Documentation ¶
Overview ¶
Package acl provides functionality to control access to data and operations on them in FrostFS containers.
Type Basic represents basic ACL of the FrostFS container which specifies the general order of data access. Basic provides interface of rule composition. Package acl also exports some frequently used settings like private or public.
Index ¶
- Constants
- type Basic
- func (x *Basic) AllowBearerRules(op Op)
- func (x *Basic) AllowOp(op Op, role Role)
- func (x Basic) AllowedBearerRules(op Op) bool
- func (x Basic) Bits() uint32
- func (x *Basic) DecodeString(s string) (e error)
- func (x *Basic) DisableExtension()
- func (x Basic) EncodeToString() string
- func (x Basic) Extendable() bool
- func (x *Basic) FromBits(bits uint32)
- func (x Basic) IsOpAllowed(op Op, role Role) bool
- func (x *Basic) MakeSticky()
- func (x Basic) Sticky() bool
- type Op
- type Role
Constants ¶
const ( NamePrivate = "private" NamePrivateExtended = "eacl-private" NamePublicRO = "public-read" NamePublicROExtended = "eacl-public-read" NamePublicRW = "public-read-write" NamePublicRWExtended = "eacl-public-read-write" NamePublicAppend = "public-append" NamePublicAppendExtended = "eacl-public-append" )
Names of the frequently used Basic values.
const ( Private = Basic(0x1C8C8CCC) // private PrivateExtended = Basic(0x0C8C8CCC) // eacl-private PublicRO = Basic(0x1FBF8CFF) // public-read PublicROExtended = Basic(0x0FBF8CFF) // eacl-public-read PublicRW = Basic(0x1FBFBFFF) // public-read-write PublicRWExtended = Basic(0x0FBFBFFF) // eacl-public-read-write PublicAppend = Basic(0x1FBF9FFF) // public-append PublicAppendExtended = Basic(0x0FBF9FFF) // eacl-public-append )
Frequently used Basic values. Bitmasks are taken from the FrostFS Specification.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Basic ¶
type Basic uint32
Basic represents basic part of the FrostFS container's ACL. It includes common (pretty simple) access rules for operations inside the container. See FrostFS Specification for details.
One can find some similarities with the traditional Unix permission, such as
division into scopes: user, group, others op-permissions: read, write, etc. sticky bit
However, these similarities should only be used for better understanding, in general these mechanisms are different.
Instances can be created using built-in var declaration, but look carefully at the default values, and how individual permissions are regulated. Some frequently used values are presented in exported variables.
Basic instances are comparable: values can be compared directly using == operator.
Note that type conversion from- and to numerical types is not recommended, use corresponding constants and/or methods instead.
func (*Basic) AllowBearerRules ¶
AllowBearerRules allows bearer to provide extended ACL rules for the given operation. Bearer rules doesn't depend on container ACL extensibility.
See also AllowedBearerRules.
func (*Basic) AllowOp ¶
AllowOp allows the parties with the given role to the given operation. Op MUST be one of the Op enumeration. Role MUST be one of:
RoleOwner RoleContainer RoleOthers
and if role is RoleContainer, op MUST NOT be:
OpObjectGet OpObjectHead OpObjectPut OpObjectSearch OpObjectHash
See also IsOpAllowed.
func (Basic) AllowedBearerRules ¶
AllowedBearerRules checks if bearer rules are allowed using AllowBearerRules. Op MUST be one of the Op enumeration.
Zero Basic disallows bearer rules for any op.
func (*Basic) DecodeString ¶
DecodeString decodes string calculated using EncodeToString. Also supports human-readable names (Name* constants).
func (*Basic) DisableExtension ¶
func (x *Basic) DisableExtension()
DisableExtension makes Basic FINAL. FINAL indicates the ACL non-extendability in the related container.
See also Extendable.
func (Basic) EncodeToString ¶
EncodeToString encodes Basic into hexadecimal string.
See also DecodeString.
func (Basic) Extendable ¶
Extendable checks if Basic is NOT made FINAL using DisableExtension.
Zero Basic is extendable.
func (Basic) IsOpAllowed ¶
IsOpAllowed checks if parties with the given role are allowed to the given op according to the Basic rules. Op MUST be one of the Op enumeration. Role MUST be one of the Role enumeration.
Members with RoleContainer role have exclusive default access to the operations of the data replication mechanism:
OpObjectGet OpObjectHead OpObjectPut OpObjectSearch OpObjectHash
RoleInnerRing members are allowed to data audit ops only:
OpObjectGet OpObjectHead OpObjectHash OpObjectSearch
Zero Basic prevents any role from accessing any operation in the absence of default rights.
See also AllowOp.
func (*Basic) MakeSticky ¶
func (x *Basic) MakeSticky()
MakeSticky makes Basic STICKY. STICKY indicates that only the owner of any particular object is allowed to operate on it.
See also Sticky.
type Op ¶
type Op uint32
Op enumerates operations under access control inside container. Non-positive values are reserved and depend on context (e.g. unsupported op).
Note that type conversion from- and to numerical types is not recommended, use corresponding constants and/or methods instead.
const ( OpObjectGet Op // Object.Get rpc OpObjectHead // Object.Head rpc OpObjectPut // Object.Put rpc OpObjectDelete // Object.Delete rpc OpObjectSearch // Object.Search rpc OpObjectRange // Object.GetRange rpc OpObjectHash // Object.GetRangeHash rpc )
nolint: unused
type Role ¶
type Role uint32
Role enumerates roles covered by container ACL. Each role represents some party which can be authenticated during container op execution. Non-positive values are reserved and depend on context (e.g. unsupported role).
Note that type conversion from- and to numerical types is not recommended, use corresponding constants and/or methods instead.
const ( RoleOwner Role // container owner RoleContainer // nodes of the related container RoleInnerRing // Inner Ring nodes RoleOthers // all others )
nolint: unused