veyron/security: Update documentation for ACL formatting.
Change-Id: Ieffc1d5de0e5176440a62348e1f8067ef77c732e
diff --git a/security/acl_authorizer.go b/security/acl_authorizer.go
index fe9fca5..9db8988 100644
--- a/security/acl_authorizer.go
+++ b/security/acl_authorizer.go
@@ -64,11 +64,14 @@
// The JSON-encoding of a ACL is essentially a JSON object describing a map from
// BlessingPatterns to encoded LabelSets (see LabelSet.MarshalJSON).
// Examples:
-// * `{"..." : "RW"}` encodes an ACL that allows all principals to access all methods with
+// * `{"In": {"..." : "RW"}}` encodes an ACL that allows all principals to access all methods with
// ReadLabel or WriteLabel.
-// * `{"veyron/alice": "RW", "veyron/bob/...": "R"}` encodes an ACL that allows all principals
-// matched by "veyron/alice" to access methods with ReadLabel or WriteLabel, and all
-// principals matched by "veyron/bob/..." to access methods with ReadLabel.
+// * `{"In":{"veyron/alice": "RW", "veyron/bob/...": "R"}}` encodes an ACL that allows all principals
+// matched by "veyron/alice" to access methods with ReadLabel or WriteLabel, and all
+// principals matched by "veyron/bob/..." to access methods with ReadLabel.
+// * `{"In": {"...": "RW"}, "NotIn": {"veyron/alice": "W"}}` encodes an ACL that allows all principals
+// access to all ReadLabel or WriteLabel methods, EXCEPT that methods with a WriteLabel are not
+// accessible to veyron/alice and her delegates.
// (Also see BlessingPattern.MatchedBy)
//
// TODO(ataly, ashankar): Instead of reading the file on each call we should use the "inotify"
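Review bot: The lead sentence on the unchanged lines at the top of this hunk still describes the encoding as "a JSON object describing a map from BlessingPatterns to encoded LabelSets", while every rewritten example now wraps that map in an "In" object and optionally adds a "NotIn" object, so the prose and the examples no longer agree. Suggest rewording the lead to match the examples, e.g. `// The JSON-encoding of an ACL is a JSON object with an "In" key and an optional "NotIn" key, each mapping BlessingPatterns to encoded LabelSets (see LabelSet.MarshalJSON).` That also fixes the "a ACL" article on the same line.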
diff --git a/security/flag/flag.go b/security/flag/flag.go
index d0820ca..91b54c2 100644
--- a/security/flag/flag.go
+++ b/security/flag/flag.go
@@ -13,7 +13,7 @@
)
var (
- acl = flag.String("acl", "", "acl is an optional JSON-encoded security.ACL that is used to construct a security.Authorizer. Example: \"{\"veyron.io/veyron/veyron/alice\":\"RW\"}\" is a JSON-encoded ACL that allows all principals matching \"veyron.io/veyron/veyron/alice\" to access all methods with ReadLabel or WriteLabel. If this flag is provided then the \"--acl_file\" must be absent.")
+ acl = flag.String("acl", "", `acl is an optional JSON-encoded security.ACL that is used to construct a security.Authorizer. Example: {"In":{"veyron/alice/...":"RW"}} is a JSON-encoded ACL that allows all delegates of "veyron/alice" to access all methods with ReadLabel or WriteLabel. If this flag is provided then the \"--acl_file\" must be absent.`)
aclFile = flag.String("acl_file", "", "acl_file is an optional path to a file containing a JSON-encoded security.ACL that is used to construct a security.Authorizer. If this flag is provided then the \"--acl_file\" flag must be absent.")
)
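Review bot: The new acl help string was switched to a raw (backtick) literal but still ends with `\"--acl_file\"`; inside backticks `\"` is not an escape sequence, so the flag's usage text now prints the backslashes literally. Change the tail of the new line to `then the "--acl_file" flag must be absent.` The unchanged acl_file help on the following line tells the user that "--acl_file" must be absent when acl_file itself is provided, which reads as a copy-paste slip for "--acl" and is worth correcting in the same pass.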
@@ -33,7 +33,7 @@
}
a, err := vsecurity.LoadACL(bytes.NewBufferString(*acl))
if err != nil {
- return nil
+ panic(err)
}
return vsecurity.NewACLAuthorizer(a)
}
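Review bot: The new `panic(err)` aborts startup on a malformed --acl value, which is a reasonable fail-closed choice for flag-derived policy, but the panic carries no indication of which input was bad. Wrap it so the crash names its source, e.g. `panic(fmt.Errorf("parsing --acl flag: %v", err))`; the import block lies outside this hunk, so fmt may need adding. The enclosing function starts outside the hunk, so I cannot see its signature; if it is a library-style constructor rather than an "OrDie" helper, returning the error to the caller would be the more conventional Go shape.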