Skip to content
This repository was archived by the owner on Feb 24, 2020. It is now read-only.

store: allow users in the rkt group to delete images #2961

Merged
merged 2 commits into from
Jul 29, 2016
Merged

store: allow users in the rkt group to delete images #2961

merged 2 commits into from
Jul 29, 2016

Conversation

@iaguis
Copy link
Member

@iaguis iaguis commented Jul 21, 2016

This makes sense when we think of the cas as a cache. Users in the rkt
group should be able to manage images.

cc @sgotti

Fixes #2477

@iaguis iaguis added this to the v1.12.0 milestone Jul 21, 2016
@iaguis iaguis force-pushed the iaguis/rkt-group-store branch 2 times, most recently from 87d3efd to 2474f08 Compare July 22, 2016 10:08
sgotti
sgotti reviewed Jul 22, 2016
View reviewed changes
store/store.go Outdated

if !userInDirGroup && uid != 0 {
return fmt.Errorf("permission denied on %s, user not in the directory group id (%d). Are you root or in the %q group?", path, dirGid, common.RktGroup)
}
Copy link
Contributor

@sgotti sgotti Jul 22, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that, if removed, and permissions are correctly setup it should return an error anyway right?
The check is useful just for better error reporting.

Probably this check, if kept, should be used also in WriteACI, ReadStream etc... (or are there upper checks for this?)

Copy link
Member Author

@iaguis iaguis Jul 22, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, it's just better UX.

I guess there're two possibilities:

  • You are in the rkt group or root: Everything is fine
  • You are not in the rkt group: You'll get errors before this function.

I guess we can remove it then. It was there before because it was depending on the user that fetched the image but now all users on the rkt group can do anything with images.

iaguis added 2 commits July 25, 2016 18:53
@iaguis
store: allow users in the rkt group to delete images
a02915c 
Don't check if we're the owner of the image before removing, all the
users in the rkt group should be able to remove any image.

If the user removing the image is in the rkt group and permissions are
correctly set up (or if they're root), then it's fine, they can remove
images.

If the user is not in the rkt group or permissions are not correctly set
up, they will get errors before this function because they're not
allowed to use the CAS directory.
@iaguis
functional tests: update tests with new rkt group semantics
3e1ac4a 
The members of the rkt group can now manipulate images freely.
@iaguis iaguis force-pushed the iaguis/rkt-group-store branch from 2474f08 to 3e1ac4a Compare July 25, 2016 17:04
@iaguis
Copy link
Member Author

iaguis commented Jul 25, 2016

Updated removing the check altogether.

@lucab
Copy link
Member

lucab commented Jul 26, 2016
edited
Loading

LGTM here, but I'll give @sgotti another chance to re-check before merging.

@sgotti
Copy link
Contributor

sgotti commented Jul 28, 2016

@iaguis LGTM.

Some notes:
rkt image gc does two things. Image store GC (older than n) and treestore GC.

Probably users in rkt group should be able to run image store gc (but not treestore gc). But for this I'll add an additional check to skip the treestore gc (and report that why it has been skipped).

Should we do this as a follow up?

In addition I'd like to let an user choose which kind of gc to run (two different commands or options to image gc to choose which kind of gc) for #2890 (comment) .

@iaguis
Copy link
Member Author

iaguis commented Jul 29, 2016
edited
Loading

I fully agree with #2961 (comment)

And yeah, let's do it on a follow up

@iaguis iaguis merged commit 55393e2 into rkt:master Jul 29, 2016
@lucab lucab unassigned sgotti Apr 5, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

area/security area/usability component/store needs/review priority/P1

Projects

None yet

Milestone

v1.12.0

Development

Successfully merging this pull request may close these issues.

3 participants

@iaguis @lucab @sgotti