ningyougang commented on a change in pull request #4058:
URL: https://github.com/apache/openwhisk/pull/4058#discussion_r504412314
##########
File path:
common/scala/src/main/scala/org/apache/openwhisk/core/entity/WhiskAction.scala
##########
@@ -351,6 +361,49 @@ object WhiskAction extends DocumentFactory[WhiskAction]
with WhiskEntityQueries[
val execFieldName = "exec"
val requireWhiskAuthHeader = "x-require-whisk-auth"
+ // annotation permission key name
+ val permissionsFieldName = "permissions"
+
+ val defaultPermissions = "rwxr-x"
+
+ // notes on users, just have 2 type users,
+ // 1. the action's owner
+ // 2. the user (not the owner) who used the shared action directly(e.g. get,
invoke), we call it "the shared user"
+ //
+ // Notes on permission control
+ // 1. the owner has read(or download) permission on any situation, but for
the shared user,
+ // in spite of has read permission on any situation, but can set it
undownloadable or downloadable
+ // 2. the shared user can't update/delete the action on any situation.
+ // 3. the owner's permission can affect the shared user's permission, e.g
+ // if the owner is not given execute permission, the shared user can't
have execute permission as well.
+ //
+ // Notes on permission values, include below permission value
+ // 1. permission code:rwxr-x: owner:read(yes)/write(yes)/execute(yes)|the
shared action's user:download(yes)/write(no)/execute(yes), this is default
+ // 2. permission code:rwxr--: owner:read(yes)/write(yes)/execute(yes)|the
shared action's user:download(yes)/write(no)/execute(no)
+ // 3. permission code:r-xr-x: owner:read(yes)/write(no)/execute(yes)|the
shared action's user:download(yes)/write(no)/execute(yes)
+ // 4. permission code:r-xr--: owner:read(yes)/write(no)/execute(yes)|the
shared action's user:download(yes)/write(no)/execute(no)
+ // 5. permission code:r--r--: owner:read(yes)/write(no)/execute(no)|the
shared action's user:download(yes)/write(no)/execute(no)
+ // 6. permission code:rw-r--: owner:read(yes)/write(yes)/execute(no)|the
shared action's user:download(yes)/write(no)/execute(no)
+ // 7. permission code:rwx--x: owner:read(yes)/write(yes)/execute(yes)|the
shared action's user:download(no)/write(no)/execute(yes)
+ // 8. permission code:rwx---: owner:read(yes)/write(yes)/execute(yes)|the
shared action's user:download(no)/write(no)/execute(no)
+ // 9. permission code:r-x--x: owner:read(yes)/write(no)/execute(yes)|the
shared action's user:download(no)/write(no)/execute(yes)
+ // 10. permission code:r-x---: owner:read(yes)/write(no)/execute(yes)|the
shared action's user:download(no)/write(no)/execute(no)
+ // 11. permission code:r-----: owner:read(yes)/write(no)/execute(no)|the
shared action's user:download(no)/write(no)/execute(no)
+ // 12. permission code:rw----: owner:read(yes)/write(yes)/execute(no)|the
shared action's user:download(no)/write(no)/execute(no)
+ val permissionList = List(
+ defaultPermissions,
+ "rwxr--",
+ "r-xr-x",
+ "r-xr--",
+ "r--r--",
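Review bot: In the "Notes on permission values" comment and `permissionList`, the accepted codes are enumerated by hand, so the comment and the list can drift apart from rules 1 to 3 stated above them. Those rules already determine the valid set: the first character is always `r`, the fifth is always `-`, and the sixth may be `x` only when the third is `x`. Consider validating a code against those constraints, or adding a test that checks every `permissionList` entry against them, rather than relying only on membership in a literal list. The comment also says "read" in rule 1 and "download" in the value list for the shared user's fourth character; pick one term and state what a shared user with `-` in that position can still see. It would also help to document here how an owner whose code has write(no), such as `r--r--`, is expected to regain write access.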
Review comment:
Yes, there is a case where the owner doesn't have permission to update
or execute the action, e.g. the permissions annotation for that action is
`r--r--`.
In this case, if the owner wants to update the action code, they need to modify
the action's permissions annotation to executable, e.g. `wsk -i action update
$action --annotation permissions rw-r--`; then the user can update their
action.