[arvados] created: 2.1.0-3079-g2eb88069e
git repository hosting
git at public.arvados.org
Wed Nov 23 19:42:50 UTC 2022
at 2eb88069ea1a778e2a748e4d05244d31912398fa (commit)
commit 2eb88069ea1a778e2a748e4d05244d31912398fa
Author: Tom Clegg <tom at curii.com>
Date: Wed Nov 23 14:42:23 2022 -0500
19513: Add Users.CreateRoleGroups config option.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>
diff --git a/doc/user/topics/arvados-sync-external-sources.html.textile.liquid b/doc/user/topics/arvados-sync-external-sources.html.textile.liquid
index 0ec0098f0..d84995d5b 100644
--- a/doc/user/topics/arvados-sync-external-sources.html.textile.liquid
+++ b/doc/user/topics/arvados-sync-external-sources.html.textile.liquid
@@ -65,6 +65,8 @@ Users can be identified by their email address or username: the tool will check
Permission level can be one of the following: @can_read@, @can_write@ or @can_manage@, giving the group member read, read/write or managing privileges on the group. For backwards compatibility purposes, if any record omits the third (permission) field, it will default to @can_write@ permission. You can read more about permissions on the "group management admin guide":{{ site.baseurl }}/admin/group-management.html.
+When using @arvados-sync-groups@, consider setting @Users.CreateRoleGroups: false@ in your "cluster configuration":{{site.baseurl}}/admin/config.html to prevent users from creating additional groups.
+
h2. Options
The following command line options are supported:
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 0246cb88d..1a0191797 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -373,6 +373,12 @@ Clusters:
# cluster.
RoleGroupsVisibleToAll: true
+ # If CreateRoleGroups is true, regular (non-admin) users can
+ # create new role groups.
+ #
+ # If false, only admins can create new role groups.
+ CreateRoleGroups: true
+
# During each period, a log entry with event_type="activity"
# will be recorded for each user who is active during that
# period. The object_uuid attribute will indicate the user's
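Review bot: The comment on `CreateRoleGroups` does not say what the setting actually gates: the enforcement added in this commit (Group#permission_to_create) checks only `group_class == "role"`, so groups of other classes such as projects are unaffected, and updates to existing role groups are not restricted by it. Operators reading only this file would reasonably assume it covers all group creation. Suggest extending the comment with `# This only restricts creating groups whose group_class is "role"; groups of other classes (e.g. projects) and updates to existing role groups are not affected.`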
diff --git a/lib/config/export.go b/lib/config/export.go
index 6352406e9..14139e850 100644
--- a/lib/config/export.go
+++ b/lib/config/export.go
@@ -236,6 +236,7 @@ var whitelist = map[string]bool{
"Users.AutoSetupNewUsersWithRepository": false,
"Users.AutoSetupNewUsersWithVmUUID": false,
"Users.AutoSetupUsernameBlacklist": false,
+ "Users.CreateRoleGroups": true,
"Users.EmailSubjectPrefix": false,
"Users.NewInactiveUserNotificationRecipients": false,
"Users.NewUserNotificationRecipients": false,
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index 2871356e9..1257d7a83 100644
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
@@ -249,6 +249,7 @@ type Cluster struct {
PreferDomainForUsername string
UserSetupMailText string
RoleGroupsVisibleToAll bool
+ CreateRoleGroups bool
ActivityLoggingPeriod Duration
}
StorageClasses map[string]StorageClassConfig
diff --git a/services/api/app/models/group.rb b/services/api/app/models/group.rb
index e44e605b1..81161e24d 100644
--- a/services/api/app/models/group.rb
+++ b/services/api/app/models/group.rb
@@ -268,6 +268,18 @@ class Group < ArvadosModel
end
end
+ def permission_to_create
+ if !super
+ return false
+ elsif group_class == "role" &&
+ !Rails.configuration.Users.CreateRoleGroups &&
+ !current_user.andand.is_admin
+ raise PermissionDeniedError.new("this cluster does not allow users to create role groups")
+ else
+ return true
+ end
+ end
+
def permission_to_update
if !super
return false
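Review bot: The new check lives only in `permission_to_create`, so unless `group_class` is immutable after creation (not visible in this hunk) a non-admin can still end up owning a role group by creating a `project` group and then changing its `group_class` to `role` through an update. `permission_to_update` starts at the end of this hunk and its body continues outside it; it should apply the same test when the class changes, e.g. `elsif group_class_changed? && group_class == "role" && !Rails.configuration.Users.CreateRoleGroups && !current_user.andand.is_admin`, or the model should reject changes to `group_class` outright. It is also worth a comment that a nil `current_user` is denied here because `!current_user.andand.is_admin` evaluates true for nil: `# a nil current_user (anonymous) counts as non-admin and is denied`.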
diff --git a/services/api/config/arvados_config.rb b/services/api/config/arvados_config.rb
index c0f7ee174..a7abf819c 100644
--- a/services/api/config/arvados_config.rb
+++ b/services/api/config/arvados_config.rb
@@ -106,6 +106,7 @@ arvcfg.declare_config "Users.UserNotifierEmailFrom", String, :user_notifier_emai
arvcfg.declare_config "Users.UserNotifierEmailBcc", Hash
arvcfg.declare_config "Users.NewUserNotificationRecipients", Hash, :new_user_notification_recipients, ->(cfg, k, v) { arrayToHash cfg, "Users.NewUserNotificationRecipients", v }
arvcfg.declare_config "Users.NewInactiveUserNotificationRecipients", Hash, :new_inactive_user_notification_recipients, method(:arrayToHash)
+arvcfg.declare_config "Users.CreateRoleGroups", Boolean
arvcfg.declare_config "Users.RoleGroupsVisibleToAll", Boolean
arvcfg.declare_config "Login.LoginCluster", String
arvcfg.declare_config "Login.TrustedClients", Hash
diff --git a/services/api/test/unit/group_test.rb b/services/api/test/unit/group_test.rb
index a3bcd4e35..33ad0ecdf 100644
--- a/services/api/test/unit/group_test.rb
+++ b/services/api/test/unit/group_test.rb
@@ -532,4 +532,24 @@ update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}'
assert proj.update_attributes(frozen_by_uuid: users(:active).uuid)
end
end
+
+ [
+ [false, :admin, true],
+ [false, :active, false],
+ [true, :admin, true],
+ [true, :active, true],
+ ].each do |conf, user, allowed|
+ test "config.Users.CreateRoleGroups conf=#{conf}, user=#{user}" do
+ Rails.configuration.Users.CreateRoleGroups = conf
+ act_as_user users(user) do
+ if allowed
+ Group.create!(name: 'admin-created', group_class: 'role')
+ else
+ assert_raises(ArvadosModel::PermissionDeniedError) do
+ Group.create!(name: 'user-created', group_class: 'role')
+ end
+ end
+ end
+ end
+ end
end
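Review bot: The table only creates groups with `group_class: 'role'`, so a regression that made the config block creation of every group class (or that dropped the `group_class` condition) would still pass. Add a case under `conf=false, user=:active` asserting that `Group.create!(name: 'proj-created', group_class: 'project')` succeeds, so the over-restriction direction is pinned as well as the bypass direction. The assignment `Rails.configuration.Users.CreateRoleGroups = conf` is not restored at the end of the test; if the test helper does not reset configuration between tests (not visible here), later tests in the run inherit whichever value ran last, so wrapping it in an `ensure` that restores the previous value would be safer.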