Package com.linkedin.venice.acl
Class NoOpDynamicAccessController
java.lang.Object
com.linkedin.venice.acl.NoOpDynamicAccessController
- All Implemented Interfaces:
AccessController,DynamicAccessController
A no-op implementation of
DynamicAccessController.-
Field Summary
Fields -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionvoidAdd a resource to the resource list.Get a list of currently being access-controlled resources.getPrincipalId(X509Certificate clientCert) Get principal Id from client certificate.booleanhasAccess(X509Certificate clientCert, String resource, String method) Check if client has permission to access a particular resource.booleanhasAccessToAdminOperation(X509Certificate clientCert, String operation) Check if client has permission to execute a particular admin operation.booleanhasAccessToTopic(X509Certificate clientCert, String resource, String method) Check if client has permission to access a particular topic resource.booleanCheck if ACL exists for a particular resource.Initialize access controller.booleanisAllowlistUsers(X509Certificate clientCert, String resource, String method) Check whether the client is the allowlist admin users.booleanUse this method to determine if clients will be granted access to a resource when the corresponding ACL of the resource is missing.voidRemove a resource from the resource list.
-
Field Details
-
USER_UNKNOWN
- See Also:
-
INSTANCE
-
-
Constructor Details
-
NoOpDynamicAccessController
protected NoOpDynamicAccessController()
-
-
Method Details
-
init
Description copied from interface:DynamicAccessControllerInitialize access controller.- Specified by:
initin interfaceDynamicAccessController- Parameters:
resources- the initial resource list- Returns:
- the access controller
-
hasAccess
public boolean hasAccess(X509Certificate clientCert, String resource, String method) throws AclException Description copied from interface:DynamicAccessControllerCheck if client has permission to access a particular resource. This method is invoked by every single request, therefore minimized execution time will result the best latency and throughput.- Specified by:
hasAccessin interfaceAccessController- Specified by:
hasAccessin interfaceDynamicAccessController- Parameters:
clientCert- the X509Certificate submitted by clientresource- the resource being requested, such as a Venice storemethod- the operation (GET, POST, ...) to perform against the resource- Returns:
trueif client has permission to access, otherwisefalse.When
DynamicAccessController.hasAcl(String)== false, returnDynamicAccessController.isFailOpen().- Throws:
AclException
-
hasAccessToTopic
public boolean hasAccessToTopic(X509Certificate clientCert, String resource, String method) throws AclException Description copied from interface:AccessControllerCheck if client has permission to access a particular topic resource.- Specified by:
hasAccessToTopicin interfaceAccessController- Parameters:
clientCert- the X509Certificate submitted by clientresource- the resource being requestedmethod- the operation (Read, Write, ...) to perform against the topic resource- Returns:
trueif client has permission to access, otherwisefalse.- Throws:
AclException
-
hasAccessToAdminOperation
public boolean hasAccessToAdminOperation(X509Certificate clientCert, String operation) throws AclException Description copied from interface:AccessControllerCheck if client has permission to execute a particular admin operation.- Specified by:
hasAccessToAdminOperationin interfaceAccessController- Parameters:
clientCert- the X509Certificate submitted by clientoperation- the operation being performed- Returns:
trueif client has permission to access, otherwisefalse.- Throws:
AclException
-
isAllowlistUsers
Description copied from interface:AccessControllerCheck whether the client is the allowlist admin users.- Specified by:
isAllowlistUsersin interfaceAccessController- Parameters:
clientCert- the X509Certificate submitted by clientresource- the resource being requested;method- the operation (GET, POST, ...) to perform against the resource- Returns:
- true if the client is admin
-
getPrincipalId
Description copied from interface:AccessControllerGet principal Id from client certificate.- Specified by:
getPrincipalIdin interfaceAccessController- Parameters:
clientCert- the X509Certificate submitted by client- Returns:
- principal Id. (headless account name, service name, LDAP id or group id)
-
hasAcl
Description copied from interface:DynamicAccessControllerCheck if ACL exists for a particular resource.- Specified by:
hasAclin interfaceDynamicAccessController- Parameters:
resource- the resource name- Returns:
- whether an ACL exists for the resource
- Throws:
AclException
-
addAcl
Description copied from interface:DynamicAccessControllerAdd a resource to the resource list. Call this method when a new resource gets created.- Specified by:
addAclin interfaceDynamicAccessController- Parameters:
resource- the resource name- Throws:
AclException
-
removeAcl
Description copied from interface:DynamicAccessControllerRemove a resource from the resource list. Call this method when a existing resource gets deleted.- Specified by:
removeAclin interfaceDynamicAccessController- Parameters:
resource- the resource name- Throws:
AclException
-
getAccessControlledResources
Description copied from interface:DynamicAccessControllerGet a list of currently being access-controlled resources. Ideally, this list should be identical the list of existing resources, so that each and every resource (e.g. Venice store) is being access-controlled.- Specified by:
getAccessControlledResourcesin interfaceDynamicAccessController- Returns:
- the set of access-controlled resources
-
isFailOpen
public boolean isFailOpen()Description copied from interface:DynamicAccessControllerUse this method to determine if clients will be granted access to a resource when the corresponding ACL of the resource is missing.- Specified by:
isFailOpenin interfaceDynamicAccessController- Returns:
- whether the implementation uses a fail-open policy
-