I like the annotation idea, especially considering that Jared was talking
about adding a @RegisterableFunction annotation as well. maybe something
like @ResourcePermission("Data:READ") or something like that?-Dan On Thu, Aug 17, 2017 at 8:18 AM, Michael William Dodge <mdo...@pivotal.io> wrote: > What about an annotation for read-only functions or a subinterface off > org.apache.geode.cache.execute.Function? > > Sarge > > > On 17 Aug, 2017, at 01:42, Swapnil Bawaskar <sbawas...@pivotal.io> > wrote: > > > > Discuss fix for GEODE-2817 > > <https://issues.apache.org/jira/browse/GEODE-2817> > > > > Currently to execute a function, you will need "data:write" permission, > but > > it really depends on what the function is doing. For example, if a > function > > is just reading data, the function author might want users with DATA:READ > > permissions to execute the function. The two options mentioned in the > > ticket are: > > > > 1) externalize SecurityService so that function author can use it in the > > function.execute code to check authorization. > > 2) add a method to function interface to tell the framework what > permission > > this function needs to execute, so that the framework will check the > > permission before executing the function. > > > > I vote for #2 because, I think, a function author will be able to easily > > discover a method on the Function interface, rather than trying to look > for > > SecurityService. > > > > I propose that we add the following new method to Function: > > > > default public List<ResourcePermission> requiredPermissions() { > > // default DATA:WRITE > > } > > > > In order to preserve existing behavior, the default required permission > > would be DATA:WRITE. > >
