[ARVADOS] updated: 2.1.0-901-gd7fb2ac79

Git user git at public.arvados.org
Thu Jun 17 19:49:31 UTC 2021


Summary of changes:
 ...restricting-upload-download.html.textile.liquid | 51 ++++++++-----
 lib/config/config.default.yml                      | 15 ++--
 lib/config/generated_config.go                     | 15 ++--
 sdk/go/arvados/config.go                           |  3 +-
 sdk/go/arvadostest/fixtures.go                     |  2 +
 services/keep-web/handler.go                       | 85 +++++++++++++---------
 services/keep-web/handler_test.go                  | 77 ++++++++++++++++----
 services/keep-web/s3.go                            |  8 +-
 8 files changed, 175 insertions(+), 81 deletions(-)

       via  d7fb2ac79d28575f074626b92fb91d7b9fdc0ca2 (commit)
       via  0184f9ea54273a7ad60aedeb7ddf823db0b9f83d (commit)
       via  32b7adff99dd2308c37cf00f4d83f55a216e8a4a (commit)
      from  e4dea1aaa8afad47dc805095009aca44a630b921 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit d7fb2ac79d28575f074626b92fb91d7b9fdc0ca2
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Thu Jun 17 15:49:04 2021 -0400

    17464: Add tests for paths by /users/ and by PDH
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/sdk/go/arvadostest/fixtures.go b/sdk/go/arvadostest/fixtures.go
index 7829f0cf4..1089b4f8b 100644
--- a/sdk/go/arvadostest/fixtures.go
+++ b/sdk/go/arvadostest/fixtures.go
@@ -31,6 +31,8 @@ const (
 	UserAgreementPDH        = "b519d9cb706a29fc7ea24dbea2f05851+93"
 	HelloWorldPdh           = "55713e6a34081eb03609e7ad5fcad129+62"
 
+	MultilevelCollection1 = "zzzzz-4zz18-pyw8yp9g3pr7irn"
+
 	AProjectUUID    = "zzzzz-j7d0g-v955i6s2oi1cbso"
 	ASubprojectUUID = "zzzzz-j7d0g-axqo7eu9pwvna1x"
 
diff --git a/services/keep-web/handler_test.go b/services/keep-web/handler_test.go
index bac6089f3..cc38caab1 100644
--- a/services/keep-web/handler_test.go
+++ b/services/keep-web/handler_test.go
@@ -1212,7 +1212,8 @@ func (s *IntegrationSuite) checkUploadDownloadRequest(c *check.C, h *handler, re
 		c.Check(logbuf.String(), check.Matches, `(?ms).*msg="File `+direction+`".*`)
 		c.Check(logbuf.String(), check.Not(check.Matches), `(?ms).*level=error.*`)
 
-		for nextLogId == lastLogId {
+		count := 0
+		for ; nextLogId == lastLogId && count < 20; count++ {
 			time.Sleep(50 * time.Millisecond)
 			err = client.RequestAndDecode(&logentries, "GET", "arvados/v1/logs", nil,
 				arvados.ResourceListParams{
@@ -1225,7 +1226,7 @@ func (s *IntegrationSuite) checkUploadDownloadRequest(c *check.C, h *handler, re
 				nextLogId = logentries.Items[0].ID
 			}
 		}
-
+		c.Check(count, check.Not(check.Equals), 20)
 		c.Check(logentries.Items[0].ObjectUUID, check.Equals, userUuid)
 		c.Check(logentries.Items[0].Properties["collection_uuid"], check.Equals, collectionUuid)
 		c.Check(logentries.Items[0].Properties["collection_file_path"], check.Equals, filepath)
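Review bot: The timeout check `c.Check(count, check.Not(check.Equals), 20)` records a failure but lets the test continue, so when polling gives up the assertions below still read `logentries.Items[0]` from the last response. That yields misleading mismatches against a stale entry, or an index panic if `Items` happens to be empty. `c.Assert(count, check.Not(check.Equals), 20)` would stop at the real cause. The literal 20 is also repeated from the loop bound in the previous hunk; a named constant such as `const maxLogPolls = 20` keeps the two in step. checkUploadDownloadRequest starts and ends outside these hunks.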
@@ -1240,6 +1241,8 @@ func (s *IntegrationSuite) TestDownloadLoggingPermission(c *check.C) {
 	h := handler{Config: config}
 	u := mustParseURL("http://" + arvadostest.FooCollection + ".keep-web.example/foo")
 
+	config.cluster.Collections.TrustAllContent = true
+
 	for _, adminperm := range []bool{true, false} {
 		for _, userperm := range []bool{true, false} {
 			config.cluster.Collections.WebDAVPermission.Admin.Download = adminperm
@@ -1272,6 +1275,38 @@ func (s *IntegrationSuite) TestDownloadLoggingPermission(c *check.C) {
 				arvadostest.ActiveUserUUID, arvadostest.FooCollection, "foo")
 		}
 	}
+
+	config.cluster.Collections.WebDAVPermission.User.Download = true
+
+	for _, tryurl := range []string{"http://" + arvadostest.MultilevelCollection1 + ".keep-web.example/dir1/subdir/file1",
+		"http://keep-web/users/active/multilevel_collection_1/dir1/subdir/file1"} {
+
+		u = mustParseURL(tryurl)
+		req := &http.Request{
+			Method:     "GET",
+			Host:       u.Host,
+			URL:        u,
+			RequestURI: u.RequestURI(),
+			Header: http.Header{
+				"Authorization": {"Bearer " + arvadostest.ActiveToken},
+			},
+		}
+		s.checkUploadDownloadRequest(c, &h, req, http.StatusOK, "download", true,
+			arvadostest.ActiveUserUUID, arvadostest.MultilevelCollection1, "dir1/subdir/file1")
+	}
+
+	u = mustParseURL("http://" + strings.Replace(arvadostest.FooCollectionPDH, "+", "-", 1) + ".keep-web.example/foo")
+	req := &http.Request{
+		Method:     "GET",
+		Host:       u.Host,
+		URL:        u,
+		RequestURI: u.RequestURI(),
+		Header: http.Header{
+			"Authorization": {"Bearer " + arvadostest.ActiveToken},
+		},
+	}
+	s.checkUploadDownloadRequest(c, &h, req, http.StatusOK, "download", true,
+		arvadostest.ActiveUserUUID, arvadostest.FooCollection, "foo")
 }
 
 func (s *IntegrationSuite) TestUploadLoggingPermission(c *check.C) {
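Review bot: The added /users/ and PDH cases only exercise the allowed path: `WebDAVPermission.User.Download` is forced to `true` before the loop and every call passes `true` as the permitted argument. These URLs appear to reach the permission check through different handler branches than the UUID-vhost case in the nested loops above, so nothing here shows that a denied download is refused with 403 on those branches. Repeating the same requests after `config.cluster.Collections.WebDAVPermission.User.Download = false`, with `false` as the sixth argument to `checkUploadDownloadRequest`, would cover the restrictive side of the policy.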

commit 0184f9ea54273a7ad60aedeb7ddf823db0b9f83d
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Thu Jun 17 14:48:33 2021 -0400

    17464: Clean up tests
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index 43ce57904..6d0b7669e 100644
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -487,11 +487,11 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	// Check configured permission
 	_, sess, err := h.Config.Cache.GetSession(arv.ApiToken)
 	tokenUser, err = h.Config.Cache.GetTokenUser(arv.ApiToken)
-	if !h.UserPermittedToUploadOrDownload(r.Method, tokenUser) {
+	if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
 		http.Error(w, "Not permitted", http.StatusForbidden)
 		return
 	}
-	h.LogUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser)
+	h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser)
 
 	if webdavMethod[r.Method] {
 		if writeMethod[r.Method] {
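Review bot: Both lookups above the permission check discard their errors: `err` from `GetSession` is overwritten by the `GetTokenUser` call and neither value is inspected before use. A failed user lookup falls into the `tokenUser == nil` branch of `userPermittedToUploadOrDownload`, which fails closed but reports a backend fault to the client as "Not permitted"; and if `GetSession` fails while `GetTokenUser` succeeds, `sess.arvadosclient` on the logging line would presumably dereference nil. Checking each error separately, e.g. `if err != nil { http.Error(w, "session lookup failed", http.StatusInternalServerError); return }`, keeps 403 for real policy denials. The same unchecked `GetTokenUser` result appears in the serveSiteFS hunk below and in both serveS3 hunks in s3.go. ServeHTTP starts and ends outside this hunk.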
@@ -619,11 +619,11 @@ func (h *handler) serveSiteFS(w http.ResponseWriter, r *http.Request, tokens []s
 	}
 
 	tokenUser, err := h.Config.Cache.GetTokenUser(tokens[0])
-	if !h.UserPermittedToUploadOrDownload(r.Method, tokenUser) {
+	if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
 		http.Error(w, "Not permitted", http.StatusForbidden)
 		return
 	}
-	h.LogUploadOrDownload(r, sess.arvadosclient, fs, r.URL.Path, nil, tokenUser)
+	h.logUploadOrDownload(r, sess.arvadosclient, fs, r.URL.Path, nil, tokenUser)
 
 	if r.Method == "GET" {
 		_, basename := filepath.Split(r.URL.Path)
@@ -856,18 +856,18 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc
 	io.WriteString(w, `">Continue</A>`)
 }
 
-func (h *handler) UserPermittedToUploadOrDownload(method string, tokenUser *arvados.User) bool {
+func (h *handler) userPermittedToUploadOrDownload(method string, tokenUser *arvados.User) bool {
 	if tokenUser == nil {
 		return false
 	}
 	var permitDownload bool
 	var permitUpload bool
 	if tokenUser.IsAdmin {
-		permitUpload = h.Config.cluster.Collections.KeepWebPermission.Admin.Upload
-		permitDownload = h.Config.cluster.Collections.KeepWebPermission.Admin.Download
+		permitUpload = h.Config.cluster.Collections.WebDAVPermission.Admin.Upload
+		permitDownload = h.Config.cluster.Collections.WebDAVPermission.Admin.Download
 	} else {
-		permitUpload = h.Config.cluster.Collections.KeepWebPermission.User.Upload
-		permitDownload = h.Config.cluster.Collections.KeepWebPermission.User.Download
+		permitUpload = h.Config.cluster.Collections.WebDAVPermission.User.Upload
+		permitDownload = h.Config.cluster.Collections.WebDAVPermission.User.Download
 	}
 	if (method == "PUT" || method == "POST") && !permitUpload {
 		// Disallow operations that upload new files.
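Review bot: `userPermittedToUploadOrDownload` is the single policy gate for WebDAV, site-FS and S3 requests but has no doc comment, so its contract has to be read out of the body. The visible lines establish that a nil user is always refused, that `IsAdmin` selects between the Admin and User policies, and that only PUT and POST are treated as uploads. A comment along the lines of `// userPermittedToUploadOrDownload reports whether tokenUser may perform method under Collections.WebDAVPermission; a nil user is refused, and only PUT/POST count as uploads.` would record that. The download branch is outside the hunk and should be described the same way once confirmed.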
@@ -882,7 +882,7 @@ func (h *handler) UserPermittedToUploadOrDownload(method string, tokenUser *arva
 	return true
 }
 
-func (h *handler) LogUploadOrDownload(
+func (h *handler) logUploadOrDownload(
 	r *http.Request,
 	client *arvadosclient.ArvadosClient,
 	fs arvados.CustomFileSystem,
@@ -898,7 +898,7 @@ func (h *handler) LogUploadOrDownload(
 			WithField("user_full_name", user.FullName)
 	}
 	if collection == nil && fs != nil {
-		collection, filepath = h.DetermineCollection(fs, filepath)
+		collection, filepath = h.determineCollection(fs, filepath)
 	}
 	if collection != nil {
 		log = log.WithField("collection_uuid", collection.UUID).
@@ -908,46 +908,63 @@ func (h *handler) LogUploadOrDownload(
 	}
 	if r.Method == "PUT" || r.Method == "POST" {
 		log.Info("File upload")
-		go func() {
-			lr := arvadosclient.Dict{"log": arvadosclient.Dict{
-				"object_uuid": user.UUID,
-				"event_type":  "file_upload",
-				"properties":  props}}
-			client.Create("logs", lr, nil)
-		}()
+		if h.Config.cluster.Collections.WebDAVLogEvents {
+			go func() {
+				lr := arvadosclient.Dict{"log": arvadosclient.Dict{
+					"object_uuid": user.UUID,
+					"event_type":  "file_upload",
+					"properties":  props}}
+				err := client.Create("logs", lr, nil)
+				if err != nil {
+					log.WithError(err).Error("Failed to create upload log event on API server")
+				}
+			}()
+		}
 	} else if r.Method == "GET" {
 		if collection != nil && collection.PortableDataHash != "" {
 			log = log.WithField("portable_data_hash", collection.PortableDataHash)
 			props["portable_data_hash"] = collection.PortableDataHash
 		}
 		log.Info("File download")
-		go func() {
-			lr := arvadosclient.Dict{"log": arvadosclient.Dict{
-				"object_uuid": user.UUID,
-				"event_type":  "file_download",
-				"properties":  props}}
-			client.Create("logs", lr, nil)
-		}()
+		if h.Config.cluster.Collections.WebDAVLogEvents {
+			go func() {
+				lr := arvadosclient.Dict{"log": arvadosclient.Dict{
+					"object_uuid": user.UUID,
+					"event_type":  "file_download",
+					"properties":  props}}
+				err := client.Create("logs", lr, nil)
+				if err != nil {
+					log.WithError(err).Error("Failed to create download log event on API server")
+				}
+			}()
+		}
 	}
 }
 
-func (h *handler) DetermineCollection(fs arvados.CustomFileSystem, path string) (*arvados.Collection, string) {
+func (h *handler) determineCollection(fs arvados.CustomFileSystem, path string) (*arvados.Collection, string) {
 	segments := strings.Split(path, "/")
 	var i int
-	for i = len(segments) - 1; i >= 0; i-- {
+	for i = 0; i < len(segments); i++ {
 		dir := append([]string{}, segments[0:i]...)
 		dir = append(dir, ".arvados#collection")
 		f, err := fs.OpenFile(strings.Join(dir, "/"), os.O_RDONLY, 0)
-		if err == nil {
-			decoder := json.NewDecoder(f)
-			var collection arvados.Collection
-			err = decoder.Decode(&collection)
-			if err != nil {
+		if f != nil {
+			defer f.Close()
+		}
+		if err != nil {
+			if !os.IsNotExist(err) {
 				return nil, ""
 			}
-			return &collection, strings.Join(segments[i:], "/")
+			continue
+		}
+		// err is nil so we found it.
+		decoder := json.NewDecoder(f)
+		var collection arvados.Collection
+		err = decoder.Decode(&collection)
+		if err != nil {
+			return nil, ""
 		}
-		f.Close()
+		return &collection, strings.Join(segments[i:], "/")
 	}
 	return nil, ""
 }
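Review bot: The audit event is best-effort: `client.Create` runs in a detached goroutine and a failure is only logged, so a transfer can complete with no row in the `logs` table, and since the ServeHTTP hunk calls this before serving, a request that later fails apparently still gets one. If that trade-off is intended, a comment above each `go func()` saying so would help anyone treating the activity report as a complete record. In `determineCollection`, the `return nil, ""` on an open error other than not-exist, and on a decode error, silently drops the collection fields from the event; `os.IsNotExist` also does not see through wrapped errors, so `errors.Is(err, os.ErrNotExist)` is the safer test if `fs.OpenFile` ever wraps. The `defer f.Close()` inside the loop is harmless because the success path returns at once, but a plain `f.Close()` after decoding would make that obvious. logUploadOrDownload begins outside this hunk.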
diff --git a/services/keep-web/handler_test.go b/services/keep-web/handler_test.go
index 31724dd5d..bac6089f3 100644
--- a/services/keep-web/handler_test.go
+++ b/services/keep-web/handler_test.go
@@ -1242,8 +1242,8 @@ func (s *IntegrationSuite) TestDownloadLoggingPermission(c *check.C) {
 
 	for _, adminperm := range []bool{true, false} {
 		for _, userperm := range []bool{true, false} {
-			config.cluster.Collections.KeepWebPermission.Admin.Download = adminperm
-			config.cluster.Collections.KeepWebPermission.User.Download = userperm
+			config.cluster.Collections.WebDAVPermission.Admin.Download = adminperm
+			config.cluster.Collections.WebDAVPermission.User.Download = userperm
 
 			// Test admin permission
 			req := &http.Request{
@@ -1275,20 +1275,32 @@ func (s *IntegrationSuite) TestDownloadLoggingPermission(c *check.C) {
 }
 
 func (s *IntegrationSuite) TestUploadLoggingPermission(c *check.C) {
-	defer func() {
-		client := s.testServer.Config.Client
-		client.AuthToken = arvadostest.AdminToken
-		client.RequestAndDecode(nil, "POST", "database/reset", nil, nil)
-	}()
-
 	config := newConfig(s.ArvConfig)
 	h := handler{Config: config}
-	u := mustParseURL("http://" + arvadostest.FooCollection + ".keep-web.example/bar")
 
 	for _, adminperm := range []bool{true, false} {
 		for _, userperm := range []bool{true, false} {
-			config.cluster.Collections.KeepWebPermission.Admin.Upload = adminperm
-			config.cluster.Collections.KeepWebPermission.User.Upload = userperm
+
+			arv := s.testServer.Config.Client
+			arv.AuthToken = arvadostest.ActiveToken
+
+			var coll arvados.Collection
+			err := arv.RequestAndDecode(&coll,
+				"POST",
+				"/arvados/v1/collections",
+				nil,
+				map[string]interface{}{
+					"ensure_unique_name": true,
+					"collection": map[string]interface{}{
+						"name": "test collection",
+					},
+				})
+			c.Assert(err, check.Equals, nil)
+
+			u := mustParseURL("http://" + coll.UUID + ".keep-web.example/bar")
+
+			config.cluster.Collections.WebDAVPermission.Admin.Upload = adminperm
+			config.cluster.Collections.WebDAVPermission.User.Upload = userperm
 
 			// Test admin permission
 			req := &http.Request{
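Review bot: Each pass of the loop now creates a new collection and uploads `bar` into it, while the deferred `database/reset` was removed, so four collections are left in the test database unless the suite resets fixtures elsewhere (not visible in this hunk). Later tests that list or count collections for the active user could then depend on execution order. Either restore the reset in a `defer` or delete `coll.UUID` at the end of each iteration. Separately, `c.Assert(err, check.IsNil)` is the usual gocheck spelling of `c.Assert(err, check.Equals, nil)`.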
@@ -1302,7 +1314,7 @@ func (s *IntegrationSuite) TestUploadLoggingPermission(c *check.C) {
 				Body: io.NopCloser(bytes.NewReader([]byte("bar"))),
 			}
 			s.checkUploadDownloadRequest(c, &h, req, http.StatusCreated, "upload", adminperm,
-				arvadostest.AdminUserUUID, arvadostest.FooCollection, "bar")
+				arvadostest.AdminUserUUID, coll.UUID, "bar")
 
 			// Test user permission
 			req = &http.Request{
@@ -1316,7 +1328,7 @@ func (s *IntegrationSuite) TestUploadLoggingPermission(c *check.C) {
 				Body: io.NopCloser(bytes.NewReader([]byte("bar"))),
 			}
 			s.checkUploadDownloadRequest(c, &h, req, http.StatusCreated, "upload", userperm,
-				arvadostest.ActiveUserUUID, arvadostest.FooCollection, "bar")
+				arvadostest.ActiveUserUUID, coll.UUID, "bar")
 		}
 	}
 }
diff --git a/services/keep-web/s3.go b/services/keep-web/s3.go
index 447c37cbc..df70f6f8a 100644
--- a/services/keep-web/s3.go
+++ b/services/keep-web/s3.go
@@ -382,11 +382,11 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 		}
 
 		tokenUser, err := h.Config.Cache.GetTokenUser(token)
-		if !h.UserPermittedToUploadOrDownload(r.Method, tokenUser) {
+		if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
 			http.Error(w, "Not permitted", http.StatusForbidden)
 			return true
 		}
-		h.LogUploadOrDownload(r, arvclient, fs, fspath, nil, tokenUser)
+		h.logUploadOrDownload(r, arvclient, fs, fspath, nil, tokenUser)
 
 		// shallow copy r, and change URL path
 		r := *r
@@ -473,11 +473,11 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 			defer f.Close()
 
 			tokenUser, err := h.Config.Cache.GetTokenUser(token)
-			if !h.UserPermittedToUploadOrDownload(r.Method, tokenUser) {
+			if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
 				http.Error(w, "Not permitted", http.StatusForbidden)
 				return true
 			}
-			h.LogUploadOrDownload(r, arvclient, fs, fspath, nil, tokenUser)
+			h.logUploadOrDownload(r, arvclient, fs, fspath, nil, tokenUser)
 
 			_, err = io.Copy(f, r.Body)
 			if err != nil {
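Review bot: In this branch the permission check sits after `defer f.Close()`, so the target file has already been opened by the time a forbidden upload is rejected. The open call itself is outside the hunk; if it creates or truncates the object, a denied request would still touch filesystem state before the 403 is returned. Moving the `GetTokenUser` / `userPermittedToUploadOrDownload` block above the open would keep denied requests free of side effects, as in the earlier serveS3 hunk, where the check precedes the work. serveS3 starts and ends outside this hunk.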

commit 32b7adff99dd2308c37cf00f4d83f55a216e8a4a
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Thu Jun 17 12:27:19 2021 -0400

    17464: Update config variables & docs from feedback
    
    Change KeepWebPermission -> WebDAVPermission
    
    Add WebDAVLogEvents
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/doc/admin/restricting-upload-download.html.textile.liquid b/doc/admin/restricting-upload-download.html.textile.liquid
index 602cdfd61..45bcd8a07 100644
--- a/doc/admin/restricting-upload-download.html.textile.liquid
+++ b/doc/admin/restricting-upload-download.html.textile.liquid
@@ -14,56 +14,70 @@ For some use cases, you may want to limit the ability of users to upload or down
 
 This feature exists in addition to the existing Arvados permission system.  Users can only download from collections they have @read@ access to, and can only upload to projects and collections they have @write@ access to.
 
-h2. Keep-web and Keepproxy Permissions
-
 There are two services involved in accessing data from outside the cluster.
 
- at keeproxy@ makes it possible to use @arv-put@ and @arv-get at .  It works in terms of individual 64 MiB keep blocks.  It prints a log each time a user uploads or downloads an individual block.
-
- at keep-web@ makes it possible to use Workbench, WebDAV and S3 API.  It works in terms of individual files.  It prints a log each time a user uploads or downloads a file, and also adds an entry into the API server @logs@ table.
-
-This distinction is important for auditing, the @keep-web@ records 'upload' and 'download' events on the API server that are included in the "User Activity Report":user-activity.html ,  whereas @keepprox@ only logs upload and download of individual blocks, which require a reverse lookup to determine the collection(s) and file(s) a block is associated with.
+h2. Keepproxy Permissions
 
-You can set permissions for @keep-web@ and @keepproxy@, with separate policies for regular users and admin users.
-
-If the user attempts to upload or download from a service without permission, they will receive a @403 Forbidden@ response.  This only applies to file content.  Users can still see collection listings.
+Permitting @keeproxy@ makes it possible to use @arv-put@ and @arv-get@, and upload from Workbench 1.  It works in terms of individual 64 MiB keep blocks.  It prints a log each time a user uploads or downloads an individual block.
 
 The default policy allows anyone to upload or download.
 
 <pre>
     Collections:
-      KeepWebPermisison:
+      KeepproxyPermission:
         User:
           Download: true
           Upload: true
         Admin:
           Download: true
           Upload: true
+</pre>
 
-      KeepproxyPermission:
+h2. WebDAV and S3 API Permissions
+
+Permitting @WebDAV@ makes it possible to use WebDAV, S3 API, download from Workbench 1, and upload/download with Workbench 2.  It works in terms of individual files.  It prints a log each time a user uploads or downloads a file.  When @WebDAVLogEvents@ (default true) is enabled, it also adds an entry into the API server @logs@ table.
+
+When a user attempts to upload or download from a service without permission, they will receive a @403 Forbidden@ response.  This only applies to file content.
+
+Denying download permission does not deny access to access to XML file listings with PROPFIND.  As a side effect it does deny auto-generated HTML documents that have file listings.
+
+Denying upload permission does not deny other operations that modify collections without directly accessing file content, such as MOVE and COPY.
+
+The default policy allows anyone to upload or download.
+
+<pre>
+    Collections:
+      WebDAVPermisison:
         User:
           Download: true
           Upload: true
         Admin:
           Download: true
           Upload: true
+      WebDAVLogEvents: true
 </pre>
 
 h2. Shell node and container permissions
 
-Be aware that even when upload and download from outside the network is not allowed, a user who has access to a shell node or runs a container still has internal access to Keep.  (This is necessary to be able to run workflows).  From the shell node or container, a user could send data outside the network by some other method, although this requires more intent than accidentally clicking on a link and downloading a file.  It is possible to set up a firewall to prevent shell and compute nodes from making connections to hosts outside the private network.  Exactly how to configure this is out of scope for this page, as it depends on the specific network infrastructure of your cluster.
+Be aware that even when upload and download from outside the network is not allowed, a user who has access to a shell node or runs a container still has internal access to Keep.  (This is necessary to be able to run workflows).  From the shell node or container, a user could send data outside the network by some other method, although this requires more intent than accidentally clicking on a link and downloading a file.  It is possible to set up a firewall to prevent shell and compute nodes from making connections to hosts outside the private network.  Exactly how to configure firewalls is out of scope for this page, as it depends on the specific network infrastructure of your cluster.
 
 h2. Choosing a policy
 
+This distinction between WebDAV and Keepproxy is important for auditing.  WebDAV records 'upload' and 'download' events on the API server that are included in the "User Activity Report":user-activity.html ,  whereas @keepproxy@ only logs upload and download of individual blocks, which require a reverse lookup to determine the collection(s) and file(s) a block is associated with.
+
+You set separate permissions for @WebDAV@ and @Keepproxy@, with separate policies for regular users and admin users.
+
 These policies apply to only access from outside the cluster, using Workbench or Arvados CLI tools.
 
+The @WebDAVLogEvents@ option should be enabled if you intend to the run the "User Activity Report":user-activity.html .  If you don't need audits, or you are running a site that is mostly serving public data to anonymous downloaders, you can disable in to avoid the extra API server request.
+
 h3. Audited downloads
 
-For ease of access auditing, this policy prevents downloads using @arv-get at .  Downloads through @keep-web@ are permitted, but logged.  Uploads with @arv-put@ are allowed.
+For ease of access auditing, this policy prevents downloads using @arv-get at .  Downloads through WebDAV and S3 API are permitted, but logged.  Uploads are allowed.
 
 <pre>
     Collections:
-      KeepWebPermisison:
+      WebDAVPermisison:
         User:
           Download: true
           Upload: true
@@ -78,6 +92,7 @@ For ease of access auditing, this policy prevents downloads using @arv-get at .  Do
         Admin:
           Download: false
           Upload: true
+      WebDAVLogEvents: true
 </pre>
 
 h3. Disallow downloads by regular users
@@ -86,7 +101,7 @@ This policy prevents regular users (non-admin) from downloading data.  Uploading
 
 <pre>
     Collections:
-      KeepWebPermisison:
+      WebDAVPermisison:
         User:
           Download: false
           Upload: true
@@ -101,6 +116,7 @@ This policy prevents regular users (non-admin) from downloading data.  Uploading
         Admin:
           Download: true
           Upload: true
+      WebDAVLogEvents: true
 </pre>
 
 h3. Disallow uploads by regular users
@@ -109,7 +125,7 @@ This policy is suitable for an installation where data is being shared with a gr
 
 <pre>
     Collections:
-      KeepWebPermisison:
+      WebDAVPermisison:
         User:
           Download: true
           Upload: false
@@ -124,4 +140,5 @@ This policy is suitable for an installation where data is being shared with a gr
         Admin:
           Download: true
           Upload: true
+      WebDAVLogEvents: true
 </pre>
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 13761bf76..fbb27b793 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -555,11 +555,10 @@ Clusters:
         # Persistent sessions.
         MaxSessions: 100
 
-      # Selectively set permissions for regular users and admins to be
-      # able to download or upload data files using the
-      # upload/download features for Workbench, WebDAV and S3 API
-      # support.
-      KeepWebPermission:
+      # Selectively set permissions for regular users and admins to
+      # download or upload data files using the upload/download
+      # features for Workbench, WebDAV and S3 API support.
+      WebDAVPermission:
         User:
           Download: true
           Upload: true
@@ -578,6 +577,12 @@ Clusters:
           Download: true
           Upload: true
 
+      # Post upload / download events to the API server logs table, so
+      # that they can be included in the arv-user-activity report.
+      # You can disable this if you find that it is creating excess
+      # load on the API server and you don't need it.
+      WebDAVLogEvents: true
+
     Login:
       # One of the following mechanisms (SSO, Google, PAM, LDAP, or
       # LoginCluster) should be enabled; see
diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go
index 49d6e5ed2..2f914b9a7 100644
--- a/lib/config/generated_config.go
+++ b/lib/config/generated_config.go
@@ -561,11 +561,10 @@ Clusters:
         # Persistent sessions.
         MaxSessions: 100
 
-      # Selectively set permissions for regular users and admins to be
-      # able to download or upload data files using the
-      # upload/download features for Workbench, WebDAV and S3 API
-      # support.
-      KeepWebPermission:
+      # Selectively set permissions for regular users and admins to
+      # download or upload data files using the upload/download
+      # features for Workbench, WebDAV and S3 API support.
+      WebDAVPermission:
         User:
           Download: true
           Upload: true
@@ -584,6 +583,12 @@ Clusters:
           Download: true
           Upload: true
 
+      # Post upload / download events to the API server logs table, so
+      # that they can be included in the arv-user-activity report.
+      # You can disable this if you find that it is creating excess
+      # load on the API server and you don't need it.
+      WebDAVLogEvents: true
+
     Login:
       # One of the following mechanisms (SSO, Google, PAM, LDAP, or
       # LoginCluster) should be enabled; see
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index 83a670832..13fe989ca 100644
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
@@ -142,7 +142,8 @@ type Cluster struct {
 		WebDAVCache WebDAVCacheConfig
 
 		KeepproxyPermission UploadDownloadRolePermissions
-		KeepWebPermission   UploadDownloadRolePermissions
+		WebDAVPermission    UploadDownloadRolePermissions
+		WebDAVLogEvents     bool
 	}
 	Git struct {
 		GitCommand   string

-----------------------------------------------------------------------

