Skip to content

Feat/public access: Anonymous read-only access via public roles#306

Open
St4NNi wants to merge 6 commits into
feat/quota-configfrom
feat/public-access
Open

Feat/public access: Anonymous read-only access via public roles#306
St4NNi wants to merge 6 commits into
feat/quota-configfrom
feat/public-access

Conversation

@St4NNi

@St4NNi St4NNi commented Jul 6, 2026

Copy link
Copy Markdown
Member

Adds a public role concept bound to the everyone principal: groups can flag roles as public, permission checks apply public roles to all principals, S3 allows anonymous read-only access through them, and unauthenticated DRS requests resolve as the everyone principal.

Stacked on #305 (feat/quota-config); diff shows only the public-access commits.

Changes

  • Adds a public flag to group roles, encoded as an assignment to the everyone principal (UserId::nil) with Role::is_public helpers.
  • Applies public roles to every principal in permission checks, including anonymous requests.
  • Exposes the public flag on the group role endpoints: settable on role creation and returned in role listings, with the everyone principal surfaced via the flag instead of appearing as a member.
  • Allows anonymous read-only S3 access: unsigned requests resolve to the anonymous principal and succeed only where a public role grants read access; write operations remain rejected.
  • Resolves unauthenticated DRS requests as the everyone principal so public data is reachable without a token.
  • Adds end-to-end anonymous access coverage in aruna/tests/public_access.rs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant