is treated in Workbench as a group of users who have permissions in common (typically an organizational group). * A role cannot own things (cannot appear in @owner_uuid@). Putting a role in an @owner_uuid@ field is an error. * All roles are owned by the system user. 
@@ -100,7 +108,9 @@ A privileged user account exists for the use by internal Arvados components. Th h2. Anoymous user and group -An Arvados site may be configured to allow users to browse resources without requiring a login. In this case, permissions for non-logged-in users are associated with the "anonymous" user. To make objects visible to the public, they can be shared with the "anonymous" role. The anonymous user uuid is @{siteprefix}-tpzed-anonymouspublic@. The anonymous group uuid is @{siteprefix}-j7d0g-anonymouspublic@. +An Arvados site may be configured to allow users to browse resources without requiring a login. In this case, permissions for non-logged-in users are associated with the "anonymous" user. To make objects visible to anyone (both logged-in and non-logged-in users), they can be shared with the "anonymous" role. Note that objects shared with the "anonymous" user will only be visible to non-logged-in users! + +The anonymous user uuid is @{siteprefix}-tpzed-anonymouspublic@. The anonymous group uuid is @{siteprefix}-j7d0g-anonymouspublic@. h2. Example
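Review bot: In the first hunk (@@ -26), adding *can_login* to the @name@ list leaves it inconsistent with the unchanged context line "There are four levels of permission: *none*, *can_read*, *can_write*, and *can_manage*"; *can_login* is a link name, not a permission level, so say so here (e.g. "@name@ one of *can_read*, *can_write*, *can_manage*, or the special-purpose *can_login* described below") rather than letting the list silently grow to five entries while the intro still says four.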
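Review bot: In the second hunk (@@ -46) there is a doubled word in the new paragraph: "a permission link with with @tail_uuid@ a user UUID" should read "with @tail_uuid@ a user UUID". The same paragraph is vague about what goes in @properties@: "The username for the VM is specified in the @properties@ field. Group membership can be specified that way as well, optionally." should name the property keys (or at least say that the linked VM-login example shows them), since an admin granting shell access needs to know the exact keys. It is also worth stating explicitly that, per the preceding paragraph, anyone with *can_manage* on the Virtual Machine object can create these links and therefore grant login, so *can_manage* on a VM should be treated as equivalent to the ability to hand out shell accounts.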
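Review bot: In the third hunk (@@ -61) the new filter paragraph repeats the project description word for word ("a subtype of Group that is displayed as a "Project" in Workbench, and as a directory by @arv-mount@") and never says what distinguishes a filter group from a project, deferring entirely to the groups API page; add one sentence giving the distinction before the bullet list. The bullet "Filters can be targets (@head_uuid@) of permission links" also leaves open whether a permission granted on a filter group applies to the objects the filter shows or only to the filter object itself; since this is the permission-model page, state that explicitly so readers do not assume that sharing a filter shares its contents.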
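Review bot: In the fourth hunk (@@ -100) the heading in the context line is misspelled ("h2. Anoymous user and group") and should be fixed while this section is being touched. The new wording distinguishes sharing with the "anonymous" role (visible to everyone) from sharing with the "anonymous" user (visible only to non-logged-in users), but the following paragraph lists the two uuids without tying them to that distinction; say directly that "the anonymous role" is @{siteprefix}-j7d0g-anonymouspublic@ and "the anonymous user" is @{siteprefix}-tpzed-anonymouspublic@, so an admin sharing an object picks the right @tail_uuid@ on the first try.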