Open paulmillar opened 11 months ago
My take on the answers at this time:
storage.create
, while anything can be renamed with storage.modify
. The rationale is that a file may be uploaded with a temporary name, to be subsequently renamed using the same token, but only if the upload was successful, and to be removed otherwise. The reason for that is to commit to the proper name in the SE namespace only when the corresponding file supposedly is in good shape on that SE. By contrast, a directory can be created, or fail to be created, in a single operation. One could also envisage a use case for temporary directories, though, which would only get renamed once their contents are deemed to be in good shape. I doubt the importance of that use case in practice, though. There is a case for limiting the rename functionality to files only: reducing potential abuse.storage.create
capability. For example, storage.create:/foo/bar
permits a file to be uploaded into /foo/bar/name.txt.1704651392
and subsequently renamed to /foo/bar/name.txt
, but not to /foo/qux/name.txt
, even when the same token is also equipped with storage.create:/foo/qux
as a capability. For the latter use case, a token would need storage.modify:/foo/bar
as well as storage.modify:/foo/qux
to be provided, possibly implicitly e.g. through a single storage.modify:/foo
capability.What do people think?
For comparison, the xroot protocol supports a kXR_POSC
flag: "persist on successful close". This does something rather similar to what you describe: it updates the namespace only if the upload was successful. Therefore, I think I think you are describing a reasonable use-case, as xrootd developers has already baked support for this into their protocol.
More generally, rename is a somewhat awkward operation, as it has two paths: a source path and a destination path, so one way of defining rename might be to define the authorisation necessary on the source path, and again what is needed on the destination path.
Something that might be worth considering is if the client has storage.read
on the source path and storage.create
on the destination path then that client can simply download the data and upload it. This would have much the same effect as renaming the file (the data is available under a new path).
The idea for supporting renaming of files with storage.create
seems reasonable (to support the above use-case), but I haven't given it too much thought. Limiting source and destination to files in the same directory seems a bit arbitrary, but might be OK.
Something that might be worth considering is if the client has storage.read on the source path and storage.create on the destination path then that client can simply download the data and upload it. This would have much the same effect as renaming the file (the data is available under a new path).
I would note that to properly mirror this, you are missing the storage.delete which would be involved in a full rename, as opposed to a copy where you make no changed to the original data.
Agreeing with @norealroots I try to summarize a bit:
operation | source path needed scopes | destination path needed scopes |
---|---|---|
COPY | storage.read | storage.create |
MOVE/RENAME | storage.modify | storage.create |
If the aim of this discussion is to better explain what storage.create
scope allows to do, surely "renaming files" is not enough clear. Renaming/moving/copying are more complex actions that probably can be better explained with examples. I'd propose to change:
This includes renaming files if the destination file does not already exist. This capability includes the creation of directories and subdirectories at the specified path
to:
This capability includes the creation of files, directories and subdirectories at the specified path
and then add a "renaming/moving resources" section dedicated to that kind of operations.
What do you think?
I think it can be defended that for a rename operation not covered by storage.create
, which exists to support data upload, storage.modify
is needed also for the destination, because the file (or directory) is not uploaded.
That said, we will need to spell out the results from the discussion in this issue, probably in a small subsection as suggested, to which the items on storage.create
and storage.modify
would then refer.
On page 12, the
storage.create
description says:Three questions:
$PATH
) in storage scopes? For example, does the token need to grantstorage.create
authorisation to both the source and destination paths?The document should be updated to make the answers to these three questions clear.