Package com.linkedin.venice.authorization

Interface AuthorizerService

    • Method Summary

      All Methods Instance Methods Abstract Methods Default Methods 
      Modifier and Type Method Description
      void addAce​(Resource resource, AceEntry aceEntry)
      This will add a single AceEntry to the existing AceEntries for a resource.
      boolean canAccess​(Method method, Resource resource, Principal principal)
      Check if the principal has the permission to perform the method on the resource.
      boolean canAccess​(Method method, Resource resource, java.security.cert.X509Certificate accessorCert)
      Check if the principal has the permission to perform the method on the resource.
      void clearAcls​(Resource resource)
      This will clear the existing AceEntries for a resource.
      default void clearResource​(Resource resource)
      This may perform any finalization steps that may be necessary after all ACL's for a resource is deleted and the resource will not be used later.
      AclBinding describeAcls​(Resource resource)
      Return a list of existing AceEntries present for the given resource.
      void removeAce​(Resource resource, AceEntry aceEntry)
      This will remove a single AceEntry from the existing AceEntries for a resource.
      void setAcls​(AclBinding aclBinding)
      This will set the AceEntries in provided AclBinding object to be the current set of ACL's for the resource.
      default void setupResource​(Resource resource)
      This may perform any initialization steps that may be necessary before start provisioning any ACL's for a resource.

    • Method Detail

      • canAccess

        boolean canAccess​(Method method,
                  Resource resource,
                  Principal principal)
        Check if the principal has the permission to perform the method on the resource. Implementation should define how to handle duplicate/conflicting ACE entries present for the resource and also how to handle presence of no AceEntries for a resource.
        Parameters:
        method - what method is being performed.
        resource - what resource the method is being performed
        principal - who is performing the method on the resource.
        Returns:
        true if principal has the permission to perform the method on the resource, otherwise return false.

      • canAccess

        boolean canAccess​(Method method,
                  Resource resource,
                  java.security.cert.X509Certificate accessorCert)
        Check if the principal has the permission to perform the method on the resource. Implementation should define how to handle duplicate/conflicting ACE entries present for the resource and also how to handle presence of no AceEntries for a resource.
        Parameters:
        method - what method is being performed.
        resource - what resource the method is being performed
        accessorCert - who is performing the method on the resource.
        Returns:
        true if principal has the permission to perform the method on the resource, otherwise return false.

      • describeAcls

        AclBinding describeAcls​(Resource resource)
        Return a list of existing AceEntries present for the given resource. Implementations should return an empty AclBinding object when no acl's are present for the resource.
        Parameters:
        resource -
        Returns:
        AclBinding object containg the list of existing aceEntries. The AceEntry list may be empty if there is no existing ACL's provisioned.

      • setAcls

        void setAcls​(AclBinding aclBinding)
        This will set the AceEntries in provided AclBinding object to be the current set of ACL's for the resource. This performs an overwrite operation. An empty AceEntries list will clear all acls and achieve a similar result like clearAcls(Resource).
        Parameters:
        aclBinding - A fully contained object having a list of AceEntries associated with the resource.

      • clearAcls

        void clearAcls​(Resource resource)
        This will clear the existing AceEntries for a resource.
        Parameters:
        resource - the resource for which all ACl's will be cleared.

      • addAce

        void addAce​(Resource resource,
            AceEntry aceEntry)
        This will add a single AceEntry to the existing AceEntries for a resource. Implementation may or may not allow duplicate/conflicting entries. Implementation may throw any necessary error/exception.
        Parameters:
        resource - The resource for which an AceEntry is getting added.
        aceEntry - The AceEntry to be removed.

      • removeAce

        void removeAce​(Resource resource,
               AceEntry aceEntry)
        This will remove a single AceEntry from the existing AceEntries for a resource. Implementation should define how to handle removal in case duplicate AceEntries are allowed. The equivalence check should do exact match of all fields of the AceEntry object. Implementation may throw any necessary error/exception.
        Parameters:
        resource - The resource for which an AceEntry is getting removed.
        aceEntry - The AceEntry to be removed.

      • setupResource

        default void setupResource​(Resource resource)
        This may perform any initialization steps that may be necessary before start provisioning any ACL's for a resource. This may be used to setup/allocate any metadata/context about the resource. This is optional to implement. Implementation should mandate if this needs to be called before start provisioning any ACL's for the resource.
        Parameters:
        resource -

      • clearResource

        default void clearResource​(Resource resource)
        This may perform any finalization steps that may be necessary after all ACL's for a resource is deleted and the resource will not be used later. This may be used to clean up any metadata/context information about the resource that was setup in setupResource(com.linkedin.venice.authorization.Resource). This is optional to implement. Implementation should mandate if this needs to be called after deleting all ACL's for the resource.
        Parameters:
        resource -