Commit
pnfsmanager: allow restricted user with UPLOAD to create parent directories

Motivation:

When creating a macaroon to allow uploading of data, the desired path may not already exist. Without restrictions, WebDAV will auto-create parent directory items that are missing, or the client can create these directory elements explicitly with MKCOL. With restrictions (such as from a macaroon) such directory creation currently requires the MANAGE activity. However, MANAGE activity also allows the user to create unrelated directories, delete directories, rename existing data, move data around, which is undesirable if the user should be allowed only to upload data.

Modification:

Update restrictions to allow the discovery of whether child paths are restricted. Update permissions test to avoid the MANAGE restriction check if the user is allowed to upload a child element.

Result:

A user with a macaroon that authorises them to upload data into a particular directory will be able to create parent directories to achieve uploading the data.

Note:

1. The user cannot create the target path as a directory, only ancestor directories. The path is interpreted as the path of a single file. If multiple files should be authorised then the path should already exist as a directory.
2. If the macaroon has no path restriction then the user can create directories throughout dCache. This is similar to how such a user is able to upload data anywhere in dCache.
3. There is no distinction between directories created with MKCOL and those created automatically with a PUT request.

Target: master
Request: 4.2
Request: 4.1
Request: 4.0
Request: 3.2
Ticket: http://rt.dcache.org/Ticket/Display.html?id=9503
Require-notes: yes
Require-book: yes
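The directory-creation rule the commit message describes (MANAGE on the path itself, or else an UPLOAD-permitted path strictly below it) as an added illustrative model in Python; this is not dCache code, and MacaroonRestriction, may_create_directory and the sample paths are my own. It assumes a macaroon's caveats can be modelled as an allowed-activity set plus path prefixes compared component by component, and that a macaroon with no path caveat permits children everywhere (note 2), which deliberately differs from the empty PrefixRestriction in the new tests.

```python
from enum import Enum, auto


class Activity(Enum):
    LIST = auto()
    UPLOAD = auto()
    MANAGE = auto()


def _parts(path):
    """Split "/foo/bar" into ("foo", "bar"); the root "/" becomes ()."""
    return tuple(p for p in path.split("/") if p)


class MacaroonRestriction:
    """Model (not dCache's class) of a macaroon's caveats: allowed activities
    plus optional path prefixes.  No prefixes means no path caveat (note 2)."""

    def __init__(self, allowed, *prefixes):
        self._allowed = set(allowed)
        self._prefixes = [_parts(p) for p in prefixes]

    def is_restricted(self, activity, path):
        if activity not in self._allowed:
            return True
        if not self._prefixes:
            return False
        p = _parts(path)
        # Whole components are compared, so "/foo/barbaz" is not under "/foo/bar".
        return not any(p[:len(pre)] == pre for pre in self._prefixes)

    def has_unrestricted_child(self, activity, parent):
        """True if an allowed path lies strictly below ``parent``."""
        if activity not in self._allowed:
            return False
        if not self._prefixes:
            return True
        par = _parts(parent)
        return any(len(pre) > len(par) and pre[:len(par)] == par
                   for pre in self._prefixes)


def may_create_directory(restriction, path):
    """mkdir decision from the commit message: MANAGE on the path itself, or an
    UPLOAD-permitted path strictly below it; the upload target itself never
    qualifies (note 1), so only ancestor directories can be created."""
    if not restriction.is_restricted(Activity.MANAGE, path):
        return True
    return restriction.has_unrestricted_child(Activity.UPLOAD, path)
```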
1 parent 32a1669, commit ececd78
Showing 9 changed files with 177 additions and 2 deletions.
modules/common/src/test/java/org/dcache/auth/attributes/PrefixRestrictionTest.java: 87 changes (87 additions & 0 deletions)
@@ -0,0 +1,87 @@ | ||
/* dCache - http://www.dcache.org/ | ||
* | ||
* Copyright (C) 2018 Deutsches Elektronen-Synchrotron | ||
* | ||
* This program is free software: you can redistribute it and/or modify | ||
* it under the terms of the GNU Affero General Public License as | ||
* published by the Free Software Foundation, either version 3 of the | ||
* License, or (at your option) any later version. | ||
* | ||
* This program is distributed in the hope that it will be useful, | ||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
* GNU Affero General Public License for more details. | ||
* | ||
* You should have received a copy of the GNU Affero General Public License | ||
* along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
*/ | ||
package org.dcache.auth.attributes; | ||
|
||
import org.junit.Test; | ||
|
||
import diskCacheV111.util.FsPath; | ||
|
||
import static org.dcache.auth.attributes.Activity.LIST; | ||
import static org.hamcrest.Matchers.equalTo; | ||
import static org.hamcrest.Matchers.is; | ||
import static org.junit.Assert.*; | ||
|
||
public class PrefixRestrictionTest | ||
{ | ||
@Test | ||
public void shouldNotHaveUnrestrictedChildFromRootForEmptyPrefix() | ||
{ | ||
Restriction r = new PrefixRestriction(); | ||
|
||
assertThat(r.hasUnrestrictedChild(LIST, FsPath.ROOT), is(equalTo(false))); | ||
} | ||
|
||
|
||
@Test | ||
public void shouldNotHaveUnrestrictedChildFromPathForEmptyPrefix() | ||
{ | ||
Restriction r = new PrefixRestriction(); | ||
|
||
assertThat(r.hasUnrestrictedChild(LIST, FsPath.create("/foo/bar")), is(equalTo(false))); | ||
} | ||
|
||
@Test | ||
public void shouldHaveUnrestrictedChildFromRootForSinglePrefix() | ||
{ | ||
Restriction r = new PrefixRestriction(FsPath.create("/foo/bar")); | ||
|
||
assertThat(r.hasUnrestrictedChild(LIST, FsPath.ROOT), is(equalTo(true))); | ||
} | ||
|
||
@Test | ||
public void shouldHaveUnrestrictedChildFromParentForSinglePrefix() | ||
{ | ||
Restriction r = new PrefixRestriction(FsPath.create("/foo/bar")); | ||
|
||
assertThat(r.hasUnrestrictedChild(LIST, FsPath.create("/foo")), is(equalTo(true))); | ||
} | ||
|
||
@Test | ||
public void shouldHaveUnrestrictedChildFromSameDirForSinglePrefix() | ||
{ | ||
Restriction r = new PrefixRestriction(FsPath.create("/foo/bar")); | ||
|
||
assertThat(r.hasUnrestrictedChild(LIST, FsPath.create("/foo/bar")), is(equalTo(false))); | ||
} | ||
|
||
@Test | ||
public void shouldHaveUnrestrictedChildFromSiblingDirForSinglePrefix() | ||
{ | ||
Restriction r = new PrefixRestriction(FsPath.create("/foo/bar")); | ||
|
||
assertThat(r.hasUnrestrictedChild(LIST, FsPath.create("/foo/baz")), is(equalTo(false))); | ||
} | ||
|
||
@Test | ||
public void shouldHaveUnrestrictedChildFromChildForSinglePrefix() | ||
{ | ||
Restriction r = new PrefixRestriction(FsPath.create("/foo/bar")); | ||
|
||
assertThat(r.hasUnrestrictedChild(LIST, FsPath.create("/foo/bar/baz")), is(equalTo(false))); | ||
} | ||
} |
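Review bot: the three negative cases at the end of this file are named shouldHaveUnrestrictedChildFromSameDirForSinglePrefix, shouldHaveUnrestrictedChildFromSiblingDirForSinglePrefix and shouldHaveUnrestrictedChildFromChildForSinglePrefix but assert `is(equalTo(false))`; rename them shouldNotHaveUnrestrictedChild... so that a failing test reads as what it checks. Two cases that the security argument in the commit message rests on are not covered: a parent that is a string prefix but not a path prefix of the restriction, e.g. `FsPath.create("/foo/ba")` against prefix `/foo/bar`, which must return false if the comparison is done per path component rather than on the string; and a restriction constructed with more than one prefix, since every test here uses a single prefix. All assertions also use only the LIST activity, while the change is motivated by UPLOAD, so one case with `Activity.UPLOAD` would tie the test to the behaviour being introduced.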
Maybe I just don't understand it, but to me this sounds like a security issue.
If a user has, say, upload permissions into /foo/bar/atlas/users/john.doe but only /foo/bar/atlas/ exists, it would also create /foo/bar/atlas/users/ and /foo/bar/atlas/users/john.doe.
Who'd be the owner of these? The UID/GID the user is mapped into? That would at least be my assumption.
As further users are created below /foo/bar/atlas/users/, john.doe would ultimately be the owner of all these... at least he could probably delete any file below /foo/bar/atlas/users/ as he owns the dir.
Or do I miss something? :D
Cheers,
Chris
Hi Chris,
restriction to UPLOAD is not the same as access right to delete.
With option pnfsmanager.enable.inherit-file-ownership=true you can force dCache to use uid/gid of the parent directory when subdirectories are created.