cloud-pipeline
Allow to grant user/group permissions on storage paths
Background
At the moment, Cloud Pipeline does not allow granting permissions directly on a storage path, and it would be nice to support it.
Approach
API part
- a new flag pathPermissionsEnabled shall be added for the storage object. This flag indicates that path permissions management is available for the specified storage. This flag shall be available to apply only on storage creation.
- a new method to update all permissions for a specific user or group shall be implemented:
POST /datastorage/<storageID>/paths/permissions?sidName=<user/group>&principal=<true/false>
# Request Body
[{
# to grant permissions on file
"fileName": "file.txt",
"mask": 1,
"folderPath": "path/to/folder"
},
{
# to grant permissions on folder
"mask": 5,
"folderPath": "path/to/folder"
}, ...
]
This method shall be available for admins and storage owners.
If the pathPermissionsEnabled flag is switched off for the specified storage, an error shall occur.
This method shall be used when an owner/admin wants to grant path permissions for a specific user or group. All already existing permissions for the specified user/group will be overwritten.
- a new method to fetch all path permissions for current user on specified storage shall be implemented:
GET /datastorage/<storageID>/paths/permissions
# Response Body
[{
# if permissions granted on file
"fileName": "file.txt",
"mask": 1,
"folderPath": "path/to/folder"
},
{
# if permissions granted on folder
"mask": 5,
"folderPath": "path/to/folder"
}, ...
]
This method shall be available for users with at least READ permissions on storage.
If the pathPermissionsEnabled flag is switched off for the specified storage, an error shall occur.
This method shall be useful for pipe storage CLI operations.
- all currently implemented API methods for storage files/folders management shall respect permissions on paths:
- if write permissions are not granted to a file/folder, deletion shall not be available
- if permissions are only granted for some of the folders or files in the requested directory, folders or files without permissions shall not be listed
- and so on ...
- when storage deletion is requested, all path permissions shall be removed as well.
- a new API method to load users or groups that have path permissions for the specified storage:
GET /datastorage/<storageID>/paths/permissions/sids
[{
"name": "USER",
"principal": true
},
{
"name": "GROUP",
"principal": false
}
]
This method shall be available for admins and storage owners.
- a new API method to delete storage path permissions for specified users or groups by storage ID.
DELETE /datastorage/<storageID>/paths/permissions
# Request Body
[
{
"name": "USER",
"principal": true
},
{
"name": "GROUP",
"principal": false
}
]
If no request body is provided, all storage path permissions shall be removed. This method shall be available for admins and storage owners.
- new API methods for admins/owners management shall be implemented:
- update permissions for specified paths:
PUT datastorage/{id}/paths/permissions
Request Body
[{
"path": "/path/from/storage/root/folder/",
"type": "Folder",
"permissions": [{
"principal": true,
"name": "USER_NAME",
"mask": 1
}, {
"principal": false,
"name": "GROUP_NAME",
"mask": 5
}]
},
{
"path": "/path/from/storage/root/file.txt",
"type": "File"
# If permissions field was not provided all granted permissions for specified path shall be removed
}]
- load permissions by path:
GET /datastorage/<storageID>/paths/permissions/sids (from point 6) with request parameters:
- path - full path to storage object
- type - indicates file or folder
Response body shall include masks.
# Request Body
[
{
"name": "USER",
"principal": true,
"mask": 1
},
{
"name": "GROUP",
"principal": false,
"mask": 5
}
]
- Data storage listing methods
POST /datastorage/<ID>/list/page and POST /datastorage/<ID>/list/filter response shall include masks (if path permissions are enabled for the storage).
{
"parentFolderMask": 5,
"results": [
{
"name": "Folder Name",
"path": "Folder Name",
"type": "Folder",
"mask": 5
}, ...
]
}
- Temporary credentials generation method shall respect path for storages with enabled path permissions:
- new fields itemPath and itemType shall be added to the permission entity.
- listing shall be restricted by path if itemPath is specified
- permissions shall be granted for the specified item only
Pipe CLI part
- pipe storage mount shall respect granted path permissions. These permissions shall be refreshable.
- For now, other pipe storage methods shall be disabled for plain users and storages with enabled path permissions
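
An added sketch (not Cloud Pipeline code) of how the listing and deletion rules in the API part could be evaluated against grant entries in the request body format shown above. The bit meanings (1 = READ, 4 = WRITE), subtree inheritance for folder grants, OR-combining of grants, and all helper names are assumptions; the sample data is constructed.

```python
import posixpath

# Assumption: bit values match the masks in the issue's samples (1 and 5):
# 1 = READ, 4 = WRITE. The issue itself does not define the bits.
READ, WRITE = 1, 4

def segments(path):
    """Canonical path segments; '..' is resolved and cannot climb above root."""
    return tuple(s for s in posixpath.normpath("/" + path).split("/") if s)

def effective_mask(grants, path):
    """OR together every grant that covers `path` (assumed policy: a folder
    grant covers its whole subtree, a file grant covers that file only)."""
    target, mask = segments(path), 0
    for g in grants:
        folder = segments(g["folderPath"])
        if "fileName" in g:
            if target == folder + (g["fileName"],):
                mask |= g["mask"]
        elif target[:len(folder)] == folder:  # whole-segment prefix match
            mask |= g["mask"]
    return mask

def filter_listing(grants, items):
    """Drop entries without READ and attach the mask, as in the list response."""
    masked = [{**i, "mask": effective_mask(grants, i["path"])} for i in items]
    return [i for i in masked if i["mask"] & READ]

def can_delete(grants, path):
    """Deletion requires the WRITE bit on the canonicalised path."""
    return bool(effective_mask(grants, path) & WRITE)

# Constructed sample data in the shape of the issue's request body.
GRANTS = [
    {"fileName": "file.txt", "mask": 1, "folderPath": "path/to/folder"},
    {"mask": 5, "folderPath": "path/to/shared"},
]
ITEMS = [
    {"name": "file.txt", "path": "path/to/folder/file.txt", "type": "File"},
    {"name": "other.txt", "path": "path/to/folder/other.txt", "type": "File"},
    {"name": "a.csv", "path": "path/to/shared/a.csv", "type": "File"},
    {"name": "b.csv", "path": "path/to/shared-private/b.csv", "type": "File"},
    {"name": "c.csv", "path": "path/to/shared/../secret/c.csv", "type": "File"},
]

if __name__ == "__main__":
    for entry in filter_listing(GRANTS, ITEMS):
        print(entry["path"], entry["mask"])
```

Comparing whole path segments after normalisation is what keeps a grant on path/to/shared from covering path/to/shared-private or a path/to/shared/../secret request.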