A Restriction provides an overlay authorisation layer in which some actions
that a user would normally be able to perform are denied; i.e., a Restriction
may only reduce what a user is able to achieve, compared with the user's
requests considered separately from any Restriction. It can never grant an
action that the underlying authorisation would refuse.
The main use-case is to allow delegation with reduced authorisation.
Delegation is where one agent (that is authorised to use dCache) allows
another agent (that is otherwise not allowed to use dCache) to access dCache
according to the first agent's authorisation. This is commonly referred to as
the second agent "acting on behalf of" the first agent.
Delegation is often achieved by the first agent providing some credential to
the second agent. Ideally, the credential passed to the second agent is
limited as much as possible, to contain the damage should the second agent be
untrustworthy or the credential be stolen. When the second agent logs in, its
delegated credential attracts a Restriction that limits what is authorised
for that session.
Here is a mapping between common operations and the corresponding Restriction
checks:

Change current directory
    Requires Activity.READ_METADATA on the new path.

List contents of a directory
    Requires Activity.LIST on the directory path. Each child of the directory
    for which Activity.READ_METADATA is restricted is excluded from the
    listing (the listing succeeds, the child is simply not shown).

Read information about a file or directory
    Requires Activity.READ_METADATA on the path.

Write a new file
    Requires Activity.UPLOAD on the new file's path.

Delete a file or directory
    Requires Activity.DELETE on the path.

Rename or move a file
    Requires Activity.MANAGE on both the source's and the target's parent
    directories. If the move would overwrite an existing file then
    Activity.DELETE is also needed on the target path.

Create a symbolic link
    Requires Activity.MANAGE on the symbolic link's parent directory.

Create an internal copy of a file
    Requires Activity.DOWNLOAD on the source file and Activity.UPLOAD on the
    target directory.
Restrictions should be written with a "No Islands" rule in mind.
Specifically, every Restriction should be written such that, if a path is
unrestricted for some activity, then the parent path is unrestricted for
Activity.READ_METADATA. Applying the rule again to the parent (with
Activity.READ_METADATA as the activity) shows that every ancestor up to the
root is then also unrestricted for Activity.READ_METADATA, so there is no
"island" of permitted paths that the user cannot navigate to. The consequence
is that, when checking permissions, it is safe to check only the longest (or
most specific) path against the user's activity, without separately checking
Activity.READ_METADATA on each ancestor.
Restrictions can form a subsumption hierarchy. A restriction A is said to be
subsumed by a restriction B if every operation denied by A is also denied by
B. Intuitively, B subsumes A if B is at least as strict as A; in particular,
the Restriction that denies nothing is subsumed by every Restriction.
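The following Python model ties together the three parts of this page: the
overlay that can only deny, the mapping of user operations onto Activity
checks, and the No Islands rule together with subsumption. It is an added
example written for this page and is not dCache's own code. The Activity
names follow the page; the Restriction class and its
prefix/denied/hidden/navigable representation, the sample paths and every
function name are assumptions made for illustration, and the subsumption
check is evaluated over a sample of paths rather than structurally.

```python
"""Toy model of a dCache-style Restriction: an overlay that can only deny."""
from dataclasses import dataclass
from enum import Enum, auto
from posixpath import dirname, join, normpath

class Activity(Enum):
    """Activity names as used on the page; the enum itself is an assumption."""
    LIST = auto()
    DOWNLOAD = auto()
    UPLOAD = auto()
    DELETE = auto()
    MANAGE = auto()
    READ_METADATA = auto()
    UPDATE_METADATA = auto()

def parent(path):
    """Parent of an absolute path, or None for the root."""
    return None if path == "/" else (dirname(path) or "/")

def ancestors(path):
    """Every proper ancestor of path, nearest first, ending with the root."""
    while (path := parent(path)) is not None:
        yield path

def is_within(path, prefix):
    """True if path equals prefix or lies somewhere below it."""
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

@dataclass(frozen=True)
class Restriction:
    """Assumed representation, not dCache's: `denied` activities are refused
    everywhere, `hidden` subtrees are refused every activity, anything else is
    allowed only at or below `allowed_prefix`.  navigable=True keeps
    READ_METADATA on the prefix's ancestors so the user can reach it;
    navigable=False deliberately builds a restriction with an island."""
    allowed_prefix: str = "/"
    denied: frozenset = frozenset()
    hidden: frozenset = frozenset()
    navigable: bool = True

    def is_restricted(self, activity, path):
        path = normpath(path)
        if activity in self.denied or any(is_within(path, h) for h in self.hidden):
            return True
        if is_within(path, self.allowed_prefix):
            return False
        return not (self.navigable and activity is Activity.READ_METADATA
                    and is_within(self.allowed_prefix, path))

def can_rename(r, source, target, target_exists=False):
    """MANAGE on both parent directories, plus DELETE on the target if overwriting."""
    ok = not (r.is_restricted(Activity.MANAGE, parent(source))
              or r.is_restricted(Activity.MANAGE, parent(target)))
    return ok and not (target_exists and r.is_restricted(Activity.DELETE, target))

def can_copy(r, source, target_dir):
    """Internal copy: DOWNLOAD on the source file and UPLOAD on the target directory."""
    return not (r.is_restricted(Activity.DOWNLOAD, source)
                or r.is_restricted(Activity.UPLOAD, target_dir))

def list_directory(r, directory, children):
    """LIST on the directory; children lacking READ_METADATA are dropped, not refused."""
    if r.is_restricted(Activity.LIST, directory):
        raise PermissionError(directory)
    return [c for c in children
            if not r.is_restricted(Activity.READ_METADATA, join(directory, c))]

def islands(r, paths):
    """(activity, path) pairs unrestricted at the path whose parent is restricted
    for READ_METADATA: exactly what the No Islands rule forbids."""
    return [(a, p) for p in paths if parent(p) is not None for a in Activity
            if not r.is_restricted(a, p)
            and r.is_restricted(Activity.READ_METADATA, parent(p))]

def allowed_with_traversal(r, activity, path):
    """Conservative check: activity on the path and READ_METADATA on every ancestor.
    Agrees with the single most-specific-path check whenever islands() is empty."""
    return not r.is_restricted(activity, path) and not any(
        r.is_restricted(Activity.READ_METADATA, p) for p in ancestors(path))

def is_subsumed_by(a, b, paths):
    """a is subsumed by b if everything a denies over the sample paths, b denies too."""
    return all(b.is_restricted(act, p) for p in paths for act in Activity
               if a.is_restricted(act, p))

# Constructed sample: a delegated credential confined to an upload area.
SAMPLE = ["/", "/data", "/data/incoming", "/data/incoming/f1",
          "/data/incoming/secret", "/data/archive/old", "/scratch"]
WRITES = frozenset({Activity.UPLOAD, Activity.DELETE,
                    Activity.MANAGE, Activity.UPDATE_METADATA})
UNRESTRICTED = Restriction()
READ_ONLY = Restriction(denied=WRITES)
INCOMING = Restriction("/data/incoming", hidden=frozenset({"/data/incoming/secret"}))
INCOMING_RO = Restriction("/data/incoming", denied=WRITES, hidden=INCOMING.hidden)
ISLAND = Restriction("/data/incoming", navigable=False)
```

With these definitions, list_directory(INCOMING, "/data/incoming", ["f1",
"secret"]) returns ["f1"] because the hidden child lacks READ_METADATA, a
rename from /data/incoming/f1 onto the hidden file fails on the extra DELETE
check even though MANAGE on the parent is fine, islands(INCOMING, SAMPLE) is
empty while islands(ISLAND, SAMPLE) reports /data/incoming (reachable for
every activity although its parent refuses READ_METADATA), and for the
island-free restrictions allowed_with_traversal agrees with a single
is_restricted call on the most specific path. The subsumption order is also
visible: UNRESTRICTED is subsumed by everything, INCOMING and READ_ONLY are
each subsumed by INCOMING_RO, and neither of those two is subsumed by the
other.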