Following up on this thread after a quick chat with Rodric to discuss the fine 
grained approach in more detail (credits go to Rodric).


For the fine grained permissions OpenWhisk could support unix style 
permissions: "rwx" when defining actions and packages. For example:


   wsk package create my-package --shared yes -a permissions x


This would make actions inside the shared package "eXecutable", and w/o 
the "r", other developers won't be able to read the code, nor the default 
parameters.  These permissions could be applied at a more granular level to the 
actions inside a package, in the same way directories and files in unix can 
have different permissions (in this context, directory = package, and file = 
action).


I think this idea alone would solve the need to share actions with others, 
while keeping the code private. IIUC it should also fix the issue referenced 
below in the thread.


There are some aspects that result from it:

  1.  In Unix, permissions reflect 3 scopes or classes: permissions for the 
owner/user, for the group, and for others. What do these mean in the OW context? 
Do we see benefits from differentiating between these 3? Assuming the 
"owner" always has "rwx", there's no "group" concept at the moment in OW (we 
could assume that the "group" is the namespace?), and "others" is what we care 
about when it comes to permissions.
  2.  Implications for displaying activation results. Right now the caller of 
the shared action sees the activation results, including its logs. If the 
permission restricts to "x" only, should it have an implication on the 
activation result?
  3.  Code vs default parameters. Should permissions differentiate the code 
from the default params or should they apply to both?


This idea can be extended later to support groups, if OpenWhisk extends the 
namespace:user relation so that a namespace can be accessed by multiple users. 
At that point, a package, or an action, can be shared with specific developers 
belonging to a group, including specific permissions. Right now a package is 
either private or shared with everybody.


WDYT ?


@Rodric<mailto:rod...@gmail.com>, feel free to add to what I missed.


Thanks,

dragos
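
A sketch of the permission model proposed above, as an added example that is not part of the original email or of OpenWhisk's code. It assumes the permission string applies to "others" only, that an action without its own permissions inherits the package's, and that "r" covers both code and default parameters; all class and function names are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

OWNER_PERMS = frozenset("rwx")  # the thread assumes the owner always has rwx

@dataclass
class Action:
    name: str
    code: str
    default_params: dict
    permissions: Optional[str] = None  # None = inherit from package (assumption)

@dataclass
class Package:
    namespace: str                     # owning namespace
    name: str
    shared: bool = False
    permissions: str = ""              # rights for "others", e.g. "x" or "rx"
    actions: dict = field(default_factory=dict)

def effective_perms(pkg, action, caller_ns):
    """Rights that caller_ns holds on one action of pkg."""
    if caller_ns == pkg.namespace:
        return OWNER_PERMS
    if not pkg.shared:
        return frozenset()             # private package: nothing for others
    raw = pkg.permissions if action.permissions is None else action.permissions
    if not set(raw) <= OWNER_PERMS:
        raise ValueError(f"invalid permission string: {raw!r}")
    return frozenset(raw)

def describe(pkg, action_name, caller_ns):  # what a read request would return
    action = pkg.actions[action_name]
    perms = effective_perms(pkg, action, caller_ns)
    if not perms:
        raise PermissionError("action is not shared with this namespace")
    view = {"name": f"{pkg.name}/{action.name}", "invocable": "x" in perms}
    if "r" in perms:                   # without "r": no code, no default params
        view["code"] = action.code
        view["default_params"] = dict(action.default_params)
    return view

def demo_package():  # constructed sample: x-only package, one "rx" action
    pkg = Package("alice", "my-package", shared=True, permissions="x")
    pkg.actions["kv"] = Action("kv", "def main(args): ...", {"token": "EXAMPLE"})
    pkg.actions["docs"] = Action("docs", "def main(args): ...", {}, permissions="rx")
    return pkg

if __name__ == "__main__":
    print(describe(demo_package(), "kv", "bob"))
```

Whether an "x"-only caller should still see activation results and logs is left open in the email and is not modelled here.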


________________________________
From: Dragos Dascalita Haut <ddas...@adobe.com.INVALID>
Sent: Wednesday, February 14, 2018 6:58 PM
To: dev@openwhisk.apache.org
Subject: Re: How to share an action but not its code, nor parameters

"... pursuing the fine grained rights approach. ..."


I was also re-reading your email and I was thinking... it would actually be v 
nice to have this in openwhisk. In this way developers can fully control what 
they want to do with the action. Another use-case I once had was to share an 
action that exposes a key-value store; in that case the action would have the 
credentials to talk to the key-value store which I didn't want to share with 
others. Having an option to hide default params from a shared action would 
have been handy. So a fine-grained control would help other use-cases too.


dragos
________________________________
From: Rodric Rabbah <rod...@gmail.com>
Sent: Wednesday, February 14, 2018 6:39:04 PM
To: dev@openwhisk.apache.org
Subject: Re: How to share an action but not its code, nor parameters

It’s worth mentioning that going through the web action path limits the 
compositions to those that can complete in 60s. So there are other benefits to 
pursuing the fine grained rights approach.

-r
