Interface AccessController

All Known Subinterfaces:
DynamicAccessController, StaticAccessController
All Known Implementing Classes:
NoOpDynamicAccessController

public interface AccessController
An AccessController allows a request to be checked against an Access Control List (ACL).
  • Method Details

    • hasAccess

      boolean hasAccess(X509Certificate clientCert, String resource, String method) throws AclException
      Check if client has permission to access a particular resource. This method is invoked on every request, so minimizing its execution time yields the best latency and throughput.
      Parameters:
      clientCert - the X509Certificate submitted by client
      resource - the resource being requested
      method - the operation (GET, POST, ...) to perform against the resource
      Returns:
      true if client has permission to access, otherwise false.
      Throws:
      AclException
    • hasAccessToTopic

      boolean hasAccessToTopic(X509Certificate clientCert, String resource, String method) throws AclException
      Check if client has permission to access a particular topic resource.
      Parameters:
      clientCert - the X509Certificate submitted by client
      resource - the resource being requested
      method - the operation (Read, Write, ...) to perform against the topic resource
      Returns:
      true if client has permission to access, otherwise false.
      Throws:
      AclException
    • hasAccessToAdminOperation

      boolean hasAccessToAdminOperation(X509Certificate clientCert, String operation) throws AclException
      Check if client has permission to execute a particular admin operation.
      Parameters:
      clientCert - the X509Certificate submitted by client
      operation - the operation being performed
      Returns:
      true if client has permission to access, otherwise false.
      Throws:
      AclException
    • isAllowlistUsers

      boolean isAllowlistUsers(X509Certificate clientCert, String resource, String method)
      Check whether the client is one of the allowlisted admin users.
      Parameters:
      clientCert - the X509Certificate submitted by client
      resource - the resource being requested
      method - the operation (GET, POST, ...) to perform against the resource
      Returns:
      true if the client is an admin
    • getPrincipalId

      String getPrincipalId(X509Certificate clientCert)
      Get principal Id from client certificate.
      Parameters:
      clientCert - the X509Certificate submitted by client
      Returns:
      principal Id (headless account name, service name, LDAP id or group id)
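
An implementation sketch added here as an example (not the project's own code): it keeps hasAccess cheap, as the note on per-request invocation asks, by answering from an in-memory map built off the request path, and it denies when the certificate or the ACL entry is missing. The class name, the grant and addAllowlistUser helpers, the Key record and the use of the certificate's subject DN as the principal Id are assumptions; records need Java 16 or later.

```java
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration. Assumes AccessController is on the classpath (its package is not shown on this page).
public class InMemoryAccessController implements AccessController {
  // Structured key, so ("a", "b|c") and ("a|b", "c") can never collide as concatenated strings would.
  private record Key(String kind, String target, String method) {}

  // Filled off the request path; each check is then a couple of hash lookups.
  private final Map<Key, Set<String>> acl = new ConcurrentHashMap<>();
  private final Set<String> allowlist = ConcurrentHashMap.newKeySet();

  // Hypothetical setup helpers, not part of the interface.
  public void grant(String principal, String kind, String target, String method) {
    acl.computeIfAbsent(new Key(kind, target, method), k -> ConcurrentHashMap.newKeySet())
        .add(principal);
  }
  public void addAllowlistUser(String principal) { allowlist.add(principal); }

  private boolean allowed(X509Certificate cert, Key key) {
    Set<String> principals = acl.get(key);
    // Deny by default: no certificate or no ACL entry for the key means no access.
    return cert != null && principals != null && principals.contains(getPrincipalId(cert));
  }

  @Override
  public boolean hasAccess(X509Certificate clientCert, String resource, String method) {
    return allowed(clientCert, new Key("resource", resource, method));
  }
  @Override
  public boolean hasAccessToTopic(X509Certificate clientCert, String resource, String method) {
    return allowed(clientCert, new Key("topic", resource, method));
  }
  @Override
  public boolean hasAccessToAdminOperation(X509Certificate clientCert, String operation) {
    return allowed(clientCert, new Key("admin", operation, ""));
  }
  @Override
  public boolean isAllowlistUsers(X509Certificate clientCert, String resource, String method) {
    return clientCert != null && allowlist.contains(getPrincipalId(clientCert));
  }
  @Override
  public String getPrincipalId(X509Certificate clientCert) {
    return clientCert.getSubjectX500Principal().getName(); // assumption: subject DN as the id
  }
}
```

The overrides omit the throws clause, which Java permits, so the sketch does not depend on how AclException is constructed.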