...

Let's consider the StartVM API being called by a user, and run through the access control use case for each default policy.

The StartVMCmd will contain an annotation on the field that needs to be checked for access:

...

  • Find all groups the user belongs to: groupIDs = 2
  • Find all 'Effective' policies the groups are associated with: policies = 2
  • Policy Id 3 and Permission Id 1 allow 'startVirtualMachine' access for ALL VMs.

@ACL annotation changes

  • As illustrated in the above access flow, the access checks get invoked when the resource Ids in the API Cmd are annotated.
  • Thus we will have to edit all existing API Cmds and add the relevant @ACL annotation on the primary resource Ids the command operates on.
  • For any other resources that the command works with, the current access checks placed in the service layer will invoke the SecurityChecker.
  • These current access checks pass the AccessType wherever needed, but mostly pass null. Our SecurityChecker will interpret null as a 'Read' access. In the 'acl_permission' schema, all List* APIs will be marked as 'Read' AccessType entries to facilitate this access check.
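
The flow above as a self-contained sketch. This is an added example, not the project's code: the class `AclSketch`, the `Operate` access type, the `Permission` record, the field `hostId` and the group/policy tables are hypothetical stand-ins constructed for illustration.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.util.*;

public class AclSketch {
    enum AccessType { Read, Operate }   // hypothetical access type names
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
    @interface ACL { }                  // stand-in marker for the primary resource id
    static class StartVMCmd {           // simplified stand-in for the API command
        @ACL Long id;                   // checked at dispatch time
        Long hostId;                    // not annotated: left to the service-layer checks
        StartVMCmd(Long id, Long hostId) { this.id = id; this.hostId = hostId; }
    }
    // One permission row: API action, access type, scope (null resourceId means ALL).
    record Permission(String action, AccessType type, Long resourceId) { }
    static final Map<Long, List<Long>> GROUP_POLICIES = Map.of(2L, List.of(3L)); // constructed
    static final Map<Long, List<Permission>> POLICY_PERMISSIONS = Map.of(
        3L, List.of(new Permission("startVirtualMachine", AccessType.Operate, null),
                    new Permission("listVirtualMachines", AccessType.Read, null)));

    // Groups -> policies -> permissions. A null AccessType is interpreted as Read.
    static boolean checkAccess(List<Long> groupIds, String action, AccessType type, Long resourceId) {
        AccessType effective = (type == null) ? AccessType.Read : type;
        for (Long g : groupIds)
            for (Long p : GROUP_POLICIES.getOrDefault(g, List.of()))
                for (Permission perm : POLICY_PERMISSIONS.getOrDefault(p, List.of()))
                    if (perm.action().equals(action) && perm.type() == effective
                            && (perm.resourceId() == null || perm.resourceId().equals(resourceId)))
                        return true;
        return false;                   // no matching permission: deny
    }

    // Dispatch-time check: only fields carrying @ACL are inspected.
    static boolean checkAnnotated(Object cmd, List<Long> groupIds, String action, AccessType type) throws Exception {
        for (Field f : cmd.getClass().getDeclaredFields()) {
            if (!f.isAnnotationPresent(ACL.class)) continue;
            f.setAccessible(true);
            if (!checkAccess(groupIds, action, type, (Long) f.get(cmd))) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        StartVMCmd cmd = new StartVMCmd(42L, 7L);
        System.out.println(checkAnnotated(cmd, List.of(2L), "startVirtualMachine", AccessType.Operate));
        System.out.println(checkAccess(List.of(2L), "startVirtualMachine", null, 42L));
        System.out.println(checkAccess(List.of(2L), "listVirtualMachines", null, 42L));
    }
}
```

In this sketch a command with no annotated field passes `checkAnnotated` without any check being run, which is why every existing API Cmd needs the annotation on its primary resource Ids. A null AccessType only matches 'Read' entries, so a legacy call that passes null cannot match a non-Read permission.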