geode-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Swapnil Bawaskar <sbawas...@pivotal.io>
Subject [DISCUSS] authorizing function execution
Date Thu, 17 Aug 2017 08:42:05 GMT
Discuss fix for GEODE-2817
<https://issues.apache.org/jira/browse/GEODE-2817>

Currently to execute a function, you will need "data:write" permission, but
it really depends on what the function is doing. For example, if a function
is just reading data, the function author might want users with DATA:READ
permissions to execute the function. The two options mentioned in the
ticket are:

1) externalize SecurityService so that function author can use it in the
function.execute code to check authorization.
2) add a method to function interface to tell the framework what permission
this function needs to execute, so that the framework will check the
permission before executing the function.

I vote for #2 because, I think, a function author will be able to easily
discover a method on the Function interface, rather than trying to look for
SecurityService.

I propose that we add the following new method to Function:

default public List<ResourcePermission> requiredPermissions() {
   // default DATA:WRITE
}

In order to preserve existing behavior, the default required permission
would be DATA:WRITE.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message