To avoid users having to ask for read permission in addition to write permission just to check whether a resource exists (which means granting stat permission), we need to review the 1-to-1 logic that matches storage.* scopes to HTTP methods. Currently, each HTTP method requires a specific storage.* scope:
- HEAD, OPTIONS, PROPFIND, GET require storage.read scope
- PATCH, DELETE require storage.modify scope
- PUT, MKCOL require storage.create scope if the resource doesn't exist
- PUT, MKCOL require storage.modify scope if the resource exists
In practice, removing the read permission requirement for the HEAD method should fix all the problems.
This task can be related to a more detailed review of this logic, which must also consider the latency status of the resource (its online/nearline status).
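The mapping above and the effect of the proposed HEAD change, as an added example (not code from the project). It assumes scopes are compared by name only, ignoring the path after the colon, and that after the change any storage.* scope is enough for HEAD; the function names and the sample token scope are constructed for illustration.

```python
# Added example: the method-to-scope table from this ticket as a lookup,
# plus the "check existence, then upload" client flow it is meant to fix.
READ, MODIFY, CREATE = "storage.read", "storage.modify", "storage.create"


def required_scope(method, exists):
    """Scope the current 1-to-1 logic requires for `method`."""
    method = method.upper()
    if method in {"HEAD", "OPTIONS", "PROPFIND", "GET"}:
        return READ
    if method in {"PATCH", "DELETE"}:
        return MODIFY
    if method in {"PUT", "MKCOL"}:
        # Same method, different scope depending on resource state.
        return MODIFY if exists else CREATE
    raise ValueError(f"method not covered by the mapping: {method}")


def allowed(token_scopes, method, exists, relax_head=False):
    """Authorize one request. Path suffixes are ignored (assumption)."""
    granted = {s.split(":", 1)[0] for s in token_scopes}
    if relax_head and method.upper() == "HEAD":
        # Assumption: after the change, any storage.* scope permits HEAD.
        return any(s.startswith("storage.") for s in granted)
    return required_scope(method, exists) in granted


def upload_if_absent(token_scopes, exists, relax_head=False):
    """Client flow: HEAD to test existence, PUT only when absent."""
    if not allowed(token_scopes, "HEAD", exists, relax_head):
        return "HEAD denied"
    if exists:
        return "skipped, resource exists"
    if allowed(token_scopes, "PUT", exists, relax_head):
        return "PUT allowed"
    return "PUT denied"


if __name__ == "__main__":
    write_only = ["storage.create:/"]  # constructed sample token scope
    print(upload_if_absent(write_only, exists=False))                   # current logic
    print(upload_if_absent(write_only, exists=False, relax_head=True))  # proposed
```

With the relaxed rule a write-only token can learn whether a path exists, while GET and PROPFIND still require storage.read.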
- relates to: STOR-1601 Review WLCG scopes matching with HTTP methods logic (Open)