acl

package
v0.0.0-...-0352b5b Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 29, 2024 License: Apache-2.0 Imports: 3 Imported by: 9

Documentation

Overview

Package acl provides functionality to control access to data and operations on them in FrostFS containers.

Type Basic represents basic ACL of the FrostFS container which specifies the general order of data access. Basic provides interface of rule composition. Package acl also exports some frequently used settings like private or public.

Index

Constants

View Source
const (
	NamePrivate              = "private"
	NamePrivateExtended      = "eacl-private"
	NamePublicRO             = "public-read"
	NamePublicROExtended     = "eacl-public-read"
	NamePublicRW             = "public-read-write"
	NamePublicRWExtended     = "eacl-public-read-write"
	NamePublicAppend         = "public-append"
	NamePublicAppendExtended = "eacl-public-append"
)

Names of the frequently used Basic values.

View Source
const (
	Private              = Basic(0x1C8C8CCC) // private
	PrivateExtended      = Basic(0x0C8C8CCC) // eacl-private
	PublicRO             = Basic(0x1FBF8CFF) // public-read
	PublicROExtended     = Basic(0x0FBF8CFF) // eacl-public-read
	PublicRW             = Basic(0x1FBFBFFF) // public-read-write
	PublicRWExtended     = Basic(0x0FBFBFFF) // eacl-public-read-write
	PublicAppend         = Basic(0x1FBF9FFF) // public-append
	PublicAppendExtended = Basic(0x0FBF9FFF) // eacl-public-append
)

Frequently used Basic values. Bitmasks are taken from the FrostFS Specification.

Variables

This section is empty.

Functions

This section is empty.

Types

type Basic

type Basic uint32

Basic represents basic part of the FrostFS container's ACL. It includes common (pretty simple) access rules for operations inside the container. See FrostFS Specification for details.

One can find some similarities with the traditional Unix permission, such as

division into scopes: user, group, others
op-permissions: read, write, etc.
sticky bit

However, these similarities should only be used for better understanding, in general these mechanisms are different.

Instances can be created using built-in var declaration, but look carefully at the default values, and how individual permissions are regulated. Some frequently used values are presented in exported variables.

Basic instances are comparable: values can be compared directly using == operator.

Note that type conversion from- and to numerical types is not recommended, use corresponding constants and/or methods instead.

func (*Basic) AllowBearerRules

func (x *Basic) AllowBearerRules(op Op)

AllowBearerRules allows bearer to provide extended ACL rules for the given operation. Bearer rules doesn't depend on container ACL extensibility.

See also AllowedBearerRules.

func (*Basic) AllowOp

func (x *Basic) AllowOp(op Op, role Role)

AllowOp allows the parties with the given role to the given operation. Op MUST be one of the Op enumeration. Role MUST be one of:

RoleOwner
RoleContainer
RoleOthers

and if role is RoleContainer, op MUST NOT be:

OpObjectGet
OpObjectHead
OpObjectPut
OpObjectSearch
OpObjectHash

See also IsOpAllowed.

func (Basic) AllowedBearerRules

func (x Basic) AllowedBearerRules(op Op) bool

AllowedBearerRules checks if bearer rules are allowed using AllowBearerRules. Op MUST be one of the Op enumeration.

Zero Basic disallows bearer rules for any op.

func (Basic) Bits

func (x Basic) Bits() uint32

Bits returns numerical encoding of Basic.

See also FromBits.

func (*Basic) DecodeString

func (x *Basic) DecodeString(s string) (e error)

DecodeString decodes string calculated using EncodeToString. Also supports human-readable names (Name* constants).

func (*Basic) DisableExtension

func (x *Basic) DisableExtension()

DisableExtension makes Basic FINAL. FINAL indicates the ACL non-extendability in the related container.

See also Extendable.

func (Basic) EncodeToString

func (x Basic) EncodeToString() string

EncodeToString encodes Basic into hexadecimal string.

See also DecodeString.

func (Basic) Extendable

func (x Basic) Extendable() bool

Extendable checks if Basic is NOT made FINAL using DisableExtension.

Zero Basic is extendable.

func (*Basic) FromBits

func (x *Basic) FromBits(bits uint32)

FromBits decodes Basic from the numerical representation.

See also Bits.

func (Basic) IsOpAllowed

func (x Basic) IsOpAllowed(op Op, role Role) bool

IsOpAllowed checks if parties with the given role are allowed to the given op according to the Basic rules. Op MUST be one of the Op enumeration. Role MUST be one of the Role enumeration.

Members with RoleContainer role have exclusive default access to the operations of the data replication mechanism:

OpObjectGet
OpObjectHead
OpObjectPut
OpObjectSearch
OpObjectHash

RoleInnerRing members are allowed to data audit ops only:

OpObjectGet
OpObjectHead
OpObjectHash
OpObjectSearch

Zero Basic prevents any role from accessing any operation in the absence of default rights.

See also AllowOp.

func (*Basic) MakeSticky

func (x *Basic) MakeSticky()

MakeSticky makes Basic STICKY. STICKY indicates that only the owner of any particular object is allowed to operate on it.

See also Sticky.

func (Basic) Sticky

func (x Basic) Sticky() bool

Sticky checks if Basic is made STICKY using MakeSticky.

Zero Basic is NOT STICKY.

type Op

type Op uint32

Op enumerates operations under access control inside container. Non-positive values are reserved and depend on context (e.g. unsupported op).

Note that type conversion from- and to numerical types is not recommended, use corresponding constants and/or methods instead.

const (
	OpObjectGet    Op // Object.Get rpc
	OpObjectHead      // Object.Head rpc
	OpObjectPut       // Object.Put rpc
	OpObjectDelete    // Object.Delete rpc
	OpObjectSearch    // Object.Search rpc
	OpObjectRange     // Object.GetRange rpc
	OpObjectHash      // Object.GetRangeHash rpc

)

nolint: unused

func (Op) String

func (x Op) String() string

String implements fmt.Stringer.

type Role

type Role uint32

Role enumerates roles covered by container ACL. Each role represents some party which can be authenticated during container op execution. Non-positive values are reserved and depend on context (e.g. unsupported role).

Note that type conversion from- and to numerical types is not recommended, use corresponding constants and/or methods instead.

const (
	RoleOwner     Role // container owner
	RoleContainer      // nodes of the related container
	RoleInnerRing      // Inner Ring nodes
	RoleOthers         // all others

)

nolint: unused

func (Role) String

func (x Role) String() string

String implements fmt.Stringer.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL