Thank you, that is helpful indeed. I have some additional questions but I'll put them in another thread.
On Wed, 16 Sep 2020 at 21:22, Abhay Kulkarni <ab...@apache.org> wrote: > Hello, > > 'mandatory' should be set to 'true' for all resources. It is used in some > validations, however, in general, its semantics has changed over time and > is not consistently enforced. This is how resources are specified in all > existing service-definitions. > > If 'isValidLeaf' is set to true (default is false) for a resource which > has children (that is, there is some resource whose 'parent' value points > to it), then it defines a valid resource hierarchy with this resource being > the leaf. > > If A->B->C is a resource structure, where A is B's parent and B is C's > parent, and B is marked with 'isValidLeaf' set to true, then [A, B] also > defines a valid and complete resource hierarchy (in addition to resource > hierarchy [A,B,C]). > > For a leaf resource, you may specify an attribute 'accessTypeRestrictions' > whose value is typically a subset of accessTypes which are valid for it. > > Hope this helps! > > -Abhay > > On Wed, Sep 16, 2020 at 11:32 AM Elliot West <tea...@gmail.com> wrote: > >> Hello, >> >> I'm trying to figure out how to implement a service configuration for a >> complex custom resource hierarchy and have been peeking into the definition >> for Hive for inspiration as this has a similar hierarchy >> (database/table/column). I'm curious to know how the 'mandatory' and >> 'isValidLeaf' attributes are interpreted in the policy engine. >> >> My first assumption was that 'mandatory' might be used for resource types >> that may not always be present in particular classes of access request. In >> Hive for example, if I wish to drop a table, I would not expect the access >> request to describe a column name. However, I see this is not how the Hive >> service is implemented - column is mandatory. >> >> I'm also guessing that isValidLeaf=false would be used to denote a >> resource attribute that does not in and of itself point to resource, but is >> merely a coordinate to such a resource? >> >> Can anyone provide any insights as I fear I'm likely on the wrong track. >> >> Many thanks, >> >> Elliot. >> >
