I have a suggestion for improving permission checking for permissions
with a hierarchical structure.
For the purposes of this discussion I will use WildcardPermission as an example,
but the discussion applies to any hierarchically structured permission.
In some situations, when processing requests for hierarchically structured data
with matching permissions, it would speed up processing to know whether there are any
permissions further down the tree.
Assume a tree structure with large subtrees on nodes A and B off the root.
If the code is producing a list of all leaf nodes the Subject can read, it would
speed up processing significantly if the application code could check whether
the user has any access to any node in A.
Currently the WildcardPermission implementation of implies() returns the
following:
{noformat}
Subject Perm   Checked Perm   Result
------------   ------------   ------
root           root           true
root           root:*         true
root           root:a         true
root           root:a:*       true
root           root:b         true
root           root:b:*       true
root:*         root           true
root:*         root:*         true
root:*         root:a         true
root:*         root:a:*       true
root:*         root:b         true
root:*         root:b:*       true
root:a         root           false
root:a         root:*         false
root:a         root:a         true
root:a         root:a:*       true
root:a         root:b         false
root:a         root:b:*       false
root:a:*       root           false
root:a:*       root:*         false
root:a:*       root:a         true
root:a:*       root:a:*       true
root:a:*       root:b         false
root:a:*       root:b:*       false
root:b         root           false
root:b         root:*         false
root:b         root:a         false
root:b         root:a:*       false
root:b         root:b         true
root:b         root:b:*       true
root:b:*       root           false
root:b:*       root:*         false
root:b:*       root:a         false
root:b:*       root:a:*       false
root:b:*       root:b         true
root:b:*       root:b:*       true
{noformat}
There is no mechanism by which I can grant a permission to a subject and then
ask if they have access to anything below a specific point. As a concrete
example, I want to be able to check that the user with the permission "root:a"
has access to something below "root".
There is no combination that I can discover where I can set this up.
I am proposing a couple of changes.
1. Introduce a HierarchicalPermissions interface to mark such permissions.
2. Create a method on Subject that takes a permission and determines if the
user has any permissions at that level or below.
Let's call that method "hasRestriction()" for the rest of this discussion.
hasRestriction() will return true if there are any explicit permissions noted
at or below the level.
When subject.hasRestriction() is called, the above table would have the
following results:
{noformat}
Subject Perm   Checked Perm   Result
------------   ------------   ------
root           root           true
root           root:*         false
root           root:a         false
root           root:a:*       false
root           root:b         false
root           root:b:*       false
root:*         root           true
root:*         root:*         true
root:*         root:a         true
root:*         root:a:*       false
root:*         root:b         true
root:*         root:b:*       false
root:a         root           true
root:a         root:*         true
root:a         root:a         true
root:a         root:a:*       false
root:a         root:b         false
root:a         root:b:*       false
root:a:*       root           true
root:a:*       root:*         true
root:a:*       root:a         true
root:a:*       root:a:*       true
root:a:*       root:b         true
root:a:*       root:b:*       true
root:b         root           true
root:b         root:*         true
root:b         root:a         false
root:b         root:a:*       false
root:b         root:b         true
root:b         root:b:*       false
root:b:*       root           true
root:b:*       root:*         true
root:b:*       root:a         false
root:b:*       root:a:*       false
root:b:*       root:b         true
root:b:*       root:b:*       true
{noformat}
With this method available I can ask the following in the code:
{noformat}
if (subject.isPermitted(perm)) {
    if (subject.hasRestriction(perm)) {
        // code with deeper checking
    } else {
        // just get the data here as there are no further restrictions.
    }
} else {
    // no access
}
{noformat}
Thoughts?
Claude
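To make the proposed semantics concrete, here is an added Python model (not Shiro's code, and not Java) of the existing WildcardPermission.implies() rule next to a candidate hasRestriction() rule, plus the isPermitted/hasRestriction decision from the snippet above. It assumes single-valued, case-insensitive parts (no comma-separated sub-parts), and reads hasRestriction() as "the subject's permission is at least as deep as the checked one and agrees with it, or is wildcarded, on every checked part"; that reading reproduces every row of the second table except the root:a:* versus root:b pair, where the table also disagrees with its mirror rows (root:b:* versus root:a), so the symmetric reading is taken here.

```python
WILDCARD = "*"
SEP = ":"

def parts(perm: str) -> list[str]:
    """Split a colon-separated permission into normalised parts."""
    ps = [p.strip().lower() for p in perm.split(SEP)]
    if not all(ps):
        raise ValueError(f"empty part in permission {perm!r}")
    return ps

def implies(subject_perm: str, checked_perm: str) -> bool:
    """Model of WildcardPermission.implies(): each checked part must be
    matched by the subject's part or '*'; omitted checked parts count as
    '*'; extra subject parts must themselves be '*'."""
    s, c = parts(subject_perm), parts(checked_perm)
    for i, sp in enumerate(s):
        if i >= len(c):
            return all(p == WILDCARD for p in s[i:])
        if sp != WILDCARD and sp != c[i]:
            return False
    return True

def has_restriction(subject_perm: str, checked_perm: str) -> bool:
    """Proposed check: an explicit permission exists at or below the level
    named by checked_perm. Assumed rule: the subject permission is at
    least as deep as the checked one and, on every checked part, the two
    agree or one of them is '*'."""
    s, c = parts(subject_perm), parts(checked_perm)
    if len(s) < len(c):
        return False
    return all(cp == WILDCARD or sp == WILDCARD or sp == cp
               for sp, cp in zip(s, c))

class Subject:
    """Stand-in for a Shiro Subject holding its granted permission strings."""
    def __init__(self, *granted: str) -> None:
        self.granted = list(granted)
    def is_permitted(self, perm: str) -> bool:
        return any(implies(g, perm) for g in self.granted)
    def has_restriction(self, perm: str) -> bool:
        return any(has_restriction(g, perm) for g in self.granted)

def plan_read(subject: Subject, node_perm: str) -> str:
    """Decision from the post: skip per-node checks when nothing below is restricted."""
    if not subject.is_permitted(node_perm):
        return "no access"
    if subject.has_restriction(node_perm):
        return "walk subtree with per-node checks"
    return "read whole subtree"
```

Note that with the snippet's ordering a subject holding only "root:a" gets "no access" for "root" even though hasRestriction("root") is true, which is exactly the case the proposal is trying to make answerable.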