java.lang.Object
  ARoad0.gBase.BasicImpl
    ARoad0.gBase.ResourceImpl
      ARoad0.gBase.DirectoryImpl
        ARoad0.AcsAddon.Accbee.MySQL.gBase.DirectoryMySQLImpl

public class DirectoryMySQLImpl
This class is responsible for managing the inherited AclEntries of its children, for managing the global rights, and for providing the main documentation for all the ResourceMySQL classes.

The children of a DirectoryMySQLImpl are ResourceMySQL instances, an interface implemented by this class and by ResourceMySQLImpl, ActorMySQLImpl and BasesSetMySQLImpl. This class manages a map of primary inherited AclEntry rights. The final access rights include these primary rights, but only if the user has at least one right on the root 'MySQL server'. Otherwise, the user has no right on the resource. On every child of the root 'MySQL server', a new ACL for a pair (user@host or accounts-for-hosts group) produces a new ACL on the root for the same pair if it does not exist yet. This new root ACL carries the USAGE right, and by default it is not deleted when the initial ACL is deleted. For a new non-conditional ACL for a user, a host or a hosts group, nothing is added on the root. The inverse operation is to delete all the direct ACL of a pair on the root children when the root ACL for this pair is deleted.
In the ACS MySQL, the effective rights of a pair (user, host) on a resource are selected by a two-step algorithm, derived from the MySQL specification, that is described hereinafter.

At the first step of access control, only the ACL on the root 'MySQL server' are involved, to select the first pair (user, host or accounts-for-hosts group) that the user matches. An accounts-for-hosts group contains some accounts, to which it transfers the rights of all its ACL. Its behavior is like a Privilege having the type LINKED_IF_ALL_SOURCES. This pair (user, host or accounts-for-hosts group) is called by MySQL the current user, and it may or may not be the initial pair (user, host). For instance, all the effective rights of the pair (jerry, localhost) may be provided by the current user ('jerry', '%'). The AclEntries on the root 'MySQL server', for this first step of access control, may be:
- conditional user/host ACL on the root 'MySQL server' EXCLUSIVE OR non-conditional 'accounts-for-hosts group' ACL on the root 'MySQL server'.

The ACL list is not totally ordered, since the conditional account ACL are not sorted if the accounts are not 'anonymous'. If a right is granted at this first step (at least the 'USAGE' right), some complementary rights may be added, for the SAME current user, at each parent level from the database down to the direct parent of the resource, as inherited ACL; then other complementary rights may be added from the direct ACL of the resource. At each of these parent levels, and for the resource itself, the FIRST ACL or the FIRST couple of ACL for the current user, if any, in the sorted list of inherited or direct ACL, defines the effective rights at this level for the pair (user, host) on the resource. This is the sense of the 'EXCLUSIVE OR' in each description of the two-step algorithm. This first-selected-single-output rule is also applied within each category of ACL, for instance within the sorted list of the non-conditional 'accounts-for-hosts group' ACL of a resource.
The database and the bases set are both called 'database-specific target', because the bases set AclEntries are copied into the direct ACL list of every database whose name matches the bases set name. This copy is mainly provided by the class BasesSetMySQLImpl. For instance, the bases set named 'on%' matches the database named 'one', and all the 'on%' direct ACL are then copied by BasesSetMySQLImpl into the direct ACL list of the database 'one'. As seen above, if a right is granted at the first step on the root 'MySQL server', some complementary rights may be added from the other levels:

first from the database-specific targets:
- AND ((conditional user/host ACL on a database-specific target EXCLUSIVE OR non-conditional 'accounts-for-hosts group' ACL on a database-specific target) EXCLUSIVE OR (user non-conditional ACL on a database-specific target AND host non-conditional ACL on the database-specific target)),

and secondly, for the SAME current user (user, host or group of hosts), from the rights on all the database children which are parents of the resource, or which are the resource itself:
- AND (conditional user/host ACL on a table EXCLUSIVE OR non-conditional 'accounts-for-hosts group' ACL on this table),
- AND (conditional user/host ACL on a column EXCLUSIVE OR non-conditional 'accounts-for-hosts group' ACL on this column),
- AND (conditional user/host ACL on a routine EXCLUSIVE OR non-conditional 'accounts-for-hosts group' ACL on this routine),
- AND (conditional user/host ACL on a view delegate EXCLUSIVE OR non-conditional 'accounts-for-hosts group' ACL on this view delegate).

Routines are the stored functions and the stored procedures. The rights on a resource may use any direct ACL right on itself, and also any right on any direct or indirect parent. The rights on a database are the most complex: they use the ACL on the root, on the related bases sets and on this database.
Only the first applicable ACL is selected at each parent level (since there is the 'AND' logical operator between all of them), except for the to-be-mixed ACL on the databases. This selection rule explains why the ACL sorting within each ACL list is so important. The only exception is at the database level, when two to-be-mixed ACL are used in the clause (user non-conditional ACL on a database-specific target AND host non-conditional ACL on the database-specific target) to produce the effective rights from the database level. This happens only if the previous ACL at this level do not match, because the ACL sorting puts first the conditional user/host ACL, then the non-conditional 'accounts-for-hosts group' ACL, so that the to-be-mixed ACL are always at the end of the sorted list of a database.

Among the conditional user/host ACL, only one ACL matches a given pair (user, host), so there is no sorting to apply among the hosts in this category of ACL. On the other hand, for several categories of ACL in this description, such as 'non-conditional 'accounts-for-hosts group' ACL on the root 'MySQL server'', two specific ACL sortings are required, so that the first matched ACL is the one taken for the effective rights. For the non-conditional 'accounts-for-hosts group' ACL and the host to-be-mixed ACL, the first sorting is based on the hosts group names, where for instance '192.168.1.%' is selected before '192.168.%' because it is sorted first. For the bases set ACL at the database level, there is another sorting on the bases set names, where for instance 'on%' is selected before '%'. All the ACL sorting for a given parent level is the responsibility of the method BaseUtilityMySQLImpl.addInSortedAclList() and of the related methods in the same class, such as addAclNOTForDatabase(). Detecting which ACL match the current user is the responsibility of the class gWork.NodeRightsMySQLImpl.
To summarize the ResourceMySQL AclEntries, the beamer uses the ResourceImpl property m_inheritedT_ACLRights_ to show the primary rights to the user; they are defined as the rights statements of a given parent level. The map keys mimic the 'user@host' MySQL statements that administrators use to declare the rights. Despite its generic name, this map does not contain only the inherited ACL, but also the direct ACL. The interface ResourceMySQL adds a new map for the global rights on the root 'MySQL server'. The single difference between the keys of the two maps is that the key of the primary rights map is the String form of a Name, while the key of the global rights map is the Name itself. It is the responsibility of DirectoryMySQLImpl to create and edit these two rights maps. The map of global rights is reserved to NodeRightsMySQLImpl, to detect quickly whether a user has no access on the root 'MySQL server'.
There are three flows of data to manage the updating of AclEntries: (1) at the ACL creation/deletion, (2) when the inner rights of an ACL are edited, (3) only for the conditional ACL, at any change of the membership relation between the source and a condition group.

The flow of method calls at the ACL creation is summarized hereinafter. The process is fully under the responsibility of the MySQL AcsAddon, and calls various objects and methods:
- ResourceMySQL.addAclEntry() is the starting entry method, typically called by the beamer,
- BaseUtilityMySQLImpl.setM_PrimaryTargetACLRightsFromDirectACL(), to set both the map of the primary AclEntry rights and the map of the global AclEntry rights,
- if the ResourceMySQL is a BasesSetMySQLImpl, a call to the matched databases to copy the new ACL,
- if the ResourceMySQL is a DirectoryMySQLImpl, ResourceMySQL.addInheritedAclEntry() on all the children, so that the updating of each child is independent; it calls ResourceMySQL.setEorL_TargetInheritedAclEntries(), which calls BaseUtilityMySQLImpl.setM_TargetInheritedACLRights() to set both the map of the primary AclEntry rights and the map of the global AclEntry rights for each child.

The detailed sequence of these calls is given at the method addAclEntry().
To manage the rights editing of an AclEntry among the primary AclEntries, the process is partially managed by the MySQL AcsAddon. At each change of the inner rights, AclEntryImpl calls Directory.resetInheritedAclEntryRightsOfChildren() if its target is a Directory, and this method is overridden in DirectoryMySQL.

The calling sequence is the following:
- DirectoryMySQL calls the overridden resetInheritedAclEntryRightsOfChildren() method, which calls Resource.resetInheritedAclEntryRights() on each child,
- if the DirectoryMySQL is a BasesSetMySQLImpl, it calls Resource.resetInheritedAclEntryRights() on each matched database,
- it calls BaseUtilityMySQLImpl.setM_PrimaryTargetACLRightsFromDirectACL().

The 'InheritedTargetAclEntries' events are bound following specific rules:
- if the inherited AclEntries list changes, then the primary AclEntries map may change, but this is not mandatory for a to-be-mixed ACL,
- the global AclEntries map changes each time the ACL on the root 'MySQL server' change.

The use of the property change event 'InheritedTargetAclEntries' does not strictly comply with the BeanInfoPattern. In the second case, the event is fired to inform the beamer about the primary rights, while the change concerns a direct ACL, not an inherited one. This is because the ACS addon has chosen not to alter the generic handling of a change of rights on a direct ACL, since the addon does not subclass the AclEntryImpl class. On the other hand, a graphic view that contains a ResourceMySQL listens to both the direct ACL and the inherited ACL events. The graphic view therefore receives several events for the same basic change among the rights of an ACL. The timer delay in Gui2.GraphiViewBaseListenerImpl avoids some useless processing when updating the graphic view.
A database is registered in the matched bases sets, which are implemented by BasesSetMySQLImpl. This class implements the following rules, and when the user input does not comply with them, it delivers an error message to the Access Road user with the same sentence:
- A database must have 'BASE ' at the beginning of its name.
- A table must have 'table' at the end of its name.
- MySQL allows conditional ACL only to accounts.
- MySQL allows a conditional ACL only with a simple host as condition group. To set 'tom@%' for instance, create the accounts-for-hosts group 'tom§@%', then create a new non-conditional ACL on this new group.
- MySQL allows conditional ACL only with the account first host as condition group.
- A MySQL bases set allows non-conditional ACL only to accounts, accounts-for-hosts groups, hosts and hosts groups.
Except for EPRViewInBaseImpl, the listeners are outside gBase and they are transient (not serialized in this instance backup). They are called in any order. They may receive a copy of the new value, a null or an empty value. All the exceptions from the listeners are caught, and a dialog box is displayed to inform the user.

This class has no subclass in this package.

See Also: BaseUtilityMySQLImpl, Serialized Form

Field Summary

| Modifier and Type | Field | Description |
|---|---|---|
| static DirectoryMySQLImpl | EMPTY_INSTANCE | A reusable empty instance for initialization, to avoid the use of 'new' for temporary values. |
| protected java.util.Map<ImmutableName,StringRight[]> | m_globalT_ACLRights_ | TreeMap of global AclEntry rights, that are the direct rights statements for the root 'MySQL server'. |
| static java.io.ObjectStreamField[] | serialPersistentFields | Variable for the JDK 2 serialization. |
| private static long | serialVersionUID__ | |
Fields inherited from class ARoad0.gBase.DirectoryImpl: EnforceChildGID_, nodeHandler_

Fields inherited from class ARoad0.gBase.ResourceImpl: actorActivated_, groupID_, l_aclEntry_, l_groupRights_, l_inheritedT_AclEntries_, l_OpenAcsControllerNames_, l_ownerRights_, l_parentTreeAGRightsAllowToGoAcross_, l_rootRights_, m_inheritedT_ACLRights_, parent_, userID_

Fields inherited from class ARoad0.gBase.BasicImpl: aCS_, aCS_Name_, aliasHandler_, changeSupport_, comment_, folderMember_, INCREMENT_CAPACITY, INITIAL_CAPACITY, INITIAL_CAPACITY_2, iS_Name_, m_ConstrainedChildACS_, name_, PRIME, privHandler_, type_
Constructor Summary

| Constructor | Description |
|---|---|
| DirectoryMySQLImpl() | The basic constructor. |
| DirectoryMySQLImpl(ImmutableName _name, ACS _acs, Directory _parent, UserID _owner, java.lang.String _resourceType) | This constructor is used by the beamer editor for the ACS resources list, from the 'New' button, or from gWork.AcsFactoryUbuntu. |
| DirectoryMySQLImpl(ImmutableName _name, ACS _acs, Directory _parent, UserID _owner, java.lang.String _resourceType, boolean _toRegisterInManager) | This constructor is called by the other constructor. |
Method Summary

| Modifier and Type | Method | Description |
|---|---|---|
| AclEntry | addAclEntry(ImmutableACS _aclAcs, ImmutableEligibleParty _ep, StringRight[] _l_right, java.lang.Boolean _positiveRight, ImmutableGroupID _conditionGroup) | Updates the inherited AclEntry in the children and the primary and global rights maps, if applicable, and sorts the new direct AclEntry list. |
| void | addInheritedAclEntry(AclEntry _acl) | Adds the inherited AclEntry. |
| java.lang.Object | clone() | Deep cloning without registering the new object in the ACSs. |
| java.lang.Object | copy(ImmutableName _name, ACS _acs, Directory _parent, java.lang.Boolean _toRegisterInManager) | Provides a copy of the instance with another name, without copying the children because the copy order would not always be correct. |
| protected DirectoryMySQLImpl | copyOwnVariables(DirectoryMySQLImpl _result, boolean _withoutInternalAcl) | Provides a copy of the instance variables. |
| java.lang.Object | copyWithoutInternalAcl(ImmutableName _name, ACS _acs, Directory _parent, java.lang.Boolean _toRegisterInManager) | Provides a copy of the instance as Copyable.copy(), but without copying the internal aclEntries. |
| void | finalizeForBase() | Sets the primary inherited rights map to null, and unregisters this instance from the matched bases sets. |
| protected void | finalizeFromDeserialization() | Currently unused. |
| java.util.Map<java.lang.String,java.lang.String> | getAddonInnerPropertiesToListen() | Gets the specific events to listen to from an ACSObject, because these events should change the rights of an ACSObject in an ACS Addon. |
| java.util.Map<ImmutableName,StringRight[]> | getM_GlobalTargetACLRights() | Gets the map of the global rights from the root 'MySQL server'. |
| java.util.Map<java.lang.String,StringRight[]> | getM_TargetInheritedACLRights() | Gets the internal map of the primary rights from each parent level of this resource. |
| long | getSerialVersionUID() | For the java serialization. |
| void | removeAclEntry(ImmutableACS _aclAcs, ImmutableEligibleParty _ep, boolean _positiveRight, ImmutableGroupID _conditionGroup) | Removes the AclEntry and the inherited AclEntries in the children. |
| void | removeAclEntryWithoutFiring(ImmutableACS _aclAcs, ImmutableEligibleParty _ep, boolean _positiveRight, ImmutableGroupID _conditionGroup) | Removes the direct AclEntry and the inherited AclEntries in the children, but without event firing. |
| void | removeInheritedAclEntry(AclEntry _acl) | Removes the inherited AclEntries in the children. |
| void | resetInheritedAclEntryRights(AclEntry _acl) | Resets the inherited AclEntry rights and the primary rights after a user edition. |
| void | resetInheritedAclEntryRightsOfChildren(AclEntry _acl) | At each rights change in a direct ACL, if the ACL inheritance is applicable, resets the primary rights, the global rights and the inherited AclEntry rights in the children. |
| AclEntry | selectInheritedAclEntry(AclEntry _acl, java.lang.String _type) | Returns the AclEntry to use as inherited AclEntry in a child. |
| protected void | setEorL_TargetInheritedAclEntries(java.util.ArrayList<AclEntry> _l_acl, boolean _withFiring) | Sets all the inherited AclEntries, the global and the primary rights for this target. |
| protected void | setM_TargetInheritedACLRights(java.util.List<AclEntry> _l_acl) | Sets the internal maps of the primary and global rights. |
Methods inherited from class java.lang.Object: getClass, notify, notifyAll, wait, wait, wait

Methods inherited from interface ARoad0.gBaseInterface.Directory: resetInheritedPrivilegeRightsOfChildren, setEnforceChildGID

Methods inherited from interface ARoad0.gBaseInterface.ImmutableDirectory: getEnforceChildGID, getEorL_Children

Methods inherited from interface ARoad0.gBaseInterface.Resource: resetInheritedPrivilegeRights, selectInheritedPrivilege, setEorGroupID, setEorUserID, setL_groupRights, setL_ownerRights, setL_rootRights, setResourceType

Methods inherited from interface ARoad0.gBaseInterface.Basic: finalizeForUser, setComment

Methods inherited from interface ARoad0.gBaseInterface.ImmutableBasic: getComment, getEorAliasAsInternalHardReference, getEorReferenceAsInternalHardAlias, getHasSoftAlias, getImpliedViews, getIS_Name, getL_AcsOfSoftReferences, getL_SoftAlias, getPropertyChangeListeners, getVirtualFolders

Methods inherited from interface ARoad0.gBaseInterface.PrivilegeTarget: addEorPrivilegeForTypeToTarget, removeEorPrivilegeToTarget

Methods inherited from interface ARoad0.gBaseInterface.ImmutablePrivilegeTarget: getEorImmutableL_TargetInheritedLinkedPrivileges, getEorL_TargetPrivilegeForLinks, getEorL_TargetPrivilegeForTypes, getEorL_TargetPrivileges, getM_TargetInheritedLinkedPRIRights, getType

Methods inherited from interface ARoad0.gBaseInterface.ImmutableTarget: getEorAliasAsInternalHardReference, getEorReferenceAsInternalHardAlias, getHasSoftAlias, getL_AcsOfSoftReferences, getL_SoftAlias

Methods inherited from interface ARoad0.gBaseInterface.ACSObject: getAcsName, getEorACS

Methods inherited from interface ARoad0.gBaseInterface.BaseObject: equals, getFullName, getName, getNickName, hashCode
Field Detail

private static final long serialVersionUID__

public static final DirectoryMySQLImpl EMPTY_INSTANCE
A reusable empty instance for initialization, to avoid the use of 'new' for temporary values.

protected java.util.Map<ImmutableName,StringRight[]> m_globalT_ACLRights_
TreeMap of global AclEntry rights, that are the direct rights statements for the root 'MySQL server'.
See Also: BaseUtilityMySQLImpl.setM_TargetInheritedACLRights(ARoad0.AcsAddon.Accbee.MySQL.gBaseInterface.ResourceMySQL, java.util.List, java.util.Map, java.util.Map, boolean)

public static final java.io.ObjectStreamField[] serialPersistentFields
Variable for the JDK 2 serialization.
Constructor Detail

public DirectoryMySQLImpl()
The basic constructor.

public DirectoryMySQLImpl(ImmutableName _name, ACS _acs, Directory _parent, UserID _owner, java.lang.String _resourceType) throws CreateError
This constructor is used by the beamer editor for the ACS resources list, from the 'New' button, or from gWork.AcsFactoryUbuntu.
Parameters:
- _name - of the directory
- _acs - is the main ACS of the directory
- _parent - of the directory; may be null.
- _resourceType - is the type, and may be null if the ACS allows it.
- _owner - owns the resource; may be null. Never used.
Throws:
- CreateError - if ACSImpl.newEorResource() throws it; the instance must then be deleted!

public DirectoryMySQLImpl(ImmutableName _name, ACS _acs, Directory _parent, UserID _owner, java.lang.String _resourceType, boolean _toRegisterInManager) throws CreateError
This constructor is called by the other constructor.
Parameters:
- _name - of the directory
- _acs - is the main ACS of the directory
- _parent - of the directory; may be null.
- _resourceType - is the type, and may be null if the ACS allows it.
- _owner - owns the resource; may be null. Never used.
- _toRegisterInManager - false if this method must not register the instance in the ACS.
Throws:
- CreateError - if ACSImpl.newEorResource() throws it, or on an error on the name; the instance must then be deleted!

Method Detail
public long getSerialVersionUID()
Description copied from class: BasicImpl
For the java serialization.
Specified by: getSerialVersionUID in interface ImmutableBasic
Overrides: getSerialVersionUID in class DirectoryImpl

public java.util.Map<java.lang.String,java.lang.String> getAddonInnerPropertiesToListen()
Gets the specific events to listen to from an ACSObject, because these events should change the rights of an ACSObject in an ACS Addon. The map keys have one of the following forms:
- 'THIS', to say that the single object to listen to is the ACSObject,
- 'ACS.method_name', to say that the list of objects to listen to is returned by the method 'method_name' in the Addon ACS class.
For each map key, the values have the following format:
'AAA.method_name IF BBB'
where:
- AAA: THIS (mandatory),
- method_name: name of the 'get' method of the ACSObject that is associated, in the relevant BeanInfo class, to the event to listen to (mandatory),
- IF BBB: where BBB is TRUE, FALSE, NULL or NOT-NULL, to say that the event must be listened to if and only if the value returned by method_name is respectively a boolean TRUE, a boolean FALSE, a null object or a non-null object (optional).
When the map key starts with 'ACS', the ACS method to call takes the ACSObject as its single argument. Otherwise, the ACS or the ACSObject method has no argument. Called by ARoad0.UtilityImpl.removeAddonParentPropertyChangeListener().
Specified by: getAddonInnerPropertiesToListen in interface ACSObjectAddon
See Also: AcsAddon.getAddonParentPropertiesToListen()
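The key and value formats above can be parsed and applied with the following added example, which is not Access Road code: the FakeDirectory and FakeAcs classes, the hypothetical ACS method listChildren and the RULES map are constructed for the demonstration, and calling the named 'get' method through getattr() is an assumption about how a reader would apply the rules (the project applies them in ARoad0.UtilityImpl):

```python
"""Parser and evaluator for the 'AAA.method_name IF BBB' listening rules
described above. Added example, not Access Road code: the fake ACS and
ACSObject classes, their method names and the RULES map are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

KEY_RULE = re.compile(r"^(THIS|ACS)(?:\.(\w+))?$")                               # 'THIS' or 'ACS.method_name'
VALUE_RULE = re.compile(r"^THIS\.(\w+)(?:\s+IF\s+(TRUE|FALSE|NULL|NOT-NULL))?$")  # 'THIS.method_name [IF BBB]'

@dataclass(frozen=True)
class ListenRule:
    method: str            # 'get' method bound to the event in the BeanInfo class
    condition: str | None  # TRUE, FALSE, NULL, NOT-NULL, or None when unconditional

def parse_value(value: str) -> ListenRule:
    m = VALUE_RULE.match(value.strip())
    if m is None:
        raise ValueError(f"malformed listening rule: {value!r}")
    return ListenRule(m.group(1), m.group(2))

def objects_to_listen(key: str, acs_object, acs) -> list:
    """'THIS': the ACSObject itself. 'ACS.m': the objects returned by the addon
    ACS method m, called with the ACSObject as its single argument."""
    m = KEY_RULE.match(key.strip())
    if m is None or (m.group(1) == "THIS") == (m.group(2) is not None):
        raise ValueError(f"malformed listening key: {key!r}")
    if m.group(1) == "THIS":
        return [acs_object]
    return list(getattr(acs, m.group(2))(acs_object))

def condition_holds(condition: str | None, value) -> bool:
    """'IF BBB': listen iff the getter returned True, False, None or not None."""
    if condition is None:
        return True
    return {"TRUE": value is True, "FALSE": value is False,
            "NULL": value is None, "NOT-NULL": value is not None}[condition]

def events_to_listen(rules: dict, acs_object, acs) -> list:
    """Expands a map in the getAddonInnerPropertiesToListen() format into the
    (object, getter name) pairs whose event must actually be listened to."""
    out = []
    for key, value in rules.items():
        rule = parse_value(value)
        for obj in objects_to_listen(key, acs_object, acs):
            if condition_holds(rule.condition, getattr(obj, rule.method)()):
                out.append((obj, rule.method))
    return out

class FakeDirectory:  # constructed stand-in for an ACSObject with two 'get' methods
    def __init__(self, name: str, enforce: bool, parent=None):
        self.name, self._enforce, self._parent = name, enforce, parent
    def getEnforceChildGID(self) -> bool:
        return self._enforce
    def getParent(self):
        return self._parent

class FakeAcs:  # constructed stand-in for the addon ACS class; listChildren is hypothetical
    def listChildren(self, obj: FakeDirectory) -> list:
        return [FakeDirectory(f"{obj.name}/child0", False, obj),
                FakeDirectory(f"{obj.name}/child1", True, None)]

RULES = {  # constructed rule map in the format the page describes
    "THIS": "THIS.getEnforceChildGID IF TRUE",
    "ACS.listChildren": "THIS.getParent IF NOT-NULL",
}
```

With RULES, a directory whose getEnforceChildGID() returns true is listened to for that event, and among the objects returned by the ACS method only the child with a non-null parent is listened to for the 'getParent' event; a key 'THIS.x' or a value starting with 'ACS' is rejected as malformed, which is the check a caller of this map would want before binding listeners.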
public AclEntry addAclEntry(ImmutableACS _aclAcs, ImmutableEligibleParty _ep, StringRight[] _l_right, java.lang.Boolean _positiveRight, ImmutableGroupID _conditionGroup) throws CreateError
Updates the inherited AclEntry in the children and the primary and global rights maps, if applicable, and sorts the new direct AclEntry list. This method stops, then restores, the property change firing on 'AclRights'. The generic order of the 'AclRights' and 'EPsThroughAclEntry' firings is reversed. It fires the 'InheritedTargetAclEntries' events only to update the display of the primary rights map. It copies the overridden method and calls it after removing all the property change listeners for the event 'AclRights'. It calls addInheritedAclEntry() on the children, and calls BaseUtilityMySQLImpl.setM_PrimaryTargetACLRightsFromDirectACL(). The detailed sequence of calls from this method is the following:
- removePropertyChangeListener() for 'AclRights', to remove all the listeners,
- super.addAclEntry(), which has the call sequence:
----- AclEntryImpl constructor,
----- ACS.newAclEntry(),
----- EligibleParty.addEorAclEntryToEP(),
----- updating of ResourceImpl.l_aclEntry_,
----- ResourceImpl.addAcsController(),
----- ResourceImpl.firePropertyChange() for 'EPsThroughAclEntry',
- BaseUtilityMySQLImpl.addInSortedAclList() with the original ResourceImpl.l_aclEntry_ as argument,
- updating of ResourceImpl.l_aclEntry_ with the returned sorted list,
- addPropertyChangeListener() for 'AclRights', to restore the initial listeners,
- BaseUtilityMySQLImpl.setM_TargetInheritedACLRights() to update the primary and the global rights maps,
- for a conditional ACL, and if the root node has no ACL for the same pair, addAclEntry() on the root node to add an equivalent ACL having only the USAGE right,
- for each child, selectInheritedAclEntry(),
- on each child, ResourceMySQL.addInheritedAclEntry(), which has the call sequence:
----- BaseUtilityMySQLImpl.addInSortedInheritedAclList() to insert the new ACL in the inherited ACL list,
---------- BaseUtilityMySQLImpl.addInSortedAclList() with the original inherited ACL list as argument,
----- setEorL_TargetInheritedAclEntries() with the new inherited ACL list, which itself uses the sequence of calls:
---------- updating of ResourceImpl.l_inheritedT_AclEntries_,
---------- setM_TargetInheritedACLRights(), which calls:
--------------- BaseUtilityMySQLImpl.setM_TargetInheritedACLRights(), which includes:
-------------------- updating of ResourceImpl.m_inheritedT_ACLRights_,
-------------------- updating of ResourceMySQL.m_globalT_ACLRights_,
---------- firePropertyChange() for 'InheritedTargetAclEntries',
----- if the child is a Directory, the calls to selectInheritedAclEntry() and addInheritedAclEntry() are repeated on its own children,
- firePropertyChange() for 'AclRights' and 'InheritedTargetAclEntries' from this method.
Specified by: addAclEntry in interface Resource
Overrides: addAclEntry in class ResourceImpl
Parameters:
- _aclAcs - ImmutableACS which owns the new AclEntry, to be recorded as an ACS controller of this resource if it is not its main ACS.
- _ep - eligible party connected to the resource through a new aclEntry.
- _l_right - an array of positive or negative rights of _ep on this resource (that is, if READ is a right, _ep can read on the resource). May be null.
- _positiveRight - true if the rights are set to authorize (grant), and false if they are set to forbid (deny).
- _conditionGroup - first condition group. May be null.
Throws:
- CreateError - if _ep or _aclAcs is null, or if _ep is already recorded in this resource with the same ACS, or if thrown by ACS.newEorAclEntry(), or with a condition group while the source is not an account, or without a condition group when this directory is not a database while the source is not an accounts-for-hosts group, or for a database when the source is not an account, a host or a host group (including the accounts-for-hosts groups).

public void removeAclEntry(ImmutableACS _aclAcs, ImmutableEligibleParty _ep, boolean _positiveRight, ImmutableGroupID _conditionGroup) throws UpDateError
Removes the AclEntry and the inherited AclEntries in the children.
Specified by: removeAclEntry in interface Resource
Overrides: removeAclEntry in class ResourceImpl
Parameters:
- _aclAcs - ImmutableACS which owns the AclEntry, and is recorded as an ACS controller of this resource.
- _ep - eligible party connected to the resource through an AclEntry. This method unrecords the relevant aclEntry in _ep, in this resource, and in the relevant ACS. The ACS of the aclEntry may be unrecorded in this resource if there is no other aclEntry owned by this ACS in this resource.
- _positiveRight - true if the rights are oriented to authorize, and false if they are oriented to forbid.
- _conditionGroup - first condition group. May be null.
Throws:
- UpDateError - if _ep is null or unknown, if _aclAcs is closed or unknown, or if the type does not allow this operation.
See Also: addAclEntry(ARoad0.gBaseInterface.ImmutableACS, ARoad0.gBaseInterface.ImmutableEligibleParty, ARoad0.gBaseInterface.StringRight[], java.lang.Boolean, ARoad0.gBaseInterface.ImmutableGroupID)
public void addInheritedAclEntry(AclEntry _acl)
Adds the inherited AclEntry.
Specified by: addInheritedAclEntry in interface ResourceMySQL
Parameters:
- _acl - inherited AclEntry to put in the list at the right order. Its target is not this instance.
See Also: addAclEntry(ARoad0.gBaseInterface.ImmutableACS, ARoad0.gBaseInterface.ImmutableEligibleParty, ARoad0.gBaseInterface.StringRight[], java.lang.Boolean, ARoad0.gBaseInterface.ImmutableGroupID)

public void removeInheritedAclEntry(AclEntry _acl) throws UpDateError
Removes the inherited AclEntries in the children.
Specified by: removeInheritedAclEntry in interface ResourceMySQL
Parameters:
- _acl - inherited AclEntry. Its target is not this instance.
Throws:
- UpDateError - if _acl is null or unknown

public AclEntry selectInheritedAclEntry(AclEntry _acl, java.lang.String _type)
Returns the AclEntry to use as inherited AclEntry in a child.
Specified by: selectInheritedAclEntry in interface ImmutableResource
Overrides: selectInheritedAclEntry in class ResourceImpl
Parameters:
- _acl - the initial AclEntry which may be given to the child
- _type - type of a child, as Resource

public void resetInheritedAclEntryRights(AclEntry _acl)
Resets the inherited AclEntry rights and the primary rights after a user edition.
Specified by: resetInheritedAclEntryRights in interface ResourceMySQL
Specified by: resetInheritedAclEntryRights in interface Resource
Overrides: resetInheritedAclEntryRights in class DirectoryImpl
Parameters:
- _acl - inherited AclEntry with updated rights. Never null.

public void resetInheritedAclEntryRightsOfChildren(AclEntry _acl)
There are three flows of data to update the AclEntries:
- one at the ACL creation/deletion, and this one is not handled in the generic gBase package,
- one at the editing of their inner rights,
- and the last flow, only for the conditional ACL, at the editing of the membership relation between the source and a condition group.
This method is called to handle the second and the third cases, to update the children of the Directory which is the target of the AclEntry. This generic Directory method is used so as not to subclass the generic AclEntry class.
Called by an own AclEntry when there is a change in its effective rights, to update the children of the Directory which is its target. Not described in the BeanInfo since the user does not call it. Overrides the super method and calls it at the end. Note: the creation of the inherited AclEntry in a child is not handled by the generic gBase package, while the rights updating of the inherited AclEntry is handled through this method. Fires 'InheritedTargetAclEntries' events only to update the display of the primary rights map. Calls BaseUtilityMySQLImpl.setM_PrimaryTargetACLRights(). Called by AclEntryImpl.resetRightsAsInheritedAclEntry(), but not by the subclass BasesSetMySQLImpl.
Specified by: resetInheritedAclEntryRightsOfChildren in interface Directory
Overrides: resetInheritedAclEntryRightsOfChildren in class DirectoryImpl
Parameters:
- _acl - own AclEntry with updated rights

public java.util.Map<java.lang.String,StringRight[]> getM_TargetInheritedACLRights()
Gets the internal map of the primary rights from each parent level of this resource.
The primary rights are not an official MySQL concept. They are a help for the Access Road user, and they are necessary for the gWork classes. They describe both the inherited AclEntries and the direct AclEntries. The root 'MySQL server' has primary rights only from its direct ACL, and a database has primary rights from the root and from its direct ACL.

To have some access rights on a MySQL Resource, a pair (user, host) has to match, on the root 'MySQL server', a pair (user, host) or a pair (user, accounts-for-hosts group) which has at least the USAGE right. The FIRST matching pair in the 'MySQL server' list becomes the current user. It is used to get the rights of the initial pair (user, host) at each parent level. The current user is returned by the method NodeRightsMySQLImpl.getConnection Pair(). If the current user has only the USAGE right and if, for a given Resource, the current user has no direct ACL and no inherited ACL, then no right is granted. Otherwise, the rights are the sum of the current user rights from the FIRST matched direct ACL and from the FIRST matched inherited ACL at EACH parent level. For these inherited ACL, the rights from each parent are added to the final result.

This section is about the virtual ACL in the MySQL addon. There are two types of virtual ACL: the virtual 'user@accounts-for-hosts group' ACL on any Resource, which derives from one real 'accounts-for-hosts group' ACL, and the mixed ACL, which exists only on databases and derives from two real to-be-mixed ACL. The virtual user@accounts-for-hosts group ACL is thus derived from a non-conditional accounts-for-hosts group ACL, and the target may have any type. There is one set of processed rights for each account member of the accounts-for-hosts group: if there are 3 members in the group, there are 3 sets of processed rights, under three keys in the rights maps. All these rights are simply a copy of the accounts-for-hosts group ACL rights.

The database level is the most complex case. It is the only parent level that handles the virtual mixed ACL, the real to-be-mixed ACL and the real bases set ACL. The real to-be-mixed ACL are the only case where two real ACL are selected at a level (always the database level) to build up some rights in a virtual mixed ACL. To-be-mixed and mixed ACL are not official MySQL concepts, but they implement a MySQL algorithm. Two non-conditional to-be-mixed ACL on a database-related target, respectively for a user U and a host H, are combined to define the processed rights of the pair (U, H). The processed rights are the union of the rights of the two real ACL. This defines a map key even if the union of rights is empty; this is the only case where a key in the two maps may have an empty set of effective rights.
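The two-step selection described in the class description and in the paragraphs above (current user chosen on the root, USAGE required, first-matched ACL per level for the SAME current user, the virtual user@accounts-for-hosts group ACL, the to-be-mixed couple at the database level, the bases set copies and the host-name sorting) can be followed in this added Python model. It is an added example, not Access Road code, and nothing in it comes from the ARoad0 classes: the Acl and Server types, the specificity ordering used for host and bases set names, and the grants in SERVER are assumptions constructed for the demonstration (in the project, the selection is done by gWork.NodeRightsMySQLImpl over lists sorted by BaseUtilityMySQLImpl):

```python
"""Simulation of the two-step effective-rights algorithm described above.
Added example, not Access Road code: the Acl/Server model, the host
specificity ordering and the grants in SERVER are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass
USAGE = "USAGE"

def like_to_regex(pattern: str) -> re.Pattern:
    """MySQL LIKE-style host or bases set pattern: '%' any run, '_' one char."""
    body = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$")

def specificity(pattern: str) -> tuple:
    """Sort key: no wildcard first, then longer literal prefix first ('192.168.1.%' before '192.168.%')."""
    literal = len(re.split(r"[%_]", pattern)[0])
    return (1 if re.search(r"[%_]", pattern) else 0, -literal, pattern)

@dataclass(frozen=True)
class Acl:
    user: str | None = None           # user and host set: conditional user@host ACL
    host: str | None = None           # only one of user/host set: a to-be-mixed ACL
    rights: frozenset = frozenset()   # StringRight names such as 'USAGE', 'SELECT'
    group: str | None = None          # accounts-for-hosts group ACL: group name (a host pattern)
    members: frozenset = frozenset()  # accounts the group transfers its rights to

def sort_acls(acls: list) -> list:
    """One level's order, as described for addInSortedAclList(): conditional user/host
    ACL, then group ACL by name specificity, to-be-mixed last; sorted() is stable."""
    def key(a):
        if a.group is not None:
            return (1, specificity(a.group))
        if a.user is not None and a.host is not None:
            return (0, specificity(a.host))
        return (2, specificity(a.host or a.user))
    return sorted(acls, key=key)

@dataclass
class Server:
    root: list        # direct ACL on the root 'MySQL server'
    bases_sets: dict  # bases set name pattern -> its direct ACL
    targets: dict     # 'db', 'db.table' or 'db.table.column' -> direct ACL

    def direct_acls(self, name: str) -> list:
        acls = list(self.targets.get(name, []))
        if "." not in name:  # a database also gets each matching bases set's ACL, most specific set first
            acls += [a for pat in sorted(self.bases_sets, key=specificity)
                     if like_to_regex(pat).match(name) for a in self.bases_sets[pat]]
        return acls

def root_match(server: Server, user: str, host: str) -> Acl | None:
    """Step 1: the FIRST root ACL that the initial pair (user, host) matches."""
    for a in sort_acls(server.root):
        hit = ((user in a.members and like_to_regex(a.group).match(host)) if a.group is not None
               else (a.user == user and a.host is not None and like_to_regex(a.host).match(host)))
        if hit:
            return a
    return None

def connection_pair(server: Server, user: str, host: str) -> tuple | None:
    """The current user (user, host pattern or group name); None without USAGE on the root."""
    a = root_match(server, user, host)
    return None if a is None or USAGE not in a.rights else (user, a.group if a.group is not None else a.host)

def rights_at_level(acls: list, current: tuple, is_database: bool) -> set:
    """Step 2 at one level: the FIRST ACL for the SAME current user wins; only on a database-
    specific target, the fallback is the to-be-mixed couple (user ACL AND host ACL), union maybe empty."""
    user, key = current
    for a in sort_acls(acls):
        same = (a.group == key and user in a.members) if a.group is not None else (a.user == user and a.host == key)
        if same:
            return set(a.rights)
    if not is_database:
        return set()
    u = next((a for a in acls if a.group is None and a.user == user and a.host is None), None)
    h = next((a for a in acls if a.group is None and a.host == key and a.user is None), None)
    return set(u.rights) | set(h.rights) if u and h else set()

def effective_rights(server: Server, user: str, host: str, resource: str) -> frozenset:
    """Root rights plus the rights selected at each parent level and on the resource itself."""
    current = connection_pair(server, user, host)
    if current is None:
        return frozenset()
    rights = set(root_match(server, user, host).rights)
    parts = resource.split(".")
    for depth in range(1, len(parts) + 1):
        rights |= rights_at_level(server.direct_acls(".".join(parts[:depth])), current, depth == 1)
    return frozenset(rights)

R = frozenset
SERVER = Server(  # constructed grants, not taken from the page
    root=[Acl("jerry", "%", R({USAGE})), Acl("tom", "localhost", R({USAGE})),
          Acl(rights=R({USAGE, "RELOAD"}), group="192.168.%", members=R({"ann"})),
          Acl(rights=R({USAGE}), group="192.168.1.%", members=R({"ann"}))],
    bases_sets={"on%": [Acl("jerry", "%", R({"SELECT"}))], "%": [Acl("jerry", "%", R({"SELECT", "INSERT"}))]},
    targets={"one": [Acl(rights=R({"DROP"}), group="192.168.1.%", members=R({"ann"}))],
             "one.t_table": [Acl("jerry", "%", R({"UPDATE"}))],
             "two": [Acl(user="tom", rights=R({"SELECT"})), Acl(host="localhost", rights=R({"INSERT"}))]},
)
```

With SERVER, (jerry, localhost) is served by the current user ('jerry', '%'); on the database 'one' it gets SELECT from the bases set 'on%' rather than SELECT and INSERT from '%', because 'on%' is sorted first and only the first matched ACL counts, and on 'one.t_table' it adds UPDATE from the direct ACL of the table. (tom, localhost) has no single ACL on the database 'two', so the to-be-mixed user ACL and host ACL are combined into SELECT and INSERT, which the table 'two.x_table' then inherits. 'ann' connecting from 192.168.1.7 is served by the more specific group '192.168.1.%', which also owns a DROP ACL on 'one'; connecting from 192.168.2.9 her current user is the group '192.168.%', so that DROP ACL is not hers and she keeps only the root rights. 'bob' has no root ACL at all and therefore no right, whatever the direct ACL below the root.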
This section is about the keys into the primary rights map. Each parent level may produce a matched key for a given couple user/host and a target. Into the primary ACL rights map, the map key may have varied forms, where the parent order is always at the end. The parent order tells the distance from the target to the parent which delivers the referenced rights. For instance, the direct parent of a resource has the string '1'. The direct parent of this parent has the string '2' as parent order, and so on. Into the two rights maps, the single difference between the keys is that the key for the primary rights is a String form of a Name, and the global rights key is the same Name.
The ten key forms are listed hereinafter:
- (user name @ host name last component) :: parent order, for instance 'one :: mysql :: jerry@localhost :: 2',
In this catalog of key forms for the database, '
getM_TargetInheritedACLRights in interface ResourceMySQL
getM_TargetInheritedACLRights in interface ImmutableResource
getM_TargetInheritedACLRights in class ResourceImpl
public java.util.Map<ImmutableName,StringRight[]> getM_GlobalTargetACLRights()
The global rights are necessary for the gWork classes, and the first user is NodeRightsMySQLImpl.getConnectionPair(). To have some access rights on a MySQL Resource, a pair (user, host) has to match on the root 'MySQL Server' a pair (user, host) or a pair (user, accounts-for-hosts group) which has at least a USAGE right. The FIRST matching pair in the 'MySQL server' list becomes the current user. It is used to get the rights for the initial pair (user, host) at each parent level. If the current user has only a USAGE right on the root and if, for a given Resource, the current user has no other inherited ACL on the target, then no right is granted.
In the global ACL rights map, the map key may have varied forms, where the parent order is always at the end. The parent order tells the distance from the target to the parent which delivers the referenced rights. For instance, the direct parent of a resource has the string '1'. The direct parent of this parent has the string '2' as parent order, and so on. The two key forms are listed hereinafter, where the parent order is always 0:
- (user name @ host name last component) :: parent order, for instance 'one :: mysql :: jerry@localhost :: 0',
getM_GlobalTargetACLRights in interface DirectoryMySQL
public java.lang.Object clone()
clone in class DirectoryImpl
java.lang.CloneNotSupportedException
public void finalizeForBase() throws UpDateError
finalizeForBase in interface FinalizedObject
finalizeForBase in class DirectoryImpl
UpDateError - if the main ACS does not know the resource (typically, if it is a clone without setName())
public java.lang.Object copy(ImmutableName _name, ACS _acs, Directory _parent, java.lang.Boolean _toRegisterInManager) throws CreateError
copy in interface Copyable
copy in class DirectoryImpl
_name - copy name. Usually created as an extension of the _parent name.
_acs - main ACS of the copy to create. May not be the ACS of this instance.
_parent - DirectoryImpl which belongs to _acs and will have the copy. May be null.
_toRegisterInManager - false if this method must not register the instance in the ACS.
CreateError - from the constructor with the same parameters, or if the _parent ACS is not _acs, or from addAclEntry() exceptions.
public java.lang.Object copyWithoutInternalAcl(ImmutableName _name, ACS _acs, Directory _parent, java.lang.Boolean _toRegisterInManager) throws CreateError
copyWithoutInternalAcl in interface Resource
copyWithoutInternalAcl in class DirectoryImpl
_name - copy name. Usually created as an extension of the _parent name.
_acs - main ACS of the copy to create. May not be the ACS of this instance.
_parent - is not used, whatever the value.
_toRegisterInManager - false if this method must not register the instance in the ACS.
CreateError - from the constructor with the same parameters, or if the _parent ACS is not _acs, or from addAclEntry() exceptions.
public void removeAclEntryWithoutFiring(ImmutableACS _aclAcs, ImmutableEligibleParty _ep, boolean _positiveRight, ImmutableGroupID _conditionGroup) throws UpDateError
removeAclEntryWithoutFiring in interface ResourceMySQL
_aclAcs - ImmutableACS which owns the AclEntry, and is recorded as an ACS controller of this resource.
_ep - eligible party connected to the resource through an AclEntry. This method unrecords the relevant aclEntry in _ep, in this resource, and in the relevant ACS. The ACS of the aclEntry may be unrecorded in this resource if there is no other aclEntry owned by this ACS in this resource.
_positiveRight - true if the rights are oriented to authorize, and false if they are oriented to forbid.
_conditionGroup - first condition group. May be null.
UpDateError - if _ep is null or unknown, if _aclAcs is closed or unknown, or if the type does not allow this operation.
addAclEntry(ARoad0.gBaseInterface.ImmutableACS, ARoad0.gBaseInterface.ImmutableEligibleParty, ARoad0.gBaseInterface.StringRight[], java.lang.Boolean, ARoad0.gBaseInterface.ImmutableGroupID)
protected DirectoryMySQLImpl copyOwnVariables(DirectoryMySQLImpl _result, boolean _withoutInternalAcl) throws CreateError
_result - to update with copies of this instance's variables.
_withoutInternalAcl - true if the internal aclEntries (that is, those with a resource having the same ACS) must not be copied.
CreateError - if super throws it.
protected void finalizeFromDeserialization()
finalizeFromDeserialization in class DirectoryImpl
protected void setEorL_TargetInheritedAclEntries(java.util.ArrayList<AclEntry> _l_acl, boolean _withFiring)
_l_acl - list of AclEntries. May be empty, but never null.
_withFiring - true to fire 'InheritedTargetAclEntries'. False only when called by removeAclEntryWithoutFiring().
addAclEntry(ARoad0.gBaseInterface.ImmutableACS, ARoad0.gBaseInterface.ImmutableEligibleParty, ARoad0.gBaseInterface.StringRight[], java.lang.Boolean, ARoad0.gBaseInterface.ImmutableGroupID)
protected void setM_TargetInheritedACLRights(java.util.List<AclEntry> _l_acl)
_l_acl - new list of inherited AclEntries. May be empty, but never null.
addAclEntry(ARoad0.gBaseInterface.ImmutableACS, ARoad0.gBaseInterface.ImmutableEligibleParty, ARoad0.gBaseInterface.StringRight[], java.lang.Boolean, ARoad0.gBaseInterface.ImmutableGroupID)