style95 commented on a change in pull request #4058:
URL: https://github.com/apache/openwhisk/pull/4058#discussion_r496399630
##########
File path:
common/scala/src/main/scala/org/apache/openwhisk/core/entity/WhiskAction.scala
##########
@@ -351,6 +361,49 @@ object WhiskAction extends DocumentFactory[WhiskAction]
with WhiskEntityQueries[
val execFieldName = "exec"
val requireWhiskAuthHeader = "x-require-whisk-auth"
+ // annotation permission key name
+ val permissionsFieldName = "permissions"
+
+ val defaultPermissions = "rwxr-x"
+
+ // notes on users, just have 2 type users,
+ // 1. the action's owner
+ // 2. the user (not the owner) who used the shared action directly(e.g. get,
invoke), we call it "the shared user"
+ //
+ // Notes on permission control
+ // 1. the owner has read(or download) permission on any situation, but for
the shared user,
+ // in spite of has read permission on any situation, but can set it
undownloadable or downloadable
+ // 2. the shared user can't update/delete the action on any situation.
+ // 3. the owner's permission can affect the shared user's permission, e.g
+ // if the owner is not given execute permission, the shared user can't
have execute permission as well.
+ //
+ // Notes on permission values, include below permission value
+ // 1. permission code:rwxr-x: owner:read(yes)/write(yes)/execute(yes)|the
shared action's user:download(yes)/write(no)/execute(yes), this is default
+ // 2. permission code:rwxr--: owner:read(yes)/write(yes)/execute(yes)|the
shared action's user:download(yes)/write(no)/execute(no)
+ // 3. permission code:r-xr-x: owner:read(yes)/write(no)/execute(yes)|the
shared action's user:download(yes)/write(no)/execute(yes)
+ // 4. permission code:r-xr--: owner:read(yes)/write(no)/execute(yes)|the
shared action's user:download(yes)/write(no)/execute(no)
+ // 5. permission code:r--r--: owner:read(yes)/write(no)/execute(no)|the
shared action's user:download(yes)/write(no)/execute(no)
+ // 6. permission code:rw-r--: owner:read(yes)/write(yes)/execute(no)|the
shared action's user:download(yes)/write(no)/execute(no)
+ // 7. permission code:rwx--x: owner:read(yes)/write(yes)/execute(yes)|the
shared action's user:download(no)/write(no)/execute(yes)
+ // 8. permission code:rwx---: owner:read(yes)/write(yes)/execute(yes)|the
shared action's user:download(no)/write(no)/execute(no)
+ // 9. permission code:r-x--x: owner:read(yes)/write(no)/execute(yes)|the
shared action's user:download(no)/write(no)/execute(yes)
+ // 10. permission code:r-x---: owner:read(yes)/write(no)/execute(yes)|the
shared action's user:download(no)/write(no)/execute(no)
+ // 11. permission code:r-----: owner:read(yes)/write(no)/execute(no)|the
shared action's user:download(no)/write(no)/execute(no)
+ // 12. permission code:rw----: owner:read(yes)/write(yes)/execute(no)|the
shared action's user:download(no)/write(no)/execute(no)
+ val permissionList = List(
+ defaultPermissions,
+ "rwxr--",
+ "r-xr-x",
+ "r-xr--",
+ "r--r--",
Review comment:
Is there any case where an owner does not need to either update or
execute the action?
If so, how can the user update the action permission and the action itself?
##########
File path:
common/scala/src/main/scala/org/apache/openwhisk/core/entity/WhiskAction.scala
##########
@@ -351,6 +361,49 @@ object WhiskAction extends DocumentFactory[WhiskAction]
with WhiskEntityQueries[
val execFieldName = "exec"
val requireWhiskAuthHeader = "x-require-whisk-auth"
+ // annotation permission key name
+ val permissionsFieldName = "permissions"
+
+ val defaultPermissions = "rwxr-x"
+
+ // notes on users, just have 2 type users,
+ // 1. the action's owner
+ // 2. the user (not the owner) who used the shared action directly(e.g. get,
invoke), we call it "the shared user"
+ //
+ // Notes on permission control
+ // 1. the owner has read(or download) permission on any situation, but for
the shared user,
+ // in spite of has read permission on any situation, but can set it
undownloadable or downloadable
+ // 2. the shared user can't update/delete the action on any situation.
+ // 3. the owner's permission can affect the shared user's permission, e.g
+ // if the owner is not given execute permission, the shared user can't
have execute permission as well.
+ //
+ // Notes on permission values, include below permission value
+ // 1. permission code:rwxr-x: owner:read(yes)/write(yes)/execute(yes)|the
shared action's user:download(yes)/write(no)/execute(yes), this is default
+ // 2. permission code:rwxr--: owner:read(yes)/write(yes)/execute(yes)|the
shared action's user:download(yes)/write(no)/execute(no)
+ // 3. permission code:r-xr-x: owner:read(yes)/write(no)/execute(yes)|the
shared action's user:download(yes)/write(no)/execute(yes)
+ // 4. permission code:r-xr--: owner:read(yes)/write(no)/execute(yes)|the
shared action's user:download(yes)/write(no)/execute(no)
+ // 5. permission code:r--r--: owner:read(yes)/write(no)/execute(no)|the
shared action's user:download(yes)/write(no)/execute(no)
+ // 6. permission code:rw-r--: owner:read(yes)/write(yes)/execute(no)|the
shared action's user:download(yes)/write(no)/execute(no)
+ // 7. permission code:rwx--x: owner:read(yes)/write(yes)/execute(yes)|the
shared action's user:download(no)/write(no)/execute(yes)
+ // 8. permission code:rwx---: owner:read(yes)/write(yes)/execute(yes)|the
shared action's user:download(no)/write(no)/execute(no)
+ // 9. permission code:r-x--x: owner:read(yes)/write(no)/execute(yes)|the
shared action's user:download(no)/write(no)/execute(yes)
+ // 10. permission code:r-x---: owner:read(yes)/write(no)/execute(yes)|the
shared action's user:download(no)/write(no)/execute(no)
+ // 11. permission code:r-----: owner:read(yes)/write(no)/execute(no)|the
shared action's user:download(no)/write(no)/execute(no)
+ // 12. permission code:rw----: owner:read(yes)/write(yes)/execute(no)|the
shared action's user:download(no)/write(no)/execute(no)
+ val permissionList = List(
Review comment:
I'd apply a regex match to confirm the permission value rather than just
checking the existence of the value in a list.
##########
File path:
common/scala/src/main/scala/org/apache/openwhisk/core/entity/WhiskAction.scala
##########
@@ -351,6 +361,49 @@ object WhiskAction extends DocumentFactory[WhiskAction]
with WhiskEntityQueries[
val execFieldName = "exec"
val requireWhiskAuthHeader = "x-require-whisk-auth"
+ // annotation permission key name
+ val permissionsFieldName = "permissions"
Review comment:
I am not quite sure it is a good idea to use annotations for permission
management.
I feel like we need a new protocol.
##########
File path:
common/scala/src/main/scala/org/apache/openwhisk/core/entity/WhiskAction.scala
##########
@@ -351,6 +361,49 @@ object WhiskAction extends DocumentFactory[WhiskAction]
with WhiskEntityQueries[
val execFieldName = "exec"
val requireWhiskAuthHeader = "x-require-whisk-auth"
+ // annotation permission key name
+ val permissionsFieldName = "permissions"
+
+ val defaultPermissions = "rwxr-x"
+
+ // notes on users, just have 2 type users,
Review comment:
I'd rather keep this information in some markdown file and just leave
the link here.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
