[infinispan-dev] Infinispan Security

Tristan Tarrant ttarrant at redhat.com
Mon Nov 25 11:51:16 EST 2013


On 11/25/2013 04:11 PM, Pedro Ruivo wrote:
>
> I was asking about having EXEC without any other permission... What
> can a user/role do with only EXEC?
Nothing. You need EXEC to be able to launch a distexec/mapreduce, and 
then you need whichever extra perms you need on top of that.
> Since we have a BULK permission (which is a READ), why not split the
> WRITE? Like MODIFY (put*, replace*), DELETE (remove*) and CLEAR (clear)?
>> BULK is also for WRITEs (putAll ?).
> Good point. So, I don't see the goal of the BULK permission. Why not allow
> the user/role to invoke keySet/etc... if he has READ permission, and
> the same thing for the WRITE permission?
Because a bulk operation (potentially) requires far more resources. The 
reasoning is the same as above: BULK needs to be combined with READ 
and/or WRITE to be useful.
> BTW, one question: are we going to support storing keys under different
> permissions? Like some keys are private to a user and he is the only one
> that can read and write them, other keys are public and everybody can
> access them (like filesystem permissions: permission for the user, role
> and others)
Not explicitly. That falls in the scope of what the custom security 
interceptor should do. While the idea of fs-like permissions with owner, 
group, etc. sounds cool, I'd leave that as a user implementation detail. 
We just provide the hooks.

Tristan
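
The combination rule discussed in this message (EXEC and BULK grant nothing on their own and must be held together with READ and/or WRITE), as an added example that is not part of the original post and not Infinispan's API. The `Permission` enum, the operation-to-permission mapping and the role sets are assumptions made for illustration.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

// Hypothetical model of the permissions named in the thread; not Infinispan's API.
public class PermissionDemo {
    enum Permission { READ, WRITE, EXEC, BULK }

    // Assumed mapping: every listed permission must be held for the operation.
    static final Map<String, Set<Permission>> REQUIRED = Map.of(
        "get",    EnumSet.of(Permission.READ),
        "put",    EnumSet.of(Permission.WRITE),
        "keySet", EnumSet.of(Permission.BULK, Permission.READ),
        "putAll", EnumSet.of(Permission.BULK, Permission.WRITE));

    static boolean allowed(Set<Permission> held, String op) {
        Set<Permission> needed = REQUIRED.get(op);
        // Unknown operations are denied rather than allowed by default.
        return needed != null && held.containsAll(needed);
    }

    // Launching a distributed task needs EXEC, plus the permissions of
    // every cache operation the task performs.
    static boolean mayRunTask(Set<Permission> held, String... taskOps) {
        if (!held.contains(Permission.EXEC)) {
            return false;
        }
        for (String op : taskOps) {
            if (!allowed(held, op)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample roles.
        Set<Permission> execOnly = EnumSet.of(Permission.EXEC);
        Set<Permission> reader = EnumSet.of(Permission.READ);
        Set<Permission> bulkOnly = EnumSet.of(Permission.BULK);
        Set<Permission> analyst = EnumSet.of(Permission.EXEC, Permission.READ, Permission.BULK);

        System.out.println("reader keySet: " + allowed(reader, "keySet"));
        System.out.println("bulkOnly keySet: " + allowed(bulkOnly, "keySet"));
        System.out.println("execOnly task(get): " + mayRunTask(execOnly, "get"));
        System.out.println("analyst task(keySet): " + mayRunTask(analyst, "keySet"));
        System.out.println("analyst task(putAll): " + mayRunTask(analyst, "putAll"));
    }
}
```

Only the analyst's `keySet` task is permitted; every other check is denied because one of the required permissions is missing. `Map.of` requires Java 9 or later.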

