DVC garbage collector permissions for remote SSH

Is there a way to prevent people from running dvc gc with the “--cloud” option?

To give a bit more context, we would want to put DVC in place in our company with an SSH remote storage, but we realized there was no user management in DVC for now. So everyone would be able to push to the remote, but also to garbage collect. For data safety purposes, this is not something we want. To the best of our knowledge, there is also no possibility to restrict directly on the SSH storage side because there is no way to authorize write access but no deletion access.

What we would want is to have only an “admin” user that could run this garbage collection on the remote.


Hi @alombard, DVC doesn’t provide any file permission layer on remotes, as each one already has its own controls in place. In the case of SSH that would be Linux permissions (rwx) for example.

In this case unfortunately if you give users write permission that implies they can delete their own files too. One idea is to set up some batch process (e.g. a cron) to change the file owner of pushed data, which should prevent others from deleting it if the perms are something like 755 (default).

Another option could be to provide a limited dvc-shell to be invoked via ~/.ssh/authorized_keys like gitolite does. That would be handy for providing a public, read-only ssh backend.
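
One way to implement the ownership-changing cron job suggested above, as an added example that is not from the thread or from the DVC project. The path `/srv/dvc-remote`, the account `dvc-admin` and the group `dvc-users` are assumed names, and the sticky, group-writable directory mode is this example's own choice so that pushes keep working while only the owner of a file or of its directory may unlink it. A pusher can still delete their own object until the next run.

```shell
#!/bin/sh
# Added example: lock objects pushed to a DVC SSH remote so that only an
# admin account can delete them. Meant to be sourced and called as root
# from cron on the storage host, for instance every few minutes:
#   lock_remote /srv/dvc-remote dvc-admin dvc-users
# All three names are assumptions of this example, not values from the thread.

# lock_remote DIR OWNER GROUP
lock_remote() {
    dir=$1 owner=$2 group=$3
    [ -d "$dir" ] || { echo "lock_remote: $dir is not a directory" >&2; return 1; }

    # Hand every entry not yet owned by OWNER:GROUP over to it.
    # -h changes a symlink itself instead of whatever it points to.
    find "$dir" \( ! -user "$owner" -o ! -group "$group" \) \
        -exec chown -h "$owner:$group" {} + || return 1

    # Directories: group members may still add entries (dvc push), setgid
    # keeps the group on new entries, and the sticky bit limits unlink and
    # rename to the owner of the entry or of the directory (now OWNER).
    find "$dir" -type d ! -perm 3775 -exec chmod 3775 {} + || return 1

    # Objects are content-addressed and never edited in place: read-only.
    find "$dir" -type f ! -perm 0444 -exec chmod 0444 {} + || return 1
}

# count_unlocked DIR OWNER
# Prints how many entries a non-admin could still remove or modify:
# wrong owner, directory without the sticky bit, or file not mode 0444.
# Useful as a monitoring check between cron runs; 0 means fully locked.
count_unlocked() {
    find "$1" \( ! -user "$2" \
        -o \( -type d ! -perm -1000 \) \
        -o \( -type f ! -perm 0444 \) \) \
        -exec printf . \; | wc -c | tr -d ' '
}
```

With this in place a `dvc gc --cloud` run by anyone other than the admin account fails on locked objects, because the unlink is refused by the filesystem.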