veyron2/security: Simplify the ACL structure and use the glob characters in PrincipalPattern.

ACLs serialized to disk before this commit will not be compatible with
binaries created after this commit.

A couple of ACL-related changes:

(1) ACL.In is now just a map from PrincipalPattern to labels.
    The "Entries" type is no longer needed.
    BEFORE: In: {Principals: {"foo": "RW"}}
    AFTER: In: {"foo":"RW"}
    The Entries struct was motivated by keeping both "groups" and "blessings"
    in the "In"/"NotIn" set. The Groups API is not defined yet; furthermore,
    there are concerns around using NotIn with groups. My thinking is now
    that when group support is added, it is added as a field in the ACL struct
    (e.g. ACL.Groups) instead of as a field in ACL.In.Entries.

(2) PrincipalPattern now uses characters consistent with other pattern
    matching (e.g., namespace glob, or the query API), where "..." and
    not "*" denotes "recursive" matches.

(3) ACL.NotIn is a map from string to LabelSet (instead of PrincipalPattern
    to label set) to emphasize that NotIn need not contain "glob" patterns
    (i.e., those that end in ...)

While at it, also:
* Updated commentary for labels in security/types.vdl
* Updated commentary for ACLs in security/types.vdl
* Removed NewWhitelistACL: With the simplified ACL structure,
  this helper function is no longer needed.

Change-Id: I5be5bccdf1eb949436248c26d27f888e16df8ea0
18 files changed
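
The flattened ACL layout and the "..." pattern rule from items (1) to (3) of the commit message, as an added Go example that is not code from this commit or from veyron2/security. The type definitions, the "/" separator, the matching rule for a trailing "...", the exact-name NotIn subtraction and the sample entries are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical stand-ins for the types named in the commit message.
type PrincipalPattern string
type LabelSet uint8
type ACL struct {
	In    map[PrincipalPattern]LabelSet // AFTER layout: pattern -> labels
	NotIn map[string]LabelSet           // plain names, no glob patterns
}
const Read, Write LabelSet = 1, 2

// Matches (assumed semantics): "..." alone matches any name, a trailing
// "/..." matches the prefix and its "/"-separated extensions, and anything
// else, including a pattern containing "*", is compared literally.
func (p PrincipalPattern) Matches(name string) bool {
	s := string(p)
	if s == "..." || s == name {
		return true
	}
	prefix := strings.TrimSuffix(s, "/...")
	return prefix != s && (name == prefix || strings.HasPrefix(name, prefix+"/"))
}

// Labels unions the labels of every matching In pattern, then clears the
// labels NotIn lists for that exact name (assumed evaluation order).
func (a ACL) Labels(name string) LabelSet {
	var granted LabelSet
	for p, l := range a.In {
		if p.Matches(name) {
			granted |= l
		}
	}
	return granted &^ a.NotIn[name]
}

var sample = ACL{ // constructed data for this example
	In:    map[PrincipalPattern]LabelSet{"foo/...": Read | Write, "bar/*": Read},
	NotIn: map[string]LabelSet{"foo/guest": Write},
}

func main() {
	for _, n := range []string{"foo", "foo/guest", "foobar", "bar/x"} {
		fmt.Printf("%-10s %02b\n", n, sample.Labels(n))
	}
}
```

Under these assumptions an entry still written with "*", such as "bar/*", matches only that literal name and grants nothing to "bar/x", so entries that relied on "*" need rewriting with "...".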