On 11/25/2013 04:11 PM, Pedro Ruivo wrote:
I was questioning about having EXEC without any other permission... What
a user/role can do only with EXEC?
Nothing. You need EXEC to be able to launch a distexec/mapreduce, and
then you need whichever extra perms you need on top of that.
Since we have a BULK permission (that it is a READ) why not split the
WRITE? like MODIFY(put* replace*), DELETE(remove*) and CLEAR(clear)?
> BULK is also for WRITEs (putAll ?).
good point. So, I don't see the goal of BULK permission. why don't allow
the user/role to invoke the keySet/etc... if he has READ permission and
the same thing for the WRITE permission?
Because a bulk operation (potentially) requires far more resources. The
reasoning is the same as above: BULK needs to be combined with READ
and/or WRITE to be useful.
BTW, one question: are we going to support to store keys under different
permissions? Like some keys are private to a user and he is the only one
that can read and write over it, other keys are public and everybody can
access it (like a filesystem permissions: permission for the user, role
and others)
Not explicitly. That falls in the scope of what the custom security
interceptor should do. While the idea of fs-like permissions with owner,
group, etc sounds cool, I'd leave that as a user implementation detail.
We just provide the hooks.
Tristan