Provides the gWork classes for creating and analyzing a MySQL 5 database management system, as an extension of the generic ARoad0.gWork package, in the AcsAddon MySQL. It is responsible for processing the rights at the request of the ARoad0.gWork package. The MySQL ACS are built up by AcsFactoryMySQL in this package.
USING THE GENERIC CLASSES
To simulate the MySQL server, the features are provided first by a configuration of the Access Road generic functions, in the generic gBase package. This is the responsibility of the class ACSFactoryMySQLImpl, after its configuration by the class MySQL.gWork.AcsFactoryMySQL that provides:
modeling of the MySQL server, through the use of UserID, GroupID, GroupID tree, Resource, Directory, VirtualFolder, VirtualFolder tree, AclEntry, conditional AclEntry, inherited AclEntry and hard aliasing,
31 MySQL ACS rights, and no direct use of the metarights,
13 main types of Resources, 13 main types of EligibleParties including 3 types for the standard GroupTree, 3 main types of VirtualFolders,
36 ACS type policies for the GUI and the classes GroupID, Directory, Resource and VirtualFolder,
25 specialized rights for AclEntry,
3 automatic associations for a new MySQL database,
no automatic roots in the ACS MySQL parent.
FEATURES OF THE MySQL ACSADDON
The simulation of the MySQL server is then completed by the MySQL AcsAddon, which delivers the following features:
the inherited AclEntries, in MySQL.gBase,
the complex AclEntry sorting to simulate the MySQL account priority rules, in MySQL.gBase and MySQL.gWork,
enforcing one first host per account, in MySQL.gBase,
VirtualFolder to simulate the MySQL view, with the constraint that its elements come only from the database, in MySQL.gBase,
VirtualFolder hard alias, in MySQL.gBase, as Actor that may run under a VirtualFolder UserID. This UserID is added to the VirtualFolder constructor arguments. The alias is the only means of access to the view.
conditional overlaying of the received AG context on the VirtualFolder alias, where the condition is a non-null current UserID, in MySQL.gWork,
handling of the '%' and '_' characters to produce the pattern-name groups, and managing the constraints on the membership relations between them, in MySQL.gBase,
BasesSetMySQL to model a set of databases, in MySQL.gBase,
ProxyMySQL to model a proxy account, including the use of the generic property 'SoftAlias' but without management of the soft aliasing by the ACS, in MySQL.gBase,
specific constraints on the database AclEntry, with simple host groups having rights only on the databases, and the setting of some specific mixed AclEntries from two non-conditional AclEntries, in MySQL.gBase,
deletion of an access path if there is another path having priority, in MySQL.gWork,
2 properties 'inherited rights list' and 'primary rights map' to help the user to understand the applicable rights, in MySQL.gBase,
about 25 error messages at the creation of a MySQL object, in MySQL.gBase.
subACS 'standard_tree' for 3 standard groups, in MySQL.gBase.
These features are presented mainly in the documentation page of the package MySQL.gBase.
THE MySQL NODERIGHTS AND LINKRIGHTS CLASSES
All the classes in this package are subclasses of the generic gWork package, except for AcsFactoryMySQL which simply implements ARoad0.Pattern.AcsFactoryForAcsAddon. The two classes NodeRightsMySQLImpl and LinkRightsMySQLImpl look for the original MySQL access paths. They add, remove or update the DisplayableLinkImpls of each Access Road view. NodeRightsMySQLImpl is quite complex to handle, because the calling sequence of its methods from the generic gWork classes has to be well understood.
The class NodeRightsMySQLImpl extends NodeRightsImpl. It has the responsibility to set the properties of the access paths, and most of its methods come from its super class in the generic gWork package. The main specific methods of this class are presented now. This class overrides the method detectAddonFinalAllNodes() to add the properties AccessControlLink.C_FIST_RATE, AccessControlLink.C_WEAK_LINK and AccessControlLink.C_CONDITIONAL_ACL to some DisplayableLinkImpls. The aim is to make the effective rights precise in an Access Road view having MySQL nodes.
The class NodeRightsMySQLImpl overrides the method detectL_aclEntryRights() to get all the rights of the relevant direct AclEntries managed by the ResourceMySQL object for a given EligibleParty, following the ACL sorting and the selection of the first matched ACL. This class overrides also the method getL_accessRightsThroughNodesTree() to return in an AccessControlLink the inherited rights that are given by the directory tree, as inherited rights on a ResourceMySQL. The result sets only the type AccessControlLink.ACL.
This class overrides the method selectAddonNewHiddenNodeForGroupIDMember() to detect the hidden actors that are linked to a GroupIDMember as access source. The aim is to extend the current DisplayableLinkImpls this GroupIDMember ends. This method covers two cases:
Extends AclRightsFactoryImpl.selectDirectHiddenAclBridgeLinksToActorForEP() to the search of the inherited AclEntries, with the argument _withFinalExecute true. With an internal ACL, the AG context is transferred by the core algorithms. The method selectAddonNewHiddenNodeForGroupIDMember() is needed to detect if the second end is running under its current UserID or GroupID. MySQL actors are not ACL sources. There is no need to override selectForGroupIDMemberItsHiddenActorsWithNextLinks() for detecting actors with inherited AclEntries.
Adds an ALIAS link, when the GroupIDMember is a ProxyMySQL, to its UserIDMySQL proxied account if it is not in the view. To mimic the 'See Why' generic text, it adds the comment '-- All Rights: PROXY'.
The class NodeRightsMySQLImpl contains a new method getConnectionPair(). It returns the first current user of an account, that is the pair (account, simple host or accounts-for-hosts group) under which the connection of an account is done on the MySQL server.
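The account priority rule and the '%' and '_' host patterns mentioned above, as an added Java example that is not Access Road code: rows are sorted with the most specific host first, and the first matching row gives the (account, host) pair of the connection. AccountRow, ConnectionPairDemo and connectionPair() are hypothetical names, the ordering is a simplified form of the MySQL rule, and the sample rows are constructed.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added illustration (Java 16+ for records): AccountRow and ConnectionPairDemo are
// hypothetical names, not Access Road classes. The ordering is a simplified MySQL rule.
public class ConnectionPairDemo {

    // One account row: user name ("" = anonymous) and host name or host pattern.
    record AccountRow(String user, String host) {
        // Host specificity: literal host (0), wildcard pattern (1), bare '%' (2).
        int hostRank() {
            if (host.equals("%")) return 2;
            return (host.contains("%") || host.contains("_")) ? 1 : 0;
        }

        // Translate the MySQL wildcards into a regex, quoting every other character.
        boolean hostMatches(String clientHost) {
            StringBuilder re = new StringBuilder();
            for (char c : host.toCharArray()) {
                if (c == '%') re.append(".*");          // any sequence of characters
                else if (c == '_') re.append('.');      // exactly one character
                else re.append(Pattern.quote(String.valueOf(c)));
            }
            return Pattern.compile(re.toString(), Pattern.CASE_INSENSITIVE)
                    .matcher(clientHost).matches();
        }

        boolean userMatches(String clientUser) { return user.isEmpty() || user.equals(clientUser); }
    }

    // Sort most-specific host first, named users before the anonymous user,
    // then return the first row that matches the incoming connection.
    static Optional<AccountRow> connectionPair(List<AccountRow> rows, String user, String host) {
        List<AccountRow> sorted = new ArrayList<>(rows);
        sorted.sort(Comparator.comparingInt(AccountRow::hostRank)
                .thenComparing(r -> r.user().isEmpty()));
        return sorted.stream().filter(r -> r.hostMatches(host) && r.userMatches(user)).findFirst();
    }

    public static void main(String[] args) {
        // Constructed sample rows, not taken from a real server.
        List<AccountRow> rows = List.of(new AccountRow("jerry", "%"),
                new AccountRow("", "localhost"), new AccountRow("jerry", "192.168.1._"));
        System.out.println(connectionPair(rows, "jerry", "localhost"));
        System.out.println(connectionPair(rows, "jerry", "192.168.1.7"));
        System.out.println(connectionPair(rows, "jerry", "db.example.org"));
    }
}
```

With these rows, a connection by 'jerry' from localhost is served by the anonymous localhost row rather than by the 'jerry' row on '%', so the rights that apply are those of the anonymous account.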
The class LinkRightsMySQLImpl extends LinkRightsImpl. It provides utilities about DisplayableLinkImpls. It operates on DisplayableLinkImpls and on the inherited rights. An important service is the adding of a DisplayableLinkImpl to the view map for these objects, and its filtering to follow the MySQL rules. This is the responsibility of the method addAndRemoveDisplayableLinks() (new in 0.7.3) to reject 7 patterns of DisplayableLinkImpls. 6 patterns are detected by isFirstStepForbiddenDLink(), called by addAndRemoveDisplayableLinks() with simply the DisplayableLinkImpl as argument.
The proper Actor AG context is required in the MySQL ACS, for any type of Actor as intermediate node in an access path, each time there is a non-null current UserID and there is an executing right on the Actor. This is the responsibility of the method setNextNodeAGrunningContext().
To find the local UserID or GroupIDs a context switch has to run, the method getL_localAGfromContextSwitch() returns the default UserID 'anonymous' if the super method returns null.
Each node in a view and each intermediate node has one LinkRights instance for each view it belongs to. The implementation classes of this interface have properties that depend only on the class of the node ACS, so 2 nodes of the same view should use the same LinkRights instance, even if it is not the actual behavior in all cases. But there is an exception for the methods that detect the Account and AcsAddon priorities over all the links. They use RightsMediatorImpl.getAllLinkRights() which returns only one LinkRights instance per implied gWork package, and not one instance per view node.
EXAMPLE OF MySQL ACCESS PATH IN ACCESS ROAD 0.7.3
The use of the new 0.7.3 generic classes ExchangePointImpl and ContextSwitchImpl is demonstrated in the following 7-node access path. The default states of two ACS are used: one is an Ubuntu ACS and the second one is a MySQL ACS, as child of the first one. It shows how the Ubuntu account 'lp' has the MySQL rights UPDATE/SELECT/EXECUTE on the MySQL table column 'sales_amount column'. It is presented as in the 'See why' text, including some added comments:
FROM A RIGHT USER TO AN ACCESS TARGET
FROM IO:: two:: bb:: <U>:: lp
TO IO:: two:: bb:: my:: MySQL server:: BASE One:: Products table:: sales_amount column.
-- PATH NUMBER 1:
Link number 1:
Comment: The Ubuntu program 'mysqld' is executed by the Ubuntu account 'lp' through the Ubuntu AG Other rights:
AGO Other rights <inherited AG rights> <should limit rights> <Sets Owner>
Intermediate node:
IO:: two:: bb:: <files_tree>:: usr:: sbin:: mysqld
Link number 2:
Data Exchange -- AGO Other rights <inherited AG rights>
Comment: This creates a call through the ExchangePoint 'mysqld.sock' which is a Linux socket, as the conceptual calling point to the MySQL server by way of a bridge ('lp' may also directly call 'mysqld.sock'):
Intermediate node:
IO:: two:: bb:: <files_tree>:: var:: run:: mysqld:: mysqld.sock
Link number 3:
Bridge (<Sets Owner>)
Comment: The path now enters the MySQL server ACS. '<entrance_gate>', as entry point of the ACS, is the ContextSwitch able to select the applicable MySQL account, taking into account the calling Ubuntu account 'lp':
Intermediate node:
IO:: two:: bb:: my:: <connection_subacs>:: <entrance_gate>
Link number 4:
Runs Under
Intermediate node:
IO:: two:: bb:: my:: <U>:: lp
Comment: The ContextSwitch selects the ProxyMySQL 'lp' which is an image of the account 'jerry':
Link number 5:
Is alias (<modify owner>)
Intermediate node:
IO:: two:: bb:: my:: <U>:: jerry
Comment: The MySQL account 'jerry' under the MySQL group 'localhost' has some direct ACL rights and some inherited ACL rights on the MySQL target 'sales_amount column':
Link number 6:
ACL (UPDATE Current User: (jerry, localhost) <inherited ACL> USAGE SELECT EXECUTE <conditional ACL> through localhost) -- All Rights: UPDATE/SELECT /EXECUTE
GENERAL INFORMATION
Like any AcsAddon, this package offers classes which may be used by an ACS from another AcsAddon. Nonetheless, the classes in this package are designed to work together. A single class may be reused after a careful study of its code.
The limitations of the MySQL server simulation are described in the documentation of the MySQL.gBase package.
Ease-of-use: medium. There are simple algorithms in the rights processing, but the calling sequence from the generic gWork classes has to be well understood.
Reliability: high. There are no known bugs.