
Authz consistency fixes #68

Merged
merged 4 commits into from
Oct 30, 2023

Conversation

karlcz
Contributor

@karlcz karlcz commented Oct 26, 2023

No description provided.

These changes make the ACL system more consistent and explainable,
correcting several accumulated flaws:

1. `;metadata` reads allowed by per-version `read` ACL
2. namespace reads allowed by per-namespace `read` ACL
3. `;versions` reads allowed by per-object `read` ACL
4. object or namespace `subtree-read` ACL affects versions below
5. namespace `subtree-read` ACL affects objects below
6. namespace `subtree-read` ACL affects namespaces below

- allow `read` ACL to be stored on namespaces
- fetch read and ancestor subtree-read ACLs for use in namespace logic
- load ancestor subtree-read ACLs for use in object logic
- include object subtree-{read,owner} ACLs in version read authz check

Consider these additional ACLs for read access to ;metadata
- version-specific `read` ACL
- ancestor namespace `subtree-read` ACL
- object-level `subtree-read` ACL

This aligns the ;metadata read access privileges with the
object/object-version GET/HEAD privileges where the same
metadata is returned in response headers already.
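The ACL inheritance rules the commit messages above describe, as an added worked example that is not the project's own code: a small Python model of the namespace / object / version hierarchy in which one `explain_read` check answers GET/HEAD, `;metadata` and `;versions` reads, and reports which ACL granted access (the "explainable" part). Two points are this model's assumptions rather than statements from the PR: a `subtree-*` ACL covers only the nodes strictly below the node it sits on (that node itself needs `read`), and `subtree-owner` is treated like `subtree-read` at every ancestor level, although the PR only names it for the object level. The paths, the `obj:v1` version notation and the principals alice/bob/carol/dave are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set, Tuple

# ACL names taken from the PR text. Treating `subtree-owner` as implying
# `subtree-read` on every ancestor level is an assumption of this model; the PR
# only names it for the object-level check.
SUBTREE_READ_ACLS = ("subtree-read", "subtree-owner")


@dataclass
class Resource:
    """One node of the hierarchy: a namespace, an object, or an object version.

    Paths and the ``obj:v1`` version notation are illustrative only.
    """
    path: str
    kind: str                           # "namespace" | "object" | "version"
    parent: Optional["Resource"] = None
    acls: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, acl: str, *principals: str) -> "Resource":
        self.acls.setdefault(acl, set()).update(principals)
        return self

    def has(self, acl: str, principal: str) -> bool:
        return principal in self.acls.get(acl, set())

    def ancestors(self) -> Iterator["Resource"]:
        """Nearest ancestor first, up to the root namespace."""
        node = self.parent
        while node is not None:
            yield node
            node = node.parent


def explain_read(res: Resource, principal: str) -> Tuple[bool, str]:
    """Decide read access and name the ACL that granted it.

    Rule 1: the resource's own `read` ACL, allowed on versions, objects and
            (after this PR) namespaces alike.
    Rule 2: a subtree ACL on any ancestor covers everything below it
            (namespace -> namespaces, objects and versions; object -> versions).
    Assumption: a subtree ACL does not cover the node it sits on.
    """
    if res.has("read", principal):
        return True, f"read on {res.path}"
    for anc in res.ancestors():
        for acl in SUBTREE_READ_ACLS:
            if anc.has(acl, principal):
                return True, f"{acl} on {anc.path}"
    return False, "no matching ACL"


def authorize(res: Resource, op: str, principal: str) -> Tuple[bool, str]:
    """Route the read-style operations named in the PR to the one read check.

    GET/HEAD on a namespace (listing), object or version, `;metadata` on an
    object or version, and `;versions` on an object all give the same answer
    for the same principal, which is the consistency the PR is after.
    """
    if op in ("GET", "HEAD"):
        return explain_read(res, principal)
    if op == ";metadata" and res.kind in ("object", "version"):
        return explain_read(res, principal)
    if op == ";versions" and res.kind == "object":
        return explain_read(res, principal)
    raise ValueError(f"{op} is not defined on a {res.kind}")


def sample_tree() -> Dict[str, Resource]:
    """Constructed sample hierarchy with one ACL granted per level."""
    root = Resource("/", "namespace")
    ns = Resource("/ns", "namespace", root).grant("subtree-read", "alice")
    sub = Resource("/ns/sub", "namespace", ns).grant("read", "bob")
    obj = Resource("/ns/sub/obj", "object", sub).grant("subtree-owner", "carol")
    v1 = Resource("/ns/sub/obj:v1", "version", obj).grant("read", "dave")
    return {"root": root, "ns": ns, "sub": sub, "obj": obj, "v1": v1}


if __name__ == "__main__":
    t = sample_tree()
    checks = [
        (t["v1"], ";metadata", "dave"),    # per-version read ACL (item 1)
        (t["obj"], ";versions", "dave"),   # a version ACL does not climb upward
        (t["sub"], "GET", "bob"),          # per-namespace read ACL (item 2)
        (t["sub"], "GET", "alice"),        # namespace subtree-read, namespace below (6)
        (t["obj"], ";versions", "alice"),  # namespace subtree-read, object below (5)
        (t["v1"], "GET", "alice"),         # namespace subtree-read, version below (4)
        (t["ns"], "GET", "alice"),         # subtree ACL does not cover its own node
        (t["v1"], ";metadata", "carol"),   # object subtree-owner reaches versions
    ]
    for res, op, who in checks:
        ok, why = authorize(res, op, who)
        print(f"{who:6} {op:10} {res.path:16} -> {'allow' if ok else 'deny':5} ({why})")
```

The useful property to keep when porting such rules into a real service is the last one in `authorize`: `;metadata` on a version and GET/HEAD on that version must be the same decision, otherwise the response headers of one path leak what the other path's ACL check denies.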
@karlcz karlcz self-assigned this Oct 26, 2023
@karlcz karlcz merged commit a7c37c2 into master Oct 30, 2023
1 check passed
@karlcz karlcz deleted the authz_consistency_fixes branch October 30, 2023 19:09