Skip to content

Commit

Permalink
enforce write only access to folder http endpoint
Browse files Browse the repository at this point in the history
  • Loading branch information
jlewitt1 committed Aug 6, 2024
1 parent 0d24ea4 commit 1722452
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 1 deletion.
4 changes: 4 additions & 0 deletions runhouse/servers/http/auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ def clear_cache(self, token: str = None):
async def averify_cluster_access(
cluster_uri: str,
token: str,
write_only_access: bool = False,
) -> bool:
"""Checks whether the user has access to the cluster.
Note: A user with write access to the cluster or a cluster owner will have access to all other resources on
Expand All @@ -94,4 +95,7 @@ async def averify_cluster_access(

cluster_access_level = await obj_store.aresource_access_level(token, cluster_uri)

if write_only_access:
return cluster_access_level == ResourceAccess.WRITE

return cluster_access_level in [ResourceAccess.WRITE, ResourceAccess.READ]
5 changes: 4 additions & 1 deletion runhouse/servers/http/http_server.py
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ async def wrapper(*args, **kwargs):
is_coro = inspect.iscoroutinefunction(func)

func_call: bool = func.__name__ in ["post_call", "get_call"]
write_only_access: bool = func.__name__ in ["folder_operation"]
token = get_token_from_request(request)

request_id = request.headers.get("X-Request-ID", str(uuid.uuid4()))
Expand All @@ -90,7 +91,9 @@ async def wrapper(*args, **kwargs):
"provide a valid token in the Authorization header.",
)
cluster_uri = (await obj_store.aget_cluster_config()).get("name")
cluster_access = await averify_cluster_access(cluster_uri, token)
cluster_access = await averify_cluster_access(
cluster_uri, token, write_only_access
)
if not cluster_access:
# Must have cluster access for all the non func calls
# Note: for func calls we handle the auth in the object store
Expand Down

0 comments on commit 1722452

Please sign in to comment.