root/super_root permissions

stfc / rucio

Rucio - Scientific Data Management

http://rucio.cern.ch

Apache License 2.0

0 stars 0 forks source link

root/super_root permissions #20

Closed elichad closed 4 years ago

elichad commented 4 years ago

[x] super_root only features (add VO, add root user, edit VO)
[x] root only features (make sure super_root is excluded from all existing root permissions which make changes within the VO)
[ ] root and super_root features (to be discussed, maybe functions like listing of scopes etc. which do not make changes to the VO)

patrick-austin commented 4 years ago

Current handling of permissions has no overlap between root and super_root, and the super_root functions are tested to make sure they are inaccessible to root. Don't currently have a test case for making sure super_root is denied access to the more "mundane" functions. Don't have any shared functions (yet?)

patrick-austin commented 4 years ago

Given that super_root is based at VO 'def', it cannot authenticate for actions at other VOs (root or otherwise. Have also tested that creating an account named super_root at a new VO has neither root nor super_root permissions. Currently super_root can perform actions at VO 'def' associated with a normal (non root) user, such as adding a scope for its own account.