Interface DynamicAccessController

  • All Superinterfaces:
    AccessController

    public interface DynamicAccessController
    extends AccessController
    A DynamicAccessController is an AccessController with a mutable resource list. The resource list may be changed at runtime.
    • Method Summary

      Modifier and Type Method Description
      void addAcl​(java.lang.String resource)
      Add a resource to the resource list.
      java.util.Set<java.lang.String> getAccessControlledResources()
      Get the set of resources that are currently access-controlled.
      boolean hasAccess​(java.security.cert.X509Certificate clientCert, java.lang.String resource, java.lang.String method)
      Check if client has permission to access a particular resource.
      boolean hasAcl​(java.lang.String resource)
      Check if ACL exists for a particular resource.
      DynamicAccessController init​(java.util.List<java.lang.String> resources)
      Initialize access controller.
      boolean isFailOpen()
      Use this method to determine if clients will be granted access to a resource when the corresponding ACL of the resource is missing.
      void removeAcl​(java.lang.String resource)
      Remove a resource from the resource list.
    • Method Detail

      • init

        DynamicAccessController init​(java.util.List<java.lang.String> resources)
        Initialize access controller.
        Parameters:
        resources - the initial resource list
        Returns:
        the access controller
      • hasAccess

        boolean hasAccess​(java.security.cert.X509Certificate clientCert,
                          java.lang.String resource,
                          java.lang.String method)
                   throws AclException
        Check if client has permission to access a particular resource. This method is invoked on every single request, so minimizing its execution time results in the best latency and throughput.
        Specified by:
        hasAccess in interface AccessController
        Parameters:
        clientCert - the X509Certificate submitted by client
        resource - the resource being requested, such as a Venice store
        method - the operation (GET, POST, ...) to perform against the resource
        Returns:
        true if client has permission to access, otherwise false.

        When hasAcl(String) == false, return isFailOpen().

        Throws:
        AclException
      • hasAcl

        boolean hasAcl​(java.lang.String resource)
                throws AclException
        Check if ACL exists for a particular resource.
        Parameters:
        resource - the resource name
        Returns:
        whether an ACL exists for the resource
        Throws:
        AclException
      • addAcl

        void addAcl​(java.lang.String resource)
             throws AclException
        Add a resource to the resource list. Call this method when a new resource gets created.
        Parameters:
        resource - the resource name
        Throws:
        AclException
      • removeAcl

        void removeAcl​(java.lang.String resource)
                throws AclException
        Remove a resource from the resource list. Call this method when an existing resource gets deleted.
        Parameters:
        resource - the resource name
        Throws:
        AclException
      • getAccessControlledResources

        java.util.Set<java.lang.String> getAccessControlledResources()
        Get the set of resources that are currently access-controlled. Ideally, this set should be identical to the list of existing resources, so that each and every resource (e.g. Venice store) is being access-controlled.
        Returns:
        the set of access-controlled resources
      • isFailOpen

        boolean isFailOpen()
        Use this method to determine if clients will be granted access to a resource when the corresponding ACL of the resource is missing.
        Returns:
        whether the implementation uses a fail-open policy
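
The hasAccess contract above (when hasAcl(String) is false, return isFailOpen()) shown with both policies side by side. This is an added example, not code from the Venice project: the class name InMemoryAccessController, the grant and decide helpers, the "principal|METHOD" grant format and the sample names (CN=alice, store_a, store_b) are assumptions made for illustration.

```java
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added sketch, not Venice code: it mirrors the method names documented on this page.
// A real implementation would declare "implements DynamicAccessController".
public class InMemoryAccessController {
  private final boolean failOpen;
  // resource -> set of "principal|METHOD" grants; concurrent map keeps the per-request read lock-free
  private final Map<String, Set<String>> acls = new ConcurrentHashMap<>();

  public InMemoryAccessController(boolean failOpen) { this.failOpen = failOpen; }

  public InMemoryAccessController init(List<String> resources) {
    resources.forEach(this::addAcl);
    return this;
  }
  public void addAcl(String resource) { acls.putIfAbsent(resource, ConcurrentHashMap.newKeySet()); }
  public void removeAcl(String resource) { acls.remove(resource); }
  public boolean hasAcl(String resource) { return acls.containsKey(resource); }
  public boolean isFailOpen() { return failOpen; }
  public Set<String> getAccessControlledResources() { return new HashSet<>(acls.keySet()); }

  // Hypothetical helper: the interface does not specify how grants are provisioned.
  public void grant(String resource, String principal, String method) {
    acls.computeIfAbsent(resource, r -> ConcurrentHashMap.newKeySet()).add(principal + "|" + method);
  }

  public boolean hasAccess(X509Certificate clientCert, String resource, String method) {
    return decide(clientCert.getSubjectX500Principal().getName(), resource, method);
  }

  // Decision core keyed on the certificate subject, so it can be exercised without a certificate.
  boolean decide(String principal, String resource, String method) {
    Set<String> grants = acls.get(resource);
    if (grants == null) return isFailOpen(); // documented rule: missing ACL -> isFailOpen()
    return grants.contains(principal + "|" + method);
  }

  public static void main(String[] args) {
    String alice = "CN=alice"; // constructed principal
    for (boolean open : new boolean[] {true, false}) {
      InMemoryAccessController c = new InMemoryAccessController(open).init(List.of("store_a"));
      c.grant("store_a", alice, "GET");
      System.out.println("failOpen=" + open + " store_a/GET=" + c.decide(alice, "store_a", "GET")
          + " store_a/POST=" + c.decide(alice, "store_a", "POST")
          + " store_b/GET (no ACL)=" + c.decide(alice, "store_b", "GET"));
    }
  }
}
```

Only the request for store_b, which has no ACL, changes between the two runs: it is granted under the fail-open policy and denied under fail-closed, which is why getAccessControlledResources() should track the full set of existing resources.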