using authorization stacks instead of a list #1525
Conversation
There was a problem hiding this comment.
This file is refactored from the AuthorizationCheck.java class
There was a problem hiding this comment.
Refactored to:
AuthorizationEntity.javaAuthControlFlag.java
There was a problem hiding this comment.
This file is heavily refactored and changed to easily form the test cases for the authorization and to support a test cases for substacks. All important test functions in the previous version have been converted to the array of parameters in the new version.
There was a problem hiding this comment.
This is necessary because the application changes the stack at runtime directly into env and does not have its local copy in the auth. framework.
There was a problem hiding this comment.
there is still a bit of schizophrenia in the naming - role vs. control flag.
There was a problem hiding this comment.
so all should be flag as in pam list?
tulinkry force-pushed the auth-stacks branch 3 times, most recently from a3a5643 to e04b811 Compare | import org.opensolaris.opengrok.configuration.Nameable; | ||
| | ||
| /** | ||
| * |
There was a problem hiding this comment.
should have some description of the purpose
| } | ||
| | ||
| /** | ||
| * Load all authorization checks in this stack. |
There was a problem hiding this comment.
"checks" should probably be replaced with different term.
There was a problem hiding this comment.
project/group - the terminology clashes a bit here
There was a problem hiding this comment.
added a more detailed comment
There was a problem hiding this comment.
does not match the code below + explain the rationale (why this is done)
There was a problem hiding this comment.
changed both code and the comment + added the purpose
There was a problem hiding this comment.
how does the unload/remove work in general w.r.t. incoming requests ? If the Configuration is being reloaded and the authorization stack deconstructed what mechanism is used to ensure that the evaluation of the request waits until the stack is fully loaded ?
There was a problem hiding this comment.
I added a synchronized block over the stack replacement and changed couple of stuff:
- the stack is copied from the configuration (not just the reference)
The reload is made like:
- construct a new copy of the configuration stack
- load plugins into this new copy
- replace the old stack with the new stack in the synchronized block (this should be fast as it's just a reference swap)
- free the old stack
| Other than the partial comments I had this looks good, feel free to merge. |
| Check the new addition, it should be fine by now |
There was a problem hiding this comment.
explained, waiting for the travis to finish
| Ok, merge then. |
2 participants
Plugin stack
This change is to introduce the ability to a plugin stack to be a substack of another plugin stack with similar attributes as the plugins have (1):
The substack can contain an arbitrary number of
The meaning of the three keywords in (1) is not changed and is extended for the entire stacks as well.
There is a default required top level stack for the application with a name "default stack"
Plugin parameters
Another friendliness is that the plugin can now accept an arbitrary parameter included in java
Mapobject. This parameters can be configured in configuration. The parameters can be also used for the entire stack and then it is merged with the plugin specific parameters (the plugin overwrites the conflicts).However note that this is BC break as the
IAuthorizationInterfacehas changed slightly.A configuration example can be this configuration with:
Also note this parts which is how you can set the parameters to the plugin class - property setup which is a
Map.