Add admin interface and operation attributes things for Attribute-Based Access Control #2405
Conversation
…ed Access Control
brfrn169
requested review from
komamitsu,
feeblefakie,
Torch3333 and
josh-wong
| ABAC_NOT_ENABLED( | ||
| Category.USER_ERROR, | ||
| "0151", | ||
| "The Attribute-Based Access Control feature is not enabled. To use this feature, you must enable it. Note that this feature is supported only in the ScalarDB Enterprise edition", | ||
| "", | ||
| ""), |
There was a problem hiding this comment.
@josh-wong Could you please take a look at this message? 🙇
There was a problem hiding this comment.
Similar to many of our other features (group commit, encryption, etc.), should we lowercase the naming for this feature as follows?:
| ABAC_NOT_ENABLED( | |
| Category.USER_ERROR, | |
| "0151", | |
| "The Attribute-Based Access Control feature is not enabled. To use this feature, you must enable it. Note that this feature is supported only in the ScalarDB Enterprise edition", | |
| "", | |
| ""), | |
| ABAC_NOT_ENABLED( | |
| Category.USER_ERROR, | |
| "0151", | |
| "The attribute-based access control feature is not enabled. To use this feature, you must enable it. Note that this feature is supported only in the ScalarDB Enterprise edition", | |
| "", | |
| ""), |
There was a problem hiding this comment.
Fixed in 11f38db. Thanks!
| ABAC_NOT_ENABLED( | ||
| Category.USER_ERROR, | ||
| "0151", | ||
| "The Attribute-Based Access Control feature is not enabled. To use this feature, you must enable it. Note that this feature is supported only in the ScalarDB Enterprise edition", | ||
| "", | ||
| ""), |
There was a problem hiding this comment.
Similar to many of our other features (group commit, encryption, etc.), should we lowercase the naming for this feature as follows?:
| ABAC_NOT_ENABLED( | |
| Category.USER_ERROR, | |
| "0151", | |
| "The Attribute-Based Access Control feature is not enabled. To use this feature, you must enable it. Note that this feature is supported only in the ScalarDB Enterprise edition", | |
| "", | |
| ""), | |
| ABAC_NOT_ENABLED( | |
| Category.USER_ERROR, | |
| "0151", | |
| "The attribute-based access control feature is not enabled. To use this feature, you must enable it. Note that this feature is supported only in the ScalarDB Enterprise edition", | |
| "", | |
| ""), |
| * @param policyName the policy name | ||
| * @param username the username | ||
| * @param levelShortName the level short name | ||
| * @param defaultLevelShortName the default level short name. If null, the default is the level |
There was a problem hiding this comment.
If null, the default is the level
What does "the level" exactly mean?
There was a problem hiding this comment.
"the level" refers to the level specified by the argument levelShortName. The sentence might be confusing. 😓 Do you have any ideas for it?
There was a problem hiding this comment.
This parameter is optional actually, and levelShortName is used instead like as a default value if defaultLevelShortName is null. So, I think the prefix of this parameter default is confusing...
If you can't change the parameter name, how about "If null, levelShortName is used instead" ?
There was a problem hiding this comment.
Fixed in 661d076. Thanks.
| * @param username the username | ||
| * @param levelShortName the level short name | ||
| * @param defaultLevelShortName the default level short name. If null, the default is the level | ||
| * @param rowLevelShortName the row level short name. If null, the default is the default level |
There was a problem hiding this comment.
If null, the default is the default level
The first "the default" is different from the second "the default"?
There was a problem hiding this comment.
Correct.
The first "the default" means the default value of the rowLevelShortName. And the second means the default level specified by the argument defaultLevelShortName.
There was a problem hiding this comment.
I think it feels confusing. How about using the actual parameter names like "If null, defaultLevelShortName is used instead" ?
There was a problem hiding this comment.
And the second means the default level specified by the argument defaultLevelShortName.
defaultLevelShortName can be null. If it's null, levelShortName is used?
There was a problem hiding this comment.
Fixed in 661d076. Thanks.
| * | ||
| * @return the level short name | ||
| */ | ||
| String getLevelShortName(); |
There was a problem hiding this comment.
I guess User Tag should have MaxLevel and MinLevel. What do you think?
There was a problem hiding this comment.
In ABAC in ScalarDB, we don’t have MinLevel. We only have MaxLevel, which is referred to simply as level.
core/src/main/java/com/scalar/db/api/AbacOperationAttributes.java
Outdated
Show resolved
Hide resolved
…tributes.java Co-authored-by: Mitsunori Komatsu <[email protected]>
| } | ||
|
|
||
| @Override | ||
| public Buildable writeTag(String policyName, String writeTag) { |
There was a problem hiding this comment.
Just a confirmation. The reason for not having writeTag in InsertBuilder is that insertion uses the default tag?
There was a problem hiding this comment.
Actually, the writeTag is not the rowTag. The writeTag is used for access control on existing records. Since insert operations involve adding new records, the writeTag is not applicable to them. Therefore, the InsertBuilder does not include the writeTag. Thanks.
Co-authored-by: Hiroyuki Yamada <[email protected]>
| * @param tableName the table name | ||
| * @throws ExecutionException if the operation fails | ||
| */ | ||
| default void applyPolicyToTable(String policyName, String namespaceName, String tableName) |
There was a problem hiding this comment.
Renamed this method in 2c387a7.
| * @param namespaceName the namespace name | ||
| * @throws ExecutionException if the operation fails | ||
| */ | ||
| default void applyPolicyToNamespace(String policyName, String namespaceName) |
There was a problem hiding this comment.
Renamed this method in 2c387a7.
Co-authored-by: Vincent Guilpain <[email protected]>
…ed Access Control (#2405)
Description
This PR adds the admin interface and operation attributes things for Attribute-Based Access Control (ABAC).
Related issues and/or PRs
N/A
Changes made
AbacAdminand madeDistributedTransactionAdminextend it.AbacOperationAttributesto manipulate the operation attributes for ABAC.Checklist
Additional notes (optional)
N/A
Release notes
N/A