Interface AuthorizerService
- All Known Implementing Classes:
MockVeniceAuthorizer
public interface AuthorizerService
An interface to provide functionality to manage ACL's for a
Resource and provide access permission Permission
to principals Principal when performing Method. The underlying implementation can
choose any mechanism for storing and scanning of the ACL's.
No guarantees are made about canAccess(Method, Resource, X509Certificate) api
when duplicate or conflicting AceEntries are present.
An example of how an application flow may looks like.
setupResource(Resource)
setAcls(AclBinding)
canAccess(Method, Resource, X509Certificate)
addAce(Resource, AceEntry)
canAccess(Method, Resource, X509Certificate)
removeAce(Resource, AceEntry)
canAccess(Method, Resource, X509Certificate)
clearAcls(Resource)
clearResource(Resource)
}-
Method Summary
Modifier and TypeMethodDescriptionvoidThis will add a single AceEntry to the existing AceEntries for a resource.booleanCheck if the principal has the permission to perform the method on the resource.booleancanAccess(Method method, Resource resource, X509Certificate accessorCert) Check if the principal has the permission to perform the method on the resource.voidThis will clear the existing AceEntries for a resource.default voidclearResource(Resource resource) This may perform any finalization steps that may be necessary after all ACL's for a resource is deleted and the resource will not be used later.describeAcls(Resource resource) Return a list of existing AceEntries present for the given resource.voidThis will remove a single AceEntry from the existing AceEntries for a resource.voidsetAcls(AclBinding aclBinding) This will set the AceEntries in provided AclBinding object to be the current set of ACL's for the resource.default voidsetupResource(Resource resource) This may perform any initialization steps that may be necessary before start provisioning any ACL's for a resource.
-
Method Details
-
canAccess
Check if the principal has the permission to perform the method on the resource. Implementation should define how to handle duplicate/conflicting ACE entries present for the resource and also how to handle presence of no AceEntries for a resource.- Parameters:
method- what method is being performed.resource- what resource the method is being performedprincipal- who is performing the method on the resource.- Returns:
trueif principal has the permission to perform the method on the resource, otherwise returnfalse.
-
canAccess
Check if the principal has the permission to perform the method on the resource. Implementation should define how to handle duplicate/conflicting ACE entries present for the resource and also how to handle presence of no AceEntries for a resource.- Parameters:
method- what method is being performed.resource- what resource the method is being performedaccessorCert- who is performing the method on the resource.- Returns:
trueif principal has the permission to perform the method on the resource, otherwise returnfalse.
-
describeAcls
Return a list of existing AceEntries present for the given resource. Implementations should return an empty AclBinding object when no acl's are present for the resource.- Parameters:
resource-- Returns:
AclBindingobject containg the list of existing aceEntries. The AceEntry list may be empty if there is no existing ACL's provisioned.
-
setAcls
This will set the AceEntries in provided AclBinding object to be the current set of ACL's for the resource. This performs an overwrite operation. An empty AceEntries list will clear all acls and achieve a similar result likeclearAcls(Resource).- Parameters:
aclBinding- A fully contained object having a list of AceEntries associated with the resource.
-
clearAcls
This will clear the existing AceEntries for a resource.- Parameters:
resource- the resource for which all ACl's will be cleared.
-
addAce
This will add a single AceEntry to the existing AceEntries for a resource. Implementation may or may not allow duplicate/conflicting entries. Implementation may throw any necessary error/exception.- Parameters:
resource- The resource for which an AceEntry is getting added.aceEntry- The AceEntry to be removed.
-
removeAce
This will remove a single AceEntry from the existing AceEntries for a resource. Implementation should define how to handle removal in case duplicate AceEntries are allowed. The equivalence check should do exact match of all fields of the AceEntry object. Implementation may throw any necessary error/exception.- Parameters:
resource- The resource for which an AceEntry is getting removed.aceEntry- The AceEntry to be removed.
-
setupResource
This may perform any initialization steps that may be necessary before start provisioning any ACL's for a resource. This may be used to setup/allocate any metadata/context about the resource. This is optional to implement. Implementation should mandate if this needs to be called before start provisioning any ACL's for the resource.- Parameters:
resource-
-
clearResource
This may perform any finalization steps that may be necessary after all ACL's for a resource is deleted and the resource will not be used later. This may be used to clean up any metadata/context information about the resource that was setup insetupResource(com.linkedin.venice.authorization.Resource). This is optional to implement. Implementation should mandate if this needs to be called after deleting all ACL's for the resource.- Parameters:
resource-
-