Posted to user@ranger.apache.org by Elliot West <te...@gmail.com> on 2020/09/16 18:31:50 UTC

Resource definitions in service configuration JSON

Hello,

I'm trying to figure out how to implement a service configuration for a
complex custom resource hierarchy and have been peeking into the definition
for Hive for inspiration as this has a similar hierarchy
(database/table/column). I'm curious to know how the 'mandatory' and
'isValidLeaf' attributes are interpreted in the policy engine.

My first assumption was that 'mandatory' might be used for resource types
that may not always be present in particular classes of access request. In
Hive for example, if I wish to drop a table, I would not expect the access
request to describe a column name. However, I see this is not how the Hive
service is implemented - column is mandatory.

I'm also guessing that isValidLeaf=false would be used to denote a resource
attribute that does not in and of itself point to a resource, but is merely a
coordinate to such a resource?

Can anyone provide any insights as I fear I'm likely on the wrong track.

Many thanks,

Elliot.

Re: Resource definitions in service configuration JSON

Posted by Elliot West <te...@gmail.com>.
Thank you, that is helpful indeed. I have some additional questions but
I'll put them in another thread.

On Wed, 16 Sep 2020 at 21:22, Abhay Kulkarni <ab...@apache.org> wrote:

> Hello,
>
> 'mandatory' should be set to 'true' for all resources. It is used in some
> validations, however, in general, its semantics has changed over time and
> is not consistently enforced. This is how resources are specified in all
> existing service-definitions.
>
> If 'isValidLeaf' is set to true (default is false) for a resource which
> has children (that is, there is some resource whose 'parent' value points
> to it), then it defines a valid resource hierarchy with this resource being
> the leaf.
>
> If A->B->C is a resource structure, where A is B's parent and B is C's
> parent, and B is marked with 'isValidLeaf' set to true, then [A, B] also
> defines a valid and complete resource hierarchy (in addition to resource
> hierarchy [A,B,C]).
>
> For a leaf resource, you may specify an attribute 'accessTypeRestrictions'
> whose value is typically a subset of accessTypes which are valid for it.
>
> Hope this helps!
>
> -Abhay
>
> On Wed, Sep 16, 2020 at 11:32 AM Elliot West <te...@gmail.com> wrote:
>
>> Hello,
>>
>> I'm trying to figure out how to implement a service configuration for a
>> complex custom resource hierarchy and have been peeking into the definition
>> for Hive for inspiration as this has a similar hierarchy
>> (database/table/column). I'm curious to know how the 'mandatory' and
>> 'isValidLeaf' attributes are interpreted in the policy engine.
>>
>> My first assumption was that 'mandatory' might be used for resource types
>> that may not always be present in particular classes of access request. In
>> Hive for example, if I wish to drop a table, I would not expect the access
>> request to describe a column name. However, I see this is not how the Hive
>> service is implemented - column is mandatory.
>>
>> I'm also guessing that isValidLeaf=false would be used to denote a
>> resource attribute that does not in and of itself point to a resource, but is
>> merely a coordinate to such a resource?
>>
>> Can anyone provide any insights as I fear I'm likely on the wrong track.
>>
>> Many thanks,
>>
>> Elliot.
>>
>

Re: Resource definitions in service configuration JSON

Posted by Abhay Kulkarni <ab...@apache.org>.
Hello,

'mandatory' should be set to 'true' for all resources. It is used in some
validations, however, in general, its semantics has changed over time and
is not consistently enforced. This is how resources are specified in all
existing service-definitions.

If 'isValidLeaf' is set to true (default is false) for a resource which has
children (that is, there is some resource whose 'parent' value points to
it), then it defines a valid resource hierarchy with this resource being
the leaf.

If A->B->C is a resource structure, where A is B's parent and B is C's
parent, and B is marked with 'isValidLeaf' set to true, then [A, B] also
defines a valid and complete resource hierarchy (in addition to resource
hierarchy [A,B,C]).

For a leaf resource, you may specify an attribute 'accessTypeRestrictions'
whose value is typically a subset of accessTypes which are valid for it.

Hope this helps!

-Abhay

On Wed, Sep 16, 2020 at 11:32 AM Elliot West <te...@gmail.com> wrote:

> Hello,
>
> I'm trying to figure out how to implement a service configuration for a
> complex custom resource hierarchy and have been peeking into the definition
> for Hive for inspiration as this has a similar hierarchy
> (database/table/column). I'm curious to know how the 'mandatory' and
> 'isValidLeaf' attributes are interpreted in the policy engine.
>
> My first assumption was that 'mandatory' might be used for resource types
> that may not always be present in particular classes of access request. In
> Hive for example, if I wish to drop a table, I would not expect the access
> request to describe a column name. However, I see this is not how the Hive
> service is implemented - column is mandatory.
>
> I'm also guessing that isValidLeaf=false would be used to denote a
> resource attribute that does not in and of itself point to a resource, but is
> merely a coordinate to such a resource?
>
> Can anyone provide any insights as I fear I'm likely on the wrong track.
>
> Many thanks,
>
> Elliot.
>
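
The 'parent' / 'isValidLeaf' / 'accessTypeRestrictions' rules described in the reply above, modelled as an added example (not part of the thread and not Ranger's own code). The service-definition fragment is constructed, `check_request` is a hypothetical helper, and treating a childless resource as an implicit leaf is an assumption taken from the A->B->C example.

```python
import json

# Constructed service-definition fragment for illustration; not Hive's real definition.
SERVICE_DEF = json.loads("""
{"accessTypes": [{"name": "select"}, {"name": "update"}, {"name": "drop"}],
 "resources": [
  {"name": "database", "mandatory": true},
  {"name": "table", "parent": "database", "mandatory": true, "isValidLeaf": true,
   "accessTypeRestrictions": ["select", "update", "drop"]},
  {"name": "column", "parent": "table", "mandatory": true,
   "accessTypeRestrictions": ["select", "update"]}]}
""")

def valid_hierarchies(service_def):
    """Map each valid hierarchy (resource names, root first) to its leaf's access types."""
    resources = {r["name"]: r for r in service_def["resources"]}
    parents = {r["parent"] for r in resources.values() if r.get("parent")}
    all_access = [a["name"] for a in service_def["accessTypes"]]
    result = {}
    for name, res in resources.items():
        # A resource with children ends a hierarchy only when isValidLeaf is true
        # (default false). Assumption: a childless resource always ends one.
        if name in parents and not res.get("isValidLeaf", False):
            continue
        path, node = [], name
        while node is not None:
            if node not in resources or node in path:
                raise ValueError(f"bad 'parent' chain at {node!r}")
            path.append(node)
            node = resources[node].get("parent")
        result[tuple(reversed(path))] = res.get("accessTypeRestrictions") or all_access
    return result

def check_request(service_def, resource_keys, access_type):
    """Hypothetical helper: does a request's resource key set plus access type fit?"""
    for hierarchy, allowed in valid_hierarchies(service_def).items():
        if set(hierarchy) == set(resource_keys):
            return access_type in allowed
    return False  # keys do not form a complete hierarchy, e.g. database alone

if __name__ == "__main__":
    for hierarchy, allowed in valid_hierarchies(SERVICE_DEF).items():
        print(" -> ".join(hierarchy), allowed)
    print(check_request(SERVICE_DEF, {"database", "table"}, "drop"))
```

Running this over a custom definition before deploying it shows which resource combinations policies can actually be written against and which access types each leaf accepts.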