Hi Sergei,
Yes, I understand that Che relies on only one user. And that in that solution that user is granted all roles.
But, In real life,
The logic in
hasPermissions() will have to change, right?
Even if I grant my user only one role (workspace/developer), workspace membership needs to be checked as well…
How do I make such extension?
Regards,
Dror
From: che-dev-bounces@xxxxxxxxxxx [mailto:che-dev-bounces@xxxxxxxxxxx]
On Behalf Of Sergii Kabashniuk
Sent: Thursday, March 10, 2016 12:02 PM
To: che developer discussions <che-dev@xxxxxxxxxxx>
Subject: Re: [che-dev] Question about Uses, Roles and Workspace access
The basic idea for VFS permission implementation is to rely on user roles in EnvironmentContext
For Che we didn't much care about that. Since we think that only one local user is working on.
We granted him all possible roles.
In real life. You request authorization filter should put User roles in EnvironmentContext depends on userid ,
workspaceId and his membership status.
On Thu, Mar 10, 2016 at 10:27 AM, Cohen, Dror <dror.cohen@xxxxxxx> wrote:
Hi Sergii and Gennady,
We are using the default VFS implementation, without any extension. package che-core-vfs-impl.
To get contents of a file and update it (get/put)
When debugging Che, I'm looking at the method hasPermissions() in FSMountPoint in che-core-vfs-impl.
In this method, access is granted base on the user's "workspace/developer" role, without checking if
that user is a member of that workspace (he is not)
This is not Che single user, I have 2 user' each with his own workspace
Is there an extension for che-core-vfs-impl I need to use?
If you wish, we can have a short online session where I can show the debug flow.
Hope this helps,
Dror
From:
che-dev-bounces@xxxxxxxxxxx [mailto:che-dev-bounces@xxxxxxxxxxx]
On Behalf Of Gennady Azarenkov
Sent: Wednesday, March 09, 2016 11:01 AM
To: che developer discussions <che-dev@xxxxxxxxxxx>
Subject: Re: [che-dev] Question about Uses, Roles and Workspace access
Hi Dror,
Let me refine Sergey's question to make it easier for you to answer.
Are you using default Che bundle to test?
(If so, indeed User is taken as workspace/dev and admin for all the workspace since Che is single user.)
On Wed, Mar 9, 2016 at 10:53 AM, Sergii Kabashniuk <skabashnyuk@xxxxxxxxxxx> wrote:
Hello Dror
On Tue, Mar 8, 2016 at 2:55 PM, Cohen, Dror <dror.cohen@xxxxxxx> wrote:
Hi,
Yes, Version 3.14 I believe…
Yes, Exactly right. In debug I see that he is granted by the 'workspace/developer' role, although not
a member of that workspace
Can you elaborate a bit more. Where you can see it?
Dror
From:
che-dev-bounces@xxxxxxxxxxx [mailto:che-dev-bounces@xxxxxxxxxxx]
On Behalf Of Gennady Azarenkov
Sent: Tuesday, March 08, 2016 1:30 PM
To: che developer discussions <che-dev@xxxxxxxxxxx>
Subject: Re: [che-dev] Question about Uses, Roles and Workspace access
I see, Dror
Just in case, we are talking about 3.x version right?
So, you mean UserB is not a WorkspaceA's workspace/developer or admin is able to access files of private WorkspaceA's files with Project API calls correct?
On Tue, Mar 8, 2016 at 12:34 PM, Cohen, Dror <dror.cohen@xxxxxxx> wrote:
Hi Gennady,
No, I do not mean to assign them in an application scope.
Very Simply,
It seems that the "workspace\developer" role grants permission to user A to read/write in user B's
workspace.
I could not find any "ownership of workspace" check….
Is this by design?
How can I prevent write access to other user's workspace?
Regards,
Dror
From:
che-dev-bounces@xxxxxxxxxxx [mailto:che-dev-bounces@xxxxxxxxxxx]
On Behalf Of Gennady Azarenkov
Sent: Tuesday, March 08, 2016 11:03 AM
To: che developer discussions <che-dev@xxxxxxxxxxx>
Subject: Re: [che-dev] Question about Uses, Roles and Workspace access
If I understand you correct - You mean you assign those roles as for application scope?
I believe "workspace/admin", "workspace/developer" are not a global roles, they intended to be used in the context of particular workspace.
And so they are physically assigned for workspace member - i.e. "workspace member has a role of ..."
On Mon, Mar 7, 2016 at 4:59 PM, Cohen, Dror <dror.cohen@xxxxxxx> wrote:
Hi,
I would appreciate an explanation on Che Workspace permissions:
I am creating che users with the following roles:
"workspace/admin", "workspace/developer"
Currently,
User A can read and even modify a file in user B's workspace, even if I created the file in a
'visibility=private' project.
When debugging (in
che_core_vfs_impl) , I see that read or write permission is granted based on ACLs, on the user's
"workspace/developer" role,
even though that user is not a member of that workspace…
Could it be that this check is missing?
Or am I doing something wrong here…
I am trying to restrict a user's write access to another workspace.
I appreciate your help
Regards,
Dror
_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/che-dev
_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/che-dev
_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/che-dev
_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/che-dev
_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/che-dev
|