TBR: syncbased: when creating initial db, add the blessing in the db id to the acl
Change-Id: I6189ae031ac23d394e396575b870e1635d05fef7
diff --git a/services/syncbase/server/service.go b/services/syncbase/server/service.go
index 4f7328a..b25d1bd 100644
--- a/services/syncbase/server/service.go
+++ b/services/syncbase/server/service.go
@@ -205,6 +205,8 @@
// for a fully initialized service. Fix this with a separate marker.
ctx.Infof("Creating initial database: %v", opts.InitialDB)
dbPerms := pubutil.FilterTags(sd.GetPerms(), wire.AllDatabaseTags...)
+ allButAdmin := []access.Tag{access.Read, access.Write, access.Resolve}
+ dbPerms.Add(security.BlessingPattern(opts.InitialDB.Blessing), access.TagStrings(allButAdmin...)...)
if err := s.createDatabase(ctx, nil, opts.InitialDB, dbPerms, nil); err != nil {
return nil, err
}
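Review bot: The added `dbPerms.Add(...)` line converts `opts.InitialDB.Blessing` straight into a `security.BlessingPattern` with no check visible in this hunk, so the flag value alone decides who receives Read, Write and Resolve on the new database. A Vanadium pattern that does not end in `:$` also matches every extension of that blessing, and a value equal to the all-principals pattern would open the database to any caller. If the id is not validated earlier in this function (it begins and ends outside the hunk), guard the grant with something like `if p := security.BlessingPattern(opts.InitialDB.Blessing); !p.IsValid() || p == security.AllPrincipals` and return an error in that case. It would also help to record the intent above the grant, e.g. `// Grant the db-id blessing (and its extensions) everything except Admin; Admin stays with the service perms.`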
diff --git a/services/syncbase/syncbased/doc.go b/services/syncbase/syncbased/doc.go
index 9237fcf..665582c 100644
--- a/services/syncbase/syncbased/doc.go
+++ b/services/syncbase/syncbased/doc.go
@@ -24,8 +24,9 @@
-initial-db=
If specified, a new database with the given id is created when setting up a
brand new storage instance. Permissions for the database will be the service
- permissions. Format must conform to v.io/services/syncbase.Id.String:
- blessing,name
+ permissions; additionally, the blessing specified in the database id will
+ have Read, Write, and Resolve. Format must conform to
+ v.io/services/syncbase.Id.String: blessing,name
-name=
Name to mount at.
-root-dir=
diff --git a/services/syncbase/syncbaselib/opts.go b/services/syncbase/syncbaselib/opts.go
index 1626851..c475d2d 100644
--- a/services/syncbase/syncbaselib/opts.go
+++ b/services/syncbase/syncbaselib/opts.go
@@ -27,5 +27,5 @@
f.BoolVar(&o.SkipPublishInNh, "skip-publish-in-nh", false, "Whether to skip publishing in the neighborhood.")
f.BoolVar(&o.DevMode, "dev", false, "Whether to run in development mode; required for RPCs such as Service.DevModeUpdateVClock.")
f.StringVar(&o.CpuProfile, "cpuprofile", "", "If specified, write the cpu profile to the given filename.")
- f.StringVar(&o.InitialDB, "initial-db", "", "If specified, a new database with the given id is created when setting up a brand new storage instance. Permissions for the database will be the service permissions. Format must conform to v.io/services/syncbase.Id.String: blessing,name")
+ f.StringVar(&o.InitialDB, "initial-db", "", "If specified, a new database with the given id is created when setting up a brand new storage instance. Permissions for the database will be the service permissions; additionally, the blessing specified in the database id will have Read, Write, and Resolve. Format must conform to v.io/services/syncbase.Id.String: blessing,name")
}