ARoad0.AcsAddon.Accbee.MySQL.gWork
Class NodeRightsMySQLImpl

java.lang.Object
  extended by ARoad0.gWork.NodeRightsImpl
      extended by ARoad0.AcsAddon.Accbee.MySQL.gWork.NodeRightsMySQLImpl
All Implemented Interfaces:
NodeRights

public class NodeRightsMySQLImpl
extends NodeRightsImpl

This complex class is responsible for getting the rights of a MySQL node in a view, for the AcsAddon MySQL. It provides the proper handling of the ACL inherited rights.

The main methods of this class are presented now. This class overrides the method detectAddonFinalAllNodes() to add the properties AccessControlLink.C_FIRST_RATE, AccessControlLink.C_WEAK_LINK and AccessControlLink.C_CONDITIONAL_ACL to some DisplayableLinkImpl. There are 3 cases, and the aim is to make the effective rights precise in an Access Road view with MySQL nodes. The wrong access paths are handled by LinkRightsMySQLImpl.addDisplayableLink(), not by this class.

This class overrides the method detectL_aclEntryRights() to get all the rights of the relevant direct AclEntries managed by the MySQL Resource for a given EligibleParty, following the ACL sorting and the selection of the first matched ACL.

This class overrides the method getL_accessRightsThroughNodesTree() to return in an AccessControlLink the inherited rights that are given by the directory tree, as inherited rights on a resource. The result sets only the type AccessControlLink.ACL.

The new method getConnectionPair() returns the first current user, that is the pair (user, simple host or accounts-for-hosts group) under which the connection of _ep is done on the MySQL server. The requirements for the MySQL access controls are described in http://dev.mysql.com/doc/refman/5.6/en/request-access.html and the neighbouring pages.

In the ACS MySQL, the effective rights of a user on a resource are selected by a two-step algorithm, derived from the MySQL specification, that is described hereinafter:

At the first step of access control, only the ACL on the root 'MySQL server' are involved in selecting the first pair (user, host or accounts-for-hosts group) that the user matches. This pair (user, host or accounts-for-hosts group) is called the current user by MySQL. It may be the initial pair (user, host) or not. For instance, all the effective rights of a pair (jerry, localhost) may be provided by the current user ('jerry', '%'). One may note that the MySQL term current user includes the current group. The AclEntries on the root 'MySQL server', for this first step of access control, may be:

- conditional user/host ACL on the root 'MySQL server' EXCLUSIVE OR non-conditional 'accounts-for-hosts group' ACL on the root 'MySQL server'.

The ACL list is not totally ordered, since the conditional account ACL are not sorted if the accounts are not 'anonymous'. If a right is granted at this first step (at least the 'USAGE' right), some complementary rights may be added, for the SAME current user, at each parent level from the database to the direct parent of the resource, as inherited ACL, then other complementary rights may be added from the direct ACLs of the resource. At each of these parent levels, and for the resource itself, in the sorted list of inherited or direct ACLs, the FIRST ACL or the FIRST couple of ACL for the current user, if any, defines the effective rights, at this level, for the pair (user, host) on the resource. This is the sense of the 'EXCLUSIVE OR' in each description of the two-step algorithm. This first-selected-single-output rule is also applied within each category of ACL, like in the sorted list of the non-conditional 'accounts-for-hosts group' ACL for a resource. On the other hand, the current user may change along a given access path.

As we have seen, if a right is granted at the first step on the root 'MySQL server', some complementary rights may be added from the other levels:

first from the database ACL or from a bases set ACL (both are called 'database-specific target'):

- AND ((conditional user/host ACL on a database-specific target EXCLUSIVE OR non-conditional 'accounts-for-hosts group' ACL on a database-specific target) EXCLUSIVE OR (user non-conditional ACL on a database-specific target AND host non-conditional ACL on the database-specific target)),

and secondly, some complementary rights may also be added, for the SAME current user (user, host or group of hosts), from the rights on all the database children which are parents of the resource or which are the resource itself:

- AND (conditional user/host ACL on a table EXCLUSIVE OR non-conditional 'accounts-for-hosts group' ACL on this table),

- AND (conditional user/host ACL on a column EXCLUSIVE OR non-conditional 'accounts-for-hosts group' ACL on this column),

- AND (conditional user/host ACL on a routine EXCLUSIVE OR non-conditional 'accounts-for-hosts group' ACL on this routine),

- AND (conditional user/host ACL on a view delegate EXCLUSIVE OR non-conditional 'accounts-for-hosts group' ACL on this view delegate),

Routines are the stored functions and the stored procedures. Of course, the rights on a resource may use the rights on itself and on any direct or indirect parent. The rights on a database are more complex, since they use the ACL on the root, on the related bases sets and on this database. At each parent level (since there is the 'AND' logical operator between all of them), including the root 'MySQL server' level for instance, only the first applicable ACL is selected. This is why the ACL sorting in each ACL list is so important. The only exception is at the database level. Two so-called to-be-mixed ACL are used in the sentence (user non-conditional ACL on a database-specific target AND host non-conditional ACL on the database-specific target) to produce the effective rights from the database level. This is true only if the previous ACL at this level do not match, because the ACL sorting puts first the conditional user/host ACL, then the non-conditional 'accounts-for-hosts group' ACL, and so the to-be-mixed ACL are at the end of the sorted list.
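The two-step selection above, as an added worked example that is not part of the Access Road code: a small Python model (Python rather than the project's Java, because it models MySQL's own rule and not the Access Road API) of the MySQL 5.x grant-table matching that this class reproduces. The grant rows are constructed sample data; connection_pair() and effective_privileges() are this example's own names, not methods of NodeRightsMySQLImpl. It shows the first step (the first matching root ACL becomes the current user, which can silently be an anonymous account rather than the named one), the first-selected-single-output rule at each level, and the to-be-mixed case where the user's database ACL and the host's database ACL are intersected, which is the situation the detectAddonFinalAllNodes() description flags with C_FIRST_RATE. As the page describes, the SAME current user pair is reused at every level.

```python
import re

# Constructed sample grant rows (not Access Road data). Their shapes mirror the
# MySQL grant tables that the ACL categories described above map onto.
USER_ROWS = [   # mysql.user: (user, host, privileges) = ACL on the root 'MySQL server'
    ("jerry", "%",         {"USAGE", "SELECT"}),
    ("",      "localhost", {"USAGE"}),           # anonymous account on localhost
    ("root",  "localhost", {"USAGE", "ALL"}),
]
DB_ROWS = [     # mysql.db: (user, host, db, privileges); host "" = to be mixed with HOST_ROWS
    ("jerry", "%",  "shop", {"INSERT"}),
    ("jerry", "",   "hr",   {"SELECT", "UPDATE", "DELETE"}),
]
HOST_ROWS = [   # mysql.host: (host, db, privileges) = host non-conditional ACL on a database
    ("%", "hr", {"SELECT", "UPDATE"}),
]
TABLE_ROWS = [  # mysql.tables_priv: (user, host, db, table, privileges)
    ("jerry", "%", "shop", "orders", {"UPDATE"}),
]


def host_matches(pattern, host):
    """Host column matching: '%' and '_' are SQL LIKE wildcards, case-insensitive."""
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, host, re.IGNORECASE) is not None


def host_rank(host):
    """Lower is more specific. A blank host sorts last: it is the to-be-mixed db ACL."""
    if host == "":
        return 3
    if host == "%":
        return 2
    return 1 if ("%" in host or "_" in host) else 0


def acl_sort_key(user, host):
    """MySQL ACL sorting: most specific host first, then named users before anonymous."""
    return (host_rank(host), 0 if user else 1)


def first_match(rows, key, pred):
    """First-selected-single-output rule: only the first matching row of the sorted list counts."""
    for row in sorted(rows, key=key):
        if pred(row):
            return row
    return None


def connection_pair(user, host):
    """Step 1: the first mysql.user row matching the connecting (user, host) is the
    MySQL 'current user'. Returns the row (user, host, privileges), or None."""
    return first_match(
        USER_ROWS,
        lambda r: acl_sort_key(r[0], r[1]),
        lambda r: r[0] in (user, "") and host_matches(r[1], host),
    )


def effective_privileges(user, host, db, table=None):
    """Step 2: start from the current user's global privileges and OR in what each
    lower level grants to the SAME current user. Returns ((user, host), privileges)."""
    cur = connection_pair(user, host)
    if cur is None:
        return None                               # not even USAGE: the connection is refused
    cu, ch, privs = cur[0], cur[1], set(cur[2])

    db_row = first_match(
        DB_ROWS,
        lambda r: acl_sort_key(r[0], r[1]),
        lambda r: r[0] == cu and r[2] == db and (r[1] == "" or host_matches(r[1], ch)),
    )
    if db_row is not None:
        if db_row[1] == "":
            # to-be-mixed case: user db ACL AND host db ACL, i.e. the intersection.
            # Rights the host row lacks (DELETE on hr below) are silently dropped.
            host_row = first_match(
                HOST_ROWS,
                lambda r: host_rank(r[0]),
                lambda r: r[1] == db and host_matches(r[0], ch),
            )
            privs |= (db_row[3] & host_row[2]) if host_row else set()
        else:
            privs |= db_row[3]

    if table is not None:
        t_row = first_match(
            TABLE_ROWS,
            lambda r: acl_sort_key(r[0], r[1]),
            lambda r: r[0] == cu and r[2] == db and r[3] == table and host_matches(r[1], ch),
        )
        if t_row is not None:
            privs |= t_row[4]
    return (cu, ch), privs


if __name__ == "__main__":
    for who in [("jerry", "10.0.0.5", "shop", "orders"),
                ("jerry", "10.0.0.5", "hr", None),
                ("jerry", "localhost", "shop", "orders")]:
        print(who, "->", effective_privileges(*who))
```

The jerry@localhost case is the one to look at: the anonymous ''@'localhost' row sorts before 'jerry'@'%' because a literal host is more specific than '%', so the named account's grants never apply and the connection ends up with USAGE only. That is exactly why a view must show which current user a path runs under, and why the host-level intersection on the hr database cannot be read as "the user has the host's rights".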

The following comments are about all the NodeRights in the AcsAddon framework. The specialized methods of an AcsAddon are in a NodeRightsImpl subclass, and they are called by an overridden NodeRights AcsAddon method; there is no name pattern for these methods; they use the generic properties of a node and its environment, but they also handle the original properties of the AcsAddon node. Since an AcsAddon may be based on another AcsAddon, a NodeRightsImpl subclass may have another NodeRightsImpl subclass as super class.

The only direct calls to the MySQL ACS in this class are .... Upper-level methods begin with get...(), with...() and detect...(), middle-level methods begin with select...().

See Also:
NodeRightsImpl, LinkRightsMySQLImpl.addDisplayableLink(ARoad0.CNot.DisplayableLinkImpl, java.util.Map)

Field Summary
 java.lang.String CURRENT_USER
          The current user to add in the AccessControlLink comments.
protected  RightsFactory_Facade facade_
          From the AlgorithmInterpreter
 java.util.List<UserIDMySQL> l_accounts_
          List of the accounts in the view
(package private)  java.util.List<AclEntry> l_acl_for_one_level_
           
 java.util.List<ActorMySQL> l_actors_
          List of the actors in the view
 java.util.List<GroupIDMySQL> l_hosts_
          List of the hosts in the view
(package private)  java.util.Set<StringRight> l_inheritedRightsResult_
          For getL_accessRightsThroughNodesTree().
 java.util.List<VirtualFolderMySQL> l_vfolders_
          List of the virtual folders in the view
 
Fields inherited from class ARoad0.gWork.NodeRightsImpl
aclFact_, interpreter_, link_, linkUtil_, priFact_, utility_
 
Fields inherited from interface ARoad0.gWorkInterface.NodeRights
INITIAL_CAPACITY
 
Constructor Summary
NodeRightsMySQLImpl(AlgorithmInterpreter _interpreter, LinkRightsImpl _utility)
          Only one constructor, called by RightsMediatorImpl.
 
Method Summary
 java.util.Map detectAddon2Nodes(EPRViewInBase _viewInBase, ImmutableTarget _node, java.util.Map _m_l_DisplayableLinks, BaseObject _center)
          Adds and removes the AcsAddon specific rights: (1) adds a simple link to a MySQL proxied account having one or several proxy accounts as a non-generic alias.
 java.util.Map detectAddonFinal3Nodes(EPRViewInBase _viewInBase, ImmutableTarget _node, java.util.Map _m_l_DisplayableLinks)
          Removes some 3-nodes DisplayableLinkImpls: (1) from an Actor which is a view delegate (then has a VirtualFolder alias), to a Resource the same VirtualFolder does not have as element.
 java.util.Map detectAddonFinalAllNodes(EPRViewInBase _viewInBase, ImmutableTarget _node, java.util.Map _m_l_DisplayableLinks, java.util.Map<ImmutableName,java.util.Set<StringRight>> _m_effectiveRights)
          This method adds 4 types of GLOBAL comments on some access paths.
 java.util.List<StringRight> detectL_aclEntryRights(ImmutableResource _res, ImmutableEligibleParty _ep, boolean _onlyNonConditionalACLs)
          Gets all the rights of the relevant direct AclEntries managed by the MySQL Resource for a given EligibleParty, following the ACL sorting and the selection of the first matched ACL.
protected  java.util.List<StringRight> detectL_aclEntryRightsForDatabaseForToBeMixedAcl(ImmutableResource _res, UserIDMySQL _usr, GroupIDMySQL _grp, java.util.List<AclEntry> _l_resAcl)
          Gets the applicable rights from the first applicable direct or inherited ACL on a Resource which is a database, but without reading of the non-mixed ACL of this database.
protected  java.util.List<StringRight> detectL_aclEntryRightsNOTForToBeMixedAcl(ImmutableResource _res, UserIDMySQL _usr, GroupIDMySQL _grp, java.util.List<AclEntry> _l_resAcl)
          Gets the applicable rights from the first applicable direct or inherited ACL on a Resource which is not a database, or for the database rights not from the to-be-mixed ACL.
 void finalizeForProcess()
          Finalizes the instance.
 java.util.List<GroupIDMember> getConnectionPair(UserIDMySQL _ep)
          Gets the first current user, that is the pair (user, simple host or accounts-for-hosts group) under which the connection of _ep is done on the MySQL server.
 boolean getDetectAddon2Nodes()
          Called by RightsFactory_Facade.
 boolean getDetectAddonFinal3Nodes()
          Called by RightsFactory_Facade.
 boolean getDetectAddonFinalAllNodes()
          Called by RightsFactory_Facade.
 AccessControlLinkImpl getL_accessRightsThroughNodesTree(ImmutableLeaf _res, ImmutableEligibleParty _ep, ImmutableGroupID _grp)
          This important method returns in an AccessControlLink the inherited rights that are given by the directory tree, as inherited rights on a resource.
 AccessControlLinkImpl getMergedInheritedAclPriRightsAndComments(ImmutableSource _so, ImmutableLeaf _targ, AccessControlLinkImpl _upd_acLink, StringRight[] _l_transientInheritedRights)
          Gets the effective ACL rights of the source on the target when there are non-null inherited rights through the nodes tree, adds the current user as comment, and adds the comment 'database mixed ACL' for the direct AclEntries on databases.
 boolean getSelectAddonLastViewNodeAfterGroupIDMember()
          Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the final loop on the view nodes, and by ThreeNodesRightsFactoryImpl.endsPathsFromGroupIDMemberWithAclPrivilege().
 boolean getSelectAddonNewHiddenNodeForGroupIDMember()
          Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the central loop on the intermediate nodes, and by ThreeNodesRightsFactoryImpl.addPathsFromGroupIDMemberAcsAddonRelationActor() and addPathsFromGroupIDMemberAcsAddonRelationNoActor().
 DisplayableLinkImpl selectAddonLastViewNodeAfterGroupIDMember(EPRViewInBase _viewInBase, ImmutableTarget _target, DisplayableLinkImpl _dLink, java.util.Map _m_l_DisplayableLinks)
          Detects the view target that is linked to a GroupIDMember, to extend the current DisplayableLink ended by this GroupIDMember.
 java.util.List<DisplayableLinkImpl> selectAddonNewHiddenNodeForGroupIDMember(EPRViewInBase _viewInBase, ImmutableGroupIDMember _node, java.util.Set<DisplayableLinkImpl> _l_dLinks, java.util.Map _m_l_DisplayableLinks, java.util.List<ACSObject> _upd_l_NoProxyOrNoExecuteNodes)
          Detects the hidden actors that are linked to a GroupIDMember as access source, to extend the current DisplayableLinkImpls this GroupIDMember ends.
 java.lang.String toString()
           
 boolean withAccessThroughNodesTreeFromEP(ImmutableSource _ep, ImmutableLeaf _res, ImmutableGroupIDMember _ep_2)
          This method is designed to be fast, and to return true if the resource tree allows the source to access the leaf through the inherited ACL rights.
protected  boolean withAclAccessThroughNodesTree(ImmutableResource _res, ImmutableEligibleParty _ep, ImmutableGroupID _grp)
          Returns true if the AclEntry inherited rights in the resources tree allow the EligibleParty _ep to access the resource.
 
Methods inherited from class ARoad0.gWork.NodeRightsImpl
detectAddon3Nodes, detectAddonFinal2Nodes, detectL_linkedPrivilegeRights, getDetectAddon3Nodes, getDetectAddonFinal2Nodes, getSelectAddonLastViewNodeAfterActor, getSelectAddonLastViewNodeAfterVirtualFolder, getSelectAddonNewHiddenNodeForActor, getSelectAddonNewHiddenNodeForVirtualFolder, selectAddonLastViewNodeAfterActor, selectAddonLastViewNodeAfterVirtualFolder, selectAddonNewHiddenNodeForActor, selectAddonNewHiddenNodeForVirtualFolder, selectDirectOwnerContainGlobalForActorAsEP, selectForGroupIDMemberItsHiddenActorsWithNextLinks, selectHiddenButNoDirectGroupLinks, selectHiddenDirectGroupIDForGroupIDMember, selectHiddenDirectOwnerContainForActorAsResource, selectHiddenDirectOwnerContainForTarget, selectHiddenDirectOwnerContainGlobalForActorAsEP, withAgoAccessThroughNodesTree, withPriAccessThroughNodesTree
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

CURRENT_USER

public java.lang.String CURRENT_USER
The current user to add in the AccessControlLink comments.


l_accounts_

public java.util.List<UserIDMySQL> l_accounts_
List of the accounts in the view


l_actors_

public java.util.List<ActorMySQL> l_actors_
List of the actors in the view


l_hosts_

public java.util.List<GroupIDMySQL> l_hosts_
List of the hosts in the view


l_vfolders_

public java.util.List<VirtualFolderMySQL> l_vfolders_
List of the virtual folders in the view


facade_

protected RightsFactory_Facade facade_
From the AlgorithmInterpreter


l_inheritedRightsResult_

java.util.Set<StringRight> l_inheritedRightsResult_
For getL_accessRightsThroughNodesTree().


l_acl_for_one_level_

java.util.List<AclEntry> l_acl_for_one_level_


Constructor Detail

NodeRightsMySQLImpl

public NodeRightsMySQLImpl(AlgorithmInterpreter _interpreter,
                           LinkRightsImpl _utility)
Only one constructor, called by RightsMediatorImpl. Calls the superclass constructor.

Parameters:
_interpreter - algorithm interpreter of this view
_utility - LinkRightsImpl or one of its subclass, to use for processing this node
Method Detail

getSelectAddonLastViewNodeAfterGroupIDMember

public boolean getSelectAddonLastViewNodeAfterGroupIDMember()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the final loop on the view nodes, and by ThreeNodesRightsFactoryImpl.endsPathsFromGroupIDMemberWithAclPrivilege().

Specified by:
getSelectAddonLastViewNodeAfterGroupIDMember in interface NodeRights
Overrides:
getSelectAddonLastViewNodeAfterGroupIDMember in class NodeRightsImpl
Returns:
true if the selectAddonLastViewNodeAfterGroupIDMember method provides some work in this class.

getSelectAddonNewHiddenNodeForGroupIDMember

public boolean getSelectAddonNewHiddenNodeForGroupIDMember()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the central loop on the intermediate nodes, and by ThreeNodesRightsFactoryImpl.addPathsFromGroupIDMemberAcsAddonRelationActor() and addPathsFromGroupIDMemberAcsAddonRelationNoActor().

Specified by:
getSelectAddonNewHiddenNodeForGroupIDMember in interface NodeRights
Overrides:
getSelectAddonNewHiddenNodeForGroupIDMember in class NodeRightsImpl
Returns:
true since the selectAddonNewHiddenNodeForGroupIDMember method provides some work in this class.

getDetectAddon2Nodes

public boolean getDetectAddon2Nodes()
Called by RightsFactory_Facade.

Specified by:
getDetectAddon2Nodes in interface NodeRights
Overrides:
getDetectAddon2Nodes in class NodeRightsImpl
Returns:
true since the detectAddon2Nodes method provides some work in this class.

getDetectAddonFinal3Nodes

public boolean getDetectAddonFinal3Nodes()
Called by RightsFactory_Facade.

Specified by:
getDetectAddonFinal3Nodes in interface NodeRights
Overrides:
getDetectAddonFinal3Nodes in class NodeRightsImpl
Returns:
true since the detectAddonFinal3Nodes method provides some work in this class.

getDetectAddonFinalAllNodes

public boolean getDetectAddonFinalAllNodes()
Called by RightsFactory_Facade.

Specified by:
getDetectAddonFinalAllNodes in interface NodeRights
Overrides:
getDetectAddonFinalAllNodes in class NodeRightsImpl
Returns:
true since the detectAddonFinalAllNodes method provides some work in this class.

selectAddonNewHiddenNodeForGroupIDMember

public java.util.List<DisplayableLinkImpl> selectAddonNewHiddenNodeForGroupIDMember(EPRViewInBase _viewInBase,
                                                                                    ImmutableGroupIDMember _node,
                                                                                    java.util.Set<DisplayableLinkImpl> _l_dLinks,
                                                                                    java.util.Map _m_l_DisplayableLinks,
                                                                                    java.util.List<ACSObject> _upd_l_NoProxyOrNoExecuteNodes)
Detects the hidden actors that are linked to a GroupIDMember as access source, to extend the current DisplayableLinkImpls this GroupIDMember ends. Two lists are returned to separate the executing right-proxy nodes: the last argument may be updated to provide the second returned value, and it contains only the nodes whose property changes have to be listened to.

This method covers two cases:

(1) Extends AclRightsFactoryImpl.selectDirectHiddenAclBridgeLinksToActorForEP() to the search of the inherited AclEntries, with the argument _withFinalExecute true. With an internal ACL, the AG context is transferred by the core algorithms. The method selectAddonNewHiddenNodeForGroupIDMember() is needed to detect if the second end is running under its current UserID or GroupID. MySQL actors are not ACL sources. There is no need to override selectForGroupIDMemberItsHiddenActorsWithNextLinks() for detecting actors with inherited AclEntries.

(2) Adds an ALIAS link, when the GroupIDMember is a ProxyMySQL, to its UserIDMySQL proxied account if it is not in the view. To mimic the 'See Why' generic text, it adds the comment '-- All Rights: PROXY'.

Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the starting and central loops, to analyze the inherited ACLs. Overrides and calls first the super method.

Specified by:
selectAddonNewHiddenNodeForGroupIDMember in interface NodeRights
Overrides:
selectAddonNewHiddenNodeForGroupIDMember in class NodeRightsImpl
Parameters:
_viewInBase - EPRViewInBase. Never null.
_node - node of this instance. Never null.
_l_dLinks - list of links with _node as second end. May be null.
_m_l_DisplayableLinks - immutable Map of DisplayableLinks lists (one per pair), never to be updated in this method.
_upd_l_NoProxyOrNoExecuteNodes - updated by the adding of the hidden nodes without executing right or which are not right-proxy nodes, if any. This list is only extended if necessary, as a complement of the returned value of the method. This argument is usually empty at the call of this method, but this is not mandatory. Never null.
Returns:
new DisplayableLinkImpls that are extensions or updates of some DisplayableLinkImpls in _l_dLinks with an Actor or a UserID as the second end, or null. If _l_dLinks is null, returns only simple links. May be null but never empty.

selectAddonLastViewNodeAfterGroupIDMember

public DisplayableLinkImpl selectAddonLastViewNodeAfterGroupIDMember(EPRViewInBase _viewInBase,
                                                                     ImmutableTarget _target,
                                                                     DisplayableLinkImpl _dLink,
                                                                     java.util.Map _m_l_DisplayableLinks)
Detects the view target that is linked to a GroupIDMember, to extend the current DisplayableLink ended by this GroupIDMember. Adds an ALIAS link, when the GroupIDMember is a ProxyMySQL, if its UserIDMySQL proxied account is in the view. To mimic the 'See Why' generic text, it adds the comment '-- All Rights: PROXY'. Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the final loop on the view nodes, and by ThreeNodesRightsFactoryImpl.endsPathsFromGroupIDMemberWithAclPrivilegeAlias().

Specified by:
selectAddonLastViewNodeAfterGroupIDMember in interface NodeRights
Overrides:
selectAddonLastViewNodeAfterGroupIDMember in class NodeRightsImpl
Parameters:
_viewInBase - EPRViewInBase. Never null.
_target - view node, not the node of this instance. Never null.
_dLink - with a GroupIDMember as second end and node of this instance. Never null.
_m_l_DisplayableLinks - immutable Map of DisplayableLinks lists (one per pair), never to be updated in this method.
Returns:
new DisplayableLinkImpl that is an extension of _dLink with _target as the second node, or null. Never empty.

detectAddon2Nodes

public java.util.Map detectAddon2Nodes(EPRViewInBase _viewInBase,
                                       ImmutableTarget _node,
                                       java.util.Map _m_l_DisplayableLinks,
                                       BaseObject _center)
Adds and removes the AcsAddon specific rights:

(1) adds a simple link to a MySQL proxied account having one or several proxy accounts as a non-generic alias.

(2) removes a simple link from an account when the current host for the connection is an accounts-for-hosts group, and when this group is in the view, since there is already a link from the account to this group, and another link from this group to the target of the simple link to remove.

Caution: if the current host for the connection is the simple host of the account, this means the indirect path through the accounts-for-hosts group is not an effective path. In this case, the method detectAddonFinalAllNodes() sets an AccessControlLink.C_FIRST_RATE as GLOBAL comment on the direct path.

The specific rights are searched for all sources in the view. For a sketch view, this method may return new DisplayableLinks from _center to _node, if any, but also new DisplayableLinks from the view sources to _center when _node is _center. Synchronized to _viewInBase by RightsFactory_Facade.

Specified by:
detectAddon2Nodes in interface NodeRights
Overrides:
detectAddon2Nodes in class NodeRightsImpl
Parameters:
_viewInBase - EPRViewInBase
_node - node of this instance
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
_center - is the central object of a sketch view. Null if it is not a sketch view.
Returns:
Map of DisplayableLinks, with 'other' links associated to every pair (EP,Resource).
See Also:
NodeRightsImpl.detectAddonFinal2Nodes(ARoad0.gBaseInterface.EPRViewInBase, ARoad0.gBaseInterface.ImmutableTarget, java.util.Map, ARoad0.gBaseInterface.BaseObject)

detectAddonFinal3Nodes

public java.util.Map detectAddonFinal3Nodes(EPRViewInBase _viewInBase,
                                            ImmutableTarget _node,
                                            java.util.Map _m_l_DisplayableLinks)
                                     throws java.lang.InterruptedException
Removes some 3-nodes DisplayableLinkImpls:

(1) from an Actor which is a view delegate (then has a VirtualFolder alias), to a Resource the same VirtualFolder does not have as element. This case occurs only when the Actor has a current UserID (the MySQL DEFINER account of the view).

(2) from an Actor which is a trigger, to a Resource that is not a child of the Actor parent, that is the MySQL table of the trigger.

The stored procedures and the stored functions may have access to any MySQL Resource outside their database. Called by RightsFactory_Facade. Synchronized to _viewInBase by RightsFactory_Facade.

Specified by:
detectAddonFinal3Nodes in interface NodeRights
Overrides:
detectAddonFinal3Nodes in class NodeRightsImpl
Parameters:
_viewInBase - EPRViewInBase
_node - node of this instance
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
Returns:
Map of DisplayableLinks
Throws:
java.lang.InterruptedException
See Also:
NodeRightsImpl.detectAddon3Nodes(ARoad0.gBaseInterface.EPRViewInBase, ARoad0.gBaseInterface.ImmutableTarget, java.util.Map)

detectAddonFinalAllNodes

public java.util.Map detectAddonFinalAllNodes(EPRViewInBase _viewInBase,
                                              ImmutableTarget _node,
                                              java.util.Map _m_l_DisplayableLinks,
                                              java.util.Map<ImmutableName,java.util.Set<StringRight>> _m_effectiveRights)
                                       throws java.lang.InterruptedException
This method adds 4 types of GLOBAL comments on some access paths.

(1) Detecting when the user/target path 'overrides' or 'underrides' all the other paths, this method puts AccessControlLink.C_FIRST_RATE as GLOBAL comment in the simple DisplayableLinkImpl for the couple (user, target). The aim is to display the user/target arrow with a double width, while there is also a link for the couple (accounts-for-hosts group, target).

(2) Detecting when the actor/target path 'overrides' or 'underrides' all the other paths, this method puts AccessControlLink.C_FIRST_RATE as GLOBAL comment on the last link of the non-simple DisplayableLinkImpl for the couple (actor, target). The aim is to display that last arrow of the actor/target path with a double width, while there is also a link for the couple (accounts-for-hosts group, target).

(3) This method puts AccessControlLink.C_WEAK_LINK as GLOBAL comment in the first DisplayableLinkImpl for each couple (accounts-for-hosts group, target), while there is no couple (host, target) or (hosts group, target).

(4) This method puts AccessControlLink.C_WEAK_LINK as GLOBAL comment in the first DisplayableLinkImpl for each couple (virtual folder, virtual member) if the alias of the virtual folder runs under an account into the view. This is the MySQL DEFINER mode, where the account defines the effective rights on the virtual folder member. There is then a direct path from the account to the member, and the path (virtual folder, member) is weak.

These cases are detailed hereinafter.

For the MySQL ACS only, the simple access paths user/resource may be misread. The MySQL algorithm includes the access rule '(one user privilege on database AND one host privilege on database)'. The case to handle is when an Access Road view contains a UserID, some host GroupIDs and, as target, a database or one of its children. The database child inherits the database ACLs. The path user/(database or database child) may have to be processed if the user is a (direct or indirect) member of a host, while the host has non-conditional ACL rights on the database. The usual reading of the Access Road view tells us that the user has some rights on the target through the host(s). But this reading may be wrong, since the host non-conditional ACL is fully applicable to the user only if there is another non-conditional ACL, with at least the same rights, from the user to the target. If that is not the case, it is necessary to indicate that the user/target arrow 'overrides' the multiple-arrows path user/host(s)/target in the Access Road view. The user/target arrow must then be displayed as a double-width arrow. This is the generic way to avoid a wrong reading of the view. If this occurs for a MySQL target in an Access Road view, the method detectAddonFinalAllNodes() provides the following actions:

- if there is a simple DisplayableLinkImpl from the user to the target, the property AccessControlLink.C_FIRST_RATE is set on it,

- otherwise, this simple DisplayableLinkImpl is added with a disabled right, that is the MySQL USAGE right.

This method adds the constant AccessControlLink.C_WEAK_LINK as GLOBAL comment in the first DisplayableLinkImpl for the couples (host, target) and (user, target), when the rights are weak because they are not considered in the context of a user or they are not effective MySQL rights.

Note: to speed up this method, the argument _m_effectiveRights is set from the initial argument _m_l_DisplayableLinks before the first call to this method, and for a given EPR view. _m_effectiveRights is then immutable while _m_l_DisplayableLinks may be updated by this method. This is not the case for the NoThan views. For the EPR views, this behavior implies that this method provides independent changes for each _node for which it is called, so that the initial _m_effectiveRights remains usable. Called by RightsFactory_Facade.

Specified by:
detectAddonFinalAllNodes in interface NodeRights
Overrides:
detectAddonFinalAllNodes in class NodeRightsImpl
Parameters:
_viewInBase - EPRViewInBase
_node - node of this instance
_m_effectiveRights - non-null Map where the keys are the _m_l_DisplayableLinks keys where rights are activated, and the value is a set of StringRights. May be empty.
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
Returns:
Map of DisplayableLinks
Throws:
java.lang.InterruptedException

detectL_aclEntryRights

public java.util.List<StringRight> detectL_aclEntryRights(ImmutableResource _res,
                                                          ImmutableEligibleParty _ep,
                                                          boolean _onlyNonConditionalACLs)
Gets all the rights of the relevant direct AclEntries managed by the MySQL Resource for a given EligibleParty, following the ACL sorting and the selection of the first matched ACL. Inherited AclEntries are not covered. For an accounts-for-hosts group, this method calls detectL_aclEntryRightsNOTForToBeMixedAcl() with a null UserIDMySQL argument. The selection of the ACL is explained in the documentation of DirectoryMySQLImpl. These AclEntries cannot be managed by different ACSs, and there are no negative rights in MySQL. Note: this method is sensitive, since it is indirectly used by the one-link method, the two-link method and a multiple-links method. Called by AclRightsFactoryImpl.addAclInAccessControlLink(). Calls getConnectionPair(), detectL_aclEntryRightsNOTForToBeMixedAcl(), detectL_aclEntryRightsForDatabaseNOTForToBeMixedAcl() and detectL_aclEntryRightsForDatabaseForToBeMixedAcl().

Specified by:
detectL_aclEntryRights in interface NodeRights
Overrides:
detectL_aclEntryRights in class NodeRightsImpl
Parameters:
_res - of this instance, with some AclEntries to filter
_ep - must be an account or an accounts-for-hosts group
_onlyNonConditionalACLs - true to read only the non-conditional AclEntries. Always false and unused into the MySQL AcsAddon.
Returns:
list of rights, or null. The NodeRights contract allows positive or negative rights from different ACSs, but for the MySQL AcsAddon the list only ever holds positive rights from a single ACS (see above).
See Also:
DirectoryMySQLImpl

withAccessThroughNodesTreeFromEP

public boolean withAccessThroughNodesTreeFromEP(ImmutableSource _ep,
                                                ImmutableLeaf _res,
                                                ImmutableGroupIDMember _ep_2)
This method is designed to be fast, and to return true if the resource tree allows the source to access the leaf through the inherited ACL rights. The Resources root 'MySQL server' has no inherited AclEntries but it may still grant some access. This is why this method overrides the super method. The AGO and PRI inherited rights are not processed.

In the ACS MySQL, the effective rights on a resource are selected by a two-step algorithm, derived from the MySQL specification. Only the AclEntries of the root 'MySQL server' are considered by this method, together with the bases set ACL. An Actor has no inherited rights.

Called by AclRightsFactoryImpl.addAclInAccessControlLink(), ThreeNodesRightsFactoryImpl.endsPathsFromGroupIDMemberWithAclPrivilegeMemberOwnContain(), CompoundRightsFactoryImpl.detectHiddenCompoundEpRights(). Calls withAclAccessThroughNodesTree() to do the main job.

Specified by:
withAccessThroughNodesTreeFromEP in interface NodeRights
Overrides:
withAccessThroughNodesTreeFromEP in class NodeRightsImpl
Parameters:
_ep - Actor, UserID or GroupID to test. If null, returns true. If its ACS does not manage any rights inheritance, returns true.
_res - Resource or VirtualFolder of this instance, which may be accessed or not through its parent tree. Never null.
_ep_2 - the group member which may be accessed by _ep. Never read here.
Returns:
true if the resource parent tree allows _ep to go down to the resource, or if _ep is null.
See Also:
getL_accessRightsThroughNodesTree(ARoad0.gBaseInterface.ImmutableLeaf, ARoad0.gBaseInterface.ImmutableEligibleParty, ARoad0.gBaseInterface.ImmutableGroupID)

getL_accessRightsThroughNodesTree

public AccessControlLinkImpl getL_accessRightsThroughNodesTree(ImmutableLeaf _res,
                                                               ImmutableEligibleParty _ep,
                                                               ImmutableGroupID _grp)
This important method returns in an AccessControlLink the inherited rights that are given by the directory tree, as inherited rights on a resource. The result sets only the type AccessControlLink.ACL. If there is at least one conditional ACL, the result contains the comment 'conditional ACL' for the relevant type. Furthermore, the conditional group names are added in the comment, as in AclRightsFactoryImpl.addAclInAccessControlLink() for the direct ACLs. This method has to be called only on the NodeRightsImpl instance of the argument _res. There is never a bottom-up search in the resource tree to find the applicable rights. The default algorithm in NodeRightsImpl is overridden and unused.

The set of applicable rights on a target is derived from the direct AclEntries on this target, or, as inherited AclEntries, from one of its (in)direct parents or from a matched bases set. The database is a special parent, having the most complex rights. A first, but not unique, difference is that it may have complementary ACL copied from the bases sets that this database matches. For instance, the bases set named 'on%' matches the database named 'one', and all the 'on%' direct ACL are then copied by the class BasesSetMySQLImpl into the 'one' direct ACL list.

In the ACS MySQL, the effective rights of a user on a resource are selected by a two-step algorithm, derived from the MySQL specification, that is described in the documentation of the class DirectoryMySQLImpl. All the ACL sorting for a given parent level is the responsibility of the method BaseUtilityMySQLImpl.addInSortedAclList() and the related methods in the same class, like addAclNOTForDatabase().

If the argument _ep is a MySQL user, this method may return its inherited rights through an accounts-for-hosts group or a host group the account belongs to. In the second case, to comment the returned AccessControlLink for the 'See Why' text, this method adds the comment 'implies two database inherited to-be-mixed ACL'. On the other hand, the comment 'implies two direct to-be-mixed ACL' is added by getMergedInheritedAclPriRightsThroughNodesTree() for the direct ACLs.

The user groups may have conditional ACLs, but they are never passed as the argument _grp, since the group to use is in the current user for the argument _ep. This is why the argument _grp is unused in this method.

In all cases, the method getMergedInheritedAclPriRightsThroughNodesTree() is responsible for setting the effective ACL rights, from the inheritance or not. To have effective rights, the array of inherited rights must not be null, but it may be empty. It is used to get the rights for the initial pair (user, host) at each parent level. If the current user has only a USAGE right on the root and if, for a given Resource, the current user has no other inherited ACL on the target, then no right is granted. This method is strongly coupled to withAccessThroughNodesTreeFromEP() and withAclAccessThroughNodesTree(). It is designed to be fast.

Calls Resource.getEorImmutableL_TargetInheritedAclEntries(), getConnectionPair() and, for doing the main job, detectL_aclEntryRightsNOTForToBeMixedAcl() and detectL_aclEntryRightsForDatabaseForToBeMixedAcl(). Called only by AclRightsFactoryImpl.addAclInAccessControlLink().

Specified by:
getL_accessRightsThroughNodesTree in interface NodeRights
Overrides:
getL_accessRightsThroughNodesTree in class NodeRightsImpl
Parameters:
_res - Resource or VirtualFolder of this instance, which may be accessed or not through its parent tree. May be null.
_ep - the UserID of _res or another UserID. Null only if _grp is not null.
_grp - an accounts-for-hosts group. Null only if _ep is not null.
Returns:
link with the AccessControlLink.ACL rights given by the parents tree, and the comments. Null only when an error occurs: if _res or its ACS is null, if the ACSs are not the same, or if the group is forbidden. Empty if _res has no parent, has no inherited rights, or is a bases set.
See Also:
DirectoryMySQLImpl, withAccessThroughNodesTreeFromEP(ARoad0.gBaseInterface.ImmutableSource, ARoad0.gBaseInterface.ImmutableLeaf, ARoad0.gBaseInterface.ImmutableGroupIDMember), getMergedInheritedAclPriRightsAndComments(ARoad0.gBaseInterface.ImmutableSource, ARoad0.gBaseInterface.ImmutableLeaf, ARoad0.CNot.AccessControlLinkImpl, ARoad0.gBaseInterface.StringRight[])

getMergedInheritedAclPriRightsAndComments

public AccessControlLinkImpl getMergedInheritedAclPriRightsAndComments(ImmutableSource _so,
                                                                       ImmutableLeaf _targ,
                                                                       AccessControlLinkImpl _upd_acLink,
                                                                       StringRight[] _l_transientInheritedRights)
Gets the effective ACL rights of the source on the target when there are non-null inherited rights through the nodes tree, adds the current user as a comment, and adds the comment 'database mixed ACL' for the direct AclEntries on databases. The argument _l_transientInheritedRights contains the inherited rights getL_accessRightsThroughNodesTree() has found.

In this MySQL AcsAddon class, the inherited rights are simply added to the direct rights already set in the argument _upd_acLink. This method adds the CURRENT_USER, calls the super method to do its work, then adds 'conditional ACL' in the ACL comment, with the condition group names, for each non-inherited conditional ACL when the leaf is a database.

For a database, it also adds a second comment 'implies two direct to-be-mixed ACL' which is specific to this MySQL AcsAddon, since it is used to give the group in a couple of two non-conditional non-inherited ACLs on a database. For a bases set, it adds a GLOBAL comment AccessControlLink.C_WEAK_LINK. The comment 'implies two database inherited to-be-mixed ACL' is added by getL_accessRightsThroughNodesTree().

This method is derived from detectL_aclEntryRights() and the super method. Calls detectL_aclEntryRightsNOTForToBeMixedAcl() and detectL_aclEntryRightsForDatabaseForToBeMixedAcl(). Called by AclRightsFactoryImpl.addAclInAccessControlLink().

Specified by:
getMergedInheritedAclPriRightsAndComments in interface NodeRights
Overrides:
getMergedInheritedAclPriRightsAndComments in class NodeRightsImpl
Parameters:
_so - source for which the rights on _targ have to be set
_targ - Resource or VirtualFolder of this instance. May be null.
_upd_acLink - contains the direct ACL or LPRI rights, if any. Never null. May be empty.
_l_transientInheritedRights - has to be from getL_accessRightsThroughNodesTree(). Never null. May be empty.
Returns:
_upd_acLink with the effective ACL or LPRI rights of the source on the target. May be null.

finalizeForProcess

public void finalizeForProcess()
Finalizes the instance. Called by RightsMediatorImpl.finalizeForProcess().

Specified by:
finalizeForProcess in interface NodeRights
Overrides:
finalizeForProcess in class NodeRightsImpl

toString

public java.lang.String toString()
Overrides:
toString in class NodeRightsImpl
Returns:
a descriptor

getConnectionPair

public java.util.List<GroupIDMember> getConnectionPair(UserIDMySQL _ep)
Gets the first current user, that is the pair (user, simple host or accounts-for-hosts group) under which the connection of _ep is done on the MySQL server. The proxy account is an exception: this method does not find its current user, which is always its proxied account. The result depends only on the direct ACL of the root 'MySQL server', and on their sorting in the relevant list. The returned group cannot be a hosts group. The direct ACL of the root 'MySQL server' are used to state whether there is an authorization for accessing the server, with at least the right 'USAGE'. This connection pair is indeed the MySQL 'current user' for analyzing the rights on any first node in the access paths. If an intermediate node is an Actor in the MySQL DEFINER mode, the 'current user' may change along the access path. Called by detectL_aclEntryRights(), getL_accessRightsThroughNodesTree() and, first of all, by withAclAccessThroughNodesTree().

Parameters:
_ep - the userID for which there is a connection request to the MySQL Server. May be null.
Returns:
the current user (user, simple host or accounts-for-hosts group). Null if there is no access to the server, or if _ep is null. The returned account may be 'anonymous'.
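The first step of MySQL access control described above (sorting the root 'MySQL server' accounts from most to least specific, then taking the first row that matches the connecting (user, host) pair as the current user) can be simulated in a few lines. The following Python model is an added example written for this page; it is not code from the Access Road project, and it deliberately uses Python rather than the project's Java so that it runs stand-alone. The account rows are constructed sample data, and the specificity weighting is a simplified reading of the MySQL documentation (literal values first, patterns ranked by the position of their first wildcard, blank values last).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Account:
    """One row of the root 'MySQL server' ACL: a (user, host) pair and its global privileges."""
    user: str          # '' is the anonymous user and matches any user name
    host: str          # literal host, a '%'/'_' pattern, or '' (also 'any host')
    privileges: frozenset


def host_matches(pattern: str, host: str) -> bool:
    """MySQL host matching: '%' matches any run, '_' one character, '' matches any host.
    Host comparison is case-insensitive."""
    if pattern == "":
        return True
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def user_matches(account_user: str, user: str) -> bool:
    """The User column takes no wildcards: exact match, or blank (anonymous) matches anyone."""
    return account_user == "" or account_user == user


def specificity(value: str) -> int:
    """Sort weight approximating MySQL's ordering (assumption, simplified from the docs):
    a literal value is most specific (128), a pattern ranks by the 1-based position of its
    first wildcard (a later wildcard is more specific), and a blank value is least specific (0)."""
    if value == "":
        return 0
    for i, c in enumerate(value):
        if c in "%_":
            return min(i + 1, 127)
    return 128


def sorted_accounts(accounts: List[Account]) -> List[Account]:
    """Host specificity first, then user specificity, most specific row first."""
    return sorted(accounts, key=lambda a: (specificity(a.host), specificity(a.user)), reverse=True)


def current_user(accounts: List[Account], user: str, host: str) -> Optional[Account]:
    """Stage-1 access control: the first sorted row matching (user, host) is the current user.
    None means the server refuses the connection."""
    for acct in sorted_accounts(accounts):
        if user_matches(acct.user, user) and host_matches(acct.host, host):
            return acct
    return None


def effective_global_rights(accounts: List[Account], user: str, host: str) -> Set[str]:
    """Global rights come only from the current user's row, never from the initial pair."""
    acct = current_user(accounts, user, host)
    return set(acct.privileges) if acct else set()


# Constructed sample ACL of the root 'MySQL server' (not data from the project).
ACCOUNTS = [
    Account("jerry", "%", frozenset({"USAGE"})),
    Account("jerry", "192.168.1.%", frozenset({"USAGE", "SELECT"})),
    Account("", "localhost", frozenset({"USAGE"})),     # anonymous account, local clients only
    Account("root", "localhost", frozenset({"ALL"})),
]

if __name__ == "__main__":
    for who, where in [("jerry", "localhost"), ("jerry", "192.168.1.7"),
                       ("jerry", "10.0.0.9"), ("tom", "10.0.0.9")]:
        cu = current_user(ACCOUNTS, who, where)
        pair = (cu.user, cu.host) if cu else None
        print(f"{who}@{where} -> current user {pair}, "
              f"rights {sorted(effective_global_rights(ACCOUNTS, who, where))}")
```

With this sample, the pair (jerry, localhost) is served by the anonymous row (''@localhost), because a literal host sorts before 'jerry'@'%' and a blank user matches anyone: the effective rights are USAGE only, which is exactly the "current user may be 'anonymous'" case the method documents and a classic source of surprising MySQL privileges. The same user from 192.168.1.7 is served by 'jerry'@'192.168.1.%' and from 10.0.0.9 by 'jerry'@'%'; a user with no matching row gets no access at all.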

withAclAccessThroughNodesTree

protected boolean withAclAccessThroughNodesTree(ImmutableResource _res,
                                                ImmutableEligibleParty _ep,
                                                ImmutableGroupID _grp)
Returns true if the AclEntry inherited rights in the resources tree allow the EligibleParty _ep to access the resource. For an account, this method simply calls getConnectionPair() to see if there is a connection. For an accounts-for-hosts group, it returns true if the group has a non-null-rights ACL on the root 'MySQL server', and at least one account as a member. Otherwise, it returns false for any group.

A MySQL Actor cannot have direct access to the MySQL resources through AclEntries. An accounts-for-hosts group is not a true self-defined accessor (SDA) and a bases set is not a true access target, since the MySQL server does not deliver effective access in these cases. However, the properties of the MySQL objects have to be complete. An Access Road view must display, as weak links, the access paths involving an accounts-for-hosts group or a bases set. This method, for these two cases, may return 'true'. It is 'true' for a bases set when a bases set ACL produces a database ACL which is copied into the root 'MySQL server'. If there is no database to match the bases set, this method returns 'false' and the bases set ACL is not workable. If there is no ACL on the bases set, it also returns 'false'.

Caution: to follow the AcsAddon pattern, withAccessThroughNodesTreeFromEP() should be the single caller of this method in the generic gWork package. This method is not private, to let the subclasses override it, but it is necessary to call it the same way, that is, never to bypass the method withAccessThroughNodesTreeFromEP(), which chooses the arguments of this method.

Called by withAccessThroughNodesTreeFromEP(). Calls getConnectionPair().

Overrides:
withAclAccessThroughNodesTree in class NodeRightsImpl
Parameters:
_res - Resource of this instance; may be accessed or not through its parent tree
_ep - a userID or an Actor. Null if _grp is not null.
_grp - an accounts-for-hosts group or a simple host or a hosts group. Null if _ep is not null. May return 'true' only for an accounts-for-hosts group.
Returns:
true if the resource parent tree allows going down to the leaf.

detectL_aclEntryRightsNOTForToBeMixedAcl

protected java.util.List<StringRight> detectL_aclEntryRightsNOTForToBeMixedAcl(ImmutableResource _res,
                                                                               UserIDMySQL _usr,
                                                                               GroupIDMySQL _grp,
                                                                               java.util.List<AclEntry> _l_resAcl)
Gets the applicable rights from the first applicable direct or inherited ACL on a Resource which is not a database, or, for a database, the rights not coming from the to-be-mixed ACL. This is also the right method to use when the Resource is a bases set. This method does not use the _res rights maps on the inherited and primary ACL rights. When the argument _res is the root 'MySQL server', this is the single case where the right 'USAGE' may be returned if it is alone. Called by detectL_aclEntryRights() and getL_accessRightsThroughNodesTree(). Calls BaseUtilityMySQLImpl.isAfterAsPatternNameHostsGroup().

Parameters:
_res - of this instance, with some direct AclEntries
_usr - user of the current user. May be null only when _grp is an accounts-for-hosts group.
_grp - group of the current user. May be a simple host or an accounts-for-hosts group, but not another group. Never null.
_l_resAcl - immutable list of direct or inherited AclEntries getL_accessRightsThroughNodesTree() has selected. Never null. May be the instance variable l_acl_for_one_level_.
Returns:
applicable direct-ACL rights, or null.
See Also:
DirectoryMySQLImpl

detectL_aclEntryRightsForDatabaseForToBeMixedAcl

protected java.util.List<StringRight> detectL_aclEntryRightsForDatabaseForToBeMixedAcl(ImmutableResource _res,
                                                                                       UserIDMySQL _usr,
                                                                                       GroupIDMySQL _grp,
                                                                                       java.util.List<AclEntry> _l_resAcl)
Gets the applicable rights from the first applicable direct or inherited ACL on a Resource which is a database, but without reading the non-mixed ACL of this database. Thus, this method has to be called only if the related method detectL_aclEntryRightsForDatabaseNOTForToBeMixedAcl() returns null, since the mixed ACL are sorted after the non-mixed ACL.

The argument _grp may be an accounts-for-hosts group, and then the host part of its name cannot match the hosts group of any non-conditional ACL. Furthermore, there is no multi-level wildcard matching in MySQL: for instance, '192.168.1.%' never matches '192.168.%'. The single match in this case may occur when the groups are not equal but equivalent, like the accounts-for-hosts group 'jerry§@192.168.1.%' as the _grp argument and the hosts group '192.168.1.%' in a non-conditional to-be-mixed ACL.
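The matching rule stated above (a concrete client host is matched against a host pattern with the MySQL wildcards, but a pattern is never matched against another pattern, so an accounts-for-hosts group's host part only applies to an ACL whose hosts group is the identical pattern) and the bases set matching described for getL_accessRightsThroughNodesTree() (the bases set 'on%' matching the database 'one') can be checked with the following added Python example. It is not the project's code: the ACL list, database names and the group-name split at '@' are constructed assumptions made only to illustrate the page's statements.

```python
import re
from typing import List, Optional, Tuple

WILDCARDS = "%_"

# An ACL entry here is reduced to (hosts group or host pattern, granted rights).
Acl = Tuple[str, frozenset]


def like_match(pattern: str, value: str) -> bool:
    """MySQL LIKE-style match: '%' any run, '_' exactly one character, case-insensitive."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def is_pattern(value: str) -> bool:
    """True when the value carries a wildcard, i.e. it names a hosts group, not a single host."""
    return any(c in WILDCARDS for c in value)


def acl_host_applies(acl_host: str, candidate: str) -> bool:
    """Does the hosts group / host pattern of an ACL apply to 'candidate'?
    - a concrete client host is matched with the wildcards;
    - a candidate that is itself a pattern (host part of an accounts-for-hosts group)
      applies only when both patterns are the same string, as there is no
      multi-level wildcard matching ('192.168.1.%' never matches '192.168.%')."""
    if is_pattern(candidate):
        return acl_host.lower() == candidate.lower()
    return like_match(acl_host, candidate)


def host_part(group_name: str) -> str:
    """Host part of an accounts-for-hosts group name written as on this page, e.g.
    'jerry§@192.168.1.%' -> '192.168.1.%' (assumed name format, split at the last '@')."""
    return group_name.rsplit("@", 1)[1]


def first_applicable_acl(sorted_acls: List[Acl], candidate: str) -> Optional[Acl]:
    """First matched ACL wins: 'sorted_acls' must already be ordered most specific first."""
    for acl in sorted_acls:
        if acl_host_applies(acl[0], candidate):
            return acl
    return None


def matching_databases(bases_set_pattern: str, database_names: List[str]) -> List[str]:
    """Databases whose names match a bases set pattern; their direct ACL receive a copy
    of the bases set ACL."""
    return [db for db in database_names if like_match(bases_set_pattern, db)]


# Constructed sample data (not from the project): database ACL already sorted most specific first.
DATABASE_ACLS: List[Acl] = [
    ("192.168.1.%", frozenset({"SELECT"})),
    ("192.168.%", frozenset({"SELECT", "INSERT"})),
    ("%", frozenset({"USAGE"})),
]
DATABASES = ["one", "only", "two"]

if __name__ == "__main__":
    for cand in ["192.168.1.7", "192.168.2.7", host_part("jerry§@192.168.1.%"), "192.168.%", "10.0.%"]:
        print(f"{cand!r:22} -> {first_applicable_acl(DATABASE_ACLS, cand)}")
    print("bases set 'on%' matches", matching_databases("on%", DATABASES))
```

Note the last two candidates: the group host '192.168.%' is served by the ACL for the identical pattern and not by '192.168.1.%', and the group host '10.0.%' matches nothing at all, even though the catch-all '%' ACL would accept any concrete client host. This is why a view must not credit an accounts-for-hosts group with rights obtained by applying the ACL patterns to the group's own pattern.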

This method does not use the _res rights maps on the inherited and primary ACL rights. Called by detectL_aclEntryRights() and getL_accessRightsThroughNodesTree().

Parameters:
_res - of this instance, as a database with some direct AclEntries
_usr - user of the current user
_grp - group of the current user. May be an accounts-for-hosts group, but not a hosts group.
_l_resAcl - immutable list of all the direct AclEntries, or of the AclEntries of the database-specific target getL_accessRightsThroughNodesTree() has selected. Never null. May be the variable l_acl_for_one_level_.
Returns:
applicable ACL rights; null if there are none, and also null when two to-be-mixed ACL match but grant no rights.
See Also:
DirectoryMySQLImpl