Class AclHelper

java.lang.Object
com.illumon.iris.db.v2.permissions.AclHelper

public final class AclHelper extends Object
This purely static class centralizes the logic around table row/column ACL application.
  • Constructor Details

    • AclHelper

      public AclHelper()
  • Method Details

    • applyUserPermissions

      public static Table applyUserPermissions(@NotNull Database database, String namespace, String tableName, @NotNull Table table, boolean refreshing, @NotNull PermissionFilterProvider permissionFilterProvider)
      Apply system-level table ACLs (both row and column based) to the specified table.
      Parameters:
      database - the database for the table
      namespace - the namespace of the table
      tableName - the name of the table
      table - the table to apply ACLs to
      refreshing - if the table is refreshing
      permissionFilterProvider - a permission filter provider for the system's configured ACL store
      Returns:
      the input table with ACLs applied
      Throws:
      TableAccessException - if the table may not be accessed.
    • hasTableAcls

      public static boolean hasTableAcls(@NotNull Table table)
      Check if the specified table has ACLs at the table level.
      Parameters:
      table - the table to check for ACLs
      Returns:
      true if the table has ACLs
    • applyAcls

      public static Table applyAcls(@Nullable io.deephaven.enterprise.auth.UserContext userContext, @NotNull Table table, String name, @NotNull IrisGroupProvider groupProvider, @NotNull String owner, @NotNull Supplier<String[]> adminGroupSupplier) throws TableAccessException
      Apply both Row and Column ACLs to the specified table.
      Parameters:
      userContext - the user trying to access the table
      table - the table
      name - the name of the table (if any)
      groupProvider - the source of group information
      owner - the owner of the source
      adminGroupSupplier - a supplier to find admin groups
      Returns:
      the table with ACLs applied, or the original table if there were no ACLs.
      Throws:
      TableAccessException - if the user may not access the table.
    • checkAccess

      public static FilterGenerator.AccessType checkAccess(@NotNull PermissionFilterProvider pfp, @NotNull Database db, @NotNull io.deephaven.enterprise.auth.UserContext userContext, @NotNull String namespace, @NotNull String tableName)
      Check if the user associated with this PermissionFilterProvider can access the specified table.
      Parameters:
      pfp - the PermissionFilterProvider to use for accessing ACL information
      db - the database object
      userContext - the user to check access for
      namespace - the namespace
      tableName - the name of the table
      Returns:
      the FilterGenerator.AccessType the user has for the specified table
    • checkAccess

      public static FilterGenerator.AccessType checkAccess(@NotNull PermissionFilterProvider pfp, @NotNull Collection<FilterGenerator> generators, @NotNull Database db, @NotNull io.deephaven.enterprise.auth.UserContext userContext, @NotNull String namespace, @NotNull String tableName, boolean isDisjunctive)
      Check if the user associated with this PermissionFilterProvider can access the specified table.
      Parameters:
      db - the database object
      namespace - the namespace
      tableName - the name of the table
      Returns:
      the FilterGenerator.AccessType the user has for the specified table
    • generateFilterSetForACL

      public static Collection<SelectFilter> generateFilterSetForACL(@NotNull PermissionFilterProvider provider, @NotNull Database database, String namespace, String tableName, @NotNull String acl, @NotNull io.deephaven.enterprise.auth.UserContext effectiveUserContext)
      Generate the collection of filters for the specified ACL string.
      Parameters:
      provider - the PermissionFilterProvider to use
      database - the Database object for generation
      namespace - the namespace of the table
      tableName - the name of the table
      acl - the ACL string
      effectiveUserContext - the user ACLs are being generated for
      Returns:
      a collection of SelectFilters representing the ACL filter for the specified user and ACL string.
    • getColumnACLsForTable

      public static ColumnACLDefinition getColumnACLsForTable(@NotNull Database database, String namespace, String tableName, @NotNull String[] columnNames, boolean isRefreshing, @NotNull Map<String,List<com.fishlib.base.Pair<String,String>>> rawAcls, @NotNull io.deephaven.enterprise.auth.UserContext userContext, @NotNull PermissionFilterProvider provider)
    • createGroupToColumnToAclMap

      @NotNull public static Map<String,Map<String,Collection<String>>> createGroupToColumnToAclMap(String namespace, String tableName, Map<String,List<com.fishlib.base.Pair<String,String>>> rawAcls)
    • makeColumnACLs

      public static <ACL_DEF, FILTER, RESULT> RESULT makeColumnACLs(@NotNull Map<String,Map<String,Collection<ACL_DEF>>> aclsByGroupAndColumn, @NotNull Database database, @NotNull PermissionFilterProvider provider, @NotNull io.deephaven.enterprise.auth.UserContext context, @Nullable String namespace, @Nullable String tableName, @NotNull String[] columnNames, boolean refreshing, @NotNull AclHelper.FilterFactory<FILTER,ACL_DEF> filterFactory, @NotNull BiFunction<Map<String,io.deephaven.shadow.fastutil.it.unimi.dsi.fastutil.ints.IntSet>,List<FILTER[]>,RESULT> resultFactory)
      Create a ColumnACLDefinition from a set of ACLs grouped by group and then by column. Users must provide a method to filter out undesired groups, as well as a method to convert the input filter generator representation into an actual FilterGenerator.
      Parameters:
      aclsByGroupAndColumn - The ACLs grouped by group then column.
      database - the database
      provider - the permission provider
      context - the user to get ACLs for
      namespace - the namespace of the table
      tableName - the name of the table
      columnNames - the column names to locate ACLs for
      refreshing - if the table is refreshing
      Returns:
      a completed ColumnACLDefinition