openwhisk-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dragos Dascalita Haut <>
Subject Re: How to share an action but not its code, nor parameters
Date Thu, 15 Feb 2018 19:23:22 GMT
Following on this thread after a quick chat with Rodric to discuss the fine grained approach
in more details ( credits go to Rodric ).

For the fine grained permissions OpenWhisk could support unix style permissions: "rwx" when
defining actions and packages. For example:

   wsk package create my-package --shared yes -a permissions x

This would make actions inside the shared package to be "eXecutable", and w/o the "r", other
developers won't be able to read the code, nor the default parameters.  These permissions
could be applied at a more granular level to the actions inside a package, in the same way
directories and files in unix can have different permissions ( in this context, directory
= package, and file = action).

I think this idea alone would solve the need to share actions with others, while keeping the
code private. IIUC it should also fix the issue references bellow in the thread.

There are some aspects that result from it:

  1.  In Unix, permissions reflect 3 scopes or classes: permissions for the owner/user, for
the group, and for others. What do these mean in the OW context ? Do we see benefits from
differentiating between these 3 ? Assuming the "owner" always has "rwx", there's no "group"
concept at the moment in OW (we could assume that the "group is the namespace ?), and "others"
is what we care about when it comes to permissions.
  2.  Implications for displaying activation results. Right now the caller of the shared action
sees the activation results, including its logs. If the permission restricts to "x" only,
should it have an implication on the activation result ?
  3.  Code vs default parameters. Should permissions differentiate the code from the default
params or they should apply to both ?

This idea can be extended later to support groups, if OpenWhisk extends the namespace:user
relation so that a namespace can be accessed by multiple users. At that point, a package,
or an action, can be shared with specific developers belonging to a group, including specific
permissions. Right now a package is either private, either shared with everybody.


@Rodric<>, feel free to add to what I missed.



From: Dragos Dascalita Haut <>
Sent: Wednesday, February 14, 2018 6:58 PM
Subject: Re: How to share an action but not its code, nor parameters

"... pursuing the fine grained rights approach. ..."

I was also re-reading your email and I was thinking... it would actually be v nice to have
this in openwhisk. In this way developers can fully control what they want to do with the
action. Another use-case I once had was to share an action that exposes a key-value store;
in that case the action would have the credentials to talk to the key-value store which I
didn't want to share with others. Having an option to hide default params from a shared actions
would have been handy. So a fine-grained control would help other use-cases too.

From: Rodric Rabbah <>
Sent: Wednesday, February 14, 2018 6:39:04 PM
Subject: Re: How to share an action but not its code, nor parameters

It’s worth mentioning that going through the web action path limits the compositions to
those that can complete is 60s. So there are other benefits to pursuing the fine grained rights


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message