
Side by Side Diff: scheduler/appengine/acl/acl.go

Issue 2993793003: [scheduler]: ACLs phase 3 - require ACLs specs for each Job/Trigger. (Closed)
Patch Set: Updated patchset dependency Created 3 years, 4 months ago
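--- a/scheduler/appengine/acl/acl.go
+++ b/scheduler/appengine/acl/acl.go
@@ -1,10 +1,10 @@
 // Copyright 2017 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ -34,27 +34,20 @@
 type GrantsByRole struct {
 	Owners []string `gae:",noindex"`
 	Readers []string `gae:",noindex"`
 }
 
 func (g *GrantsByRole) IsOwner(c context.Context) (bool, error) {
 	return hasGrant(c, g.Owners, groupsAdministrators)
 }
 
 func (g *GrantsByRole) IsReader(c context.Context) (bool, error) {
-	if len(g.Readers) == 0 && len(g.Owners) == 0 {
-		// This is here for backwards compatiblity before ACLs were intr oduced.
-		// If Job doesn't specify READERs nor OWNERS explicitely, everyb ody can read.
-		// TODO(tAndrii): remove once every Job/Trigger has ACLs specifi ed.
-		logging.Warningf(c, "Granting READ rights to all because no ACLs specified")
-		return true, nil
-	}
 	return hasGrant(c, g.Owners, g.Readers, groupsAdministrators)
 }
 
 func (g *GrantsByRole) Equal(o *GrantsByRole) bool {
 	eqSlice := func(a, b []string) bool {
 		if len(a) != len(b) {
 			return false
 		}
 		for i := range a {
 			if a[i] != b[i] {
@@ -101,20 +94,26 @@
 		grantsList, exists := pSets[set]
 		if !exists {
 			return nil, fmt.Errorf("referencing AclSet '%s' which do esn't exist", set)
 		}
 		grantsLists = append(grantsLists, grantsList)
 	}
 	mg := mergeGrants(grantsLists...)
 	if n := len(mg.Owners) + len(mg.Readers); n > maxGrantsPerJob {
 		return nil, fmt.Errorf("Job or Trigger can have at most %d acls, but %d given", maxGrantsPerJob, n)
 	}
+	if len(mg.Owners) == 0 {
+		return nil, fmt.Errorf("Job or Trigger must have OWNER acl set")
+	}
+	if len(mg.Readers) == 0 {
+		return nil, fmt.Errorf("Job or Trigger must have READER acl set" )
+	}
 	return mg, nil
 }
 
 ////////////////////////////////////////////////////////////////////////////////
 
 var (
 	// aclSetNameRe is used to validate AclSet Name field.
 	aclSetNameRe = regexp.MustCompile(`^[0-9A-Za-z_\-\.]{1,100}$`)
 	// maxGrantsPerJob is how many different grants are specified for a job.
 	maxGrantsPerJob = 32
@@ -189,10 +188,10 @@
 			}
 		}
 	}
 	if isMember, err := auth.IsMember(c, groups...); err != nil {
 		return false, transient.Tag.Apply(err)
 	} else {
 		logging.Debugf(c, "Result of group membership of %s in %s: %t", currentIdentity, groups, isMember)
 		return isMember, nil
 	}
 }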
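Review bot: The new OWNER/READER requirement (new lines 104-109) is enforced only when a config is validated and merged, while the deletion of the everybody-can-read fallback in IsReader (old lines 44-50) changes runtime behavior for any GrantsByRole already persisted with empty Owners and Readers: hasGrant is now called with two empty grant lists, so such entities presumably become readable only through groupsAdministrators. That is the safe, fail-closed direction, but it is worth confirming before deploy that every stored Job/Trigger has been re-validated under the new rule, and recording the intent above the check: `// Empty Owners/Readers are rejected here; entities stored before this rule fail closed in IsReader (only groupsAdministrators can pass hasGrant).` Minor: neither new message formats anything, so `errors.New("Job or Trigger must have OWNER acl set")` is the idiomatic form, though keeping the neighbouring capitalized message style is reasonable. The enclosing validation function starts outside this hunk, so its signature and the source of pSets are not visible here.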
