| 57 | } |
| 58 | |
| 59 | func (cache *AclCache) Update(ns uint64, groups []acl.Group) { |
| 60 | // In dgraph, acl rules are divided by groups, e.g. |
| 61 | // the dev group has the following blob representing its ACL rules |
| 62 | // [friend, 4], [name, 7] where friend and name are predicates, |
| 63 | // However in the AclCachePtr in memory, we need to change the structure and store |
| 64 | // the information in two formats for efficient look-ups. |
| 65 | // |
| 66 | // First in which ACL rules are divided by predicates, e.g. |
| 67 | // friend -> |
| 68 | // dev -> 4 |
| 69 | // sre -> 6 |
| 70 | // name -> |
| 71 | // dev -> 7 |
| 72 | // the reason is that we want to efficiently determine if any ACL rule has been defined |
| 73 | // for a given predicate, and allow the operation if none is defined, per the fail open |
| 74 | // approach |
| 75 | // |
| 76 | // Second in which ACL rules are divided by users, e.g. |
| 77 | // user-alice -> |
| 78 | // friend -> 4 |
| 79 | // name -> 6 |
| 80 | // user-bob -> |
| 81 | // friend -> 7 |
| 82 | // the reason is so that we can efficiently determine a list of predicates (allowedPreds) |
| 83 | // to which user has access for their queries |
| 84 | |
| 85 | // predPerms is the map, described above in First, that maps a single |
| 86 | // predicate to a submap, and the submap maps a group to a permission |
| 87 | |
| 88 | // userPredPerms is the map, described above in Second, that maps a single |
| 89 | // user to a submap, and the submap maps a predicate to a permission |
| 90 | |
| 91 | predPerms := make(map[string]map[string]int32) |
| 92 | userPredPerms := make(map[string]map[string]int32) |
| 93 | for _, group := range groups { |
| 94 | acls := group.Rules |
| 95 | users := group.Users |
| 96 | |
| 97 | for _, acl := range acls { |
| 98 | if len(acl.Predicate) > 0 { |
| 99 | aclPred := x.NamespaceAttr(ns, acl.Predicate) |
| 100 | if groupPerms, found := predPerms[aclPred]; found { |
| 101 | groupPerms[group.GroupID] = acl.Perm |
| 102 | } else { |
| 103 | groupPerms := make(map[string]int32) |
| 104 | groupPerms[group.GroupID] = acl.Perm |
| 105 | predPerms[aclPred] = groupPerms |
| 106 | } |
| 107 | } |
| 108 | } |
| 109 | |
| 110 | for _, user := range users { |
| 111 | if _, found := userPredPerms[user.UserID]; !found { |
| 112 | userPredPerms[user.UserID] = make(map[string]int32) |
| 113 | } |
| 114 | // For each user we store all the permissions available to that user |
| 115 | // via different groups. Therefore we take OR if the user already has |
| 116 | // a permission for a predicate |