irods / irods_rule_engine_plugin_metadata_guard

BSD 3-Clause "New" or "Revised" License

Seems `irods` namespace has special meaning #43

Open mstfdkmn opened 2 years ago

mstfdkmn commented 2 years ago

We're running iRODS 4.2.10 on CentOS 7. The plugin is 4.2.10.1 Release

A rodsuser cannot modify the guarded metadata if any of the guarded metadata starts with irods as a prefix, regardless of access level. That is, only rodsadmin has the power to modify them.

A rodsuser has at least write access on the zone collection:

-bash-4.2$ ils -A /tempZone
/tempZone:
        ACL - g:public#tempZone:read object   rods#tempZone:own   user1#tempZone:modify object
        Inheritance - Disabled

After the rodsuser guards some metadata starting with irods and other prefixes, he can no longer modify any guarded metadata:

[user1@dev-u0137480 ~]$ imeta add -C /tempZone irods::metadata_guard '{"prefixes": ["rules::"], "admin_only": true}'
[user1@dev-u0137480 ~]$ imeta add -C /tempZone irods::metadata_guard '{"prefixes": ["irods::"], "admin_only": true}'
[user1@dev-u0137480 ~]$ imeta rm -C /tempZone irods::metadata_guard '{"prefixes": ["rules::"], "admin_only": true}'
remote addresses: 10.0.2.100 ERROR: rcModAVUMetadata failed with error -830000 CAT_INSUFFICIENT_PRIVILEGE_LEVEL

In case he wants to guard metadata not starting with irods, he can modify any:

[user1@dev-u0137480 ~]$ imeta add -C /tempZone irods::metadata_guard '{"prefixes": ["rules::"], "admin_only": true}'
[user1@dev-u0137480 ~]$ imeta add -C /tempZone irods::metadata_guard '{"prefixes": ["fruits::"], "admin_only": true}'
[user1@dev-u0137480 ~]$ imeta rm -C /tempZone irods::metadata_guard '{"prefixes": ["rules::"], "admin_only": true}'

The same happens with a single configuration:

[user1@dev-u0137480 ~]$ imeta rm -C /tempZone irods::metadata_guard '{"prefixes": ["rules::", "irods::"], "admin_only": true}'

However, this doesn't happen if the rodsuser configures for editors, not admins:

[user1@dev-u0137480 ~]$ imeta add -C /tempZone irods::metadata_guard '{"prefixes": ["irods::"], "editors": [{"type": "user", "name": "user1"}]}'
[user1@dev-u0137480 ~]$ imeta rm -C /tempZone irods::metadata_guard '{"prefixes": ["irods::"], "editors": [{"type": "user", "name": "user1"}]}'

Perhaps not a big issue at first glance but took some time to understand it :)

trel commented 2 years ago

Hm, this does seem inconsistent. We'll take a good look...

mstfdkmn commented 2 years ago

rodsadmin has the same issue if not added in the configuration:

[user1@dev-u0137480 ~]$ imeta add -C /tempZone irods::metadata_guard '{"prefixes": ["irods::"], "editors": [{"type": "user", "name": "user1"}]}'

Once the rodsadmin wants to remove:

-bash-4.2$ imeta rm -C /tempZone irods::metadata_guard '{"prefixes": ["irods::"], "editors": [{"type": "user", "name": "user1"}]}'
remote addresses: 10.0.2.100 ERROR: rcModAVUMetadata failed with error -830000 CAT_INSUFFICIENT_PRIVILEGE_LEVEL
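The behaviour reported in both comments above is consistent with a simple model: the guard configuration lives in an AVU whose attribute name is `irods::metadata_guard`, so a guard that covers the `irods::` prefix also covers the configuration AVU itself, and the same `admin_only` / `editors` rule then applies to any later change of the configuration. The script below is an added example that models that decision logic in Python so the four cases from the thread can be checked side by side; it is not the plugin's own code, and the evaluation order (prefix match, then `admin_only`, then `editors`) and the user/group record shape are assumptions made for the illustration.

```python
import json

GUARD_ATTR = "irods::metadata_guard"   # attribute that carries the guard configuration

# Constructed user records for the illustration (not iRODS's own data model)
USER1 = {"name": "user1", "type": "rodsuser", "groups": ["public"]}
RODS = {"name": "rods", "type": "rodsadmin", "groups": ["public"]}


def parse_guard_config(value):
    """Parse one irods::metadata_guard AVU value (a JSON document)."""
    cfg = json.loads(value)
    return {
        "prefixes": list(cfg.get("prefixes", [])),
        "admin_only": bool(cfg.get("admin_only", False)),
        "editors": list(cfg.get("editors", [])),
    }


def is_editor(user, editors):
    """True if the user (or one of its groups) is listed as an editor."""
    for entry in editors:
        if entry.get("type") == "user" and entry.get("name") == user["name"]:
            return True
        if entry.get("type") == "group" and entry.get("name") in user["groups"]:
            return True
    return False


def modification_allowed(user, attribute, guard_values):
    """Decide whether `user` may add/remove an AVU named `attribute` on a
    collection carrying the given guard configurations.
    Returns (allowed, reason); the reason mirrors the error seen in the thread."""
    for raw in guard_values:
        cfg = parse_guard_config(raw)
        # Assumed: a guard only applies when the attribute starts with a listed prefix
        if not any(attribute.startswith(p) for p in cfg["prefixes"]):
            continue
        if cfg["admin_only"]:
            if user["type"] == "rodsadmin":
                continue
            return False, "CAT_INSUFFICIENT_PRIVILEGE_LEVEL"
        if cfg["editors"]:
            if is_editor(user, cfg["editors"]):
                continue
            # Assumed (matches the second comment): rodsadmin gets no implicit exemption here
            return False, "CAT_INSUFFICIENT_PRIVILEGE_LEVEL"
    return True, "ok"


def reproduce_report():
    """Replay the configurations from the thread and return who may touch
    the guard AVU itself in each case."""
    # Case 1: two admin_only guards, the second one covering "irods::"
    case1 = ['{"prefixes": ["rules::"], "admin_only": true}',
             '{"prefixes": ["irods::"], "admin_only": true}']
    # Case 2: admin_only guards on prefixes that do not cover "irods::"
    case2 = ['{"prefixes": ["rules::"], "admin_only": true}',
             '{"prefixes": ["fruits::"], "admin_only": true}']
    # Case 3: a single admin_only guard listing both prefixes
    case3 = ['{"prefixes": ["rules::", "irods::"], "admin_only": true}']
    # Case 4: "irods::" guarded with an editors list naming user1 only
    case4 = ['{"prefixes": ["irods::"], "editors": [{"type": "user", "name": "user1"}]}']
    return {
        "case1_user1": modification_allowed(USER1, GUARD_ATTR, case1)[0],
        "case1_rods": modification_allowed(RODS, GUARD_ATTR, case1)[0],
        "case2_user1": modification_allowed(USER1, GUARD_ATTR, case2)[0],
        "case3_user1": modification_allowed(USER1, GUARD_ATTR, case3)[0],
        "case4_user1": modification_allowed(USER1, GUARD_ATTR, case4)[0],
        "case4_rods": modification_allowed(RODS, GUARD_ATTR, case4)[0],
    }


if __name__ == "__main__":
    for case, allowed in reproduce_report().items():
        print(f"{case}: {'allowed' if allowed else 'CAT_INSUFFICIENT_PRIVILEGE_LEVEL'}")
```

Under this model, case 1 and case 3 deny user1 because `irods::metadata_guard` starts with the guarded prefix `irods::`, case 2 allows user1 because neither `rules::` nor `fruits::` matches the guard's own attribute, and case 4 allows user1 but denies the rodsadmin who is not in the editors list, which is exactly the sequence the two comments show. The practical consequence for an operator is that guarding `irods::` (or any prefix that covers `irods::metadata_guard`) makes the guard configuration self-protecting, so the rule that will later be allowed to change it should be decided before it is written.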