"previous: Upgrading from 2.3.0":#v2_3_0
+h3. Role groups are visible to all users by default
+
+The permission model has changed such that all role groups are visible to all active users. This enables users to share objects with groups they don't belong to. To preserve the previous behavior, where role groups are only visible to members and admins, add @RoleGroupsVisibleToAll: false@ to the @Users@ section of your configuration file.
+
h3. Default LSF arguments have changed
If you use LSF and your configuration specifies @Containers.LSF.BsubArgumentsList@, you should update it to include the new arguments (@"-R", "select[mem>=%MMB]", ...@, see "configuration reference":{{site.baseurl}}/admin/config.html). Otherwise, containers that are too big to run on any LSF host will remain in the LSF queue instead of being cancelled.
Thanks,
Your Arvados administrator.
+ # If RoleGroupsVisibleToAll is true, all role groups are visible
+ # to all active users.
+ #
+ # If false, users must be granted permission to role groups in
+ # order to see them. This is more appropriate for a multi-tenant
+ # cluster.
+ RoleGroupsVisibleToAll: true
+
AuditLogs:
# Time to keep audit logs, in seconds. (An audit log is a row added
# to the "logs" table in the PostgreSQL database each time an
"Users.UserNotifierEmailBcc": false,
"Users.UserProfileNotificationAddress": false,
"Users.UserSetupMailText": false,
+ "Users.RoleGroupsVisibleToAll": false,
"Volumes": true,
"Volumes.*": true,
"Volumes.*.*": false,
Thanks,
Your Arvados administrator.
+ # If RoleGroupsVisibleToAll is true, all role groups are visible
+ # to all active users.
+ #
+ # If false, users must be granted permission to role groups in
+ # order to see them. This is more appropriate for a multi-tenant
+ # cluster.
+ RoleGroupsVisibleToAll: true
+
AuditLogs:
# Time to keep audit logs, in seconds. (An audit log is a row added
# to the "logs" table in the PostgreSQL database each time an
UserProfileNotificationAddress string
PreferDomainForUsername string
UserSetupMailText string
+ RoleGroupsVisibleToAll bool
}
StorageClasses map[string]StorageClassConfig
Volumes map[string]Volume
direct_check = " OR " + direct_check
end
+ if Rails.configuration.Users.RoleGroupsVisibleToAll &&
+ sql_table == "groups" &&
+ users_list.select { |u| u.is_active }.any?
+ # All role groups are readable (but we still need the other
+ # direct_check clauses to handle non-role groups).
+ direct_check += " OR #{sql_table}.group_class = 'role'"
+ end
+
links_cond = ""
if sql_table == "links"
# 1) Match permission links incoming or outgoing on the
arvcfg.declare_config "Users.UserNotifierEmailBcc", Hash
arvcfg.declare_config "Users.NewUserNotificationRecipients", Hash, :new_user_notification_recipients, ->(cfg, k, v) { arrayToHash cfg, "Users.NewUserNotificationRecipients", v }
arvcfg.declare_config "Users.NewInactiveUserNotificationRecipients", Hash, :new_inactive_user_notification_recipients, method(:arrayToHash)
+arvcfg.declare_config "Users.RoleGroupsVisibleToAll", Boolean
arvcfg.declare_config "Login.LoginCluster", String
arvcfg.declare_config "Login.TrustedClients", Hash
arvcfg.declare_config "Login.RemoteTokenRefresh", ActiveSupport::Duration
class Arvados::V1::GroupsControllerTest < ActionController::TestCase
- test "attempt to delete group without read or write access" do
+ test "attempt to delete group that cannot be seen" do
+ Rails.configuration.Users.RoleGroupsVisibleToAll = false
authorize_with :active
post :destroy, params: {id: groups(:empty_lonely_group).uuid}
assert_response 404
end
+ test "attempt to delete group without read or write access" do
+ authorize_with :active
+ post :destroy, params: {id: groups(:empty_lonely_group).uuid}
+ assert_response 403
+ end
+
test "attempt to delete group without write access" do
authorize_with :active
post :destroy, params: {id: groups(:all_users).uuid}
end
end
+ [
+ [false, :inactive, :private_role, false],
+ [false, :spectator, :private_role, false],
+ [false, :admin, :private_role, true],
+ [true, :inactive, :private_role, false],
+ [true, :spectator, :private_role, true],
+ [true, :admin, :private_role, true],
+ # project (non-role) groups are invisible even when RoleGroupsVisibleToAll is true
+ [true, :inactive, :private, false],
+ [true, :spectator, :private, false],
+ [true, :admin, :private, true],
+ ].each do |visibleToAll, userFixture, groupFixture, visible|
+ test "with RoleGroupsVisibleToAll=#{visibleToAll}, #{groupFixture} group is #{visible ? '' : 'in'}visible to #{userFixture} user" do
+ Rails.configuration.Users.RoleGroupsVisibleToAll = visibleToAll
+ authorize_with userFixture
+ get :show, params: {id: groups(groupFixture).uuid, format: :json}
+ if visible
+ assert_response :success
+ else
+ assert_response 404
+ end
+ end
+ end
+
### trashed project tests ###
#
end
test "list readable groups with salted token" do
+ Rails.configuration.Users.RoleGroupsVisibleToAll = false
salted_token = salt_token(fixture: :active, remote: 'zbbbb')
get '/arvados/v1/groups',
params: {
end
test "manager user gets permission to minions' articles via can_manage link" do
+ Rails.configuration.Users.RoleGroupsVisibleToAll = false
Rails.configuration.Users.ActivatedUsersAreVisibleToOthers = false
manager = create :active_user, first_name: "Manage", last_name: "Er"
minion = create :active_user, first_name: "Min", last_name: "Ion"