projects / arvados.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw (from parent 1: c12cef4)
Merge branch '19513-create-role-admin-only'
authorTom Clegg <tom@curii.com>
Tue, 6 Dec 2022 16:22:46 +0000 (11:22 -0500)
committerTom Clegg <tom@curii.com>
Tue, 6 Dec 2022 16:22:46 +0000 (11:22 -0500)
closes #19513

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>

doc/api/permission-model.html.textile.liquid patch | blob | history
doc/user/topics/arvados-sync-external-sources.html.textile.liquid patch | blob | history
lib/config/config.default.yml patch | blob | history
lib/config/export.go patch | blob | history
sdk/go/arvados/config.go patch | blob | history
services/api/app/models/group.rb patch | blob | history
services/api/config/arvados_config.rb patch | blob | history
services/api/test/unit/group_test.rb patch | blob | history

diff --git a/doc/api/permission-model.html.textile.liquid b/doc/api/permission-model.html.textile.liquid
index 1b3b6bb86984069bd684b4b72032d932c372abfd..2d589e2709e9b2fdd66e1fade52c747cc8752340 100644 (file)
--- a/doc/api/permission-model.html.textile.liquid
+++ b/doc/api/permission-model.html.textile.liquid
@@ -78,6 +78,7 @@ A "role" is a subtype of Group that is treated in Workbench as a group of users
 * The name of a role is unique across a single Arvados cluster.
 * Roles can be both targets (@head_uuid@) and origins (@tail_uuid@) of permission links.
 * By default, all roles are visible to all active users. However, if the configuration entry @Users.RoleGroupsVisibleToAll@ is @false@, visibility is determined by normal permission rules, _i.e._, a role is only visible to users who have that role, and to admins.
+* By default, any user can create a new role. However, if the configuration entry @Users.CanCreateRoleGroups@ is @false@, only admins can create roles.
 
 h3. Access through Roles
 
diff --git a/doc/user/topics/arvados-sync-external-sources.html.textile.liquid b/doc/user/topics/arvados-sync-external-sources.html.textile.liquid
index 0ec0098f053aa0b4d53c5a133bc00c1ed2325f58..53a79ea23eb6e2d4cf032d306702220176170260 100644 (file)
--- a/doc/user/topics/arvados-sync-external-sources.html.textile.liquid
+++ b/doc/user/topics/arvados-sync-external-sources.html.textile.liquid
@@ -65,6 +65,8 @@ Users can be identified by their email address or username: the tool will check
 
 Permission level can be one of the following: @can_read@, @can_write@ or @can_manage@, giving the group member read, read/write or managing privileges on the group. For backwards compatibility purposes, if any record omits the third (permission) field, it will default to @can_write@ permission. You can read more about permissions on the "group management admin guide":{{ site.baseurl }}/admin/group-management.html.
 
+When using @arvados-sync-groups@, consider setting @Users.CanCreateRoleGroups: false@ in your "cluster configuration":{{site.baseurl}}/admin/config.html to prevent users from creating additional groups.
+
 h2. Options
 
 The following command line options are supported:
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index f7c2beca3372f294bb16762d6f5366e7e989a84c..71d180b0e7ad09bb0c399fae3d2c8ac1d0b37a99 100644 (file)
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -373,6 +373,12 @@ Clusters:
       # cluster.
       RoleGroupsVisibleToAll: true
 
+      # If CanCreateRoleGroups is true, regular (non-admin) users can
+      # create new role groups.
+      #
+      # If false, only admins can create new role groups.
+      CanCreateRoleGroups: true
+
       # During each period, a log entry with event_type="activity"
       # will be recorded for each user who is active during that
       # period. The object_uuid attribute will indicate the user's
diff --git a/lib/config/export.go b/lib/config/export.go
index 814fc6cd9b9dfc6ab0fbea0d9e29715236a906bd..8b7a1749005864a917afd7f2aa6334c6d5c9c6af 100644 (file)
--- a/lib/config/export.go
+++ b/lib/config/export.go
@@ -237,6 +237,7 @@ var whitelist = map[string]bool{
        "Users.AutoSetupNewUsersWithRepository":               false,
        "Users.AutoSetupNewUsersWithVmUUID":                   false,
        "Users.AutoSetupUsernameBlacklist":                    false,
+       "Users.CanCreateRoleGroups":                           true,
        "Users.EmailSubjectPrefix":                            false,
        "Users.NewInactiveUserNotificationRecipients":         false,
        "Users.NewUserNotificationRecipients":                 false,
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index bc6aab298fdcab19991528c1949b9d7bbac5efaf..bfcc73f6f12886c6549c3e4a865231ed78724fad 100644 (file)
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
@@ -249,6 +249,7 @@ type Cluster struct {
                PreferDomainForUsername               string
                UserSetupMailText                     string
                RoleGroupsVisibleToAll                bool
+               CanCreateRoleGroups                   bool
                ActivityLoggingPeriod                 Duration
        }
        StorageClasses map[string]StorageClassConfig
diff --git a/services/api/app/models/group.rb b/services/api/app/models/group.rb
index e44e605b16b842e1bd5c4fbe61d7820ef62b8cff..85855fda97271a2cbfc855fef5d0862fa2a7122e 100644 (file)
--- a/services/api/app/models/group.rb
+++ b/services/api/app/models/group.rb
@@ -268,6 +268,18 @@ class Group < ArvadosModel
     end
   end
 
+  def permission_to_create
+    if !super
+      return false
+    elsif group_class == "role" &&
+       !Rails.configuration.Users.CanCreateRoleGroups &&
+       !current_user.andand.is_admin
+      raise PermissionDeniedError.new("this cluster does not allow users to create role groups")
+    else
+      return true
+    end
+  end
+
   def permission_to_update
     if !super
       return false
diff --git a/services/api/config/arvados_config.rb b/services/api/config/arvados_config.rb
index c0f7ee174fb65f8ef34d8502cc78d26e104f50ef..c47eeb55146221d0c9a06ce7fcfd006e0dcee626 100644 (file)
--- a/services/api/config/arvados_config.rb
+++ b/services/api/config/arvados_config.rb
@@ -106,6 +106,7 @@ arvcfg.declare_config "Users.UserNotifierEmailFrom", String, :user_notifier_emai
 arvcfg.declare_config "Users.UserNotifierEmailBcc", Hash
 arvcfg.declare_config "Users.NewUserNotificationRecipients", Hash, :new_user_notification_recipients, ->(cfg, k, v) { arrayToHash cfg, "Users.NewUserNotificationRecipients", v }
 arvcfg.declare_config "Users.NewInactiveUserNotificationRecipients", Hash, :new_inactive_user_notification_recipients, method(:arrayToHash)
+arvcfg.declare_config "Users.CanCreateRoleGroups", Boolean
 arvcfg.declare_config "Users.RoleGroupsVisibleToAll", Boolean
 arvcfg.declare_config "Login.LoginCluster", String
 arvcfg.declare_config "Login.TrustedClients", Hash
diff --git a/services/api/test/unit/group_test.rb b/services/api/test/unit/group_test.rb
index a3bcd4e3568acea466bc52a743cd108b59a8bcc0..a0c375a6f93c431dfe26c27e75a3deeff850cd90 100644 (file)
--- a/services/api/test/unit/group_test.rb
+++ b/services/api/test/unit/group_test.rb
@@ -532,4 +532,25 @@ update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}'
       assert proj.update_attributes(frozen_by_uuid: users(:active).uuid)
     end
   end
+
+  [
+    [false, :admin, true],
+    [false, :active, false],
+    [true, :admin, true],
+    [true, :active, true],
+    [true, :inactive, false],
+  ].each do |conf, user, allowed|
+    test "config.Users.CanCreateRoleGroups conf=#{conf}, user=#{user}" do
+      Rails.configuration.Users.CanCreateRoleGroups = conf
+      act_as_user users(user) do
+        if allowed
+          Group.create!(name: 'admin-created', group_class: 'role')
+        else
+          assert_raises(ArvadosModel::PermissionDeniedError) do
+            Group.create!(name: 'user-created', group_class: 'role')
+          end
+        end
+      end
+    end
+  end
 end