deephaven.plugin_authorization¶
Authorization helpers for Deephaven Python plugins.
A server-side plugin (an ObjectType) may hand server objects (tables, etc.) to a client by passing them as
references to MessageStream.on_data. By default those references are exported as-is. Plugins that want to apply the
server’s authorization rules themselves can call transform() on each object before exporting it; this applies the
same transform the server uses when resolving tickets, in the current user’s context.
A plugin that performs its own transformation this way should also declare authorization_export_behavior = "manual"
on its ObjectType so that the server does not additionally transform the references (which would double-apply ACLs).
Notes
transform()consults the authorization context that is active when it is called. Call it on the thread that is rendering for the intended user (for example, inside adeephaven.ui@ui.component), so that the object is transformed in the authentication context of the request rather than a context with distinct permissions.The transform may produce a new derived object (e.g. an ACL-filtered table). Call it within a liveness scope that remains open until the object is exported.
In Deephaven Community the transform is the identity, so calling
transform()is always safe; it only changes behavior under an authorization provider that implements transformations.
- transform(obj)[source]¶
Apply the server’s authorization transform to
objfor the current user’s context.- Parameters:
obj (Any) – the object to transform (typically a table or other exportable object).
Noneis returned unchanged.- Return type:
Any- Returns:
the transformed object (which may be the same object, or a derived/filtered one), or
Noneif the current user is not permitted to accessobj.- Raises:
RuntimeError – if the authorization transformer has not been initialized (i.e. this is not running inside a Deephaven server that registered its Python plugins).