[ARVADOS] created: 1.1.4-774-g0ba8a53ba
Git user
git at public.curoverse.com
Thu Aug 16 11:32:01 EDT 2018
at 0ba8a53ba145475153b01dc498f85dbd2f03228b (commit)
commit 0ba8a53ba145475153b01dc498f85dbd2f03228b
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Thu Aug 16 11:31:36 2018 -0400
13146: FUSE tests pass
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/services/fuse/arvados_fuse/fusedir.py b/services/fuse/arvados_fuse/fusedir.py
index 8af330ad5..90e709172 100644
--- a/services/fuse/arvados_fuse/fusedir.py
+++ b/services/fuse/arvados_fuse/fusedir.py
@@ -925,7 +925,7 @@ class ProjectDirectory(Directory):
with llfuse.lock_released:
if not self._current_user:
self._current_user = self.api.users().current().execute(num_retries=self.num_retries)
- return self._current_user["uuid"] in self.project_object["writable_by"]
+ return self._current_user["uuid"] in self.project_object.get("writable_by", [])
def persisted(self):
return True
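Review bot: The new `.get("writable_by", [])` fallback needs a comment, because it silently reports the directory as read-only whenever the project record was fetched without that field. That is the safe direction to fail, but it can also hide a caller that requested too narrow a `select`. Something like `# writable_by is absent when the record came from a restricted select; treat as read-only` above the return would make the intent explicit. The enclosing method starts outside this hunk.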
@@ -1059,7 +1059,6 @@ class SharedDirectory(Directory):
page = []
while True:
resp = self.api.groups().shared(filters=[['group_class', '=', 'project']]+page,
- select=["uuid", "owner_uuid"],
order="uuid",
limit=10000,
count="none").execute()
commit bb31e272ab27d14a5d7dce7e4270c10b99035f45
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Thu Aug 16 11:04:25 2018 -0400
13146: FUSE uses the "groups.shared" API for shared/ directory.
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/services/fuse/arvados_fuse/fusedir.py b/services/fuse/arvados_fuse/fusedir.py
index 769771e7b..8af330ad5 100644
--- a/services/fuse/arvados_fuse/fusedir.py
+++ b/services/fuse/arvados_fuse/fusedir.py
@@ -1049,35 +1049,55 @@ class SharedDirectory(Directory):
if not self.stale():
return
- all_projects = arvados.util.list_all(
- self.api.groups().list, self.num_retries,
- filters=[['group_class','=','project']],
- select=["uuid", "owner_uuid"])
- objects = {}
- for ob in all_projects:
- objects[ob['uuid']] = ob
-
+ contents = {}
roots = []
root_owners = set()
- current_uuid = self.current_user['uuid']
- for ob in all_projects:
- if ob['owner_uuid'] != current_uuid and ob['owner_uuid'] not in objects:
- roots.append(ob['uuid'])
- root_owners.add(ob['owner_uuid'])
-
- lusers = arvados.util.list_all(
- self.api.users().list, self.num_retries,
- filters=[['uuid','in', list(root_owners)]])
- lgroups = arvados.util.list_all(
- self.api.groups().list, self.num_retries,
- filters=[['uuid','in', list(root_owners)+roots]])
-
- for l in lusers:
- objects[l["uuid"]] = l
- for l in lgroups:
- objects[l["uuid"]] = l
+ objects = {}
+
+ methods = self.api._rootDesc.get('resources')["groups"]['methods']
+ if 'httpMethod' in methods.get('shared', {}):
+ page = []
+ while True:
+ resp = self.api.groups().shared(filters=[['group_class', '=', 'project']]+page,
+ select=["uuid", "owner_uuid"],
+ order="uuid",
+ limit=10000,
+ count="none").execute()
+ if not resp["items"]:
+ break
+ page = [["uuid", ">", resp["items"][len(resp["items"])-1]["uuid"]]]
+ for r in resp["items"]:
+ objects[r["uuid"]] = r
+ roots.append(r["uuid"])
+ for r in resp["include"]:
+ objects[r["uuid"]] = r
+ root_owners.add(r["uuid"])
+ else:
+ all_projects = arvados.util.list_all(
+ self.api.groups().list, self.num_retries,
+ filters=[['group_class','=','project']],
+ select=["uuid", "owner_uuid"])
+ for ob in all_projects:
+ objects[ob['uuid']] = ob
+
+ current_uuid = self.current_user['uuid']
+ for ob in all_projects:
+ if ob['owner_uuid'] != current_uuid and ob['owner_uuid'] not in objects:
+ roots.append(ob['uuid'])
+ root_owners.add(ob['owner_uuid'])
+
+ lusers = arvados.util.list_all(
+ self.api.users().list, self.num_retries,
+ filters=[['uuid','in', list(root_owners)]])
+ lgroups = arvados.util.list_all(
+ self.api.groups().list, self.num_retries,
+ filters=[['uuid','in', list(root_owners)+roots]])
+
+ for l in lusers:
+ objects[l["uuid"]] = l
+ for l in lgroups:
+ objects[l["uuid"]] = l
- contents = {}
for r in root_owners:
if r in objects:
obr = objects[r]
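Review bot: The new `groups().shared(...)` call ends in a bare `.execute()`, so it does not pass `num_retries=self.num_retries` as the `list_all` calls in the fallback branch do; a transient API error here fails the whole directory refresh. Use `count="none").execute(num_retries=self.num_retries)`. The loop also indexes `resp["include"]` directly, while the server-side hunk on this page initialises that field to nil for ordinary list responses, so `for r in resp.get("include") or []:` is more defensive. `self.api._rootDesc` is a private attribute of the client object, and `.get('resources')["groups"]` raises if the key is missing, so a short comment on why the discovery document is probed this way would help. `resp["items"][-1]` reads better than the `len(...)-1` index.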
commit 61ad64acbca1b8cc990ecf0e9ca2c54ad9eb8fe6
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Thu Aug 16 10:38:55 2018 -0400
13146: Add tests for shared endpoint.
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/services/api/test/fixtures/api_client_authorizations.yml b/services/api/test/fixtures/api_client_authorizations.yml
index 92bd7cf87..2073d8b1b 100644
--- a/services/api/test/fixtures/api_client_authorizations.yml
+++ b/services/api/test/fixtures/api_client_authorizations.yml
@@ -275,6 +275,13 @@ user_foo_in_sharing_group:
api_token: 2p1pou8p4ls208mcbedeewlotghppenobcyrmyhq8pyf51xd8u
expires_at: 2038-01-01 00:00:00
+user_bar_in_sharing_group:
+ uuid: zzzzz-gj3su-62hryf5fht531mz
+ api_client: untrusted
+ user: user_bar_in_sharing_group
+ api_token: 5vy55akwq85vghh80wc2cuxl4p8psay73lkpqf5c2cxvp6rmm6
+ expires_at: 2038-01-01 00:00:00
+
user1_with_load:
uuid: zzzzz-gj3su-357z32aux8dg2s1
api_client: untrusted
diff --git a/services/api/test/functional/arvados/v1/groups_controller_test.rb b/services/api/test/functional/arvados/v1/groups_controller_test.rb
index 3442eda24..885fc6637 100644
--- a/services/api/test/functional/arvados/v1/groups_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/groups_controller_test.rb
@@ -705,4 +705,61 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
assert_not_nil Group.readable_by(users(auth)).where(uuid: groups(:trashed_subproject).uuid).first
end
end
+
+ test 'get shared owned by another user' do
+ authorize_with :user_bar_in_sharing_group
+
+ act_as_system_user do
+ Link.create!(
+ tail_uuid: users(:user_bar_in_sharing_group).uuid,
+ link_class: 'permission',
+ name: 'can_read',
+ head_uuid: groups(:project_owned_by_foo).uuid)
+ end
+
+ get :shared, {filters: [["group_class", "=", "project"]]}
+
+ assert_equal 1, json_response['items'].length
+ assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
+
+ assert_equal 1, json_response['include'].length
+ assert_equal json_response['include'][0]["uuid"], users(:user_foo_in_sharing_group).uuid
+ end
+
+ test 'get shared, owned by unreadable project' do
+ authorize_with :user_bar_in_sharing_group
+
+ act_as_system_user do
+ Group.find_by_uuid(groups(:project_owned_by_foo).uuid).update!(owner_uuid: groups(:aproject).uuid)
+ Link.create!(
+ tail_uuid: users(:user_bar_in_sharing_group).uuid,
+ link_class: 'permission',
+ name: 'can_read',
+ head_uuid: groups(:project_owned_by_foo).uuid)
+ end
+
+ get :shared, {filters: [["group_class", "=", "project"]]}
+
+ assert_equal 1, json_response['items'].length
+ assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
+
+ assert_equal 0, json_response['include'].length
+ end
+
+ test 'get shared, owned by non-project' do
+ authorize_with :user_bar_in_sharing_group
+
+ act_as_system_user do
+ Group.find_by_uuid(groups(:project_owned_by_foo).uuid).update!(owner_uuid: groups(:group_for_sharing_tests).uuid)
+ end
+
+ get :shared, {filters: [["group_class", "=", "project"]]}
+
+ assert_equal 1, json_response['items'].length
+ assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
+
+ assert_equal 1, json_response['include'].length
+ assert_equal json_response['include'][0]["uuid"], groups(:group_for_sharing_tests).uuid
+ end
+
end
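Review bot: All three new tests authorize as `:user_bar_in_sharing_group`, so the admin path of `shared` is never exercised; on this page the controller drops the owner-readability clause when `current_user.is_admin`. A fourth test that authorizes as an admin fixture and asserts the expected `items`/`include` would pin that branch. A negative test would also be useful, for example a project the user has no permission link to must not appear in `items`. The uuid assertions pass the actual value first; `assert_equal groups(:project_owned_by_foo).uuid, json_response['items'][0]["uuid"]` gives a correct failure message.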
commit 4d00ed0a34cae5a5da3992ca9adac46d3682fee1
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Wed Aug 15 14:44:27 2018 -0400
13146: Update comment
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/services/api/app/controllers/arvados/v1/groups_controller.rb b/services/api/app/controllers/arvados/v1/groups_controller.rb
index 582aa1cc1..daa8ad132 100644
--- a/services/api/app/controllers/arvados/v1/groups_controller.rb
+++ b/services/api/app/controllers/arvados/v1/groups_controller.rb
@@ -80,6 +80,10 @@ class Arvados::V1::GroupsController < ApplicationController
# the owner_uuid is a user (but not the current user) OR
# the owner_uuid is not readable by the current user
# the owner_uuid is a group but group_class is not a project
+ #
+ # The intended use of this endpoint is to support clients which
+ # wish to browse those projects which are visible to the user but
+ # are not part of the "home" project.
load_limit_offset_order_params
load_filters_param
commit bc49a7967325c523a7c25d48df30ae718a66aa63
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Wed Aug 15 14:28:13 2018 -0400
13146: Support for query filters, "includes"
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index ba7c07d27..9159afed8 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -78,6 +78,7 @@ class ApplicationController < ActionController::Base
@distinct = nil
@response_resource_name = nil
@attrs = nil
+ @extra_include = nil
end
def default_url_options
@@ -490,7 +491,8 @@ class ApplicationController < ActionController::Base
:self_link => "",
:offset => @offset,
:limit => @limit,
- :items => @objects.as_api_response(nil, {select: @select})
+ :items => @objects.as_api_response(nil, {select: @select}),
+ :include => @extra_include
}
case params[:count]
when nil, '', 'exact'
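Review bot: The added `:include => @extra_include` line places the objects in the response as they are, whereas `:items` on the line above goes through `as_api_response(nil, {select: @select})`. The groups controller on this page fills `@extra_include` with `Group` and `User` records, so unless `send_json` applies the API template itself (not visible here), those owner records may be serialized with every model attribute rather than the API-visible set, and `select` is ignored for them. Rendering them the same way as the items, e.g. `:include => (@extra_include.as_api_response(nil, {select: @select}) if @extra_include)`, would keep the exposed fields consistent. As written, every other list response also gains an `"include": null` key; adding the key only when `@extra_include` is set would avoid that. The enclosing method starts and ends outside this hunk.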
diff --git a/services/api/app/controllers/arvados/v1/groups_controller.rb b/services/api/app/controllers/arvados/v1/groups_controller.rb
index aafef2de2..582aa1cc1 100644
--- a/services/api/app/controllers/arvados/v1/groups_controller.rb
+++ b/services/api/app/controllers/arvados/v1/groups_controller.rb
@@ -68,10 +68,10 @@ class Arvados::V1::GroupsController < ApplicationController
def shared
# The purpose of this endpoint is to return the toplevel set of
- # projects which are *not* reachable through an ownership chain of
- # projects starting from the user account. In other words,
- # projects which to which access was granted via a permission
- # link, or indirectly through group permissions.
+ # groups which are *not* reachable through a direct ownership
+ # chain of projects starting from the current user account. In
+ # other words, groups which to which access was granted via a
+ # permission link or chain of links.
#
# This also returns (in the "includes" field) the objects that own
# those projects (users or non-project groups).
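Review bot: The comment still says the owners are returned in the "includes" field, but the response key added in application_controller.rb in this same commit is `:include`. Since clients will read this comment as the contract, it should name the real key, e.g. `# This also returns (in the "include" field) the objects that own`. The rewritten sentence also keeps the "groups which to which" typo.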
@@ -79,29 +79,35 @@ class Arvados::V1::GroupsController < ApplicationController
# select groups that are readable by current user AND
# the owner_uuid is a user (but not the current user) OR
# the owner_uuid is not readable by the current user
- # the owner_uuid group_class is not a project
+ # the owner_uuid is a group but group_class is not a project
- if current_user.is_admin
- exists1 = "EXISTS(SELECT 1 from #{PERMISSION_VIEW} WHERE user_uuid=(:user_uuid) AND target_uuid=groups.uuid) AND "
- end
+ load_limit_offset_order_params
+ load_filters_param
- g = Group.where("group_class='project' AND "+
- exists1+
- "(groups.owner_uuid IN (SELECT uuid FROM users WHERE users.uuid != (:user_uuid)) OR "+
- "NOT EXISTS(SELECT 1 FROM materialized_permission_view WHERE user_uuid=(:user_uuid) AND target_uuid=groups.owner_uuid) OR "+
- "EXISTS(SELECT 1 FROM groups as gp where gp.uuid=groups.owner_uuid and gp.group_class != 'project'))",
- user_uuid: current_user.uuid)
+ read_parent_check = if current_user.is_admin
+ ""
+ else
+ "NOT EXISTS(SELECT 1 FROM #{PERMISSION_VIEW} WHERE "+
+ "user_uuid=(:user_uuid) AND target_uuid=groups.owner_uuid AND perm_level >= 1) OR "
+ end
- send_json({
- :kind => "arvados#objectList",
- :etag => "",
- :self_link => "",
- :offset => @offset,
- :limit => @limit,
- :items_available => @items_available,
- :items => g.as_api_response(nil)
- })
+ @objects = Group.readable_by(*@read_users).where("groups.owner_uuid IN (SELECT users.uuid FROM users WHERE users.uuid != (:user_uuid)) OR "+
+ read_parent_check+
+ "EXISTS(SELECT 1 FROM groups as gp where gp.uuid=groups.owner_uuid and gp.group_class != 'project')",
+ user_uuid: current_user.uuid)
+ apply_where_limit_order_params
+
+ owners = @objects.map(&:owner_uuid).to_a
+
+ @extra_include = []
+ @extra_include += Group.readable_by(*@read_users).where(uuid: owners).to_a
+ @extra_include += User.readable_by(*@read_users).where(uuid: owners).to_a
+
+ index
+ end
+ def self._shared_requires_parameters
+ self._index_requires_parameters
end
protected
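Review bot: `owners = @objects.map(&:owner_uuid).to_a` loads the whole result page just to collect owner uuids, and `index` then evaluates `@objects` again; the list is also not de-duplicated, so at the 10000-row limit the FUSE client requests, the two `where(uuid: owners)` lookups get a very long IN list. `owners = @objects.map(&:owner_uuid).uniq` is a cheap improvement (the `.to_a` is redundant after `map`). If `apply_where_limit_order_params` narrows the loaded columns according to the `select` parameter (not visible here), a request whose `select` omits `owner_uuid` would make this line raise, which is worth guarding or documenting. Restricting both `@extra_include` lookups with `readable_by(*@read_users)` is the right call and deserves a one-line comment saying that unreadable owners are deliberately omitted.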
commit 0befd8da0101dbc7845c8216637c8b621519bc68
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Thu Aug 9 12:44:11 2018 -0400
13146: Shared endpoint wip
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/services/api/app/controllers/arvados/v1/groups_controller.rb b/services/api/app/controllers/arvados/v1/groups_controller.rb
index ec3b69ab0..aafef2de2 100644
--- a/services/api/app/controllers/arvados/v1/groups_controller.rb
+++ b/services/api/app/controllers/arvados/v1/groups_controller.rb
@@ -7,6 +7,9 @@ require "trashable"
class Arvados::V1::GroupsController < ApplicationController
include TrashableController
+ skip_before_filter :find_object_by_uuid, only: :shared
+ skip_before_filter :render_404_if_no_object, only: :shared
+
def self._index_requires_parameters
(super rescue {}).
merge({
@@ -63,6 +66,44 @@ class Arvados::V1::GroupsController < ApplicationController
})
end
+ def shared
+ # The purpose of this endpoint is to return the toplevel set of
+ # projects which are *not* reachable through an ownership chain of
+ # projects starting from the user account. In other words,
+ # projects which to which access was granted via a permission
+ # link, or indirectly through group permissions.
+ #
+ # This also returns (in the "includes" field) the objects that own
+ # those projects (users or non-project groups).
+ #
+ # select groups that are readable by current user AND
+ # the owner_uuid is a user (but not the current user) OR
+ # the owner_uuid is not readable by the current user
+ # the owner_uuid group_class is not a project
+
+ if current_user.is_admin
+ exists1 = "EXISTS(SELECT 1 from #{PERMISSION_VIEW} WHERE user_uuid=(:user_uuid) AND target_uuid=groups.uuid) AND "
+ end
+
+ g = Group.where("group_class='project' AND "+
+ exists1+
+ "(groups.owner_uuid IN (SELECT uuid FROM users WHERE users.uuid != (:user_uuid)) OR "+
+ "NOT EXISTS(SELECT 1 FROM materialized_permission_view WHERE user_uuid=(:user_uuid) AND target_uuid=groups.owner_uuid) OR "+
+ "EXISTS(SELECT 1 FROM groups as gp where gp.uuid=groups.owner_uuid and gp.group_class != 'project'))",
+ user_uuid: current_user.uuid)
+
+ send_json({
+ :kind => "arvados#objectList",
+ :etag => "",
+ :self_link => "",
+ :offset => @offset,
+ :limit => @limit,
+ :items_available => @items_available,
+ :items => g.as_api_response(nil)
+ })
+
+ end
+
protected
def load_searchable_objects
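Review bot: In this first version of `shared`, `exists1` is assigned only inside `if current_user.is_admin`, so for any non-admin caller it is nil and `"group_class='project' AND "+ exists1 +` raises a TypeError. The condition also looks inverted: the permission-view restriction is applied to admins, while the non-admin query would have no check that the group itself is readable. The query additionally mixes `#{PERMISSION_VIEW}` with the literal `materialized_permission_view`. The later rewrite shown on this page (`Group.readable_by(*@read_users)` plus `read_parent_check`) replaces this code, so the WIP commit should not be deployed or cherry-picked on its own.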
diff --git a/services/api/config/routes.rb b/services/api/config/routes.rb
index b0c09840d..b54c3c5bf 100644
--- a/services/api/config/routes.rb
+++ b/services/api/config/routes.rb
@@ -30,6 +30,7 @@ Server::Application.routes.draw do
resources :groups do
get 'contents', on: :collection
get 'contents', on: :member
+ get 'shared', on: :collection
post 'trash', on: :member
post 'untrash', on: :member
end
-----------------------------------------------------------------------
hooks/post-receive
--