Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement support for deny ACLs #1798

Closed
wants to merge 56 commits into from
Closed

Implement support for deny ACLs #1798

wants to merge 56 commits into from

Conversation

glpatcern
Copy link
Member

@glpatcern glpatcern commented Jun 16, 2021
edited
Loading

This is still work in progress, but we thought to expose it earlier to gather feedback. Fixes #1792.

The important aspect especially for ownCloud is that now an empty permission set (equivalent to '' in WebDAV terms, and 0 for the integer representation) is considered valid. So the introduced change does not break the existing APIs but does represent a breaking change from a semantic point of view.

EDIT: to avoid breaking any existing assumption, the denial permission gets for now a different bit, PermissionNone. PermissionInvalid is still defined as 0.

@glpatcern glpatcern added the feature New feature label Jun 16, 2021
@glpatcern glpatcern requested a review from labkode as a code owner June 16, 2021 12:45
@update-docs
Copy link

update-docs bot commented Jun 16, 2021

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

@glpatcern glpatcern marked this pull request as draft June 16, 2021 12:45
labkode
labkode reviewed Jun 21, 2021
View reviewed changes
pkg/eosclient/eosclient.go Outdated Show resolved Hide resolved
@glpatcern glpatcern force-pushed the denyacl branch 2 times, most recently from cd8764b to 7842ce6 Compare June 23, 2021 08:04
@lgtm-com
Copy link

lgtm-com bot commented Jun 23, 2021

This pull request fixes 20 alerts when merging 532ae59 into b54b159 - view on LGTM.com

fixed alerts:

  • 20 for Uncontrolled data used in path expression

glpatcern and others added 15 commits June 24, 2021 14:11
@glpatcern
Add PermissionNone as a full deny ACL. PermissionInvalid represents…
65877bc 
… an invalid

permission, though its value does correspond to no permissions.
@gmgigi96 @glpatcern
GetACLPerm provide a string of all permission set to deny with a "den…
55406d3 
…y all" ResourcePermissions
@gmgigi96 @glpatcern
Add cmp package
d9056ad
@gmgigi96 @glpatcern
Add methods to manage list of grants
39724c8
@gmgigi96 @glpatcern
Add SetACLs method to add (not) atomically a list of acls
1cb02e6
@gmgigi96 @glpatcern
Modified behaviour of eosfs.AddGrant, to support denial permissions (…
0e060dc 
…not atomically)
@gmgigi96 @glpatcern
Add some tests for denial ACLs
e6303ab
@gmgigi96 @glpatcern
Add dependency for tests
d97fe82
@gmgigi96 @glpatcern
Add directory for tests in homecanary
b585ecc
@gmgigi96 @glpatcern
Add error check for AddGrant method and add user in context in ACLs t…
b412ab9 
…ests
@glpatcern
Added changelog
53c477e
@gmgigi96 @glpatcern
Fix for AddGrant when adding a grant for an existing grantee
2fc45ab
@gmgigi96 @glpatcern
Add Grants tests
2183872
@gmgigi96 @glpatcern
Add deepcopy dependency for test
1608328
@gmgigi96 @glpatcern
Fix eosfs with new changes in Grants
0968c63
glpatcern
glpatcern commented Jul 1, 2021
View reviewed changes
cmd/reva/common.go Outdated Show resolved Hide resolved
@labkode
Copy link
Member

labkode commented Jul 1, 2021
edited
Loading

@glpatcern @gmgigi96 I'm looking for a better alternative for GetOwners.
This new method sets a new dependency with the gateway service that was not there before.
With this change the storage providers needs to know where the gateway service is to query group information.
This means to also add this configuration change to our deployment in every storage provider.
We can do better.

While I'm looking how to add this logic into gateway layer reusing the permission set from the FileInfo and pass it down from the gateway to the storage provider you can replicate this PR against https://github.com/cernbox/reva@qa so we can merge it there and deploy it in our QA infra.

EDIT: just did cernbox#3
I'll merge it, but please do a quick review (nothing changes compared to this one)

labkode and others added 18 commits July 1, 2021 15:51
@labkode
eos: do not hardcode eos binary location
8adb70a
@labkode
eos: revert me later: force eos set attr for acls
f9a2ddd
@SamuAlfageme
CI: fix the path for the reva Dockerfile on .drone.star (cs3org#1843)
e016d78
@SamuAlfageme
CI: use golang:alpine3.13 as builder/base to prevent make errors (cs3…
eb6460e 
…org#1844)
@saw-jan
[tests-only] Bump core commit id for tests (cs3org#1840)
dc58ab6
@dependabot
[Build-deps]: Bump google.golang.org/grpc from 1.38.0 to 1.39.0 (cs3o…
6887833 
…rg#1845)
@jasson99
adjust expectedfailues for remaining closed issues (cs3org#1823)
01e8b2a
@dependabot
[Build-deps]: Bump google.golang.org/protobuf from 1.27.0 to 1.27.1 (c…
68262a3 
…s3org#1839)
@Daniel-WWU-IT
Add API key to Mentix GOCDB connector (cs3org#1834)
924602b
@ishank011
Use golang:alpine3.13 for revad-eos docker image (cs3org#1847)
8a28d0b
@michielbdejong
[docs-only] Some more details about the tests system, fix cs3org#1836 (
8634a12 
…cs3org#1837)
@butonic
LDAP: numeric uid/gid fallback to nobody(99) (cs3org#1848)
79694d1
@dependabot
[Build-deps]: Bump github.com/rs/cors from 1.7.0 to 1.8.0 (cs3org#1851)
cd34c57
@dependabot
[Build-deps]: Bump github.com/minio/minio-go/v7 from 7.0.11 to 7.0.12 (
91e6fcc 
…cs3org#1853)
@gmgigi96
Wrap ref to have full path
0459330
@gmgigi96
Add status check to group response
a8d9d26
@gmgigi96
Fix EOS attr deserialization
37656bf
@glpatcern
Renamed "coowner" to "collaborator". To be reviewed once the role def…
2187419 
…initions are refactored and consolidated in a single place
hound[bot]
hound bot reviewed Jul 6, 2021
View reviewed changes
pkg/storage/utils/decomposedfs/decomposedfs.go
@@ -234,6 +236,10 @@ func (fs *Decomposedfs) GetPathByID(ctx context.Context, id *provider.ResourceId
return fs.lu.Path(ctx, node)
}

func (fs *Decomposedfs) GetOwners(ctx context.Context, ref *provider.Reference) (*grouppb.Group, error) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

exported method Decomposedfs.GetOwners should have comment or be unexported

hound[bot]
hound bot reviewed Jul 6, 2021
View reviewed changes
pkg/storage/utils/decomposedfs/decomposedfs.go
@@ -234,6 +236,10 @@ func (fs *Decomposedfs) GetPathByID(ctx context.Context, id *provider.ResourceId
return fs.lu.Path(ctx, node)
}

func (fs *Decomposedfs) GetOwners(ctx context.Context, ref *provider.Reference) (*grouppb.Group, error) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

exported method Decomposedfs.GetOwners should have comment or be unexported

@labkode
Copy link
Member

labkode commented Jul 19, 2021

Superseded by #1856

@labkode labkode closed this Jul 19, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gmgigi96 gmgigi96 gmgigi96 left review comments

@hound hound[bot] hound[bot] left review comments

@labkode labkode labkode left review comments

@diocas diocas Awaiting requested review from diocas diocas will be requested when the pull request is marked ready for review diocas is a code owner

@jessegeens jessegeens Awaiting requested review from jessegeens jessegeens will be requested when the pull request is marked ready for review jessegeens is a code owner

Assignees

@glpatcern glpatcern

@gmgigi96 gmgigi96

Labels
feature New feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support full denial as permission
10 participants
@glpatcern @labkode @gmgigi96 @SamuAlfageme @saw-jan @jasson99 @Daniel-WWU-IT @ishank011 @michielbdejong @butonic