qos: add flag to enable/disable role based authorization for transitions

Motivation: in some deployments, when almost all users are allowed to perform QoS transitions a per-user or per-group access control makes no sense anymore and created an addition configuration overhead (for example, when user mapping comes from LDAP) Modification: introduce a global enable/disable switch for role based authorization Result: Admins have a possibility to disable RBAC Fixes: #7498 Acked-by: Target: master, 9.2, 10.0 Require-book: no Require-notes: yes (cherry picked from commit d26b9ae) Signed-off-by: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
dCache · Apr 2, 2024 · 4f8f209 · 4f8f209
1 parent 92c2350
commit 4f8f209
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 3 deletions.
diff --git a/...qos/src/main/java/org/dcache/qos/services/engine/provider/ALRPStorageUnitQoSProvider.java b/...qos/src/main/java/org/dcache/qos/services/engine/provider/ALRPStorageUnitQoSProvider.java
@@ -100,6 +100,7 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 import org.dcache.vehicles.FileAttributes;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Required;
 
 /**
  * Standard provisioning of (fixed) file requirements.  Uses access latency, retention policy, and
@@ -136,6 +137,11 @@ public class ALRPStorageUnitQoSProvider implements QoSRequirementsProvider, Cell
     private CellStub pnfsManager;
     private PoolMonitor poolMonitor;
 
+    /**
+     * Whether users require a QoS role to perform a transition.
+     */
+    private boolean enableRoles;
+
     public synchronized void messageArrived(SerializablePoolMonitor poolMonitor) {
         setPoolMonitor(poolMonitor);
     }
@@ -305,7 +311,7 @@ protected void modifyRequirements(PnfsId pnfsId, FileAttributes currentAttribute
             modifiedAttributes.setRetentionPolicy(REPLICA);
         }
 
-        if (canModifyQos(subject, currentAttributes)) {
+        if (canModifyQos(subject, isEnableRoles(), currentAttributes)) {
             pnfsHandler().setFileAttributes(pnfsId, modifiedAttributes);
         } else {
             throw new PermissionDeniedCacheException("User does not have permissions to set "
@@ -374,4 +380,13 @@ private FileAttributes validateAttributes(FileQoSUpdate update) throws QoSExcept
               attributes.getLocations());
         return attributes;
     }
+
+    public boolean isEnableRoles() {
+        return enableRoles;
+    }
+
+    @Required
+    public void setEnableRoles(boolean enableRoles) {
+        this.enableRoles = enableRoles;
+    }
 }
diff --git a/...che-qos/src/main/java/org/dcache/qos/services/engine/provider/PolicyBasedQoSProvider.java b/...che-qos/src/main/java/org/dcache/qos/services/engine/provider/PolicyBasedQoSProvider.java
@@ -216,7 +216,7 @@ public void handleModifiedRequirements(FileQoSRequirements newRequirements, Subj
             modifiedAttributes.setQosState(newRequirements.getRequiredQoSStateIndex());
         }
 
-        if (canModifyQos(subject, currentAttributes)) {
+        if (canModifyQos(subject, isEnableRoles(), currentAttributes)) {
             pnfsHandler().setFileAttributes(pnfsId, modifiedAttributes);
         } else {
             throw new PermissionDeniedCacheException("User does not have permissions to set "

diff --git a/modules/dcache-qos/src/main/java/org/dcache/qos/util/QoSPermissionUtils.java b/modules/dcache-qos/src/main/java/org/dcache/qos/util/QoSPermissionUtils.java
@@ -78,9 +78,11 @@ public class QoSPermissionUtils {
      * do not need checking.
      *
      * @param subject of the message received.
+     * @param useRoles if true, use roles to determine if the user can modify qos.
      * @param attributes with OWNER and OWNER_GROUP defined.
      */
-    public static boolean canModifyQos(Subject subject, FileAttributes attributes) {
+    public static boolean canModifyQos(Subject subject, boolean useRoles, FileAttributes attributes) {
+
         if (subject == null) {
             /*
              * with 9.2, the subject is no longer retrieved from the database.
@@ -89,6 +91,13 @@ public static boolean canModifyQos(Subject subject, FileAttributes attributes) {
             return false;
         }
 
+        if (!useRoles) {
+            /*
+             *  If we are not using roles, then all users can modify QoS.
+             */
+            return true;
+        }
+
         Set<Principal> principals = subject.getPrincipals();
 
         for (Iterator<Principal> i = principals.iterator(); i.hasNext(); ) {

diff --git a/modules/dcache-qos/src/main/resources/org/dcache/qos/qos-engine.xml b/modules/dcache-qos/src/main/resources/org/dcache/qos/qos-engine.xml
@@ -170,6 +170,7 @@
       <property name="pnfsManager" ref="pnfs-manager"/>
       <property name="cache" ref="policy-cache"/>
       <property name="engineDao" ref="engine-dao"/>
+      <property name="enableRoles" value="${qos.require-roles}" />
       <!-- pool monitor is received via message -->
     </bean>
 

diff --git a/skel/share/defaults/qos.properties b/skel/share/defaults/qos.properties
@@ -157,6 +157,12 @@ qos.service.scanner.timeout=1
 qos.service.verification.timeout=1
 (one-of?MILLISECONDS|SECONDS|MINUTES|HOURS|DAYS)qos.service.verification.timeout.unit=MINUTES
 
+#
+# Whether users require a QoS role to perform a transition.
+#
+(one-of?true|false)qos.require-roles=true
+
+
 (obsolete)qos.adjuster.cell.consume=use qos-adjuster.cell.consume
 (obsolete)qos.adjuster.cell.name=use qos-adjuster.cell.name
 (obsolete)qos.db.verifier.connections.idle=use qos-verifier.db.connections.idle