
Add support for storage path permissions in API

Open tcibinan opened this issue 4 years ago • 0 comments

Relates to #2132.

The pull request brings support for ACL-like permissions on data storage paths. From now on, permission masks can be set for any file or directory in a data storage for any user or group, which will affect data storage operations performed via API and GUI.

Storage path permissions act almost the same way as Cloud Pipeline tree permissions do. This means that:

  • child paths inherit parent path permissions
  • child paths override parent path permissions
  • parent paths gain synthetic read permissions in case child paths have read permissions

Notice that this pull request brings permissions support only to the API module. Support in pipe cli and pipe fuse shall be introduced in separate pull requests.

Configuration

The following application property can be used to configure storage path permissions:

  • data.storage.path.permissions.enabled enables storage path permissions. It can be used to temporarily disable storage path permissions, e.g. for performance testing. It can also be configured via the CP_DATA_STORAGE_PATH_PERMISSIONS_ENABLED property in the Kubernetes config map.

Performance

The following testing scenarios were performed in Cloud Pipeline GUI in order to check if overall visual responsiveness is tolerable:

  • listing a folder with 1k effective immediate permissions
  • listing a folder with 25k non-effective immediate permissions
  • traversing through a data storage with 100k non-effective permissions

Effective permissions are those which affect the current user, i.e. permissions set directly for a user or for any group that the user is a part of. In all the scenarios above the overall visual experience was fine. It seems that non-effective permissions don't have any visible effect on the listing performance, and effective permissions seem to work without any visible effect up to at least 1k effective permissions in a current folder.

API

The following API methods can be used to:

  • Add storage path permissions
PUT /storage/permission/batch/upsert
{
  "id": 1,
  "type": "DATA_STORAGE",
  "requests": [
    {
      "path": "string",
      "type": "FILE/FOLDER",
      "sid": {
        "name": "string",
        "type": "USER/GROUP"
      },
      "mask": 0
    }
  ]
}
  • Delete storage path permissions
DELETE /storage/permission/batch/delete
{
  "id": 1,
  "type": "DATA_STORAGE",
  "requests": [
    {
      "path": "string",
      "type": "FILE/FOLDER",
      "sid": {
        "name": "string",
        "type": "USER/GROUP"
      }
    }
  ]
}
  • Load storage path permissions
POST /storage/permission/batch/load
{
  "id": 1,
  "type": "DATA_STORAGE",
  "requests": [
    {
      "path": "string",
      "type": "FILE/FOLDER"
    }
  ]
}

RESPONSE
{
  "payload": [
    {
      "path": "string",
      "type": "FILE/FOLDER",
      "sid": {
        "name": "string",
        "type": "USER/GROUP"
      },
      "mask": 0,
      "created": "2021-08-16 13:00:48.597"
    }
  ],
  "status": "OK"
}
  • List data storage items with permissions mask
GET datastorage/{id}/list/page?path={path}

RESPONSE
{
  "payload": {
    "nextPageMarker": "string",
    "mask": 0,
    "results": [
      {
        "name": "string",
        "path": "string",
        "type": "File/Folder",
        "mask": 0
      }
    ]
  },
  "status": "OK"
}

tcibinan • Aug 16 '21 18:08
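
The three inheritance rules from the description (inherit, override, synthetic read on parents), as an added example that is not Cloud Pipeline's code. The READ/WRITE bit values, the OR-ing of user and group masks set on the same path, the default of 0 when nothing is set, and all sample paths and SIDs are assumptions made for illustration.

```python
from pathlib import PurePosixPath

READ, WRITE = 0b01, 0b10  # assumed bit layout; the page does not define mask bits

# Constructed sample entries: (path, sid name, sid type, mask)
ENTRIES = [
    ("projects", "ROLE_ANALYSTS", "GROUP", READ | WRITE),
    ("projects/secret", "ROLE_ANALYSTS", "GROUP", 0),       # child overrides parent
    ("archive/2021/reports/q3.csv", "alice", "USER", READ),
]

def _applies(entry, user, groups):
    """An entry is 'effective' if it names the user or one of the user's groups."""
    _, name, sid_type, _ = entry
    return name == user if sid_type == "USER" else name in groups

def _own_mask(path, user, groups, entries):
    """OR of effective masks set directly on `path`; None if no entry exists."""
    masks = [e[3] for e in entries if e[0] == path and _applies(e, user, groups)]
    if not masks:
        return None
    combined = 0
    for m in masks:
        combined |= m  # assumption: user and group masks on one path are OR-ed
    return combined

def effective_mask(path, user, groups, entries=ENTRIES):
    node = PurePosixPath(path)
    mask = 0  # assumption: no entry anywhere in the chain means no access
    # Rules 1 and 2: walk up from the path; the nearest entry wins.
    for candidate in [node, *node.parents]:
        if str(candidate) == ".":
            break
        own = _own_mask(str(candidate), user, groups, entries)
        if own is not None:
            mask = own
            break
    # Rule 3: a readable descendant gives this path a synthetic READ bit.
    prefix = str(node) + "/"
    for e in entries:
        if e[0].startswith(prefix) and _applies(e, user, groups) and e[3] & READ:
            mask |= READ
    return mask

if __name__ == "__main__":
    for p, u, g in [("projects/data/file.txt", "bob", {"ROLE_ANALYSTS"}),
                    ("projects/secret/key.pem", "bob", {"ROLE_ANALYSTS"}),
                    ("archive/2021", "alice", set())]:
        print(p, u, effective_mask(p, u, g))
```

When reviewing grants, note that the third case makes every ancestor of a readable file readable for that user, while sibling paths with no entry of their own still resolve to 0.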