java.lang.Object
  ARoad0.gWork.LinkRightsImpl
    ARoad0.AcsAddon.Accbee.MySQL.gWork.LinkRightsMySQLImpl
public class LinkRightsMySQLImpl
This class provides utilities for DisplayableLinkImpls on the MySQL server. It operates on DisplayableLinkImpls and on the inherited rights. An important service is adding a DisplayableLinkImpl to the view map for these objects, and filtering it to follow the MySQL rules. The method addDisplayableLink() is responsible for rejecting 6 cases of DisplayableLinkImpls concerning the AclEntry sorting, the allowed targets and the DEFINER mode of a VirtualFolder alias.
The proper Actor AG context is required in the MySQL ACS, for any type of Actor as intermediate node in an access path, each time there is a non-null current UserID and there is an executing right on the Actor. This is the responsibility of the method setNextNodeAGrunningContext().
Each node in a view and each intermediate node has one LinkRights instance for each view it belongs to. The implementation classes of this interface have properties that depend only on the class of the node ACS, so 2 nodes of the same view should use the same LinkRights instance, even if it is not the actual behavior in all cases. But there is an exception for the methods that detect the Account and AcsAddon priorities over all the links. They use RightsMediatorImpl.getAllLinkRights(), which returns only one LinkRights instance per implied gWork package, and not one instance per view node.
Each instance of LinkRights is used by only one thread. A node may be in several DisplayableLinks of the same view, but it has only one LinkRights instance for the view. The association between a node and its LinkRights instance is managed by the RightsMediatorImpl instance of the view.
> There is no direct call to the ACS. This class is used by the gWork packages.
See Also: NodeRightsMySQLImpl
Field Summary |
---|
Fields inherited from class ARoad0.gWork.LinkRightsImpl |
---|
interpreter_, linkUtil_, utility_ |
Fields inherited from interface ARoad0.gWorkInterface.LinkRights |
---|
INITIAL_CAPACITY |
Constructor Summary |
---|
LinkRightsMySQLImpl(AlgorithmInterpreter _interpreter): only one public constructor |
Method Summary | |
---|---|
DisplayableLinkImpl | addDisplayableLink(DisplayableLinkImpl _dLink, java.util.Map _upd_m_l_DisplayableLinks): This important method adds a DisplayableLinkImpl in the access paths map, if it does not exist, or adds the rights of each AccessControlLink in the link, to the matched link in the map, only if there is no collision between the new link and the previous ones. |
protected java.util.HashSet<ImmutableGroupIDMember> | setNextNodeAGrunningContext(DisplayableLinkImpl _upd_dLink, int _nodeIndex): This method increments the Account/Groups context position, updates the AG context set in the DisplayableLinkImpl and returns this context. |
Methods inherited from class java.lang.Object |
---|
clone, finalize, getClass, notify, notifyAll, wait, wait, wait |
Constructor Detail |
---|
public LinkRightsMySQLImpl(AlgorithmInterpreter _interpreter)
Parameters:
_interpreter - algorithm interpreter of this view
Method Detail |
---|
public DisplayableLinkImpl addDisplayableLink(DisplayableLinkImpl _dLink, java.util.Map _upd_m_l_DisplayableLinks)
The first two cases to detect are when the AclEntry sorting is not fulfilled. First, because DisplayableLinkUtilities.getSecondEndAGcontext() returns the accounts-for-hosts groups into the AG context of a link starting from an account, it is necessary to forbid most of the links having such a group. Secondly, it is necessary to forbid the adding of any link that contains the sequence account/member/group/acl.../resource..., while a simple link account/member/group is correct. The reason is that there are different types of links account/acl/resource the NodeRightsMySQLImpl class may produce, implying varied membership relations between the initial account and a group. These account/acl/resource links are the only correct use of the membership relations to get MySQL rights on a resource.
This is why an argument _dLink is rejected when one of the following conditions is fulfilled:
- _dLink contains, as intermediate node, an accounts-for-hosts group,
- _dLink contains a sequence ...account/member/group/, then an ACL.
On the other hand, the initial sequence accounts-for-hosts group/acl/actor/run_under... has to be kept since this is a weak but workable link. A routine may call another routine. An argument _dLink is NOT rejected when the following conditions are fulfilled:
- _dLink contains a sequence (Actor routine)/aclink/UserID/, then an Actor.
The third case to detect is for a link containing an Actor trigger from a table T, and having as second end a resource in another table, or having as first end an actor not from the table T. This is why an argument _dLink is rejected when the following conditions are fulfilled:
- _dLink is not simple, there is a node in _dLink that is a trigger from a table, and the second end is a Resource in another table or the first end is an Actor not from the same table.
The fourth case to detect is like the third one; it is for a link containing an Actor view delegate having as first end a resource not in its view. This is why an argument _dLink is rejected when the following conditions are fulfilled:
- _dLink is not simple, there is a node in _dLink that is a view delegate, and the second end is a Resource not in the view.
The fifth case (new in 0.7.1) to detect is about the DEFINER mode of a VirtualFolder alias, because an Actor view delegate having a current UserID has only its view as next node. This is why an argument _dLink is rejected when the following conditions are fulfilled:
- _dLink is not simple, there is a node in _dLink that is a view delegate having a current UserID, and the next node is the delegate current UserID.
The sixth case (new in 0.7.1) to detect is also about the DEFINER mode of a VirtualFolder alias, because an Actor view delegate having a current UserID forces its view to be accessed only through its current UserID, without direct 'virtual member' link. The unique right access path is 'view delegate'/'view'/'DEFINER account'/'view member'. Unfortunately, the reference to a virtual member relationship disappears in the comment. This is why an argument _dLink is rejected when the following conditions are fulfilled:
- _dLink is not simple, there is a node in _dLink that is a view delegate having a current UserID, and the next two nodes are the view and one of its view elements.
Called by AgoRightsFactoryImpl, AclRightsFactoryImpl, PrivilegeRightsFactoryImpl and CompoundRightsFactoryImpl. Calls the overridden method at the end, if the new link is not rejected.
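The first two rejection conditions above, as an added sketch that is not part of the Access Road code: paths are written in this page's slash notation, and the `Kind` enum, the `hosts_group` token and the class name are assumptions made for illustration. The other four conditions depend on table and view membership data and are not modelled.

```java
import java.util.*;

// Added sketch, not Access Road code: checks a path written in the page's
// slash notation against the first two rejection conditions only.
public class LinkFilterSketch {
    // Hypothetical element kinds; the project's real node classes differ.
    enum Kind { ACCOUNT, HOSTS_GROUP, GROUP, MEMBER, ACL, ACTOR, RESOURCE }

    static List<Kind> parse(String path) {
        List<Kind> kinds = new ArrayList<>();
        for (String token : path.split("/"))
            kinds.add(Kind.valueOf(token.trim().toUpperCase(Locale.ROOT)));
        return kinds;
    }

    // Condition 1: an accounts-for-hosts group strictly between the two ends.
    static boolean hasIntermediateHostsGroup(List<Kind> p) {
        for (int i = 1; i < p.size() - 1; i++)
            if (p.get(i) == Kind.HOSTS_GROUP) return true;
        return false;
    }

    // Condition 2: account/member/group, then an ACL. Assumption: the ACL
    // may appear anywhere after the group, not only directly after it.
    static boolean hasMembershipThenAcl(List<Kind> p) {
        for (int i = 0; i + 2 < p.size(); i++) {
            Kind g = p.get(i + 2);
            boolean group = g == Kind.GROUP || g == Kind.HOSTS_GROUP;
            if (p.get(i) == Kind.ACCOUNT && p.get(i + 1) == Kind.MEMBER && group
                    && p.subList(i + 3, p.size()).contains(Kind.ACL))
                return true;
        }
        return false;
    }

    static boolean isRejected(String path) {
        List<Kind> p = parse(path);
        return hasIntermediateHostsGroup(p) || hasMembershipThenAcl(p);
    }

    public static void main(String[] args) {
        String[] samples = {                            // constructed paths
            "account/member/group",                     // simple link: kept
            "account/member/group/acl/resource",        // condition 2
            "account/member/hosts_group/acl/resource",  // conditions 1 and 2
            "hosts_group/acl/actor",                    // group is first end: kept
            "account/acl/resource"                      // direct ACL link: kept
        };
        for (String s : samples)
            System.out.println((isRejected(s) ? "REJECT " : "KEEP   ") + s);
    }
}
```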
Specified by: addDisplayableLink in interface LinkRights
Overrides: addDisplayableLink in class LinkRightsImpl
Parameters:
_dLink - is the new link including some rights and to add to _upd_m_l_DisplayableLinks
_upd_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) to update.
getDisplayableLink()
protected java.util.HashSet<ImmutableGroupIDMember> setNextNodeAGrunningContext(DisplayableLinkImpl _upd_dLink, int _nodeIndex) throws ProcessError
As a generic Access Road rule, the internal AclEntries propagate the direct AG context. The received context overlays the AG context of the target, if it is not null. The overlaid AG context is there the current context of an Actor, as an intermediate node in an access path. In the MySQL ACS, the Actors are stored procedures and stored functions, triggers and view delegates. They may have a current UserID and a current GroupID. This method in this case does not the Actor AG context, and returns it when the Actor is the second end. In all these MySQL 4 cases, letting the Actor be a proxy needs an AclEntry with an executing right on this Actor.
There is a second change to the generic behavior. If this Actor of _nodeIndex is the node before the second end with the same prerequisites, this overriding method resets the proper AG context of the Actor. Otherwise, this method calls the super method. This process allows the generic paths search methods to find the new nodes from the proper AG context of an Actor, then to give to these nodes their complete AG context. Called by LinkRightsImpl.updateAGrunningContext().
Overrides: setNextNodeAGrunningContext in class LinkRightsImpl
Parameters:
_upd_dLink - its second end is the node of this instance. Never null. Its properties should be updated by this method, and they are never null after the updating. The AG context position is set to the node at _nodeIndex.
_nodeIndex - index of the node to analyze; is the node of this instance. Always greater than 0.
Throws:
ProcessError - if the position of the node to analyze is less than 1, and varied cases
See Also: LinkRightsImpl.updateAGrunningContext(ARoad0.CNot.DisplayableLinkImpl)