TBR global: s/acl/perms/g and related cleanups/fixes
I was hoping this would be a quick find-replace CL, but it
turns out that names such as "acl" were being used
incorrectly in many places, and various bits of code still
used old names like "TAM" (presumbly shorthand for "tagged
acl map"), so it ended up being more work than I'd expected.
Change-Id: I7d484ddf5d2392179c5a83b969fd8b620801d101
diff --git a/services/application/application/impl_test.go b/services/application/application/impl_test.go
index 6eeb077..8c8f0fe 100644
--- a/services/application/application/impl_test.go
+++ b/services/application/application/impl_test.go
@@ -94,8 +94,8 @@
return nil
}
-func (s *server) SetPermissions(_ *context.T, _ rpc.ServerCall, acl access.Permissions, version string) error {
- vlog.VI(2).Infof("%v.SetPermissions(%v, %v) was called", acl, version)
+func (s *server) SetPermissions(_ *context.T, _ rpc.ServerCall, perms access.Permissions, version string) error {
+ vlog.VI(2).Infof("%v.SetPermissions(%v, %v) was called", perms, version)
return nil
}
diff --git a/services/application/applicationd/dispatcher.go b/services/application/applicationd/dispatcher.go
index 9d2e65d..a6ad666 100644
--- a/services/application/applicationd/dispatcher.go
+++ b/services/application/applicationd/dispatcher.go
@@ -13,8 +13,8 @@
"v.io/v23/security/access"
"v.io/v23/verror"
- "v.io/x/ref/services/internal/acls"
"v.io/x/ref/services/internal/fs"
+ "v.io/x/ref/services/internal/pathperms"
"v.io/x/ref/services/repository"
)
@@ -40,22 +40,22 @@
return nil, nil, err
}
- auth, err := acls.NewHierarchicalAuthorizer(
+ auth, err := pathperms.NewHierarchicalAuthorizer(
naming.Join("/acls", "data"),
naming.Join("/acls", name, "data"),
- (*applicationAccessListStore)(d.store))
+ (*applicationPermsStore)(d.store))
if err != nil {
return nil, nil, err
}
return repository.ApplicationServer(NewApplicationService(d.store, d.storeRoot, suffix)), auth, nil
}
-type applicationAccessListStore fs.Memstore
+type applicationPermsStore fs.Memstore
-// TAMForPath implements TAMGetter so that applicationd can use the
-// hierarchicalAuthorizer
-func (store *applicationAccessListStore) TAMForPath(path string) (access.Permissions, bool, error) {
- tam, _, err := getAccessList((*fs.Memstore)(store), path)
+// PermsForPath implements PermsGetter so that applicationd can use the
+// hierarchicalAuthorizer.
+func (store *applicationPermsStore) PermsForPath(path string) (access.Permissions, bool, error) {
+ perms, _, err := getPermissions((*fs.Memstore)(store), path)
if verror.ErrorID(err) == verror.ErrNoExist.ID {
return nil, true, nil
@@ -63,5 +63,5 @@
if err != nil {
return nil, false, err
}
- return tam, false, nil
+ return perms, false, nil
}
diff --git a/services/application/applicationd/acl_test.go b/services/application/applicationd/perms_test.go
similarity index 81%
rename from services/application/applicationd/acl_test.go
rename to services/application/applicationd/perms_test.go
index ecca68a..e787080 100644
--- a/services/application/applicationd/acl_test.go
+++ b/services/application/applicationd/perms_test.go
@@ -36,7 +36,7 @@
func appRepository(stdin io.Reader, stdout, stderr io.Writer, env map[string]string, args ...string) error {
if len(args) < 2 {
- vlog.Fatalf("repository expected at least name and store arguments and optionally AccessList flags per PermissionsFromFlag")
+ vlog.Fatalf("repository expected at least name and store arguments and optionally Permissions flags per PermissionsFromFlag")
}
publishName := args[0]
storedir := args[1]
@@ -68,15 +68,14 @@
return nil
}
-func TestApplicationUpdateAccessList(t *testing.T) {
+func TestApplicationUpdatePermissions(t *testing.T) {
ctx, shutdown := test.InitForTest()
defer shutdown()
v23.GetNamespace(ctx).CacheCtl(naming.DisableCache(true))
- // By default, all principals in this test will have blessings
- // generated based on the username/machine running this process. Give
- // them recognizable names ("root/self" etc.), so the AccessLists can be set
- // deterministically.
+ // By default, all principals in this test will have blessings generated based
+ // on the username/machine running this process. Give them recognizable names
+ // ("root/self" etc.), so the Permissions can be set deterministically.
idp := testutil.NewIDProvider("root")
if err := idp.Bless(v23.GetPrincipal(ctx), "self"); err != nil {
t.Fatal(err)
@@ -122,7 +121,7 @@
}
vlog.VI(2).Infof("Accessing the Permission Lists of the root returns a (simulated) list providing default authorization.")
- acl, version, err := repostub.GetPermissions(ctx)
+ perms, version, err := repostub.GetPermissions(ctx)
if err != nil {
t.Fatalf("GetPermissions should not have failed: %v", err)
}
@@ -145,26 +144,26 @@
"Resolve": access.AccessList{
In: []security.BlessingPattern{"root/$", "root/self/$", "root/self/child"},
NotIn: []string(nil)}}
- if got := acl; !reflect.DeepEqual(expected.Normalize(), got.Normalize()) {
+ if got := perms; !reflect.DeepEqual(expected.Normalize(), got.Normalize()) {
t.Errorf("got %#v, exected %#v ", got, expected)
}
vlog.VI(2).Infof("self attempting to give other permission to update application")
- newAccessList := make(access.Permissions)
+ newPerms := make(access.Permissions)
for _, tag := range access.AllTypicalTags() {
- newAccessList.Add("root/self", string(tag))
- newAccessList.Add("root/other", string(tag))
+ newPerms.Add("root/self", string(tag))
+ newPerms.Add("root/other", string(tag))
}
- if err := repostub.SetPermissions(ctx, newAccessList, ""); err != nil {
+ if err := repostub.SetPermissions(ctx, newPerms, ""); err != nil {
t.Fatalf("SetPermissions failed: %v", err)
}
- acl, version, err = repostub.GetPermissions(ctx)
+ perms, version, err = repostub.GetPermissions(ctx)
if err != nil {
t.Fatalf("GetPermissions should not have failed: %v", err)
}
- expected = newAccessList
- if got := acl; !reflect.DeepEqual(expected.Normalize(), got.Normalize()) {
+ expected = newPerms
+ if got := perms; !reflect.DeepEqual(expected.Normalize(), got.Normalize()) {
t.Errorf("got %#v, exected %#v ", got, expected)
}
@@ -174,14 +173,14 @@
}
// Other takes control.
- acl, version, err = repostub.GetPermissions(otherCtx)
+ perms, version, err = repostub.GetPermissions(otherCtx)
if err != nil {
t.Fatalf("GetPermissions 2 should not have failed: %v", err)
}
- acl["Admin"] = access.AccessList{
+ perms["Admin"] = access.AccessList{
In: []security.BlessingPattern{"root/other"},
NotIn: []string{}}
- if err = repostub.SetPermissions(otherCtx, acl, version); err != nil {
+ if err = repostub.SetPermissions(otherCtx, perms, version); err != nil {
t.Fatalf("SetPermissions failed: %v", err)
}
@@ -189,7 +188,7 @@
if _, _, err = repostub.GetPermissions(ctx); err == nil {
t.Fatalf("GetPermissions should not have succeeded")
}
- acl, _, err = repostub.GetPermissions(otherCtx)
+ perms, _, err = repostub.GetPermissions(otherCtx)
if err != nil {
t.Fatalf("GetPermissions should not have failed: %v", err)
}
@@ -210,19 +209,18 @@
"root/self"},
NotIn: []string{}}}
- if got := acl; !reflect.DeepEqual(expected.Normalize(), got.Normalize()) {
+ if got := perms; !reflect.DeepEqual(expected.Normalize(), got.Normalize()) {
t.Errorf("got %#v, exected %#v ", got, expected)
}
}
-func TestPerAppAccessList(t *testing.T) {
+func TestPerAppPermissions(t *testing.T) {
ctx, shutdown := test.InitForTest()
defer shutdown()
v23.GetNamespace(ctx).CacheCtl(naming.DisableCache(true))
- // By default, all principals in this test will have blessings
- // generated based on the username/machine running this process. Give
- // them recognizable names ("root/self" etc.), so the AccessLists can be set
- // deterministically.
+ // By default, all principals in this test will have blessings generated based
+ // on the username/machine running this process. Give them recognizable names
+ // ("root/self" etc.), so the Permissions can be set deterministically.
idp := testutil.NewIDProvider("root")
if err := idp.Bless(v23.GetPrincipal(ctx), "self"); err != nil {
t.Fatal(err)
@@ -268,7 +266,7 @@
t.Fatalf("Put() failed: %v", err)
}
- vlog.VI(2).Info("Self can access.AccessLists but other can't.")
+ vlog.VI(2).Info("Self can access Permissions but other can't.")
expectedSelfPermissions := access.Permissions{
"Admin": access.AccessList{
In: []security.BlessingPattern{"root/$", "root/self"},
@@ -284,12 +282,12 @@
for _, path := range []string{"repo/search", "repo/search/v1", "repo/search/v2", "repo/naps", "repo/naps/v1"} {
stub := repository.ApplicationClient(path)
- acl, _, err := stub.GetPermissions(ctx)
+ perms, _, err := stub.GetPermissions(ctx)
if err != nil {
t.Fatalf("Newly uploaded envelopes failed to receive permission lists: %v", err)
}
- if got := acl; !reflect.DeepEqual(expectedSelfPermissions.Normalize(), got.Normalize()) {
+ if got := perms; !reflect.DeepEqual(expectedSelfPermissions.Normalize(), got.Normalize()) {
t.Errorf("got %#v, expected %#v ", got, expectedSelfPermissions)
}
@@ -299,13 +297,13 @@
}
}
- vlog.VI(2).Infof("Self sets root AccessLists.")
+ vlog.VI(2).Infof("Self sets root Permissions.")
repostub := repository.ApplicationClient("repo")
- newAccessList := make(access.Permissions)
+ newPerms := make(access.Permissions)
for _, tag := range access.AllTypicalTags() {
- newAccessList.Add("root/self", string(tag))
+ newPerms.Add("root/self", string(tag))
}
- if err := repostub.SetPermissions(ctx, newAccessList, ""); err != nil {
+ if err := repostub.SetPermissions(ctx, newPerms, ""); err != nil {
t.Fatalf("SetPermissions failed: %v", err)
}
@@ -315,14 +313,14 @@
}
vlog.VI(2).Infof("Self gives other full access to repo/search/...")
- newAccessList, version, err := v1stub.GetPermissions(ctx)
+ newPerms, version, err := v1stub.GetPermissions(ctx)
if err != nil {
t.Fatalf("GetPermissions should not have failed: %v", err)
}
for _, tag := range access.AllTypicalTags() {
- newAccessList.Add("root/other", string(tag))
+ newPerms.Add("root/other", string(tag))
}
- if err := v1stub.SetPermissions(ctx, newAccessList, version); err != nil {
+ if err := v1stub.SetPermissions(ctx, newPerms, version); err != nil {
t.Fatalf("SetPermissions failed: %v", err)
}
@@ -356,12 +354,12 @@
for _, path := range []string{"repo/search", "repo/search/v1", "repo/search/v2"} {
stub := repository.ApplicationClient(path)
vlog.VI(2).Infof("Other can now access this app independent of version.")
- acl, _, err := stub.GetPermissions(otherCtx)
+ perms, _, err := stub.GetPermissions(otherCtx)
if err != nil {
t.Fatalf("GetPermissions should not have failed: %v", err)
}
- if got := acl; !reflect.DeepEqual(expected.Normalize(), got.Normalize()) {
+ if got := perms; !reflect.DeepEqual(expected.Normalize(), got.Normalize()) {
t.Errorf("got %#v, expected %#v ", got, expected)
}
vlog.VI(2).Infof("Self can also access thanks to hierarchical auth.")
@@ -379,12 +377,12 @@
}
// Self gives other write perms on base.
- newAccessList, version, err = repostub.GetPermissions(ctx)
+ newPerms, version, err = repostub.GetPermissions(ctx)
if err != nil {
t.Fatalf("GetPermissions should not have failed: %v", err)
}
- newAccessList["Write"] = access.AccessList{In: []security.BlessingPattern{"root/other", "root/self"}}
- if err := repostub.SetPermissions(ctx, newAccessList, version); err != nil {
+ newPerms["Write"] = access.AccessList{In: []security.BlessingPattern{"root/other", "root/self"}}
+ if err := repostub.SetPermissions(ctx, newPerms, version); err != nil {
t.Fatalf("SetPermissions failed: %v", err)
}
@@ -395,19 +393,19 @@
}
}
- // But because application search already exists, the ACLs do not change.
+ // But because application search already exists, the Permissions do not change.
for _, path := range []string{"repo/search", "repo/search/v1", "repo/search/v2"} {
stub := repository.ApplicationClient(path)
- acl, _, err := stub.GetPermissions(otherCtx)
+ perms, _, err := stub.GetPermissions(otherCtx)
if err != nil {
t.Fatalf("GetPermissions should not have failed: %v", err)
}
- if got := acl; !reflect.DeepEqual(expected.Normalize(), got.Normalize()) {
+ if got := perms; !reflect.DeepEqual(expected.Normalize(), got.Normalize()) {
t.Errorf("got %#v, expected %#v ", got, expected)
}
}
- // But self didn't give other AccessList modification permissions.
+ // But self didn't give other Permissions modification permissions.
for _, path := range []string{"repo/search", "repo/search/v2"} {
stub := repository.ApplicationClient(path)
if _, _, err := stub.GetPermissions(otherCtx); err != nil {
diff --git a/services/application/applicationd/service.go b/services/application/applicationd/service.go
index d0c70a1..e79ff03 100644
--- a/services/application/applicationd/service.go
+++ b/services/application/applicationd/service.go
@@ -7,8 +7,8 @@
import (
"strings"
- "v.io/x/ref/services/internal/acls"
"v.io/x/ref/services/internal/fs"
+ "v.io/x/ref/services/internal/pathperms"
"v.io/x/ref/services/repository"
"v.io/v23/context"
@@ -105,8 +105,7 @@
return err
}
- // Only add a Permission list value if there is not already one
- // present.
+ // Only add a Permissions value if there is not already one present.
apath := naming.Join("/acls", name, "data")
aobj := i.store.BindObject(apath)
if _, err := aobj.Get(call); verror.ErrorID(err) == fs.ErrNotInMemStore.ID {
@@ -115,8 +114,8 @@
// None of the client's blessings are valid.
return verror.New(ErrNotAuthorized, ctx)
}
- newacls := acls.PermissionsForBlessings(rb)
- if _, err := aobj.Put(nil, newacls); err != nil {
+ newperms := pathperms.PermissionsForBlessings(rb)
+ if _, err := aobj.Put(nil, newperms); err != nil {
return err
}
}
@@ -248,7 +247,7 @@
return ch, nil
}
-func (i *appRepoService) GetPermissions(ctx *context.T, call rpc.ServerCall) (acl access.Permissions, version string, err error) {
+func (i *appRepoService) GetPermissions(ctx *context.T, call rpc.ServerCall) (perms access.Permissions, version string, err error) {
name, _, err := parse(ctx, i.suffix)
if err != nil {
return nil, "", err
@@ -257,15 +256,15 @@
defer i.store.Unlock()
path := naming.Join("/acls", name, "data")
- acl, version, err = getAccessList(i.store, path)
+ perms, version, err = getPermissions(i.store, path)
if verror.ErrorID(err) == verror.ErrNoExist.ID {
- return acls.NilAuthPermissions(ctx, call.Security()), "", nil
+ return pathperms.NilAuthPermissions(ctx, call.Security()), "", nil
}
- return acl, version, err
+ return perms, version, err
}
-func (i *appRepoService) SetPermissions(ctx *context.T, _ rpc.ServerCall, acl access.Permissions, version string) error {
+func (i *appRepoService) SetPermissions(ctx *context.T, _ rpc.ServerCall, perms access.Permissions, version string) error {
name, _, err := parse(ctx, i.suffix)
if err != nil {
return err
@@ -273,39 +272,39 @@
i.store.Lock()
defer i.store.Unlock()
path := naming.Join("/acls", name, "data")
- return setAccessList(i.store, path, acl, version)
+ return setPermissions(i.store, path, perms, version)
}
-// getAccessList fetches a Permissions out of the Memstore at the provided path.
+// getPermissions fetches a Permissions out of the Memstore at the provided path.
// path is expected to already have been cleaned by naming.Join or its ilk.
-func getAccessList(store *fs.Memstore, path string) (access.Permissions, string, error) {
+func getPermissions(store *fs.Memstore, path string) (access.Permissions, string, error) {
entry, err := store.BindObject(path).Get(nil)
if verror.ErrorID(err) == fs.ErrNotInMemStore.ID {
- // No AccessList exists
+ // No Permissions exists
return nil, "", verror.New(verror.ErrNoExist, nil)
} else if err != nil {
- vlog.Errorf("getAccessList: internal failure in fs.Memstore")
+ vlog.Errorf("getPermissions: internal failure in fs.Memstore")
return nil, "", err
}
- acl, ok := entry.Value.(access.Permissions)
+ perms, ok := entry.Value.(access.Permissions)
if !ok {
return nil, "", err
}
- version, err := acls.ComputeVersion(acl)
+ version, err := pathperms.ComputeVersion(perms)
if err != nil {
return nil, "", err
}
- return acl, version, nil
+ return perms, version, nil
}
-// setAccessList writes a Permissions into the Memstore at the provided path.
+// setPermissions writes a Permissions into the Memstore at the provided path.
// where path is expected to have already been cleaned by naming.Join.
-func setAccessList(store *fs.Memstore, path string, acl access.Permissions, version string) error {
+func setPermissions(store *fs.Memstore, path string, perms access.Permissions, version string) error {
if version != "" {
- _, oversion, err := getAccessList(store, path)
+ _, oversion, err := getPermissions(store, path)
if verror.ErrorID(err) == verror.ErrNoExist.ID {
oversion = version
} else if err != nil {
@@ -324,7 +323,7 @@
object := store.BindObject(path)
- if _, err := object.Put(nil, acl); err != nil {
+ if _, err := object.Put(nil, perms); err != nil {
return err
}
if err := store.BindTransaction(tname).Commit(nil); err != nil {
diff --git a/services/binary/binary/impl_test.go b/services/binary/binary/impl_test.go
index a97dcb7..2b6c87d 100644
--- a/services/binary/binary/impl_test.go
+++ b/services/binary/binary/impl_test.go
@@ -81,11 +81,11 @@
return nil
}
-func (s *server) GetPermissions(*context.T, rpc.ServerCall) (acl access.Permissions, version string, err error) {
+func (s *server) GetPermissions(*context.T, rpc.ServerCall) (perms access.Permissions, version string, err error) {
return nil, "", nil
}
-func (s *server) SetPermissions(_ *context.T, _ rpc.ServerCall, acl access.Permissions, version string) error {
+func (s *server) SetPermissions(_ *context.T, _ rpc.ServerCall, perms access.Permissions, version string) error {
return nil
}
diff --git a/services/build/buildd/buildd_v23_test.go b/services/build/buildd/buildd_v23_test.go
index 8ad4515..68381bb 100644
--- a/services/build/buildd/buildd_v23_test.go
+++ b/services/build/buildd/buildd_v23_test.go
@@ -35,9 +35,8 @@
v23tests.RunRootMT(i, "--v23.tcp.address=127.0.0.1:0")
// Build binaries for the client and server.
- // Since ACLs are not setup on the server, the client must pass the
- // default authorization policy, i.e., must be a "delegate" of the
- // server.
+ // Since Permissions are not setup on the server, the client must pass the
+ // default authorization policy, i.e., must be a "delegate" of the server.
var (
buildServerBin = binaryWithCredentials(i, "buildd", "v.io/x/ref/services/build/buildd")
buildBin = binaryWithCredentials(i, "buildd/client", "v.io/x/ref/services/build/build")
diff --git a/services/device/device/acl_fmt.go b/services/device/device/acl_fmt.go
index feeeb0e..e8ea558 100644
--- a/services/device/device/acl_fmt.go
+++ b/services/device/device/acl_fmt.go
@@ -12,16 +12,16 @@
"v.io/v23/security"
)
-// aclEntries maps blessing patterns to the kind of access they should have.
-type aclEntries map[string]accessTags
+// permsEntries maps blessing patterns to the kind of access they should have.
+type permsEntries map[string]accessTags
// accessTags maps access tags to whether they should be blacklisted
// (i.e., part of the NotIn list) or not (part of the In list).
//
// TODO(ashankar,caprita): This structure is not friendly to a blessing
-// appearing in both the "In" and "NotIn" lists of an AccessList. Arguably, such an
-// AccessList is silly (In: ["foo"], NotIn: ["foo"]), but is legal. This structure can
-// end up hiding that.
+// appearing in both the "In" and "NotIn" lists of an AccessList. Arguably, such
+// an AccessList is silly (In: ["foo"], NotIn: ["foo"]), but is legal. This
+// structure can end up hiding that.
type accessTags map[string]bool
// String representation of access tags. Between String and parseAccessTags,
@@ -60,7 +60,7 @@
return ret, nil
}
-func (entries aclEntries) String() string {
+func (entries permsEntries) String() string {
var list []string
for pattern, _ := range entries {
list = append(list, pattern)
@@ -72,7 +72,7 @@
return strings.Join(list, "\n")
}
-func (entries aclEntries) Tags(pattern string) accessTags {
+func (entries permsEntries) Tags(pattern string) accessTags {
tags, exists := entries[pattern]
if !exists {
tags = make(accessTags)
diff --git a/services/device/device/acl_impl.go b/services/device/device/acl_impl.go
index 5eacbfa..9e0c940 100644
--- a/services/device/device/acl_impl.go
+++ b/services/device/device/acl_impl.go
@@ -4,7 +4,7 @@
package main
-// Commands to get/set AccessLists.
+// Commands to get/set Permissions.
import (
"fmt"
@@ -19,8 +19,8 @@
var cmdGet = &cmdline.Command{
Run: runGet,
Name: "get",
- Short: "Get AccessLists for the given target.",
- Long: "Get AccessLists for the given target.",
+ Short: "Get Permissions for the given target.",
+ Long: "Get Permissions for the given target.",
ArgsName: "<device manager name>",
ArgsLong: `
<device manager name> can be a Vanadium name for a device manager,
@@ -33,17 +33,17 @@
}
vanaName := args[0]
- objAccessList, _, err := device.ApplicationClient(vanaName).GetPermissions(gctx)
+ objPerms, _, err := device.ApplicationClient(vanaName).GetPermissions(gctx)
if err != nil {
return fmt.Errorf("GetPermissions on %s failed: %v", vanaName, err)
}
- // Convert objAccessList (Permissions) into aclEntries for pretty printing.
- entries := make(aclEntries)
- for tag, acl := range objAccessList {
- for _, p := range acl.In {
+ // Convert objPerms (Permissions) into permsEntries for pretty printing.
+ entries := make(permsEntries)
+ for tag, perms := range objPerms {
+ for _, p := range perms.In {
entries.Tags(string(p))[tag] = false
}
- for _, b := range acl.NotIn {
+ for _, b := range perms.NotIn {
entries.Tags(b)[tag] = true
}
}
@@ -57,8 +57,8 @@
var cmdSet = &cmdline.Command{
Run: runSet,
Name: "set",
- Short: "Set AccessLists for the given target.",
- Long: "Set AccessLists for the given target",
+ Short: "Set Permissions for the given target.",
+ Long: "Set Permissions for the given target",
ArgsName: "<device manager name> (<blessing> [!]<tag>(,[!]<tag>)*",
ArgsLong: `
<device manager name> can be a Vanadium name for a device manager,
@@ -95,7 +95,7 @@
vanaName := args[0]
pairs := args[1:]
- entries := make(aclEntries)
+ entries := make(permsEntries)
for i := 0; i < len(pairs); i += 2 {
blessing := pairs[i]
tags, err := parseAccessTags(pairs[i+1])
@@ -105,26 +105,26 @@
entries[blessing] = tags
}
- // Set the AccessLists on the specified names.
+ // Set the Permissions on the specified names.
for {
- objAccessList, version := make(access.Permissions), ""
+ objPerms, version := make(access.Permissions), ""
if !forceSet {
var err error
- if objAccessList, version, err = device.ApplicationClient(vanaName).GetPermissions(gctx); err != nil {
+ if objPerms, version, err = device.ApplicationClient(vanaName).GetPermissions(gctx); err != nil {
return fmt.Errorf("GetPermissions(%s) failed: %v", vanaName, err)
}
}
for blessingOrPattern, tags := range entries {
- objAccessList.Clear(blessingOrPattern) // Clear out any existing references
+ objPerms.Clear(blessingOrPattern) // Clear out any existing references
for tag, blacklist := range tags {
if blacklist {
- objAccessList.Blacklist(blessingOrPattern, tag)
+ objPerms.Blacklist(blessingOrPattern, tag)
} else {
- objAccessList.Add(security.BlessingPattern(blessingOrPattern), tag)
+ objPerms.Add(security.BlessingPattern(blessingOrPattern), tag)
}
}
}
- switch err := device.ApplicationClient(vanaName).SetPermissions(gctx, objAccessList, version); {
+ switch err := device.ApplicationClient(vanaName).SetPermissions(gctx, objPerms, version); {
case err != nil && verror.ErrorID(err) != verror.ErrBadVersion.ID:
return fmt.Errorf("SetPermissions(%s) failed: %v", vanaName, err)
case err == nil:
@@ -138,9 +138,9 @@
func aclRoot() *cmdline.Command {
return &cmdline.Command{
Name: "acl",
- Short: "Tool for setting device manager AccessLists",
+ Short: "Tool for setting device manager Permissions",
Long: `
-The acl tool manages AccessLists on the device manger, installations and instances.
+The acl tool manages Permissions on the device manger, installations and instances.
`,
Children: []*cmdline.Command{cmdGet, cmdSet},
}
diff --git a/services/device/device/acl_test.go b/services/device/device/acl_test.go
index 873c9cd..e8a3449 100644
--- a/services/device/device/acl_test.go
+++ b/services/device/device/acl_test.go
@@ -44,7 +44,7 @@
// Test the 'get' command.
rootTape := tapes.forSuffix("")
rootTape.SetResponses([]interface{}{GetPermissionsResponse{
- acl: access.Permissions{
+ perms: access.Permissions{
"Admin": access.AccessList{
In: []security.BlessingPattern{"self"},
NotIn: []string{"self/bad"},
@@ -129,7 +129,7 @@
stdout.Reset()
rootTape := tapes.forSuffix("")
rootTape.SetResponses([]interface{}{GetPermissionsResponse{
- acl: access.Permissions{
+ perms: access.Permissions{
"Admin": access.AccessList{
In: []security.BlessingPattern{"self"},
},
@@ -143,7 +143,7 @@
},
verror.NewErrBadVersion(nil),
GetPermissionsResponse{
- acl: access.Permissions{
+ perms: access.Permissions{
"Admin": access.AccessList{
In: []security.BlessingPattern{"self"},
},
@@ -185,7 +185,7 @@
"GetPermissions",
SetPermissionsStimulus{
fun: "SetPermissions",
- acl: access.Permissions{
+ perms: access.Permissions{
"Admin": access.AccessList{
In: []security.BlessingPattern{"friends", "self"},
NotIn: []string{"friends/alice"},
@@ -204,7 +204,7 @@
"GetPermissions",
SetPermissionsStimulus{
fun: "SetPermissions",
- acl: access.Permissions{
+ perms: access.Permissions{
"Admin": access.AccessList{
In: []security.BlessingPattern{"friends", "self"},
NotIn: []string{"friends/alice"},
@@ -231,14 +231,14 @@
// GetPermissions fails.
rootTape.SetResponses([]interface{}{GetPermissionsResponse{
- acl: access.Permissions{},
+ perms: access.Permissions{},
version: "aVersionForToday",
err: verror.New(errOops, nil),
},
})
if err := cmd.Execute([]string{"acl", "set", deviceName, "vana/bad", "Read"}); err == nil {
- t.Fatalf("GetPermissions RPC inside acl set command failed but error wrongly not detected")
+ t.Fatalf("GetPermissions RPC inside perms set command failed but error wrongly not detected")
} else if expected, got := `^GetPermissions\(`+deviceName+`\) failed:.*oops!`, err.Error(); !regexp.MustCompile(expected).MatchString(got) {
t.Fatalf("Unexpected output from list. Got %q, regexp %q", got, expected)
}
@@ -258,7 +258,7 @@
// SetPermissions fails with something other than a bad version failure.
rootTape.SetResponses([]interface{}{GetPermissionsResponse{
- acl: access.Permissions{
+ perms: access.Permissions{
"Read": access.AccessList{
In: []security.BlessingPattern{"other", "self"},
},
@@ -282,7 +282,7 @@
"GetPermissions",
SetPermissionsStimulus{
fun: "SetPermissions",
- acl: access.Permissions{
+ perms: access.Permissions{
"Read": access.AccessList{
In: []security.BlessingPattern{"friend", "other", "self"},
NotIn: []string(nil),
diff --git a/services/device/device/devicemanager_mock_test.go b/services/device/device/devicemanager_mock_test.go
index 18d7e7d..81d4544 100644
--- a/services/device/device/devicemanager_mock_test.go
+++ b/services/device/device/devicemanager_mock_test.go
@@ -237,27 +237,27 @@
func (*mockDeviceInvoker) UpdateTo(*context.T, rpc.ServerCall, string) error { return nil }
-// Mock AccessList getting and setting
+// Mock Permissions getting and setting
type GetPermissionsResponse struct {
- acl access.Permissions
+ perms access.Permissions
version string
err error
}
type SetPermissionsStimulus struct {
fun string
- acl access.Permissions
+ perms access.Permissions
version string
}
-func (mdi *mockDeviceInvoker) SetPermissions(_ *context.T, _ rpc.ServerCall, acl access.Permissions, version string) error {
- return mdi.simpleCore(SetPermissionsStimulus{"SetPermissions", acl, version}, "SetPermissions")
+func (mdi *mockDeviceInvoker) SetPermissions(_ *context.T, _ rpc.ServerCall, perms access.Permissions, version string) error {
+ return mdi.simpleCore(SetPermissionsStimulus{"SetPermissions", perms, version}, "SetPermissions")
}
func (mdi *mockDeviceInvoker) GetPermissions(*context.T, rpc.ServerCall) (access.Permissions, string, error) {
ir := mdi.tape.Record("GetPermissions")
r := ir.(GetPermissionsResponse)
- return r.acl, r.version, r.err
+ return r.perms, r.version, r.err
}
func (mdi *mockDeviceInvoker) Debug(*context.T, rpc.ServerCall) (string, error) {
diff --git a/services/device/device/doc.go b/services/device/device/doc.go
index 706c6f3..fd9111e 100644
--- a/services/device/device/doc.go
+++ b/services/device/device/doc.go
@@ -28,7 +28,7 @@
updateall Update all installations/instances of an application
status Get application status.
debug Debug the device.
- acl Tool for setting device manager AccessLists
+ acl Tool for setting device manager Permissions
publish Publish the given application(s).
help Display help for commands or topics
Run "device help [command]" for command usage.
@@ -71,9 +71,9 @@
-v23.namespace.root=[/(dev.v.io/role/vprod/service/mounttabled)@ns.dev.v.io:8101]
local namespace root; can be repeated to provided multiple roots
-v23.permissions.file=map[]
- specify an acl file as <name>:<aclfile>
+ specify a perms file as <name>:<permsfile>
-v23.permissions.literal=
- explicitly specify the runtime acl as a JSON-encoded access.Permissions.
+ explicitly specify the runtime perms as a JSON-encoded access.Permissions.
Overrides all --v23.permissions.file flags.
-v23.proxy=
object name of proxy service to use to export services across network
@@ -321,19 +321,19 @@
Device Acl
-The acl tool manages AccessLists on the device manger, installations and
+The acl tool manages Permissions on the device manger, installations and
instances.
Usage:
device acl <command>
The device acl commands are:
- get Get AccessLists for the given target.
- set Set AccessLists for the given target.
+ get Get Permissions for the given target.
+ set Set Permissions for the given target.
Device Acl Get
-Get AccessLists for the given target.
+Get Permissions for the given target.
Usage:
device acl get <device manager name>
@@ -343,7 +343,7 @@
Device Acl Set
-Set AccessLists for the given target
+Set Permissions for the given target
Usage:
device acl set [flags] <device manager name> (<blessing> [!]<tag>(,[!]<tag>)*
diff --git a/services/device/device/local_install.go b/services/device/device/local_install.go
index dae431f..f2a3243 100644
--- a/services/device/device/local_install.go
+++ b/services/device/device/local_install.go
@@ -200,11 +200,11 @@
return errNotImplemented
}
-func (binaryInvoker) GetPermissions(*context.T, rpc.ServerCall) (acl access.Permissions, version string, err error) {
+func (binaryInvoker) GetPermissions(*context.T, rpc.ServerCall) (perms access.Permissions, version string, err error) {
return nil, "", errNotImplemented
}
-func (binaryInvoker) SetPermissions(_ *context.T, _ rpc.ServerCall, acl access.Permissions, version string) error {
+func (binaryInvoker) SetPermissions(_ *context.T, _ rpc.ServerCall, perms access.Permissions, version string) error {
return errNotImplemented
}
@@ -213,7 +213,8 @@
func (i envelopeInvoker) Match(*context.T, rpc.ServerCall, []string) (application.Envelope, error) {
return application.Envelope(i), nil
}
-func (envelopeInvoker) GetPermissions(*context.T, rpc.ServerCall) (acl access.Permissions, version string, err error) {
+
+func (envelopeInvoker) GetPermissions(*context.T, rpc.ServerCall) (perms access.Permissions, version string, err error) {
return nil, "", errNotImplemented
}
diff --git a/services/device/device/publish.go b/services/device/device/publish.go
index ad62461..7412cda 100644
--- a/services/device/device/publish.go
+++ b/services/device/device/publish.go
@@ -57,21 +57,21 @@
if readBlessings == "" {
return nil
}
- acl, version, err := permissions.ObjectClient(von).GetPermissions(gctx)
+ perms, version, err := permissions.ObjectClient(von).GetPermissions(gctx)
if err != nil {
// TODO(caprita): This is a workaround until we sort out the
// default AccessLists for applicationd (see issue #1317). At that
// time, uncomment the line below.
//
// return err
- acl = make(access.Permissions)
+ perms = make(access.Permissions)
}
for _, blessing := range strings.Split(readBlessings, ",") {
for _, tag := range []access.Tag{access.Read, access.Resolve} {
- acl.Add(security.BlessingPattern(blessing), string(tag))
+ perms.Add(security.BlessingPattern(blessing), string(tag))
}
}
- if err := permissions.ObjectClient(von).SetPermissions(gctx, acl, version); err != nil {
+ if err := permissions.ObjectClient(von).SetPermissions(gctx, perms, version); err != nil {
return err
}
fmt.Fprintf(cmd.Stdout(), "Added patterns %q to Read,Resolve AccessList for %q\n", readBlessings, von)
@@ -92,7 +92,7 @@
}
fmt.Fprintf(cmd.Stdout(), "Binary %q uploaded from file %s\n", binaryVON, binaryFile)
- // Step 2, set the acls for the uploaded binary.
+ // Step 2, set the perms for the uploaded binary.
if err := setAccessLists(cmd, binaryVON); err != nil {
return err
@@ -123,7 +123,7 @@
}
fmt.Fprintf(cmd.Stdout(), "Published %q\n", appVON)
- // Step 4, set the acls for the uploaded envelope.
+ // Step 4, set the perms for the uploaded envelope.
if err := setAccessLists(cmd, appVON); err != nil {
return err
diff --git a/services/device/deviced/server.go b/services/device/deviced/server.go
index 95b7068..052e0fe 100644
--- a/services/device/deviced/server.go
+++ b/services/device/deviced/server.go
@@ -66,9 +66,9 @@
vlog.Errorf("Failed to load config passed from parent: %v", err)
return err
}
- mtAclDir := filepath.Join(configState.Root, "mounttable")
- if err := os.MkdirAll(mtAclDir, 0700); err != nil {
- vlog.Errorf("os.MkdirAll(%q) failed: %v", mtAclDir, err)
+ mtPermsDir := filepath.Join(configState.Root, "mounttable")
+ if err := os.MkdirAll(mtPermsDir, 0700); err != nil {
+ vlog.Errorf("os.MkdirAll(%q) failed: %v", mtPermsDir, err)
return err
}
@@ -76,7 +76,7 @@
// setting and getting of exitErr.
var exitErr error
ns := starter.NamespaceArgs{
- AccessListFile: filepath.Join(mtAclDir, "acls"),
+ PermissionsFile: filepath.Join(mtPermsDir, "acls"),
}
if testMode {
ns.ListenSpec = rpc.ListenSpec{Addrs: rpc.ListenAddrs{{"tcp", "127.0.0.1:0"}}}
diff --git a/services/device/internal/impl/acl_propagator.go b/services/device/internal/impl/acl_propagator.go
deleted file mode 100644
index 37cfa38..0000000
--- a/services/device/internal/impl/acl_propagator.go
+++ /dev/null
@@ -1,45 +0,0 @@
-// Copyright 2015 The Vanadium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package impl
-
-import (
- "path/filepath"
-
- "v.io/v23/security"
- "v.io/v23/security/access"
-
- "v.io/x/ref/services/internal/acls"
-)
-
-// computePath builds the desired path for the debug acls.
-func computePath(path string) string {
- return filepath.Join(path, "debugacls")
-}
-
-// setACLsForDebugging constructs an ACL file for use by applications that
-// permits principals with a Debug right on an application instance to
-// access names in the app's __debug space.
-func setACLsForDebugging(blessings []string, acl access.Permissions, instancePath string, aclstore *acls.PathStore) error {
- path := computePath(instancePath)
- newACL := make(access.Permissions)
-
- // Add blessings for the DM so that it can access the app too.
-
- set := func(bl security.BlessingPattern) {
- for _, tag := range []access.Tag{access.Resolve, access.Debug} {
- newACL.Add(bl, string(tag))
- }
- }
-
- for _, b := range blessings {
- set(security.BlessingPattern(b))
- }
-
- // add Resolve for every blessing that has debug
- for _, v := range acl["Debug"].In {
- set(v)
- }
- return aclstore.Set(path, newACL, "")
-}
diff --git a/services/device/internal/impl/app_service.go b/services/device/internal/impl/app_service.go
index 4307bb6..ad6c452 100644
--- a/services/device/internal/impl/app_service.go
+++ b/services/device/internal/impl/app_service.go
@@ -54,13 +54,13 @@
// data(700d) - the AccessLists for this instance. These
// AccessLists control access to Run,
// Kill and Delete.
-// signature(700d) - the signature for these AccessLists.
+// signature(700d) - the signature for these AccessLists.
// <status>(700d) - one of the values for InstanceState enum
// systemname(700d) - the system name used to execute this instance
// debugacls (711d)/
-// data(644)/ - the ACLs for Debug access to the application. Shared
+// data(644)/ - the Permissions for Debug access to the application. Shared
// with the application.
-// signature(644)/ - the signature for these ACLs.
+// signature(644)/ - the signature for these Permissions.
// instance-<id b>(711d)
// ...
// installation-<id 2>(711d)
@@ -150,8 +150,8 @@
"v.io/x/ref/services/agent/agentlib"
"v.io/x/ref/services/agent/keymgr"
"v.io/x/ref/services/device/internal/config"
- "v.io/x/ref/services/internal/acls"
"v.io/x/ref/services/internal/packages"
+ "v.io/x/ref/services/internal/pathperms"
)
// instanceInfo holds state about a running instance.
@@ -197,9 +197,9 @@
// suffix contains the name components of the current invocation name
// suffix. It is used to identify an application, installation, or
// instance.
- suffix []string
- uat BlessingSystemAssociationStore
- aclstore *acls.PathStore
+ suffix []string
+ uat BlessingSystemAssociationStore
+ permsStore *pathperms.PathStore
// Reference to the devicemanager top-level AccessList list.
deviceAccessList access.Permissions
// securityAgent holds state related to the security agent (nil if not
@@ -649,16 +649,17 @@
return installFrom(overridePackages, installationDir)
}
-// initializeSubAccessLists updates the provided acl for instance-specific ACLs
-func (i *appService) initializeSubAccessLists(instanceDir string, blessings []string, acl access.Permissions) error {
+// initializeSubAccessLists updates the provided perms for instance-specific
+// Permissions.
+func (i *appService) initializeSubAccessLists(instanceDir string, blessings []string, perms access.Permissions) error {
for _, b := range blessings {
b = b + string(security.ChainSeparator) + string(security.NoExtension)
for _, tag := range access.AllTypicalTags() {
- acl.Add(security.BlessingPattern(b), string(tag))
+ perms.Add(security.BlessingPattern(b), string(tag))
}
}
- aclDir := path.Join(instanceDir, "acls")
- return i.aclstore.Set(aclDir, acl, "")
+ permsDir := path.Join(instanceDir, "acls")
+ return i.permsStore.Set(permsDir, perms, "")
}
func (i *appService) newInstance(ctx *context.T, call device.ApplicationInstantiateServerCall) (string, string, error) {
@@ -704,8 +705,8 @@
return instanceDir, instanceID, err
}
blessings, _ := security.RemoteBlessingNames(ctx, call.Security())
- aclCopy := i.deviceAccessList.Copy()
- if err := i.initializeSubAccessLists(instanceDir, blessings, aclCopy); err != nil {
+ permsCopy := i.deviceAccessList.Copy()
+ if err := i.initializeSubAccessLists(instanceDir, blessings, permsCopy); err != nil {
return instanceDir, instanceID, err
}
if err := initializeInstance(instanceDir, device.InstanceStateNotRunning); err != nil {
@@ -714,7 +715,7 @@
// TODO(rjkroege): Divide the permission lists into those used by the device manager
// and those used by the application itself.
dmBlessings := security.LocalBlessingNames(ctx, call.Security())
- if err := setACLsForDebugging(dmBlessings, aclCopy, instanceDir, i.aclstore); err != nil {
+ if err := setPermsForDebugging(dmBlessings, permsCopy, instanceDir, i.permsStore); err != nil {
return instanceDir, instanceID, err
}
return instanceDir, instanceID, nil
@@ -809,8 +810,8 @@
cfg.Set(mgmt.AddressConfigKey, "127.0.0.1:0")
cfg.Set(mgmt.ParentBlessingConfigKey, info.DeviceManagerPeerPattern)
- appAclDir := filepath.Join(instanceDir, "debugacls", "data")
- cfg.Set("v23.permissions.file", "runtime:"+appAclDir)
+ appPermsDir := filepath.Join(instanceDir, "debugacls", "data")
+ cfg.Set("v23.permissions.file", "runtime:"+appPermsDir)
// This adds to cmd.Extrafiles. The helper expects a fixed fd, so this call needs
// to go before anything that conditionally adds to Extrafiles, like the agent
@@ -1299,26 +1300,26 @@
}
// TODO(rjkroege): Consider maintaining an in-memory Permissions cache.
-func (i *appService) SetPermissions(ctx *context.T, call rpc.ServerCall, acl access.Permissions, version string) error {
+func (i *appService) SetPermissions(ctx *context.T, call rpc.ServerCall, perms access.Permissions, version string) error {
dir, isInstance, err := dirFromSuffix(i.suffix, i.config.Root)
if err != nil {
return err
}
if isInstance {
dmBlessings := security.LocalBlessingNames(ctx, call.Security())
- if err := setACLsForDebugging(dmBlessings, acl, dir, i.aclstore); err != nil {
+ if err := setPermsForDebugging(dmBlessings, perms, dir, i.permsStore); err != nil {
return err
}
}
- return i.aclstore.Set(path.Join(dir, "acls"), acl, version)
+ return i.permsStore.Set(path.Join(dir, "acls"), perms, version)
}
-func (i *appService) GetPermissions(*context.T, rpc.ServerCall) (acl access.Permissions, version string, err error) {
+func (i *appService) GetPermissions(*context.T, rpc.ServerCall) (perms access.Permissions, version string, err error) {
dir, _, err := dirFromSuffix(i.suffix, i.config.Root)
if err != nil {
return nil, "", err
}
- return i.aclstore.Get(path.Join(dir, "acls"))
+ return i.permsStore.Get(path.Join(dir, "acls"))
}
func (i *appService) Debug(ctx *context.T, call rpc.ServerCall) (string, error) {
diff --git a/services/device/internal/impl/claim.go b/services/device/internal/impl/claim.go
index 474507b..10133ea 100644
--- a/services/device/internal/impl/claim.go
+++ b/services/device/internal/impl/claim.go
@@ -15,7 +15,7 @@
"v.io/v23/security/access"
"v.io/v23/verror"
"v.io/x/lib/vlog"
- "v.io/x/ref/services/internal/acls"
+ "v.io/x/ref/services/internal/pathperms"
)
// claimable implements the device.Claimable RPC interface and the
@@ -23,10 +23,10 @@
//
// It allows the Claim RPC to be successfully invoked exactly once.
type claimable struct {
- token string
- aclstore *acls.PathStore
- aclDir string
- notify chan struct{} // GUARDED_BY(mu)
+ token string
+ permsStore *pathperms.PathStore
+ permsDir string
+ notify chan struct{} // GUARDED_BY(mu)
// Lock used to ensure that a successful claim can happen at most once.
// This is done by allowing only a single goroutine to execute the
@@ -66,30 +66,30 @@
return verror.New(ErrInvalidBlessing, ctx, err)
}
- // Create an AccessList with all the granted blessings (which are now the default blessings)
+ // Create Permissions with all the granted blessings (which are now the default blessings)
// (irrespective of caveats).
patterns := security.DefaultBlessingPatterns(principal)
if len(patterns) == 0 {
return verror.New(ErrInvalidBlessing, ctx)
}
- // Create AccessLists that allow principals with the caller's blessings to
+ // Create Permissions that allow principals with the caller's blessings to
// administer and use the device.
- acl := make(access.Permissions)
+ perms := make(access.Permissions)
for _, bp := range patterns {
// TODO(caprita,ataly,ashankar): Do we really need the
// NonExtendable restriction below?
patterns := bp.MakeNonExtendable().PrefixPatterns()
for _, p := range patterns {
for _, tag := range access.AllTypicalTags() {
- acl.Add(p, string(tag))
+ perms.Add(p, string(tag))
}
}
}
- if err := c.aclstore.Set(c.aclDir, acl, ""); err != nil {
+ if err := c.permsStore.Set(c.permsDir, perms, ""); err != nil {
return verror.New(ErrOperationFailed, ctx)
}
- vlog.Infof("Device claimed and AccessLists set to: %v", acl)
+ vlog.Infof("Device claimed and Permissions set to: %v", perms)
close(c.notify)
c.notify = nil
return nil
diff --git a/services/device/internal/impl/debug_acls_test.go b/services/device/internal/impl/debug_perms_test.go
similarity index 97%
rename from services/device/internal/impl/debug_acls_test.go
rename to services/device/internal/impl/debug_perms_test.go
index 79f6c6d..5179c07 100644
--- a/services/device/internal/impl/debug_acls_test.go
+++ b/services/device/internal/impl/debug_perms_test.go
@@ -22,12 +22,12 @@
func updateAccessList(t *testing.T, ctx *context.T, blessing, right string, name ...string) {
accessStub := permissions.ObjectClient(naming.Join(name...))
- acl, version, err := accessStub.GetPermissions(ctx)
+ perms, version, err := accessStub.GetPermissions(ctx)
if err != nil {
t.Fatalf(testutil.FormatLogLine(2, "GetPermissions(%v) failed %v", name, err))
}
- acl.Add(security.BlessingPattern(blessing), right)
- if err = accessStub.SetPermissions(ctx, acl, version); err != nil {
+ perms.Add(security.BlessingPattern(blessing), right)
+ if err = accessStub.SetPermissions(ctx, perms, version); err != nil {
t.Fatalf(testutil.FormatLogLine(2, "SetPermissions(%v, %v, %v) failed: %v", name, blessing, right, err))
}
}
@@ -158,7 +158,7 @@
verifyGlob(t, hjCtx, "app", globtestminus, res)
verifyStatsValues(t, hjCtx, "appV1", "__debug", "stats/system/start-time*")
- // Alice might be able to help but Bob didn't give Alice access to the debug ACLs.
+ // Alice might be able to help but Bob didn't give Alice access to the debug Permissionss.
testAccessFail(t, verror.ErrNoAccess.ID, aliceCtx, "Alice", "dm", "apps", appID, bobApp, "stats/system/pid")
// Bob forgets that Alice can't read the stats when he can.
diff --git a/services/device/internal/impl/device_service.go b/services/device/internal/impl/device_service.go
index fb35fa2..5235290 100644
--- a/services/device/internal/impl/device_service.go
+++ b/services/device/internal/impl/device_service.go
@@ -24,7 +24,7 @@
// acls/
// data
// signature
-// associated.accounts
+// associated.accounts
// persistent-args - list of persistent arguments for the device
// manager (json encoded)
//
@@ -615,14 +615,14 @@
return nil
}
-func (s *deviceService) SetPermissions(_ *context.T, _ rpc.ServerCall, acl access.Permissions, version string) error {
- d := AclDir(s.disp.config)
- return s.disp.aclstore.Set(d, acl, version)
+func (s *deviceService) SetPermissions(_ *context.T, _ rpc.ServerCall, perms access.Permissions, version string) error {
+ d := PermsDir(s.disp.config)
+ return s.disp.permsStore.Set(d, perms, version)
}
-func (s *deviceService) GetPermissions(*context.T, rpc.ServerCall) (acl access.Permissions, version string, err error) {
- d := AclDir(s.disp.config)
- return s.disp.aclstore.Get(d)
+func (s *deviceService) GetPermissions(*context.T, rpc.ServerCall) (perms access.Permissions, version string, err error) {
+ d := PermsDir(s.disp.config)
+ return s.disp.permsStore.Get(d)
}
// TODO(rjkroege): Make it possible for users on the same system to also
diff --git a/services/device/internal/impl/dispatcher.go b/services/device/internal/impl/dispatcher.go
index d649d84..7e2f25c 100644
--- a/services/device/internal/impl/dispatcher.go
+++ b/services/device/internal/impl/dispatcher.go
@@ -29,8 +29,8 @@
"v.io/x/ref/services/agent/keymgr"
s_device "v.io/x/ref/services/device"
"v.io/x/ref/services/device/internal/config"
- "v.io/x/ref/services/internal/acls"
"v.io/x/ref/services/internal/logreaderlib"
+ "v.io/x/ref/services/internal/pathperms"
)
// internalState wraps state shared between different device manager
@@ -53,8 +53,8 @@
// dispatcher methods.
mu sync.RWMutex
// TODO(rjkroege): Consider moving this inside internal.
- uat BlessingSystemAssociationStore
- aclstore *acls.PathStore
+ uat BlessingSystemAssociationStore
+ permsStore *pathperms.PathStore
// Namespace
mtAddress string // The address of the local mounttable.
// reap is the app process monitoring subsystem.
@@ -96,21 +96,21 @@
// It returns (nil, nil) if the device is no longer claimable.
func NewClaimableDispatcher(ctx *context.T, config *config.State, pairingToken string) (rpc.Dispatcher, <-chan struct{}) {
var (
- aclDir = AclDir(config)
- aclstore = acls.NewPathStore(v23.GetPrincipal(ctx))
+ permsDir = PermsDir(config)
+ permsStore = pathperms.NewPathStore(v23.GetPrincipal(ctx))
)
- if _, _, err := aclstore.Get(aclDir); !os.IsNotExist(err) {
+ if _, _, err := permsStore.Get(permsDir); !os.IsNotExist(err) {
return nil, nil
}
// The device is claimable only if Claim hasn't been called before. The
- // existence of the AccessList file is an indication of a successful prior
+ // existence of the Permissions file is an indication of a successful prior
// call to Claim.
notify := make(chan struct{})
- return &claimable{token: pairingToken, aclstore: aclstore, aclDir: aclDir, notify: notify}, notify
+ return &claimable{token: pairingToken, permsStore: permsStore, permsDir: permsDir, notify: notify}, notify
}
// NewDispatcher is the device manager dispatcher factory.
-func NewDispatcher(ctx *context.T, config *config.State, mtAddress string, testMode bool, restartHandler func(), permStore *acls.PathStore) (rpc.Dispatcher, error) {
+func NewDispatcher(ctx *context.T, config *config.State, mtAddress string, testMode bool, restartHandler func(), permStore *pathperms.PathStore) (rpc.Dispatcher, error) {
if err := config.Validate(); err != nil {
return nil, verror.New(errInvalidConfig, ctx, config, err)
}
@@ -130,11 +130,11 @@
restartHandler: restartHandler,
testMode: testMode,
},
- config: config,
- uat: uat,
- aclstore: permStore,
- mtAddress: mtAddress,
- reap: reap,
+ config: config,
+ uat: uat,
+ permsStore: permStore,
+ mtAddress: mtAddress,
+ reap: reap,
}
// If we're in 'security agent mode', set up the key manager agent.
@@ -231,15 +231,15 @@
return loggingInvoker, auth, nil
}
-func newTestableHierarchicalAuth(testMode bool, rootDir, childDir string, get acls.TAMGetter) (security.Authorizer, error) {
+func newTestableHierarchicalAuth(testMode bool, rootDir, childDir string, get pathperms.PermsGetter) (security.Authorizer, error) {
if testMode {
- // In test mode, the device manager will not be able to read
- // the AccessLists, because they were signed with the key of the real
- // device manager. It's not a problem because the
- // testModeDispatcher overrides the authorizer anyway.
+ // In test mode, the device manager will not be able to read the
+ // Permissions, because they were signed with the key of the real device
+ // manager. It's not a problem because the testModeDispatcher overrides the
+ // authorizer anyway.
return nil, nil
}
- return acls.NewHierarchicalAuthorizer(rootDir, childDir, get)
+ return pathperms.NewHierarchicalAuthorizer(rootDir, childDir, get)
}
func (d *dispatcher) internalLookup(suffix string) (interface{}, security.Authorizer, error) {
@@ -251,10 +251,9 @@
}
}
- // TODO(rjkroege): Permit the root AccessLists to diverge for the
- // device and app sub-namespaces of the device manager after
- // claiming.
- auth, err := newTestableHierarchicalAuth(d.internal.testMode, AclDir(d.config), AclDir(d.config), d.aclstore)
+ // TODO(rjkroege): Permit the root Permissions to diverge for the device and
+ // app sub-namespaces of the device manager after claiming.
+ auth, err := newTestableHierarchicalAuth(d.internal.testMode, PermsDir(d.config), PermsDir(d.config), d.permsStore)
if err != nil {
return nil, nil, err
}
@@ -291,7 +290,7 @@
case "logs":
logsDir := filepath.Join(appInstanceDir, "logs")
suffix := naming.Join(components[5:]...)
- appSpecificAuthorizer, err := newAppSpecificAuthorizer(auth, d.config, components[1:], d.aclstore)
+ appSpecificAuthorizer, err := newAppSpecificAuthorizer(auth, d.config, components[1:], d.permsStore)
if err != nil {
return nil, nil, err
}
@@ -315,7 +314,7 @@
remote := naming.JoinAddressName(info.AppCycleMgrName, suffix)
// Use hierarchical auth with debugacls under debug access.
- appSpecificAuthorizer, err := newAppSpecificAuthorizer(auth, d.config, components[1:], d.aclstore)
+ appSpecificAuthorizer, err := newAppSpecificAuthorizer(auth, d.config, components[1:], d.permsStore)
if err != nil {
return nil, nil, err
}
@@ -327,12 +326,12 @@
config: d.config,
suffix: components[1:],
uat: d.uat,
- aclstore: d.aclstore,
+ permsStore: d.permsStore,
securityAgent: d.internal.securityAgent,
mtAddress: d.mtAddress,
reap: d.reap,
})
- appSpecificAuthorizer, err := newAppSpecificAuthorizer(auth, d.config, components[1:], d.aclstore)
+ appSpecificAuthorizer, err := newAppSpecificAuthorizer(auth, d.config, components[1:], d.permsStore)
if err != nil {
return nil, nil, err
}
@@ -379,35 +378,35 @@
return verror.New(ErrInvalidSuffix, nil)
}
-func newAppSpecificAuthorizer(sec security.Authorizer, config *config.State, suffix []string, getter acls.TAMGetter) (security.Authorizer, error) {
+func newAppSpecificAuthorizer(sec security.Authorizer, config *config.State, suffix []string, getter pathperms.PermsGetter) (security.Authorizer, error) {
// TODO(rjkroege): This does not support <appname>.Start() to start all
// instances. Correct this.
- // If we are attempting a method invocation against "apps/", we use
- // the root AccessList.
+ // If we are attempting a method invocation against "apps/", we use the root
+ // Permissions.
if len(suffix) == 0 || len(suffix) == 1 {
return sec, nil
}
- // Otherwise, we require a per-installation and per-instance AccessList file.
+ // Otherwise, we require a per-installation and per-instance Permissions file.
if len(suffix) == 2 {
p, err := installationDirCore(suffix, config.Root)
if err != nil {
return nil, verror.New(ErrOperationFailed, nil, fmt.Sprintf("newAppSpecificAuthorizer failed: %v", err))
}
- return acls.NewHierarchicalAuthorizer(AclDir(config), path.Join(p, "acls"), getter)
+ return pathperms.NewHierarchicalAuthorizer(PermsDir(config), path.Join(p, "acls"), getter)
}
- // Use the special debugacls for instance/logs, instance/pprof, instance//stats.
+ // Use the special debugacls for instance/logs, instance/pprof, instance/stats.
if len(suffix) > 3 && (suffix[3] == "logs" || suffix[3] == "pprof" || suffix[3] == "stats") {
p, err := instanceDir(config.Root, suffix[0:3])
if err != nil {
return nil, verror.New(ErrOperationFailed, nil, fmt.Sprintf("newAppSpecificAuthorizer failed: %v", err))
}
- return acls.NewHierarchicalAuthorizer(AclDir(config), path.Join(p, "debugacls"), getter)
+ return pathperms.NewHierarchicalAuthorizer(PermsDir(config), path.Join(p, "debugacls"), getter)
}
p, err := instanceDir(config.Root, suffix[0:3])
if err != nil {
return nil, verror.New(ErrOperationFailed, nil, fmt.Sprintf("newAppSpecificAuthorizer failed: %v", err))
}
- return acls.NewHierarchicalAuthorizer(AclDir(config), path.Join(p, "acls"), getter)
+ return pathperms.NewHierarchicalAuthorizer(PermsDir(config), path.Join(p, "acls"), getter)
}
diff --git a/services/device/internal/impl/impl_test.go b/services/device/internal/impl/impl_test.go
index 24a8a4d..91718af 100644
--- a/services/device/internal/impl/impl_test.go
+++ b/services/device/internal/impl/impl_test.go
@@ -1073,12 +1073,12 @@
// manager version.
md5hash := md5.Sum(b.Bytes())
expectedVersion := hex.EncodeToString(md5hash[:])
- acl, version, err := deviceStub.GetPermissions(selfCtx)
+ perms, version, err := deviceStub.GetPermissions(selfCtx)
if err != nil {
t.Fatal(err)
}
if version != expectedVersion {
- t.Fatalf("getAccessList expected:%v(%v), got:%v(%v)", expectedAccessList, expectedVersion, acl, version)
+ t.Fatalf("getAccessList expected:%v(%v), got:%v(%v)", expectedAccessList, expectedVersion, perms, version)
}
// Install from octx should fail, since it does not match the AccessList.
installAppExpectError(t, octx, verror.ErrNoAccess.ID)
@@ -1568,7 +1568,7 @@
appID := installApp(t, selfCtx)
vlog.VI(2).Infof("Validate that the created app has the right permission lists.")
- acl, _, err := appStub(appID).GetPermissions(selfCtx)
+ perms, _, err := appStub(appID).GetPermissions(selfCtx)
if err != nil {
t.Fatalf("GetPermissions on appID: %v failed %v", appID, err)
}
@@ -1576,7 +1576,7 @@
for _, tag := range access.AllTypicalTags() {
expected[string(tag)] = access.AccessList{In: []security.BlessingPattern{"root/self/$"}}
}
- if got, want := acl.Normalize(), expected.Normalize(); !reflect.DeepEqual(got, want) {
+ if got, want := perms.Normalize(), expected.Normalize(); !reflect.DeepEqual(got, want) {
t.Errorf("got %#v, expected %#v", got, want)
}
@@ -1637,11 +1637,11 @@
for _, tag := range access.AllTypicalTags() {
expected[string(tag)] = access.AccessList{In: []security.BlessingPattern{"root/other/$"}}
}
- acl, _, err = appStub(appID, instance2ID).GetPermissions(selfCtx)
+ perms, _, err = appStub(appID, instance2ID).GetPermissions(selfCtx)
if err != nil {
t.Fatalf("GetPermissions on instance %v/%v failed: %v", appID, instance2ID, err)
}
- if got, want := acl.Normalize(), expected.Normalize(); !reflect.DeepEqual(got, want) {
+ if got, want := perms.Normalize(), expected.Normalize(); !reflect.DeepEqual(got, want) {
t.Errorf("got %#v, expected %#v ", got, want)
}
diff --git a/services/device/internal/impl/mock_repo_test.go b/services/device/internal/impl/mock_repo_test.go
index 987a086..7f6a03d 100644
--- a/services/device/internal/impl/mock_repo_test.go
+++ b/services/device/internal/impl/mock_repo_test.go
@@ -77,11 +77,11 @@
return i.envelope, nil
}
-func (i *arInvoker) GetPermissions(*context.T, rpc.ServerCall) (acl access.Permissions, version string, err error) {
+func (i *arInvoker) GetPermissions(*context.T, rpc.ServerCall) (perms access.Permissions, version string, err error) {
return nil, "", nil
}
-func (i *arInvoker) SetPermissions(_ *context.T, _ rpc.ServerCall, acl access.Permissions, version string) error {
+func (i *arInvoker) SetPermissions(_ *context.T, _ rpc.ServerCall, perms access.Permissions, version string) error {
return nil
}
@@ -171,10 +171,10 @@
return nil
}
-func (i *brInvoker) GetPermissions(*context.T, rpc.ServerCall) (acl access.Permissions, version string, err error) {
+func (i *brInvoker) GetPermissions(*context.T, rpc.ServerCall) (perms access.Permissions, version string, err error) {
return nil, "", nil
}
-func (i *brInvoker) SetPermissions(_ *context.T, _ rpc.ServerCall, acl access.Permissions, version string) error {
+func (i *brInvoker) SetPermissions(_ *context.T, _ rpc.ServerCall, perms access.Permissions, version string) error {
return nil
}
diff --git a/services/device/internal/impl/perms_propagator.go b/services/device/internal/impl/perms_propagator.go
new file mode 100644
index 0000000..ef3c0d1
--- /dev/null
+++ b/services/device/internal/impl/perms_propagator.go
@@ -0,0 +1,44 @@
+// Copyright 2015 The Vanadium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package impl
+
+import (
+ "path/filepath"
+
+ "v.io/v23/security"
+ "v.io/v23/security/access"
+ "v.io/x/ref/services/internal/pathperms"
+)
+
+// computePath builds the desired path for the debug perms.
+func computePath(path string) string {
+ return filepath.Join(path, "debugacls")
+}
+
+// setPermsForDebugging constructs a Permissions file for use by applications
+// that permits principals with a Debug right on an application instance to
+// access names in the app's __debug space.
+func setPermsForDebugging(blessings []string, perms access.Permissions, instancePath string, permsStore *pathperms.PathStore) error {
+ path := computePath(instancePath)
+ newPerms := make(access.Permissions)
+
+ // Add blessings for the DM so that it can access the app too.
+
+ set := func(bl security.BlessingPattern) {
+ for _, tag := range []access.Tag{access.Resolve, access.Debug} {
+ newPerms.Add(bl, string(tag))
+ }
+ }
+
+ for _, b := range blessings {
+ set(security.BlessingPattern(b))
+ }
+
+ // add Resolve for every blessing that has debug
+ for _, v := range perms["Debug"].In {
+ set(v)
+ }
+ return permsStore.Set(path, newPerms, "")
+}
diff --git a/services/device/internal/impl/util.go b/services/device/internal/impl/util.go
index ce8ba53..dd22307 100644
--- a/services/device/internal/impl/util.go
+++ b/services/device/internal/impl/util.go
@@ -146,7 +146,7 @@
}
}
-func AclDir(c *config.State) string {
+func PermsDir(c *config.State) string {
return filepath.Join(c.Root, "device-manager", "device-data", "acls")
}
diff --git a/services/device/internal/starter/starter.go b/services/device/internal/starter/starter.go
index 4c059f9..9ea7dba 100644
--- a/services/device/internal/starter/starter.go
+++ b/services/device/internal/starter/starter.go
@@ -19,7 +19,7 @@
"v.io/x/ref/services/debug/debuglib"
"v.io/x/ref/services/device/internal/config"
"v.io/x/ref/services/device/internal/impl"
- "v.io/x/ref/services/internal/acls"
+ "v.io/x/ref/services/internal/pathperms"
"v.io/x/ref/services/mounttable/mounttablelib"
"v.io/v23"
@@ -40,9 +40,9 @@
)
type NamespaceArgs struct {
- Name string // Name to publish the mounttable service under.
- ListenSpec rpc.ListenSpec // ListenSpec for the server.
- AccessListFile string // Path to the AccessList file used by the mounttable.
+ Name string // Name to publish the mounttable service under.
+ ListenSpec rpc.ListenSpec // ListenSpec for the server.
+ PermissionsFile string // Path to the Permissions file used by the mounttable.
// Name in the local neighborhood on which to make the mounttable
// visible. If empty, the mounttable will not be visible in the local
// neighborhood.
@@ -90,8 +90,8 @@
}
// In test mode, we skip writing the info file to disk, and we skip
// attempting to start the claimable service: the device must have been
- // claimed already to enable updates anyway, and checking for acls in
- // NewClaimableDispatcher needlessly prints an acl signature
+ // claimed already to enable updates anyway, and checking for perms in
+ // NewClaimableDispatcher needlessly prints a perms signature
// verification error to the logs.
if args.Device.TestMode {
return startClaimedDevice(ctx, args)
@@ -222,9 +222,9 @@
}
func startClaimedDevice(ctx *context.T, args Args) (func(), error) {
- permStore := acls.NewPathStore(v23.GetPrincipal(ctx))
- acldir := impl.AclDir(args.Device.ConfigState)
- debugAuth, err := acls.NewHierarchicalAuthorizer(acldir, acldir, permStore)
+ permStore := pathperms.NewPathStore(v23.GetPrincipal(ctx))
+ permsdir := impl.PermsDir(args.Device.ConfigState)
+ debugAuth, err := pathperms.NewHierarchicalAuthorizer(permsdir, permsdir, permStore)
if err != nil {
return nil, err
}
@@ -304,7 +304,7 @@
}
func startMounttable(ctx *context.T, n NamespaceArgs) (string, func(), error) {
- mtName, stopMT, err := mounttablelib.StartServers(ctx, n.ListenSpec, n.Name, n.Neighborhood, n.AccessListFile, "mounttable")
+ mtName, stopMT, err := mounttablelib.StartServers(ctx, n.ListenSpec, n.Name, n.Neighborhood, n.PermissionsFile, "mounttable")
if err != nil {
vlog.Errorf("mounttablelib.StartServers(%#v) failed: %v", n, err)
} else {
@@ -329,7 +329,7 @@
// Returns:
// (1) Function to be called to force the service to shutdown
// (2) Any errors in starting the service (in which case, (1) will be nil)
-func startDeviceServer(ctx *context.T, args DeviceArgs, mt string, permStore *acls.PathStore) (shutdown func(), err error) {
+func startDeviceServer(ctx *context.T, args DeviceArgs, mt string, permStore *pathperms.PathStore) (shutdown func(), err error) {
server, err := v23.NewServer(ctx)
if err != nil {
return nil, err
diff --git a/services/groups/groupsd/main.go b/services/groups/groupsd/main.go
index ab59f78..ad79ca6 100644
--- a/services/groups/groupsd/main.go
+++ b/services/groups/groupsd/main.go
@@ -40,8 +40,8 @@
}
// TODO(sadovsky): Switch to using NewAuthorizerOrDie.
- acl := access.Permissions{}
- m := server.NewManager(memstore.New(), acl)
+ perms := access.Permissions{}
+ m := server.NewManager(memstore.New(), perms)
// Publish the service in the mount table.
if err := s.ServeDispatcher(*name, m); err != nil {
diff --git a/services/groups/internal/server/group.go b/services/groups/internal/server/group.go
index cc0f090..50181b4 100644
--- a/services/groups/internal/server/group.go
+++ b/services/groups/internal/server/group.go
@@ -27,17 +27,17 @@
// It seems we need either (a) identity providers to manage group servers and
// reserve buckets for users they've blessed, or (b) some way to determine the
// user name from a blessing and enforce that group names start with user names.
-func (g *group) Create(ctx *context.T, call rpc.ServerCall, acl access.Permissions, entries []groups.BlessingPatternChunk) error {
- // Perform AccessList check.
- // TODO(sadovsky): Enable this AccessList check and acquire a lock on the group
- // server AccessList.
+func (g *group) Create(ctx *context.T, call rpc.ServerCall, perms access.Permissions, entries []groups.BlessingPatternChunk) error {
+ // Perform Permissions check.
+ // TODO(sadovsky): Enable this Permissions check and acquire a lock on the
+ // group server Permissions.
if false {
- if err := g.authorize(ctx, call.Security(), g.m.acl); err != nil {
+ if err := g.authorize(ctx, call.Security(), g.m.perms); err != nil {
return err
}
}
- if acl == nil {
- acl = access.Permissions{}
+ if perms == nil {
+ perms = access.Permissions{}
blessings, _ := security.RemoteBlessingNames(ctx, call.Security())
if len(blessings) == 0 {
// The blessings presented by the caller do not give it a name for this
@@ -47,7 +47,7 @@
}
for _, tag := range access.AllTypicalTags() {
for _, b := range blessings {
- acl.Add(security.BlessingPattern(b), string(tag))
+ perms.Add(security.BlessingPattern(b), string(tag))
}
}
}
@@ -55,7 +55,7 @@
for _, v := range entries {
entrySet[v] = struct{}{}
}
- gd := groupData{AccessList: acl, Entries: entrySet}
+ gd := groupData{Perms: perms, Entries: entrySet}
if err := g.m.st.Insert(g.name, gd); err != nil {
// TODO(sadovsky): We are leaking the fact that this group exists. If the
// client doesn't have access to this group, we should probably return an
@@ -105,30 +105,30 @@
return groups.RestResponse{}, version, nil
}
-func (g *group) SetPermissions(ctx *context.T, call rpc.ServerCall, acl access.Permissions, version string) error {
+func (g *group) SetPermissions(ctx *context.T, call rpc.ServerCall, perms access.Permissions, version string) error {
return g.update(ctx, call.Security(), version, func(gd *groupData) {
- gd.AccessList = acl
+ gd.Perms = perms
})
}
-func (g *group) GetPermissions(ctx *context.T, call rpc.ServerCall) (acl access.Permissions, version string, err error) {
+func (g *group) GetPermissions(ctx *context.T, call rpc.ServerCall) (perms access.Permissions, version string, err error) {
gd, version, err := g.getInternal(ctx, call.Security())
if err != nil {
return nil, "", err
}
- return gd.AccessList, version, nil
+ return gd.Perms, version, nil
}
////////////////////////////////////////
// Internal helpers
// Returns a VDL-compatible error.
-func (g *group) authorize(ctx *context.T, call security.Call, acl access.Permissions) error {
+func (g *group) authorize(ctx *context.T, call security.Call, perms access.Permissions) error {
// TODO(sadovsky): We ignore the returned error since TypicalTagType is
// guaranteed to return a valid tagType. It would be nice to have an
// alternative function that assumes TypicalTagType, since presumably that's
// the overwhelmingly common case.
- auth, _ := access.PermissionsAuthorizer(acl, access.TypicalTagType())
+ auth, _ := access.PermissionsAuthorizer(perms, access.TypicalTagType())
if err := auth.Authorize(ctx, call); err != nil {
// TODO(sadovsky): Return NoAccess if appropriate.
return verror.New(verror.ErrNoExistOrNoAccess, ctx, err)
@@ -150,7 +150,7 @@
if !ok {
return groupData{}, "", verror.New(verror.ErrInternal, ctx, "bad value for key: "+g.name)
}
- if err := g.authorize(ctx, call, gd.AccessList); err != nil {
+ if err := g.authorize(ctx, call, gd.Perms); err != nil {
return groupData{}, "", err
}
return gd, version, nil
diff --git a/services/groups/internal/server/manager.go b/services/groups/internal/server/manager.go
index af8e7d4..bc050ad 100644
--- a/services/groups/internal/server/manager.go
+++ b/services/groups/internal/server/manager.go
@@ -14,14 +14,14 @@
)
type manager struct {
- st Store
- acl access.Permissions
+ st Store
+ perms access.Permissions
}
var _ rpc.Dispatcher = (*manager)(nil)
-func NewManager(st Store, acl access.Permissions) *manager {
- return &manager{st: st, acl: acl}
+func NewManager(st Store, perms access.Permissions) *manager {
+ return &manager{st: st, perms: perms}
}
func (m *manager) Lookup(suffix string) (interface{}, security.Authorizer, error) {
diff --git a/services/groups/internal/server/server_test.go b/services/groups/internal/server/server_test.go
index 0efc3b2..0d4d8f5 100644
--- a/services/groups/internal/server/server_test.go
+++ b/services/groups/internal/server/server_test.go
@@ -35,7 +35,7 @@
return res.Entries
}
-func getAccessListOrDie(g groups.GroupClientStub, ctx *context.T, t *testing.T) access.Permissions {
+func getPermissionsOrDie(g groups.GroupClientStub, ctx *context.T, t *testing.T) access.Permissions {
res, _, err := g.GetPermissions(ctx)
if err != nil {
debug.PrintStack()
@@ -91,10 +91,10 @@
vlog.Fatal("s.Listen() failed: ", err)
}
- // TODO(sadovsky): Pass in an AccessList and test AccessList-checking in
+ // TODO(sadovsky): Pass in a Permissions and test Permissions-checking in
// Group.Create().
- acl := access.Permissions{}
- m := server.NewManager(memstore.New(), acl)
+ perms := access.Permissions{}
+ m := server.NewManager(memstore.New(), perms)
if err := s.ServeDispatcher("", m); err != nil {
vlog.Fatal("s.ServeDispatcher() failed: ", err)
@@ -154,19 +154,19 @@
ctx, serverName, cleanup := setupOrDie()
defer cleanup()
- // Create a group with a default AccessList and no entries.
+ // Create a group with a default Permissions and no entries.
g := groups.GroupClient(naming.JoinAddressName(serverName, "grpA"))
if err := g.Create(ctx, nil, nil); err != nil {
t.Fatal("Create failed: ", err)
}
- // Verify AccessList of created group.
- acl := access.Permissions{}
+ // Verify Permissions of created group.
+ perms := access.Permissions{}
for _, tag := range access.AllTypicalTags() {
- acl.Add(security.BlessingPattern("server/client"), string(tag))
+ perms.Add(security.BlessingPattern("server/client"), string(tag))
}
- wantAccessList, gotAccessList := acl, getAccessListOrDie(g, ctx, t)
- if !reflect.DeepEqual(wantAccessList, gotAccessList) {
- t.Errorf("AccessLists do not match: want %v, got %v", wantAccessList, gotAccessList)
+ wantPermissions, gotPermissions := perms, getPermissionsOrDie(g, ctx, t)
+ if !reflect.DeepEqual(wantPermissions, gotPermissions) {
+ t.Errorf("Permissions do not match: want %v, got %v", wantPermissions, gotPermissions)
}
// Verify entries of created group.
want, got := bpcSet(), getEntriesOrDie(g, ctx, t)
@@ -180,21 +180,21 @@
t.Fatal("Create should have failed")
}
- // Create a group with an AccessList and a few entries, including some
+ // Create a group with a Permissions and a few entries, including some
// redundant ones.
g = groups.GroupClient(naming.JoinAddressName(serverName, "grpB"))
- acl = access.Permissions{}
+ perms = access.Permissions{}
// Allow Admin and Read so that we can call GetPermissions and Get.
for _, tag := range []access.Tag{access.Admin, access.Read} {
- acl.Add(security.BlessingPattern("server/client"), string(tag))
+ perms.Add(security.BlessingPattern("server/client"), string(tag))
}
- if err := g.Create(ctx, acl, bpcSlice("foo", "bar", "foo")); err != nil {
+ if err := g.Create(ctx, perms, bpcSlice("foo", "bar", "foo")); err != nil {
t.Fatal("Create failed: ", err)
}
- // Verify AccessList of created group.
- wantAccessList, gotAccessList = acl, getAccessListOrDie(g, ctx, t)
- if !reflect.DeepEqual(wantAccessList, gotAccessList) {
- t.Errorf("AccessLists do not match: want %v, got %v", wantAccessList, gotAccessList)
+ // Verify Permissions of created group.
+ wantPermissions, gotPermissions = perms, getPermissionsOrDie(g, ctx, t)
+ if !reflect.DeepEqual(wantPermissions, gotPermissions) {
+ t.Errorf("Permissions do not match: want %v, got %v", wantPermissions, gotPermissions)
}
// Verify entries of created group.
want, got = bpcSet("foo", "bar"), getEntriesOrDie(g, ctx, t)
@@ -207,7 +207,7 @@
ctx, serverName, cleanup := setupOrDie()
defer cleanup()
- // Create a group with a default AccessList and no entries, check that we can
+ // Create a group with a default Permissions and no entries, check that we can
// delete it.
g := groups.GroupClient(naming.JoinAddressName(serverName, "grpA"))
if err := g.Create(ctx, nil, nil); err != nil {
@@ -245,12 +245,12 @@
t.Fatal("Create failed: ", err)
}
- // Create a group with an AccessList that disallows Delete(), check that
+ // Create a group with a Permissions that disallows Delete(), check that
// Delete() fails.
g = groups.GroupClient(naming.JoinAddressName(serverName, "grpC"))
- acl := access.Permissions{}
- acl.Add(security.BlessingPattern("server/client"), string(access.Admin))
- if err := g.Create(ctx, acl, nil); err != nil {
+ perms := access.Permissions{}
+ perms.Add(security.BlessingPattern("server/client"), string(access.Admin))
+ if err := g.Create(ctx, perms, nil); err != nil {
t.Fatal("Create failed: ", err)
}
// Delete should fail (no access).
@@ -259,90 +259,90 @@
}
}
-func TestAccessListMethods(t *testing.T) {
+func TestPermissionsMethods(t *testing.T) {
ctx, serverName, cleanup := setupOrDie()
defer cleanup()
- // Create a group with a default AccessList and no entries.
+ // Create a group with a default Permissions and no entries.
g := groups.GroupClient(naming.JoinAddressName(serverName, "grpA"))
if err := g.Create(ctx, nil, nil); err != nil {
t.Fatal("Create failed: ", err)
}
- myacl := access.Permissions{}
- myacl.Add(security.BlessingPattern("server/client"), string(access.Admin))
- // Demonstrate that myacl differs from the default AccessList.
- if reflect.DeepEqual(myacl, getAccessListOrDie(g, ctx, t)) {
- t.Fatal("AccessLists should not match: %v", myacl)
+ myperms := access.Permissions{}
+ myperms.Add(security.BlessingPattern("server/client"), string(access.Admin))
+ // Demonstrate that myperms differs from the default Permissions.
+ if reflect.DeepEqual(myperms, getPermissionsOrDie(g, ctx, t)) {
+ t.Fatal("Permissions should not match: %v", myperms)
}
- var aclBefore, aclAfter access.Permissions
+ var permsBefore, permsAfter access.Permissions
var versionBefore, versionAfter string
- getAccessListAndVersionOrDie := func() (access.Permissions, string) {
+ getPermissionsAndVersionOrDie := func() (access.Permissions, string) {
// Doesn't use getVersionOrDie since that requires access.Read permission.
- acl, version, err := g.GetPermissions(ctx)
+ perms, version, err := g.GetPermissions(ctx)
if err != nil {
debug.PrintStack()
t.Fatal("GetPermissions failed: ", err)
}
- return acl, version
+ return perms, version
}
// SetPermissions with bad version should fail.
- aclBefore, versionBefore = getAccessListAndVersionOrDie()
- if err := g.SetPermissions(ctx, myacl, "20"); verror.ErrorID(err) != verror.ErrBadVersion.ID {
+ permsBefore, versionBefore = getPermissionsAndVersionOrDie()
+ if err := g.SetPermissions(ctx, myperms, "20"); verror.ErrorID(err) != verror.ErrBadVersion.ID {
t.Fatal("SetPermissions should have failed with version error")
}
- // Since SetPermissions failed, the AccessList and version should not have
+ // Since SetPermissions failed, the Permissions and version should not have
// changed.
- aclAfter, versionAfter = getAccessListAndVersionOrDie()
- if !reflect.DeepEqual(aclBefore, aclAfter) {
- t.Errorf("AccessLists do not match: want %v, got %v", aclBefore, aclAfter)
+ permsAfter, versionAfter = getPermissionsAndVersionOrDie()
+ if !reflect.DeepEqual(permsBefore, permsAfter) {
+ t.Errorf("Permissions do not match: want %v, got %v", permsBefore, permsAfter)
}
if versionBefore != versionAfter {
t.Errorf("Versions do not match: want %v, got %v", versionBefore, versionAfter)
}
// SetPermissions with correct version should succeed.
- aclBefore, versionBefore = aclAfter, versionAfter
- if err := g.SetPermissions(ctx, myacl, versionBefore); err != nil {
+ permsBefore, versionBefore = permsAfter, versionAfter
+ if err := g.SetPermissions(ctx, myperms, versionBefore); err != nil {
t.Fatal("SetPermissions failed: ", err)
}
- // Check that the AccessList and version actually changed.
- aclAfter, versionAfter = getAccessListAndVersionOrDie()
- if !reflect.DeepEqual(myacl, aclAfter) {
- t.Errorf("AccessLists do not match: want %v, got %v", myacl, aclAfter)
+ // Check that the Permissions and version actually changed.
+ permsAfter, versionAfter = getPermissionsAndVersionOrDie()
+ if !reflect.DeepEqual(myperms, permsAfter) {
+ t.Errorf("Permissions do not match: want %v, got %v", myperms, permsAfter)
}
if versionBefore == versionAfter {
t.Errorf("Versions should not match: %v", versionBefore)
}
// SetPermissions with empty version should succeed.
- aclBefore, versionBefore = aclAfter, versionAfter
- myacl.Add(security.BlessingPattern("server/client"), string(access.Read))
- if err := g.SetPermissions(ctx, myacl, ""); err != nil {
+ permsBefore, versionBefore = permsAfter, versionAfter
+ myperms.Add(security.BlessingPattern("server/client"), string(access.Read))
+ if err := g.SetPermissions(ctx, myperms, ""); err != nil {
t.Fatal("SetPermissions failed: ", err)
}
- // Check that the AccessList and version actually changed.
- aclAfter, versionAfter = getAccessListAndVersionOrDie()
- if !reflect.DeepEqual(myacl, aclAfter) {
- t.Errorf("AccessLists do not match: want %v, got %v", myacl, aclAfter)
+ // Check that the Permissions and version actually changed.
+ permsAfter, versionAfter = getPermissionsAndVersionOrDie()
+ if !reflect.DeepEqual(myperms, permsAfter) {
+ t.Errorf("Permissions do not match: want %v, got %v", myperms, permsAfter)
}
if versionBefore == versionAfter {
t.Errorf("Versions should not match: %v", versionBefore)
}
- // SetPermissions with unchanged AccessList should succeed, and version should
+ // SetPermissions with unchanged Permissions should succeed, and version should
// still change.
- aclBefore, versionBefore = aclAfter, versionAfter
- if err := g.SetPermissions(ctx, myacl, ""); err != nil {
+ permsBefore, versionBefore = permsAfter, versionAfter
+ if err := g.SetPermissions(ctx, myperms, ""); err != nil {
t.Fatal("SetPermissions failed: ", err)
}
- // Check that the AccessList did not change and the version did change.
- aclAfter, versionAfter = getAccessListAndVersionOrDie()
- if !reflect.DeepEqual(aclBefore, aclAfter) {
- t.Errorf("AccessLists do not match: want %v, got %v", aclBefore, aclAfter)
+ // Check that the Permissions did not change and the version did change.
+ permsAfter, versionAfter = getPermissionsAndVersionOrDie()
+ if !reflect.DeepEqual(permsBefore, permsAfter) {
+ t.Errorf("Permissions do not match: want %v, got %v", permsBefore, permsAfter)
}
if versionBefore == versionAfter {
t.Errorf("Versions should not match: %v", versionBefore)
@@ -355,7 +355,7 @@
if _, _, err := g.GetPermissions(ctx); verror.ErrorID(err) != verror.ErrNoExistOrNoAccess.ID {
t.Fatal("GetPermissions should have failed with access error")
}
- if err := g.SetPermissions(ctx, myacl, ""); verror.ErrorID(err) != verror.ErrNoExistOrNoAccess.ID {
+ if err := g.SetPermissions(ctx, myperms, ""); verror.ErrorID(err) != verror.ErrNoExistOrNoAccess.ID {
t.Fatal("SetPermissions should have failed with access error")
}
}
@@ -365,7 +365,7 @@
ctx, serverName, cleanup := setupOrDie()
defer cleanup()
- // Create a group with a default AccessList and no entries.
+ // Create a group with a default Permissions and no entries.
g := groups.GroupClient(naming.JoinAddressName(serverName, "grpA"))
if err := g.Create(ctx, nil, nil); err != nil {
t.Fatal("Create failed: ", err)
@@ -432,12 +432,12 @@
t.Errorf("Versions should not match: %v", versionBefore)
}
- // Create a group with an AccessList that disallows Add(), check that Add()
+ // Create a group with a Permissions that disallows Add(), check that Add()
// fails.
g = groups.GroupClient(naming.JoinAddressName(serverName, "grpB"))
- acl := access.Permissions{}
- acl.Add(security.BlessingPattern("server/client"), string(access.Admin))
- if err := g.Create(ctx, acl, nil); err != nil {
+ perms := access.Permissions{}
+ perms.Add(security.BlessingPattern("server/client"), string(access.Admin))
+ if err := g.Create(ctx, perms, nil); err != nil {
t.Fatal("Create failed: ", err)
}
// Add should fail (no access).
@@ -451,7 +451,7 @@
ctx, serverName, cleanup := setupOrDie()
defer cleanup()
- // Create a group with a default AccessList and two entries.
+ // Create a group with a default Permissions and two entries.
g := groups.GroupClient(naming.JoinAddressName(serverName, "grpA"))
if err := g.Create(ctx, nil, bpcSlice("foo", "bar")); err != nil {
t.Fatal("Create failed: ", err)
@@ -517,12 +517,12 @@
t.Errorf("Versions should not match: %v", versionBefore)
}
- // Create a group with an AccessList that disallows Remove(), check that
+ // Create a group with a Permissions that disallows Remove(), check that
// Remove() fails.
g = groups.GroupClient(naming.JoinAddressName(serverName, "grpB"))
- acl := access.Permissions{}
- acl.Add(security.BlessingPattern("server/client"), string(access.Admin))
- if err := g.Create(ctx, acl, bpcSlice("foo", "bar")); err != nil {
+ perms := access.Permissions{}
+ perms.Add(security.BlessingPattern("server/client"), string(access.Admin))
+ if err := g.Create(ctx, perms, bpcSlice("foo", "bar")); err != nil {
t.Fatal("Create failed: ", err)
}
// Remove should fail (no access).
diff --git a/services/groups/internal/server/types.vdl b/services/groups/internal/server/types.vdl
index d569880..5631696 100644
--- a/services/groups/internal/server/types.vdl
+++ b/services/groups/internal/server/types.vdl
@@ -12,6 +12,6 @@
// groupData represents the persistent state of a group. (The group name is
// persisted as the store entry key.)
type groupData struct {
- AccessList access.Permissions
+ Perms access.Permissions
Entries set[groups.BlessingPatternChunk]
}
diff --git a/services/groups/internal/server/types.vdl.go b/services/groups/internal/server/types.vdl.go
index 0a2eb83..7b14760 100644
--- a/services/groups/internal/server/types.vdl.go
+++ b/services/groups/internal/server/types.vdl.go
@@ -19,8 +19,8 @@
// groupData represents the persistent state of a group. (The group name is
// persisted as the store entry key.)
type groupData struct {
- AccessList access.Permissions
- Entries map[groups.BlessingPatternChunk]struct{}
+ Perms access.Permissions
+ Entries map[groups.BlessingPatternChunk]struct{}
}
func (groupData) __VDLReflect(struct {
diff --git a/services/internal/binarylib/dispatcher.go b/services/internal/binarylib/dispatcher.go
index 9b0b4d9..3a138c7 100644
--- a/services/internal/binarylib/dispatcher.go
+++ b/services/internal/binarylib/dispatcher.go
@@ -10,8 +10,7 @@
"v.io/v23/rpc"
"v.io/v23/security"
"v.io/v23/services/repository"
-
- "v.io/x/ref/services/internal/acls"
+ "v.io/x/ref/services/internal/pathperms"
)
const (
@@ -21,21 +20,21 @@
// dispatcher holds the state of the binary repository dispatcher.
type dispatcher struct {
- state *state
- aclstore *acls.PathStore
+ state *state
+ permsStore *pathperms.PathStore
}
// NewDispatcher is the dispatcher factory.
func NewDispatcher(principal security.Principal, state *state) (rpc.Dispatcher, error) {
return &dispatcher{
- state: state,
- aclstore: acls.NewPathStore(principal),
+ state: state,
+ permsStore: pathperms.NewPathStore(principal),
}, nil
}
// DISPATCHER INTERFACE IMPLEMENTATION
-func aclPath(rootDir, suffix string) string {
+func permsPath(rootDir, suffix string) string {
var dir string
if suffix == "" {
// Directory is in namespace overlapped with Vanadium namespace
@@ -47,17 +46,17 @@
return dir
}
-func newAuthorizer(rootDir, suffix string, aclstore *acls.PathStore) (security.Authorizer, error) {
- return acls.NewHierarchicalAuthorizer(
- aclPath(rootDir, ""),
- aclPath(rootDir, suffix),
- aclstore)
+func newAuthorizer(rootDir, suffix string, permsStore *pathperms.PathStore) (security.Authorizer, error) {
+ return pathperms.NewHierarchicalAuthorizer(
+ permsPath(rootDir, ""),
+ permsPath(rootDir, suffix),
+ permsStore)
}
func (d *dispatcher) Lookup(suffix string) (interface{}, security.Authorizer, error) {
- auth, err := newAuthorizer(d.state.rootDir, suffix, d.aclstore)
+ auth, err := newAuthorizer(d.state.rootDir, suffix, d.permsStore)
if err != nil {
return nil, nil, err
}
- return repository.BinaryServer(newBinaryService(d.state, suffix, d.aclstore)), auth, nil
+ return repository.BinaryServer(newBinaryService(d.state, suffix, d.permsStore)), auth, nil
}
diff --git a/services/internal/binarylib/acl_test.go b/services/internal/binarylib/perms_test.go
similarity index 87%
rename from services/internal/binarylib/acl_test.go
rename to services/internal/binarylib/perms_test.go
index c338de1..59de734 100644
--- a/services/internal/binarylib/acl_test.go
+++ b/services/internal/binarylib/perms_test.go
@@ -126,7 +126,7 @@
}
vlog.VI(2).Infof("Validate that the AccessList also allows Self")
- acl, _, err := b("bini/private").GetPermissions(selfCtx)
+ perms, _, err := b("bini/private").GetPermissions(selfCtx)
if err != nil {
t.Fatalf("GetPermissions failed: %v", err)
}
@@ -137,7 +137,7 @@
"Debug": access.AccessList{In: []security.BlessingPattern{"self/$", "self/child"}},
"Resolve": access.AccessList{In: []security.BlessingPattern{"self/$", "self/child"}},
}
- if got, want := acl.Normalize(), expected.Normalize(); !reflect.DeepEqual(got, want) {
+ if got, want := perms.Normalize(), expected.Normalize(); !reflect.DeepEqual(got, want) {
t.Errorf("got %#v, expected %#v ", got, want)
}
}
@@ -199,7 +199,7 @@
}
vlog.VI(2).Infof("Validate the AccessList file on bini/private.")
- acl, _, err := b("bini/private").GetPermissions(selfCtx)
+ perms, _, err := b("bini/private").GetPermissions(selfCtx)
if err != nil {
t.Fatalf("GetPermissions failed: %v", err)
}
@@ -210,16 +210,16 @@
"Debug": access.AccessList{In: []security.BlessingPattern{"self"}},
"Resolve": access.AccessList{In: []security.BlessingPattern{"self"}},
}
- if got, want := acl.Normalize(), expected.Normalize(); !reflect.DeepEqual(got, want) {
+ if got, want := perms.Normalize(), expected.Normalize(); !reflect.DeepEqual(got, want) {
t.Errorf("got %#v, expected %#v ", got, want)
}
vlog.VI(2).Infof("Validate the AccessList file on bini/private.")
- acl, version, err := b("bini/private").GetPermissions(selfCtx)
+ perms, version, err := b("bini/private").GetPermissions(selfCtx)
if err != nil {
t.Fatalf("GetPermissions failed: %v", err)
}
- if got, want := acl.Normalize(), expected.Normalize(); !reflect.DeepEqual(got, want) {
+ if got, want := perms.Normalize(), expected.Normalize(); !reflect.DeepEqual(got, want) {
t.Errorf("got %#v, expected %#v ", got, want)
}
@@ -235,14 +235,14 @@
vlog.VI(2).Infof("Self modifies the AccessList file on bini/private.")
for _, tag := range access.AllTypicalTags() {
- acl.Clear("self", string(tag))
- acl.Add("self/$", string(tag))
+ perms.Clear("self", string(tag))
+ perms.Add("self/$", string(tag))
}
- if err := b("bini/private").SetPermissions(selfCtx, acl, version); err != nil {
+ if err := b("bini/private").SetPermissions(selfCtx, perms, version); err != nil {
t.Fatalf("SetPermissions failed: %v", err)
}
- vlog.VI(2).Infof(" Verify that bini/private's acls are updated.")
+ vlog.VI(2).Infof(" Verify that bini/private's perms are updated.")
updated := access.Permissions{
"Admin": access.AccessList{In: []security.BlessingPattern{"self/$"}},
"Read": access.AccessList{In: []security.BlessingPattern{"self/$"}},
@@ -250,11 +250,11 @@
"Debug": access.AccessList{In: []security.BlessingPattern{"self/$"}},
"Resolve": access.AccessList{In: []security.BlessingPattern{"self/$"}},
}
- acl, _, err = b("bini/private").GetPermissions(selfCtx)
+ perms, _, err = b("bini/private").GetPermissions(selfCtx)
if err != nil {
t.Fatalf("GetPermissions failed: %v", err)
}
- if got, want := acl.Normalize(), updated.Normalize(); !reflect.DeepEqual(got, want) {
+ if got, want := perms.Normalize(), updated.Normalize(); !reflect.DeepEqual(got, want) {
t.Errorf("got %#v, expected %#v ", got, want)
}
@@ -284,7 +284,7 @@
}
vlog.VI(2).Infof("Other still can't create so Self gives Other right to Create.")
- acl, tag, err := b("bini").GetPermissions(selfCtx)
+ perms, tag, err := b("bini").GetPermissions(selfCtx)
if err != nil {
t.Fatalf("GetPermissions() failed: %v", err)
}
@@ -293,17 +293,17 @@
// this test: that self/other acquires the right to invoke Create at the
// root. In particular:
//
- // a. acl.Add("self", "Write ")
- // b. acl.Add("self/other", "Write")
- // c. acl.Add("self/other/$", "Write")
+ // a. perms.Add("self", "Write ")
+ // b. perms.Add("self/other", "Write")
+ // c. perms.Add("self/other/$", "Write")
//
// will all give self/other the right to invoke Create but in the case of
// (a) it will also extend this right to self's delegates (because of the
// absence of the $) including other and in (b) will also extend the
// Create right to all of other's delegates. Since (c) is the minimum
// case, use that.
- acl.Add("self/other/$", string("Write"))
- err = b("bini").SetPermissions(selfCtx, acl, tag)
+ perms.Add("self/other/$", string("Write"))
+ err = b("bini").SetPermissions(selfCtx, perms, tag)
if err != nil {
t.Fatalf("SetPermissions() failed: %v", err)
}
@@ -317,7 +317,7 @@
t.FailNow()
}
- vlog.VI(2).Infof("Other can read acls for bini/otherbinary.")
+ vlog.VI(2).Infof("Other can read perms for bini/otherbinary.")
updated = access.Permissions{
"Admin": access.AccessList{In: []security.BlessingPattern{"self/$", "self/other"}},
"Read": access.AccessList{In: []security.BlessingPattern{"self/$", "self/other"}},
@@ -325,21 +325,21 @@
"Debug": access.AccessList{In: []security.BlessingPattern{"self/$", "self/other"}},
"Resolve": access.AccessList{In: []security.BlessingPattern{"self/$", "self/other"}},
}
- acl, _, err = b("bini/otherbinary").GetPermissions(otherCtx)
+ perms, _, err = b("bini/otherbinary").GetPermissions(otherCtx)
if err != nil {
t.Fatalf("GetPermissions failed: %v", err)
}
- if got, want := acl.Normalize(), updated.Normalize(); !reflect.DeepEqual(want, got) {
+ if got, want := perms.Normalize(), updated.Normalize(); !reflect.DeepEqual(want, got) {
t.Errorf("got %#v, expected %#v ", got, want)
}
vlog.VI(2).Infof("Other tries to exclude self by removing self from the AccessList set")
- acl, tag, err = b("bini/otherbinary").GetPermissions(otherCtx)
+ perms, tag, err = b("bini/otherbinary").GetPermissions(otherCtx)
if err != nil {
t.Fatalf("GetPermissions() failed: %v", err)
}
- acl.Clear("self/$")
- err = b("bini/otherbinary").SetPermissions(otherCtx, acl, tag)
+ perms.Clear("self/$")
+ err = b("bini/otherbinary").SetPermissions(otherCtx, perms, tag)
if err != nil {
t.Fatalf("SetPermissions() failed: %v", err)
}
@@ -352,11 +352,11 @@
"Debug": access.AccessList{In: []security.BlessingPattern{"self/other"}},
"Resolve": access.AccessList{In: []security.BlessingPattern{"self/other"}},
}
- acl, _, err = b("bini/otherbinary").GetPermissions(otherCtx)
+ perms, _, err = b("bini/otherbinary").GetPermissions(otherCtx)
if err != nil {
t.Fatalf("GetPermissions failed: %v", err)
}
- if got, want := acl.Normalize(), updated.Normalize(); !reflect.DeepEqual(want, got) {
+ if got, want := perms.Normalize(), updated.Normalize(); !reflect.DeepEqual(want, got) {
t.Errorf("got %#v, expected %#v ", got, want)
}
@@ -366,14 +366,14 @@
}
vlog.VI(2).Infof("Self petulantly blacklists other back.")
- acl, tag, err = b("bini").GetPermissions(selfCtx)
+ perms, tag, err = b("bini").GetPermissions(selfCtx)
if err != nil {
t.Fatalf("GetPermissions() failed: %v", err)
}
for _, tag := range access.AllTypicalTags() {
- acl.Blacklist("self/other", string(tag))
+ perms.Blacklist("self/other", string(tag))
}
- err = b("bini").SetPermissions(selfCtx, acl, tag)
+ err = b("bini").SetPermissions(selfCtx, perms, tag)
if err != nil {
t.Fatalf("SetPermissions() failed: %v", err)
}
@@ -389,14 +389,14 @@
}
vlog.VI(2).Infof("Self petulantly blacklists other's binary too.")
- acl, tag, err = b("bini/shared").GetPermissions(selfCtx)
+ perms, tag, err = b("bini/shared").GetPermissions(selfCtx)
if err != nil {
t.Fatalf("GetPermissions() failed: %v", err)
}
for _, tag := range access.AllTypicalTags() {
- acl.Blacklist("self/other", string(tag))
+ perms.Blacklist("self/other", string(tag))
}
- err = b("bini/shared").SetPermissions(selfCtx, acl, tag)
+ err = b("bini/shared").SetPermissions(selfCtx, perms, tag)
if err != nil {
t.Fatalf("SetPermissions() failed: %v", err)
}
@@ -410,12 +410,12 @@
vlog.VI(2).Infof("Self feels guilty for petulance and disempowers itself")
// TODO(rjkroege,caprita): This is a one-way transition for self. Perhaps it
// should not be. Consider adding a factory-reset facility.
- acl, tag, err = b("bini").GetPermissions(selfCtx)
+ perms, tag, err = b("bini").GetPermissions(selfCtx)
if err != nil {
t.Fatalf("GetPermissions() failed: %v", err)
}
- acl.Clear("self/$", "Admin")
- err = b("bini").SetPermissions(selfCtx, acl, tag)
+ perms.Clear("self/$", "Admin")
+ err = b("bini").SetPermissions(selfCtx, perms, tag)
if err != nil {
t.Fatalf("SetPermissions() failed: %v", err)
}
@@ -453,7 +453,7 @@
pid := servicetest.ReadPID(t, nmh)
defer syscall.Kill(pid, syscall.SIGINT)
- acl, tag, err := b("bini").GetPermissions(selfCtx)
+ perms, tag, err := b("bini").GetPermissions(selfCtx)
if err != nil {
t.Fatalf("GetPermissions failed: %#v", err)
}
@@ -464,17 +464,17 @@
"Debug": access.AccessList{In: []security.BlessingPattern{"self/$", "self/child"}, NotIn: []string{}},
"Resolve": access.AccessList{In: []security.BlessingPattern{"self/$", "self/child"}, NotIn: []string{}},
}
- if got, want := acl.Normalize(), expected.Normalize(); !reflect.DeepEqual(got, want) {
+ if got, want := perms.Normalize(), expected.Normalize(); !reflect.DeepEqual(got, want) {
t.Errorf("got %#v, expected %#v ", got, want)
}
- acl.Blacklist("self", string("Read"))
- err = b("bini").SetPermissions(selfCtx, acl, tag)
+ perms.Blacklist("self", string("Read"))
+ err = b("bini").SetPermissions(selfCtx, perms, tag)
if err != nil {
t.Fatalf("SetPermissions() failed: %v", err)
}
- acl, tag, err = b("bini").GetPermissions(selfCtx)
+ perms, tag, err = b("bini").GetPermissions(selfCtx)
if err != nil {
t.Fatalf("GetPermissions failed: %#v", err)
}
@@ -485,7 +485,7 @@
"Debug": access.AccessList{In: []security.BlessingPattern{"self/$", "self/child"}, NotIn: []string{}},
"Resolve": access.AccessList{In: []security.BlessingPattern{"self/$", "self/child"}, NotIn: []string{}},
}
- if got, want := acl.Normalize(), expected.Normalize(); !reflect.DeepEqual(got, want) {
+ if got, want := perms.Normalize(), expected.Normalize(); !reflect.DeepEqual(got, want) {
t.Errorf("got %#v, expected %#v ", got, want)
}
diff --git a/services/internal/binarylib/service.go b/services/internal/binarylib/service.go
index 85a0a03..dd8ad2c 100644
--- a/services/internal/binarylib/service.go
+++ b/services/internal/binarylib/service.go
@@ -3,15 +3,15 @@
// license that can be found in the LICENSE file.
// The implementation of the binary repository interface stores objects
-// identified by object name suffixes using the local file system. Given
-// an object name suffix, the implementation computes an MD5 hash of the
-// suffix and generates the following path in the local filesystem:
-// /<root-dir>/<dir_1>/.../<dir_n>/<hash>. The root directory and the
-// directory depth are parameters of the implementation. <root-dir> also
-// contains __acls/data and __acls/sig files storing the AccessLists for the
-// root level. The contents of the directory include the checksum and
-// data for each of the individual parts of the binary, the name of the
-// object and a directory containing the acls for this particular object:
+// identified by object name suffixes using the local file system. Given an
+// object name suffix, the implementation computes an MD5 hash of the suffix and
+// generates the following path in the local filesystem:
+// /<root-dir>/<dir_1>/.../<dir_n>/<hash>. The root directory and the directory
+// depth are parameters of the implementation. <root-dir> also contains
+// __acls/data and __acls/sig files storing the Permissions for the root level.
+// The contents of the directory include the checksum and data for each of the
+// individual parts of the binary, the name of the object and a directory
+// containing the perms for this particular object:
//
// name
// acls/data
@@ -48,7 +48,7 @@
"v.io/v23/services/repository"
"v.io/v23/verror"
"v.io/x/lib/vlog"
- "v.io/x/ref/services/internal/acls"
+ "v.io/x/ref/services/internal/pathperms"
)
// binaryService implements the Binary server interface.
@@ -60,8 +60,8 @@
// invocations.
state *state
// suffix is the name of the binary object.
- suffix string
- aclstore *acls.PathStore
+ suffix string
+ permsStore *pathperms.PathStore
}
const pkgPath = "v.io/x/ref/services/internal/binarylib"
@@ -82,12 +82,12 @@
}
// newBinaryService returns a new Binary service implementation.
-func newBinaryService(state *state, suffix string, aclstore *acls.PathStore) *binaryService {
+func newBinaryService(state *state, suffix string, permsStore *pathperms.PathStore) *binaryService {
return &binaryService{
- path: state.dir(suffix),
- state: state,
- suffix: suffix,
- aclstore: aclstore,
+ path: state.dir(suffix),
+ state: state,
+ suffix: suffix,
+ permsStore: permsStore,
}
}
@@ -120,8 +120,8 @@
// None of the client's blessings are valid.
return verror.New(ErrNotAuthorized, ctx)
}
- if err := i.aclstore.Set(aclPath(i.state.rootDir, i.suffix), acls.PermissionsForBlessings(rb), ""); err != nil {
- vlog.Errorf("insertAccessLists(%v) failed: %v", rb, err)
+ if err := i.permsStore.Set(permsPath(i.state.rootDir, i.suffix), pathperms.PermissionsForBlessings(rb), ""); err != nil {
+ vlog.Errorf("insertPermissions(%v) failed: %v", rb, err)
return verror.New(ErrOperationFailed, ctx)
}
@@ -371,15 +371,16 @@
return ch, nil
}
-func (i *binaryService) GetPermissions(ctx *context.T, call rpc.ServerCall) (acl access.Permissions, version string, err error) {
- acl, version, err = i.aclstore.Get(aclPath(i.state.rootDir, i.suffix))
+func (i *binaryService) GetPermissions(ctx *context.T, call rpc.ServerCall) (perms access.Permissions, version string, err error) {
+ perms, version, err = i.permsStore.Get(permsPath(i.state.rootDir, i.suffix))
if os.IsNotExist(err) {
- // No AccessList file found which implies a nil authorizer. This results in default authorization.
- return acls.NilAuthPermissions(ctx, call.Security()), "", nil
+ // No Permissions file found which implies a nil authorizer. This results in
+ // default authorization.
+ return pathperms.NilAuthPermissions(ctx, call.Security()), "", nil
}
- return acl, version, err
+ return perms, version, err
}
-func (i *binaryService) SetPermissions(_ *context.T, _ rpc.ServerCall, acl access.Permissions, version string) error {
- return i.aclstore.Set(aclPath(i.state.rootDir, i.suffix), acl, version)
+func (i *binaryService) SetPermissions(_ *context.T, _ rpc.ServerCall, perms access.Permissions, version string) error {
+ return i.permsStore.Set(permsPath(i.state.rootDir, i.suffix), perms, version)
}
diff --git a/services/internal/acls/hierarchical_authorizer.go b/services/internal/pathperms/hierarchical_authorizer.go
similarity index 74%
rename from services/internal/acls/hierarchical_authorizer.go
rename to services/internal/pathperms/hierarchical_authorizer.go
index ddc79d4..1556eb0 100644
--- a/services/internal/acls/hierarchical_authorizer.go
+++ b/services/internal/pathperms/hierarchical_authorizer.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-package acls
+package pathperms
import (
"v.io/v23/context"
@@ -15,24 +15,24 @@
// hierarchical authorization in the Authorize method.
type hierarchicalAuthorizer struct {
rootDir, childDir string
- get TAMGetter
+ get PermsGetter
}
-// TAMGetter defines an abstract interface that a customer of
+// PermsGetter defines an abstract interface that a customer of
// NewHierarchicalAuthorizer can use to obtain the PermissionsAuthorizer
// instances that it needs to construct a hierarchicalAuthorizer.
-type TAMGetter interface {
- // TAMForPath has two successful outcomes: either returning a valid
+type PermsGetter interface {
+ // PermsForPath has two successful outcomes: either returning a valid
// Permissions object or a boolean status true indicating that the
// Permissions object is intentionally not present. Finally, it returns an
// error if anything has gone wrong.
- TAMForPath(path string) (access.Permissions, bool, error)
+ PermsForPath(path string) (access.Permissions, bool, error)
}
-func mkRootAuth(rootTam access.Permissions) (security.Authorizer, error) {
- rootAuth, err := access.PermissionsAuthorizer(rootTam, access.TypicalTagType())
+func mkRootAuth(rootPerms access.Permissions) (security.Authorizer, error) {
+ rootAuth, err := access.PermissionsAuthorizer(rootPerms, access.TypicalTagType())
if err != nil {
- vlog.Errorf("Successfully obtained an AccessList from the filesystem but PermissionsAuthorizer couldn't use it: %v", err)
+ vlog.Errorf("Successfully obtained Permissions from the filesystem but PermissionsAuthorizer couldn't use it: %v", err)
return nil, err
}
return rootAuth, nil
@@ -41,7 +41,7 @@
// NewHierarchicalAuthorizer creates a new hierarchicalAuthorizer: one
// that implements a "root" like concept: admin rights at the root of
// a server can invoke RPCs regardless of permissions set on child objects.
-func NewHierarchicalAuthorizer(rootDir, childDir string, get TAMGetter) (security.Authorizer, error) {
+func NewHierarchicalAuthorizer(rootDir, childDir string, get PermsGetter) (security.Authorizer, error) {
return &hierarchicalAuthorizer{
rootDir: rootDir,
childDir: childDir,
@@ -50,11 +50,11 @@
}
func (ha *hierarchicalAuthorizer) Authorize(ctx *context.T, call security.Call) error {
- rootPerms, intentionallyEmpty, err := ha.get.TAMForPath(ha.rootDir)
+ rootPerms, intentionallyEmpty, err := ha.get.PermsForPath(ha.rootDir)
if err != nil {
return err
} else if intentionallyEmpty {
- vlog.VI(2).Infof("TAMForPath(%s) is intentionally empty", ha.rootDir)
+ vlog.VI(2).Infof("PermsForPath(%s) is intentionally empty", ha.rootDir)
return security.DefaultAuthorizer().Authorize(ctx, call)
}
@@ -69,7 +69,7 @@
// This is not fatal: the childDir may not exist if we are invoking
// a Create() method so we only use the root Permissions.
- childPerms, intentionallyEmpty, err := ha.get.TAMForPath(ha.childDir)
+ childPerms, intentionallyEmpty, err := ha.get.PermsForPath(ha.childDir)
if err != nil {
return err
} else if intentionallyEmpty {
diff --git a/services/internal/acls/aclaccess.go b/services/internal/pathperms/permsaccess.go
similarity index 63%
rename from services/internal/acls/aclaccess.go
rename to services/internal/pathperms/permsaccess.go
index 9eabd47..a343fb0 100644
--- a/services/internal/acls/aclaccess.go
+++ b/services/internal/pathperms/permsaccess.go
@@ -2,11 +2,11 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-// Package acls provides a library to assist servers implementing
+// Package pathperms provides a library to assist servers implementing
// GetPermissions/SetPermissions functions and authorizers where there are
-// path-specific AccessLists stored individually in files.
+// path-specific Permissions stored individually in files.
// TODO(rjkroege): Add unit tests.
-package acls
+package pathperms
import (
"io/ioutil"
@@ -23,18 +23,18 @@
)
const (
- pkgPath = "v.io/x/ref/services/internal/acls"
- sigName = "signature"
- aclName = "data"
+ pkgPath = "v.io/x/ref/services/internal/pathperms"
+ sigName = "signature"
+ permsName = "data"
)
var (
ErrOperationFailed = verror.Register(pkgPath+".OperationFailed", verror.NoRetry, "{1:}{2:} operation failed{:_}")
)
-// PathStore manages storage of a set of AccessLists in the filesystem where each
-// path identifies a specific AccessList in the set. PathStore synchronizes
-// access to its member AccessLists.
+// PathStore manages storage of a set of Permissions in the filesystem where each
+// path identifies a specific Permissions in the set. PathStore synchronizes
+// access to its member Permissions.
type PathStore struct {
// TODO(rjkroege): Garbage collect the locks map.
pthlks map[string]*sync.Mutex
@@ -43,17 +43,17 @@
}
// NewPathStore creates a new instance of the lock map that uses
-// principal to sign stored AccessList files.
+// principal to sign stored Permissions files.
func NewPathStore(principal security.Principal) *PathStore {
return &PathStore{pthlks: make(map[string]*sync.Mutex), principal: principal}
}
// Get returns the Permissions from the data file in dir.
func (store PathStore) Get(dir string) (access.Permissions, string, error) {
- aclpath := filepath.Join(dir, aclName)
+ permspath := filepath.Join(dir, permsName)
sigpath := filepath.Join(dir, sigName)
defer store.lockPath(dir)()
- return getCore(store.principal, aclpath, sigpath)
+ return getCore(store.principal, permspath, sigpath)
}
// TODO(rjkroege): Improve lock handling.
@@ -69,66 +69,66 @@
return lck.Unlock
}
-func getCore(principal security.Principal, aclpath, sigpath string) (access.Permissions, string, error) {
- f, err := os.Open(aclpath)
+func getCore(principal security.Principal, permspath, sigpath string) (access.Permissions, string, error) {
+ f, err := os.Open(permspath)
if err != nil {
// This path is rarely a fatal error so log informationally only.
- vlog.VI(2).Infof("os.Open(%s) failed: %v", aclpath, err)
+ vlog.VI(2).Infof("os.Open(%s) failed: %v", permspath, err)
return nil, "", err
}
defer f.Close()
s, err := os.Open(sigpath)
if err != nil {
- vlog.Errorf("Signatures for AccessLists are required: %s unavailable: %v", aclpath, err)
+ vlog.Errorf("Signatures for Permissions are required: %s unavailable: %v", permspath, err)
return nil, "", verror.New(ErrOperationFailed, nil)
}
defer s.Close()
- // read and verify the signature of the acl file
+ // read and verify the signature of the perms file
vf, err := serialization.NewVerifyingReader(f, s, principal.PublicKey())
if err != nil {
- vlog.Errorf("NewVerifyingReader() failed: %v (acl=%s, sig=%s)", err, aclpath, sigpath)
+ vlog.Errorf("NewVerifyingReader() failed: %v (perms=%s, sig=%s)", err, permspath, sigpath)
return nil, "", verror.New(ErrOperationFailed, nil)
}
- acl, err := access.ReadPermissions(vf)
+ perms, err := access.ReadPermissions(vf)
if err != nil {
- vlog.Errorf("ReadPermissions(%s) failed: %v", aclpath, err)
+ vlog.Errorf("ReadPermissions(%s) failed: %v", permspath, err)
return nil, "", err
}
- version, err := ComputeVersion(acl)
+ version, err := ComputeVersion(perms)
if err != nil {
- vlog.Errorf("acls.ComputeVersion failed: %v", err)
+ vlog.Errorf("pathperms.ComputeVersion failed: %v", err)
return nil, "", err
}
- return acl, version, nil
+ return perms, version, nil
}
// Set writes the specified Permissions to the provided directory with
// enforcement of version synchronization mechanism and locking.
-func (store PathStore) Set(dir string, acl access.Permissions, version string) error {
- aclpath := filepath.Join(dir, aclName)
+func (store PathStore) Set(dir string, perms access.Permissions, version string) error {
+ permspath := filepath.Join(dir, permsName)
sigpath := filepath.Join(dir, sigName)
defer store.lockPath(dir)()
- _, oversion, err := getCore(store.principal, aclpath, sigpath)
+ _, oversion, err := getCore(store.principal, permspath, sigpath)
if err != nil && !os.IsNotExist(err) {
return verror.New(ErrOperationFailed, nil)
}
if len(version) > 0 && version != oversion {
return verror.NewErrBadVersion(nil)
}
- return write(store.principal, aclpath, sigpath, dir, acl)
+ return write(store.principal, permspath, sigpath, dir, perms)
}
-// write writes the specified Permissions to the aclFile with a
+// write writes the specified Permissions to the permsFile with a
// signature in sigFile.
-func write(principal security.Principal, aclFile, sigFile, dir string, acl access.Permissions) error {
+func write(principal security.Principal, permsFile, sigFile, dir string, perms access.Permissions) error {
// Create dir directory if it does not exist
os.MkdirAll(dir, os.FileMode(0700))
// Save the object to temporary data and signature files, and then move
// those files to the actual data and signature file.
- data, err := ioutil.TempFile(dir, aclName)
+ data, err := ioutil.TempFile(dir, permsName)
if err != nil {
vlog.Errorf("Failed to open tmpfile data:%v", err)
return verror.New(ErrOperationFailed, nil)
@@ -145,15 +145,15 @@
vlog.Errorf("Failed to create NewSigningWriteCloser:%v", err)
return verror.New(ErrOperationFailed, nil)
}
- if err = acl.WriteTo(writer); err != nil {
- vlog.Errorf("Failed to SaveAccessList:%v", err)
+ if err = perms.WriteTo(writer); err != nil {
+ vlog.Errorf("Failed to SavePermissions:%v", err)
return verror.New(ErrOperationFailed, nil)
}
if err = writer.Close(); err != nil {
vlog.Errorf("Failed to Close() SigningWriteCloser:%v", err)
return verror.New(ErrOperationFailed, nil)
}
- if err := os.Rename(data.Name(), aclFile); err != nil {
+ if err := os.Rename(data.Name(), permsFile); err != nil {
vlog.Errorf("os.Rename() failed:%v", err)
return verror.New(ErrOperationFailed, nil)
}
@@ -164,18 +164,18 @@
return nil
}
-func (store PathStore) TAMForPath(path string) (access.Permissions, bool, error) {
- tam, _, err := store.Get(path)
+func (store PathStore) PermsForPath(path string) (access.Permissions, bool, error) {
+ perms, _, err := store.Get(path)
if os.IsNotExist(err) {
return nil, true, nil
} else if err != nil {
return nil, false, err
}
- return tam, false, nil
+ return perms, false, nil
}
-// PrefixPatterns creates a pattern containing all of the prefix patterns of
-// the provided blessings.
+// PrefixPatterns creates a pattern containing all of the prefix patterns of the
+// provided blessings.
func PrefixPatterns(blessings []string) []security.BlessingPattern {
var patterns []security.BlessingPattern
for _, b := range blessings {
@@ -184,31 +184,31 @@
return patterns
}
-// PermissionsForBlessings creates the Permissions list that should be used
-// with a newly created object.
+// PermissionsForBlessings creates the Permissions list that should be used with
+// a newly created object.
func PermissionsForBlessings(blessings []string) access.Permissions {
- tam := make(access.Permissions)
+ perms := make(access.Permissions)
// Add the invoker's blessings and all its prefixes.
for _, p := range PrefixPatterns(blessings) {
for _, tag := range access.AllTypicalTags() {
- tam.Add(p, string(tag))
+ perms.Add(p, string(tag))
}
}
- return tam
+ return perms
}
-// NilAuthPermissions creates an AccessList that mimics the default
-// authorization policy (i.e., the AccessList is matched by all blessings
-// that are either extensions of one of the local blessings or can be
-// extended to form one of the local blessings.)
+// NilAuthPermissions creates Permissions that mimics the default authorization
+// policy (i.e., Permissions is matched by all blessings that are either
+// extensions of one of the local blessings or can be extended to form one of
+// the local blessings.)
func NilAuthPermissions(ctx *context.T, call security.Call) access.Permissions {
- tam := make(access.Permissions)
+ perms := make(access.Permissions)
lb := security.LocalBlessingNames(ctx, call)
for _, p := range PrefixPatterns(lb) {
for _, tag := range access.AllTypicalTags() {
- tam.Add(p, string(tag))
+ perms.Add(p, string(tag))
}
}
- return tam
+ return perms
}
diff --git a/services/internal/acls/version.go b/services/internal/pathperms/version.go
similarity index 65%
rename from services/internal/acls/version.go
rename to services/internal/pathperms/version.go
index 4b8839a..1cdf2d5 100644
--- a/services/internal/acls/version.go
+++ b/services/internal/pathperms/version.go
@@ -2,9 +2,7 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-// Package acls provides a library to assist servers implementing
-// GetPermissions/SetPermissions functions.
-package acls
+package pathperms
import (
"bytes"
@@ -16,10 +14,10 @@
// ComputeVersion produces the tag value returned by access.GetPermissions()
// (per v23/services/permissions/service.vdl) that GetPermissions/SetPermissions
-// use to determine if the AccessLists have been asynchronously modified.
-func ComputeVersion(acl access.Permissions) (string, error) {
+// use to determine if the Permissions have been asynchronously modified.
+func ComputeVersion(perms access.Permissions) (string, error) {
b := new(bytes.Buffer)
- if err := acl.WriteTo(b); err != nil {
+ if err := perms.WriteTo(b); err != nil {
return "", err
}
diff --git a/services/role/roled/internal/role_test.go b/services/role/roled/internal/role_test.go
index 630a715..28cce94 100644
--- a/services/role/roled/internal/role_test.go
+++ b/services/role/roled/internal/role_test.go
@@ -35,7 +35,7 @@
}
defer os.RemoveAll(workdir)
- // Role A is a restricted role, i.e. it can be used in sensitive ACLs.
+ // Role A is a restricted role, i.e. it can be used in sensitive Permissions.
roleAConf := irole.Config{
Members: []security.BlessingPattern{
"root/users/user1/_role",
diff --git a/services/wspr/internal/namespace/namespace.vdl b/services/wspr/internal/namespace/namespace.vdl
index 9e06768..fba8427 100644
--- a/services/wspr/internal/namespace/namespace.vdl
+++ b/services/wspr/internal/namespace/namespace.vdl
@@ -36,9 +36,9 @@
// SetRoots sets the current mounttable roots.
SetRoots(roots []string) error
// SetPermissions sets the AccessList in a node in a mount table.
- SetPermissions(name string, acl access.Permissions, version string) error
+ SetPermissions(name string, perms access.Permissions, version string) error
// GetPermissions returns the AccessList in a node in a mount table.
- GetPermissions(name string) (acl access.Permissions, version string | error)
+ GetPermissions(name string) (perms access.Permissions, version string | error)
// Delete deletes the name from the mounttable and, if requested, any subtree.
Delete(name string, deleteSubtree bool) error
}
diff --git a/services/wspr/internal/namespace/namespace.vdl.go b/services/wspr/internal/namespace/namespace.vdl.go
index e6550ef..ade1ee0 100644
--- a/services/wspr/internal/namespace/namespace.vdl.go
+++ b/services/wspr/internal/namespace/namespace.vdl.go
@@ -48,9 +48,9 @@
// SetRoots sets the current mounttable roots.
SetRoots(ctx *context.T, roots []string, opts ...rpc.CallOpt) error
// SetPermissions sets the AccessList in a node in a mount table.
- SetPermissions(ctx *context.T, name string, acl access.Permissions, version string, opts ...rpc.CallOpt) error
+ SetPermissions(ctx *context.T, name string, perms access.Permissions, version string, opts ...rpc.CallOpt) error
// GetPermissions returns the AccessList in a node in a mount table.
- GetPermissions(ctx *context.T, name string, opts ...rpc.CallOpt) (acl access.Permissions, version string, err error)
+ GetPermissions(ctx *context.T, name string, opts ...rpc.CallOpt) (perms access.Permissions, version string, err error)
// Delete deletes the name from the mounttable and, if requested, any subtree.
Delete(ctx *context.T, name string, deleteSubtree bool, opts ...rpc.CallOpt) error
}
@@ -225,9 +225,9 @@
// SetRoots sets the current mounttable roots.
SetRoots(ctx *context.T, call rpc.ServerCall, roots []string) error
// SetPermissions sets the AccessList in a node in a mount table.
- SetPermissions(ctx *context.T, call rpc.ServerCall, name string, acl access.Permissions, version string) error
+ SetPermissions(ctx *context.T, call rpc.ServerCall, name string, perms access.Permissions, version string) error
// GetPermissions returns the AccessList in a node in a mount table.
- GetPermissions(ctx *context.T, call rpc.ServerCall, name string) (acl access.Permissions, version string, err error)
+ GetPermissions(ctx *context.T, call rpc.ServerCall, name string) (perms access.Permissions, version string, err error)
// Delete deletes the name from the mounttable and, if requested, any subtree.
Delete(ctx *context.T, call rpc.ServerCall, name string, deleteSubtree bool) error
}
@@ -257,9 +257,9 @@
// SetRoots sets the current mounttable roots.
SetRoots(ctx *context.T, call rpc.ServerCall, roots []string) error
// SetPermissions sets the AccessList in a node in a mount table.
- SetPermissions(ctx *context.T, call rpc.ServerCall, name string, acl access.Permissions, version string) error
+ SetPermissions(ctx *context.T, call rpc.ServerCall, name string, perms access.Permissions, version string) error
// GetPermissions returns the AccessList in a node in a mount table.
- GetPermissions(ctx *context.T, call rpc.ServerCall, name string) (acl access.Permissions, version string, err error)
+ GetPermissions(ctx *context.T, call rpc.ServerCall, name string) (perms access.Permissions, version string, err error)
// Delete deletes the name from the mounttable and, if requested, any subtree.
Delete(ctx *context.T, call rpc.ServerCall, name string, deleteSubtree bool) error
}
@@ -438,7 +438,7 @@
Doc: "// SetPermissions sets the AccessList in a node in a mount table.",
InArgs: []rpc.ArgDesc{
{"name", ``}, // string
- {"acl", ``}, // access.Permissions
+ {"perms", ``}, // access.Permissions
{"version", ``}, // string
},
},
@@ -449,7 +449,7 @@
{"name", ``}, // string
},
OutArgs: []rpc.ArgDesc{
- {"acl", ``}, // access.Permissions
+ {"perms", ``}, // access.Permissions
{"version", ``}, // string
},
},
diff --git a/services/wspr/internal/namespace/request_handler.go b/services/wspr/internal/namespace/request_handler.go
index 8756061..c2cbc34 100644
--- a/services/wspr/internal/namespace/request_handler.go
+++ b/services/wspr/internal/namespace/request_handler.go
@@ -91,8 +91,8 @@
return nil
}
-func (s *Server) SetPermissions(ctx *context.T, _ rpc.ServerCall, name string, acl access.Permissions, version string) error {
- return s.ns.SetPermissions(ctx, name, acl, version)
+func (s *Server) SetPermissions(ctx *context.T, _ rpc.ServerCall, name string, perms access.Permissions, version string) error {
+ return s.ns.SetPermissions(ctx, name, perms, version)
}
func (s *Server) GetPermissions(ctx *context.T, _ rpc.ServerCall, name string) (access.Permissions, string, error) {
