You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@openwhisk.apache.org by "style95 (via GitHub)" <gi...@apache.org> on 2023/05/20 21:40:56 UTC

[GitHub] [openwhisk] style95 commented on a diff in pull request #4058: Add protect feature to avoid update or delete actions by mistake

style95 commented on code in PR #4058:
URL: https://github.com/apache/openwhisk/pull/4058#discussion_r1199663383


##########
common/scala/src/main/scala/org/apache/openwhisk/core/entity/WhiskAction.scala:
##########
@@ -351,6 +361,49 @@ object WhiskAction extends DocumentFactory[WhiskAction] with WhiskEntityQueries[
   val execFieldName = "exec"
   val requireWhiskAuthHeader = "x-require-whisk-auth"
 
+  // annotation permission key name
+  val permissionsFieldName = "permissions"
+
+  val defaultPermissions = "rwxr-x"
+
+  // notes on users, just have 2 type users,
+  // 1. the action's owner
+  // 2. the user (not the owner) who used the shared action directly(e.g. get, invoke), we call it "the shared user"
+  //
+  // Notes on permission control
+  // 1. the owner has read(or download) permission on any situation, but for the shared user,
+  //    in spite of has read permission on any situation, but can set it undownloadable or downloadable
+  // 2. the shared user can't update/delete the action on any situation.
+  // 3. the owner's permission can affect the shared user's permission, e.g
+  //    if the owner is not given execute permission, the shared user can't have execute permission as well.
+  //
+  // Notes on permission values, include below permission value
+  //  1. permission code:rwxr-x: owner:read(yes)/write(yes)/execute(yes)|the shared action's user:download(yes)/write(no)/execute(yes), this is default
+  //  2. permission code:rwxr--: owner:read(yes)/write(yes)/execute(yes)|the shared action's user:download(yes)/write(no)/execute(no)
+  //  3. permission code:r-xr-x: owner:read(yes)/write(no)/execute(yes)|the shared action's user:download(yes)/write(no)/execute(yes)
+  //  4. permission code:r-xr--: owner:read(yes)/write(no)/execute(yes)|the shared action's user:download(yes)/write(no)/execute(no)
+  //  5. permission code:r--r--: owner:read(yes)/write(no)/execute(no)|the shared action's user:download(yes)/write(no)/execute(no)
+  //  6. permission code:rw-r--: owner:read(yes)/write(yes)/execute(no)|the shared action's user:download(yes)/write(no)/execute(no)
+  //  7. permission code:rwx--x: owner:read(yes)/write(yes)/execute(yes)|the shared action's user:download(no)/write(no)/execute(yes)
+  //  8. permission code:rwx---: owner:read(yes)/write(yes)/execute(yes)|the shared action's user:download(no)/write(no)/execute(no)
+  //  9. permission code:r-x--x: owner:read(yes)/write(no)/execute(yes)|the shared action's user:download(no)/write(no)/execute(yes)
+  // 10. permission code:r-x---: owner:read(yes)/write(no)/execute(yes)|the shared action's user:download(no)/write(no)/execute(no)
+  // 11. permission code:r-----: owner:read(yes)/write(no)/execute(no)|the shared action's user:download(no)/write(no)/execute(no)
+  // 12. permission code:rw----: owner:read(yes)/write(yes)/execute(no)|the shared action's user:download(no)/write(no)/execute(no)
+  val permissionList = List(
+    defaultPermissions,
+    "rwxr--",
+    "r-xr-x",
+    "r-xr--",
+    "r--r--",

Review Comment:
   So even if a owner doesn't have any permission, he can still update the permission annotations?



##########
common/scala/src/main/scala/org/apache/openwhisk/core/entity/WhiskAction.scala:
##########
@@ -351,6 +361,49 @@ object WhiskAction extends DocumentFactory[WhiskAction] with WhiskEntityQueries[
   val execFieldName = "exec"
   val requireWhiskAuthHeader = "x-require-whisk-auth"
 
+  // annotation permission key name
+  val permissionsFieldName = "permissions"
+
+  val defaultPermissions = "rwxr-x"
+
+  // notes on users, just have 2 type users,
+  // 1. the action's owner
+  // 2. the user (not the owner) who used the shared action directly(e.g. get, invoke), we call it "the shared user"
+  //
+  // Notes on permission control
+  // 1. the owner has read(or download) permission on any situation, but for the shared user,
+  //    in spite of has read permission on any situation, but can set it undownloadable or downloadable
+  // 2. the shared user can't update/delete the action on any situation.
+  // 3. the owner's permission can affect the shared user's permission, e.g
+  //    if the owner is not given execute permission, the shared user can't have execute permission as well.
+  //
+  // Notes on permission values, include below permission value
+  //  1. permission code:rwxr-x: owner:read(yes)/write(yes)/execute(yes)|the shared action's user:download(yes)/write(no)/execute(yes), this is default
+  //  2. permission code:rwxr--: owner:read(yes)/write(yes)/execute(yes)|the shared action's user:download(yes)/write(no)/execute(no)
+  //  3. permission code:r-xr-x: owner:read(yes)/write(no)/execute(yes)|the shared action's user:download(yes)/write(no)/execute(yes)
+  //  4. permission code:r-xr--: owner:read(yes)/write(no)/execute(yes)|the shared action's user:download(yes)/write(no)/execute(no)
+  //  5. permission code:r--r--: owner:read(yes)/write(no)/execute(no)|the shared action's user:download(yes)/write(no)/execute(no)
+  //  6. permission code:rw-r--: owner:read(yes)/write(yes)/execute(no)|the shared action's user:download(yes)/write(no)/execute(no)
+  //  7. permission code:rwx--x: owner:read(yes)/write(yes)/execute(yes)|the shared action's user:download(no)/write(no)/execute(yes)
+  //  8. permission code:rwx---: owner:read(yes)/write(yes)/execute(yes)|the shared action's user:download(no)/write(no)/execute(no)
+  //  9. permission code:r-x--x: owner:read(yes)/write(no)/execute(yes)|the shared action's user:download(no)/write(no)/execute(yes)
+  // 10. permission code:r-x---: owner:read(yes)/write(no)/execute(yes)|the shared action's user:download(no)/write(no)/execute(no)
+  // 11. permission code:r-----: owner:read(yes)/write(no)/execute(no)|the shared action's user:download(no)/write(no)/execute(no)
+  // 12. permission code:rw----: owner:read(yes)/write(yes)/execute(no)|the shared action's user:download(no)/write(no)/execute(no)
+  val permissionList = List(
+    defaultPermissions,
+    "rwxr--",
+    "r-xr-x",
+    "r-xr--",
+    "r--r--",

Review Comment:
   So even if an owner doesn't have any permission, he can still update the permission annotations?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@openwhisk.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org