Provide per-user bucket access control permissions

[pnasrat]

Context

via https://2i2c.freshdesk.com/a/tickets/553

Communityhreporter ser can delete data from ‘my’ part of the persistent bucket. I put a zarr store to leap-persistent/jbusecke/testing/another_store.zarr and asked another user to delete it with:

import gcsfs
fs = gcsfs.GCSFileSystem()
fs.rm('leap-persistent/jbusecke/testing/another_store.zarr', recursive=True)

Proposal

I'm not clear if the processes in the singleuser server are setup with the end users Google credentials (I doubt it as I didn't have to grant)

For me as [email protected] using fs = gcsfs.GCSFileSystem(token='browser') fails.

May need to investigate IAM Conditions https://cloud.google.com/iam/docs/conditions-overview

References

https://cloud.google.com/storage/docs/access-control
https://cloud.google.com/storage/docs/access-control/iam
https://cloud.google.com/storage/docs/access-control/iam-gsutil

Updates and actions

No response

[pnasrat]

Possibly related https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#identity_sameness_across_clusters

[pnasrat]

Possible #2406 might address the R/W perms enough for this support ticket - cc @yuvipanda for comment

[yuvipanda]

@pnasrat i don't think it will, unfortunately - as that's still bucket level.

pangeo-data/pangeo-cloud-federation#610 has historical context and origins of the scratch bucket, and security tradeoffs were discussed as well.