From: Tom Clegg Date: Tue, 6 Dec 2022 16:22:46 +0000 (-0500) Subject: Merge branch '19513-create-role-admin-only' X-Git-Tag: 2.5.0~19 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/4823a1b88754ef8dc3a4fe3fcb549cb4e6f34246?hp=c12cef4f1f5b7092c0882705e9bb6b3e980d61e4 Merge branch '19513-create-role-admin-only' closes #19513 Arvados-DCO-1.1-Signed-off-by: Tom Clegg --- diff --git a/doc/api/permission-model.html.textile.liquid b/doc/api/permission-model.html.textile.liquid index 1b3b6bb869..2d589e2709 100644 --- a/doc/api/permission-model.html.textile.liquid +++ b/doc/api/permission-model.html.textile.liquid @@ -78,6 +78,7 @@ A "role" is a subtype of Group that is treated in Workbench as a group of users * The name of a role is unique across a single Arvados cluster. * Roles can be both targets (@head_uuid@) and origins (@tail_uuid@) of permission links. * By default, all roles are visible to all active users. However, if the configuration entry @Users.RoleGroupsVisibleToAll@ is @false@, visibility is determined by normal permission rules, _i.e._, a role is only visible to users who have that role, and to admins. +* By default, any user can create a new role. However, if the configuration entry @Users.CanCreateRoleGroups@ is @false@, only admins can create roles. h3. Access through Roles diff --git a/doc/user/topics/arvados-sync-external-sources.html.textile.liquid b/doc/user/topics/arvados-sync-external-sources.html.textile.liquid index 0ec0098f05..53a79ea23e 100644 --- a/doc/user/topics/arvados-sync-external-sources.html.textile.liquid +++ b/doc/user/topics/arvados-sync-external-sources.html.textile.liquid 
@@ -65,6 +65,8 @@ Users can be identified by their email address or username: the tool will check Permission level can be one of the following: @can_read@, @can_write@ or @can_manage@, giving the group member read, read/write or managing privileges on the group. For backwards compatibility purposes, if any record omits the third (permission) field, it will default to @can_write@ permission. You can read more about permissions on the "group management admin guide":{{ site.baseurl }}/admin/group-management.html. +When using @arvados-sync-groups@, consider setting @Users.CanCreateRoleGroups: false@ in your "cluster configuration":{{site.baseurl}}/admin/config.html to prevent users from creating additional groups. + h2. Options The following command line options are supported: diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml index f7c2beca33..71d180b0e7 100644 --- a/lib/config/config.default.yml +++ b/lib/config/config.default.yml @@ -373,6 +373,12 @@ Clusters: # cluster. RoleGroupsVisibleToAll: true + # If CanCreateRoleGroups is true, regular (non-admin) users can + # create new role groups. + # + # If false, only admins can create new role groups. + CanCreateRoleGroups: true + # During each period, a log entry with event_type="activity" # will be recorded for each user who is active during that # period. The object_uuid attribute will indicate the user's diff --git a/lib/config/export.go b/lib/config/export.go index 814fc6cd9b..8b7a174900 100644 --- a/lib/config/export.go +++ b/lib/config/export.go @@ -237,6 +237,7 @@ var whitelist = map[string]bool{ "Users.AutoSetupNewUsersWithRepository": false, "Users.AutoSetupNewUsersWithVmUUID": false, "Users.AutoSetupUsernameBlacklist": false, + "Users.CanCreateRoleGroups": true, "Users.EmailSubjectPrefix": false, "Users.NewInactiveUserNotificationRecipients": false, "Users.NewUserNotificationRecipients": false, 
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index bc6aab298f..bfcc73f6f1 100644
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
@@ -249,6 +249,7 @@ type Cluster struct {
 PreferDomainForUsername string
 UserSetupMailText string
 RoleGroupsVisibleToAll bool
+ CanCreateRoleGroups bool
 ActivityLoggingPeriod Duration
 }
 StorageClasses map[string]StorageClassConfig
diff --git a/services/api/app/models/group.rb b/services/api/app/models/group.rb
index e44e605b16..85855fda97 100644
--- a/services/api/app/models/group.rb
+++ b/services/api/app/models/group.rb
@@ -268,6 +268,18 @@ class Group < ArvadosModel
 end
 end

+ def permission_to_create
+ if !super
+ return false
+ elsif group_class == "role" &&
+ !Rails.configuration.Users.CanCreateRoleGroups &&
+ !current_user.andand.is_admin
+ raise PermissionDeniedError.new("this cluster does not allow users to create role groups")
+ else
+ return true
+ end
+ end
+
 def permission_to_update
 if !super
 return false
diff --git a/services/api/config/arvados_config.rb b/services/api/config/arvados_config.rb
index c0f7ee174f..c47eeb5514 100644
--- a/services/api/config/arvados_config.rb
+++ b/services/api/config/arvados_config.rb
@@ -106,6 +106,7 @@ arvcfg.declare_config "Users.UserNotifierEmailFrom", String, :user_notifier_emai
 arvcfg.declare_config "Users.UserNotifierEmailBcc", Hash
 arvcfg.declare_config "Users.NewUserNotificationRecipients", Hash, :new_user_notification_recipients, ->(cfg, k, v) { arrayToHash cfg, "Users.NewUserNotificationRecipients", v }
 arvcfg.declare_config "Users.NewInactiveUserNotificationRecipients", Hash, :new_inactive_user_notification_recipients, method(:arrayToHash)
+arvcfg.declare_config "Users.CanCreateRoleGroups", Boolean
 arvcfg.declare_config "Users.RoleGroupsVisibleToAll", Boolean
 arvcfg.declare_config "Login.LoginCluster", String
 arvcfg.declare_config "Login.TrustedClients", Hash
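Review bot: The new permission_to_create gates creation only, so the restriction holds only if group_class cannot later be switched to "role" through an update; permission_to_update starts at the end of this hunk but its body, and any validation that makes group_class immutable, are outside it, so please confirm that or apply the same condition there. Inside the method, the inherited denial is reported with `return false` while the role case raises directly; if a specific message is wanted, `raise PermissionDeniedError, "this cluster does not allow users to create role groups"` is the idiomatic form and keeps the message byte-identical. A short header comment would also help the next reader, e.g. `# Non-admins may create role groups only when Users.CanCreateRoleGroups is enabled; other group classes are unaffected.`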
diff --git a/services/api/test/unit/group_test.rb b/services/api/test/unit/group_test.rb
index a3bcd4e356..a0c375a6f9 100644
--- a/services/api/test/unit/group_test.rb
+++ b/services/api/test/unit/group_test.rb
@@ -532,4 +532,25 @@ update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}'
 assert proj.update_attributes(frozen_by_uuid: users(:active).uuid)
 end
 end
+
+ [
+ [false, :admin, true],
+ [false, :active, false],
+ [true, :admin, true],
+ [true, :active, true],
+ [true, :inactive, false],
+ ].each do |conf, user, allowed|
+ test "config.Users.CanCreateRoleGroups conf=#{conf}, user=#{user}" do
+ Rails.configuration.Users.CanCreateRoleGroups = conf
+ act_as_user users(user) do
+ if allowed
+ Group.create!(name: 'admin-created', group_class: 'role')
+ else
+ assert_raises(ArvadosModel::PermissionDeniedError) do
+ Group.create!(name: 'user-created', group_class: 'role')
+ end
+ end
+ end
+ end
+ end
 end
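Review bot: None of the table rows creates a non-role group while CanCreateRoleGroups is false, so a regression that drops the `group_class == "role"` condition and blocks all group creation would still pass; in the `[false, :active, false]` case (or a separate test) also assert that `Group.create!(name: 'project-created', group_class: 'project')` succeeds for users(:active). The assignment `Rails.configuration.Users.CanCreateRoleGroups = conf` is never restored; unless the test harness resets configuration between tests, which is not visible here, the value leaks into later tests, so saving the previous value and restoring it in an `ensure` would make the suite order-independent. The fixed name 'admin-created' is also used when users(:active) is the creator, so a neutral name such as 'role-created' would read better.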