hub / github.com/dgraph-io/dgraph / Update

Method Update

worker/acl_cache.go:59–154
(ns uint64, groups []acl.Group)

Source from the content-addressed store, hash-verified

func (cache *AclCache) Update(ns uint64, groups []acl.Group) {
	// In dgraph, acl rules are divided by groups, e.g.
	// the dev group has the following blob representing its ACL rules
	// [friend, 4], [name, 7] where friend and name are predicates.
	// However in the AclCachePtr in memory, we need to change the structure and store
	// the information in two formats for efficient look-ups.
	//
	// First in which ACL rules are divided by predicates, e.g.
	// friend ->
	//     dev -> 4
	//     sre -> 6
	// name ->
	//     dev -> 7
	// the reason is that we want to efficiently determine if any ACL rule has been defined
	// for a given predicate, and allow the operation if none is defined, per the fail open
	// approach
	//
	// Second in which ACL rules are divided by users, e.g.
	// user-alice ->
	//     friend -> 4
	//     name -> 6
	// user-bob ->
	//     friend -> 7
	// the reason is so that we can efficiently determine a list of predicates (allowedPreds)
	// to which a user has access for their queries

	// predPerms is the map, described above in First, that maps a single
	// predicate to a submap, and the submap maps a group to a permission

	// userPredPerms is the map, described above in Second, that maps a single
	// user to a submap, and the submap maps a predicate to a permission

	predPerms := make(map[string]map[string]int32)
	userPredPerms := make(map[string]map[string]int32)
	for _, group := range groups {
		acls := group.Rules
		users := group.Users

		for _, acl := range acls {
			if len(acl.Predicate) > 0 {
				aclPred := x.NamespaceAttr(ns, acl.Predicate)
				if groupPerms, found := predPerms[aclPred]; found {
					groupPerms[group.GroupID] = acl.Perm
				} else {
					groupPerms := make(map[string]int32)
					groupPerms[group.GroupID] = acl.Perm
					predPerms[aclPred] = groupPerms
				}
			}
		}

		for _, user := range users {
			if _, found := userPredPerms[user.UserID]; !found {
				userPredPerms[user.UserID] = make(map[string]int32)
			}
			// For each user we store all the permissions available to that user
			// via different groups. Therefore we take OR if the user already has
			// a permission for a predicate
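
The two indexes described in the comments and the fail-open lookup they enable, as an added Go example that is not dgraph's own code. `Rule`, `Group`, `BuildIndexes`, `Allowed` and `sampleGroups` are hypothetical names; namespace prefixing, the empty-predicate check and cache locking are left out, and permission values are treated as opaque bit masks.

```go
package main
import "fmt"

// Rule and Group are simplified stand-ins (assumptions) for the acl.Group fields read above.
type Rule struct {
	Predicate string
	Perm      int32
}
type Group struct {
	GroupID string
	Users   []string
	Rules   []Rule
}

// BuildIndexes returns predicate->group->perm and user->predicate->perm; a user's
// permissions from several groups are OR-ed together.
func BuildIndexes(groups []Group) (predPerms, userPredPerms map[string]map[string]int32) {
	predPerms, userPredPerms = map[string]map[string]int32{}, map[string]map[string]int32{}
	for _, g := range groups {
		for _, r := range g.Rules {
			if predPerms[r.Predicate] == nil {
				predPerms[r.Predicate] = map[string]int32{}
			}
			predPerms[r.Predicate][g.GroupID] = r.Perm
			for _, u := range g.Users {
				if userPredPerms[u] == nil {
					userPredPerms[u] = map[string]int32{}
				}
				userPredPerms[u][r.Predicate] |= r.Perm
			}
		}
	}
	return predPerms, userPredPerms
}

// Allowed is a hypothetical check: fail open when no group has a rule for pred,
// otherwise require every bit of want in the user's OR-ed mask.
func Allowed(predPerms, userPredPerms map[string]map[string]int32, user, pred string, want int32) bool {
	if _, hasRule := predPerms[pred]; !hasRule {
		return true
	}
	return userPredPerms[user][pred]&want == want
}
// sampleGroups is constructed data reusing the masks from the comment (4, 6, 7).
var sampleGroups = []Group{
	{"dev", []string{"alice", "bob"}, []Rule{{"friend", 4}, {"name", 7}}},
	{"sre", []string{"alice"}, []Rule{{"friend", 6}}},
}
func main() {
	pp, up := BuildIndexes(sampleGroups)
	fmt.Println(up["alice"]["friend"], Allowed(pp, up, "bob", "friend", 2), Allowed(pp, up, "carol", "age", 2))
}
```

Because the lookup fails open, a predicate that appears in no group's rules is permitted for every user, including one who belongs to no group; listing predicates that have no entry in the first index is the corresponding audit.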

Callers 14

TestAclCache · Function · 0.45
Map · Method · 0.45
TestGetScalarList · Function · 0.45
TestMultipleTxnListCount · Function · 0.45
TestScalarPredicateCount · Function · 0.45
TestSingleUidReplacement · Function · 0.45
TestSingleString · Function · 0.45
TestLangExact · Function · 0.45
commitTransaction · Function · 0.45

Calls 4

NamespaceAttr · Function · 0.92
ParseNamespace · Function · 0.92
Lock · Method · 0.45
Unlock · Method · 0.45

Tested by 11

TestAclCache · Function · 0.36
TestGetScalarList · Function · 0.36
TestMultipleTxnListCount · Function · 0.36
TestScalarPredicateCount · Function · 0.36
TestSingleUidReplacement · Function · 0.36
TestSingleString · Function · 0.36
TestLangExact · Function · 0.36
commitTransaction · Function · 0.36