-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathriak_core_security.html
625 lines (582 loc) · 66.5 KB
/
riak_core_security.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Riak Core Security — Little Riak Core Book 1.0 documentation</title>
<link rel="stylesheet" href="_static/alabaster.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: './',
VERSION: '1.0',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true,
SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Ring Resize Operations" href="riak_core_resize.html" />
<link rel="prev" title="Riak Core Metadata" href="riak_core_metadata.html" />
<link rel="stylesheet" href="_static/custom.css" type="text/css" />
<meta name="viewport" content="width=device-width, initial-scale=0.9, maximum-scale=0.9" />
</head>
<body role="document">
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="riak-core-security">
<h1>Riak Core Security<a class="headerlink" href="#riak-core-security" title="Permalink to this headline">¶</a></h1>
<p>riak_core_security is a module in riak_core that provides facilities to
implement user/group management, authentication and authorization.</p>
<p>Here we will see an overview of it.</p>
<div class="section" id="implementation">
<h2>Implementation<a class="headerlink" href="#implementation" title="Permalink to this headline">¶</a></h2>
<p>riak_core_security is implemented on top of riak_core_metadata, it uses the
following keys to store its information:</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">{</span><span class="o"><<</span><span class="s">"security"</span><span class="o">>></span><span class="p">,</span> <span class="o"><<</span><span class="s">"users"</span><span class="o">>></span><span class="p">}</span>
<span class="p">{</span><span class="o"><<</span><span class="s">"security"</span><span class="o">>></span><span class="p">,</span> <span class="o"><<</span><span class="s">"groups"</span><span class="o">>></span><span class="p">}</span>
<span class="p">{</span><span class="o"><<</span><span class="s">"security"</span><span class="o">>></span><span class="p">,</span> <span class="o"><<</span><span class="s">"sources"</span><span class="o">>></span><span class="p">}</span>
<span class="p">{</span><span class="o"><<</span><span class="s">"security"</span><span class="o">>></span><span class="p">,</span> <span class="o"><<</span><span class="s">"usergrants"</span><span class="o">>></span><span class="p">}</span>
<span class="p">{</span><span class="o"><<</span><span class="s">"security"</span><span class="o">>></span><span class="p">,</span> <span class="o"><<</span><span class="s">"groupgrants"</span><span class="o">>></span><span class="p">}</span>
<span class="p">{</span><span class="o"><<</span><span class="s">"security"</span><span class="o">>></span><span class="p">,</span> <span class="o"><<</span><span class="s">"status"</span><span class="o">>></span><span class="p">}</span> <span class="o">-></span> <span class="n">enabled</span>
<span class="p">{</span><span class="o"><<</span><span class="s">"security"</span><span class="o">>></span><span class="p">,</span> <span class="o"><<</span><span class="s">"config"</span><span class="o">>></span><span class="p">}</span> <span class="o">-></span> <span class="n">ciphers</span>
</pre></div>
</div>
<p>How they are stored should be an implementation detail but sometimes you may
need to fold over values to get information if it’s not supported by
riak_core_security’s API.</p>
</div>
<div class="section" id="vocabulary">
<h2>Vocabulary<a class="headerlink" href="#vocabulary" title="Permalink to this headline">¶</a></h2>
<div class="section" id="context">
<h3>Context<a class="headerlink" href="#context" title="Permalink to this headline">¶</a></h3>
<p>Opaque information you get back from authentication, you have to pass it back
in to other operations.</p>
<p>At the moment it’s a record with three fields:</p>
<ul class="simple">
<li>username</li>
<li>grants</li>
<li>epoch</li>
</ul>
<p>But notice that this is an implementation detail and you should handle it
as an opaque value.</p>
<p>Contexts are only valid until the GRANT epoch changes, and it will change
whenever a GRANT or a REVOKE is performed. This rule may change in the future.</p>
</div>
<div class="section" id="permission">
<h3>Permission<a class="headerlink" href="#permission" title="Permalink to this headline">¶</a></h3>
<p>A string that represents some action in a given application, for example
tanodb.get, tanodb.put.</p>
<p>A permission muy be listed as valid in the environment variable {riak_core, permissions}:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="nd">@127</span><span class="o">.</span><span class="mf">0.0</span><span class="o">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">1</span><span class="o">></span> <span class="n">application</span><span class="p">:</span><span class="n">get_env</span><span class="p">(</span><span class="n">riak_core</span><span class="p">,</span> <span class="n">permissions</span><span class="p">)</span><span class="o">.</span>
<span class="p">{</span><span class="n">ok</span><span class="p">,[{</span><span class="n">riak_core</span><span class="p">,[</span><span class="n">get_bucket</span><span class="p">,</span><span class="n">set_bucket</span><span class="p">,</span><span class="n">get_bucket_type</span><span class="p">,</span> <span class="n">set_bucket_type</span><span class="p">]}]}</span>
</pre></div>
</div>
<p>You can list your permissions in config/advanced.config uncommenting the line:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">%</span> <span class="p">{</span><span class="n">permissions</span><span class="p">,</span> <span class="p">[{</span> <span class="n">tanodb</span><span class="p">,</span> <span class="p">[</span><span class="n">put</span><span class="p">,</span> <span class="n">get</span><span class="p">,</span> <span class="nb">list</span><span class="p">,</span> <span class="n">grant</span><span class="p">,</span> <span class="n">delete</span><span class="p">]}]}</span>
</pre></div>
</div>
<p>And changing the permissions inside the list.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">tanodb is the name of your app</p>
</div>
</div>
<div class="section" id="role">
<h3>Role<a class="headerlink" href="#role" title="Permalink to this headline">¶</a></h3>
<p>Something you assign permissions to, it can be a user or a group, there are
some reserved roles:</p>
<ul class="simple">
<li>all</li>
<li>on</li>
<li>to</li>
<li>from</li>
<li>any</li>
</ul>
</div>
<div class="section" id="source">
<h3>Source<a class="headerlink" href="#source" title="Permalink to this headline">¶</a></h3>
<p>The source where the user is authenticating, it can be an ip or something else,
you can allow a user to authenticate from a source but not another.</p>
</div>
</div>
<div class="section" id="extra-features">
<h2>Extra Features<a class="headerlink" href="#extra-features" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Certificate Authentication</li>
<li>Plugable Authentication</li>
</ul>
</div>
<div class="section" id="api-overview">
<h2>API Overview<a class="headerlink" href="#api-overview" title="Permalink to this headline">¶</a></h2>
<div class="section" id="check-permission">
<h3>check_permission<a class="headerlink" href="#check-permission" title="Permalink to this headline">¶</a></h3>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="c">% Check a Global permission, one that is not tied to a bucket</span>
<span class="nf">check_permission</span><span class="p">({</span><span class="nv">Permission</span><span class="p">},</span> <span class="nv">Context</span><span class="p">)</span>
<span class="c">% Check a permission for a specific bucket</span>
<span class="nf">check_permission</span><span class="p">({</span><span class="nv">Permission</span><span class="p">,</span> <span class="nv">Bucket</span><span class="p">},</span> <span class="nv">Context</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="check-permissions">
<h3>check_permissions<a class="headerlink" href="#check-permissions" title="Permalink to this headline">¶</a></h3>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="c">% Check that all permissions are valid</span>
<span class="nf">check_permissions</span><span class="p">(</span><span class="nv">List</span><span class="p">,</span> <span class="nv">Ctx</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="get-username">
<h3>get_username<a class="headerlink" href="#get-username" title="Permalink to this headline">¶</a></h3>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="c">% return username from context</span>
<span class="nf">get_username</span><span class="p">(</span><span class="nv">Context</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="authenticate">
<h3>authenticate<a class="headerlink" href="#authenticate" title="Permalink to this headline">¶</a></h3>
<p>If successful it will return {ok, Context}</p>
<p>A username can be tied to specific sources from which he can login, if you
don’t need this feature specify a generic source for all your users.</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">authenticate</span><span class="p">(</span><span class="nv">Username</span><span class="p">,</span> <span class="nv">Password</span><span class="p">,</span> <span class="nv">ConnInfo</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="add-user">
<h3>add_user<a class="headerlink" href="#add-user" title="Permalink to this headline">¶</a></h3>
<p>Valid options:</p>
<ul class="simple">
<li>password</li>
<li>groups</li>
</ul>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">add_user</span><span class="p">(</span><span class="nv">Username</span><span class="p">,</span> <span class="nv">Options</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="add-group">
<h3>add_group<a class="headerlink" href="#add-group" title="Permalink to this headline">¶</a></h3>
<p>Valid options:</p>
<ul class="simple">
<li>password</li>
</ul>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">add_group</span><span class="p">(</span><span class="nv">Groupname</span><span class="p">,</span> <span class="nv">Options</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="alter-user">
<h3>alter_user<a class="headerlink" href="#alter-user" title="Permalink to this headline">¶</a></h3>
<p>Options passed will override options already in user’s details, this means if
you pass a password it will be changed, if you pass groups the new groups will
be set and the old removed.</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">alter_user</span><span class="p">(</span><span class="nv">Username</span><span class="p">,</span> <span class="nv">Options</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="alter-group">
<h3>alter_group<a class="headerlink" href="#alter-group" title="Permalink to this headline">¶</a></h3>
<p>Options passed will override options already in groups’s details, if you pass
groups the new groups will be set and the old removed.</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">alter_group</span><span class="p">(</span><span class="nv">Groupname</span><span class="p">,</span> <span class="nv">Options</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="del-user">
<h3>del_user<a class="headerlink" href="#del-user" title="Permalink to this headline">¶</a></h3>
<p>Deletes user and associated grants</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">del_user</span><span class="p">(</span><span class="nv">Username</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="del-group">
<h3>del_group<a class="headerlink" href="#del-group" title="Permalink to this headline">¶</a></h3>
<p>Deletes group and associated grants</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">del_group</span><span class="p">(</span><span class="nv">Groupname</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="add-grant">
<h3>add_grant<a class="headerlink" href="#add-grant" title="Permalink to this headline">¶</a></h3>
<p>Add Grants to RoleList on Bucket, RoleList can be the atom <strong>all</strong> to asign
Grants to all roles in that Bucket.</p>
<p>Bucket can be a binary to assign to the whole bucket or {binary(), binary()},
to assign to a key in the bucket.</p>
<p>The call will merge previous grants with the new ones.</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">add_grant</span><span class="p">(</span><span class="nv">RoleList</span><span class="p">,</span> <span class="nv">Bucket</span><span class="p">,</span> <span class="nv">Grants</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="add-revoke">
<h3>add_revoke<a class="headerlink" href="#add-revoke" title="Permalink to this headline">¶</a></h3>
<p>Revoke Grants to RoleList on Bucket, RoleList can be the atom <strong>all</strong> to revoke
Grants to all roles in that Bucket.</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">add_revoke</span><span class="p">(</span><span class="nv">RoleList</span><span class="p">,</span> <span class="nv">Bucket</span><span class="p">,</span> <span class="nv">Revokes</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="add-source">
<h3>add_source<a class="headerlink" href="#add-source" title="Permalink to this headline">¶</a></h3>
<p>Users is a list of users or the atom <strong>all</strong> to apply to all users.
CIDR is a tuple with an IP address and a mask in bits.
Source is an atom:</p>
<ul class="simple">
<li>trust: no password required</li>
<li>password: password authentication</li>
<li>certificate: certificate authentication</li>
<li>Atom: Atom will be used as a custom authentication module, on auth Atom will
be looked up on the env key {riak_core, auth_mods} if found the returned
value will be used as a module to call
AuthMod:auth(Username, Password, UserData, SourceOptions)</li>
</ul>
<p>Options are options for the source that will be passed during auth</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">add_source</span><span class="p">(</span><span class="nv">Users</span><span class="p">,</span> <span class="nv">CIDR</span><span class="p">,</span> <span class="nv">Source</span><span class="p">,</span> <span class="nv">Options</span><span class="p">)</span>
</pre></div>
</div>
<p>Example calls:</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">add_source</span><span class="p">(</span><span class="n">all</span><span class="p">,</span> <span class="p">{{</span><span class="mi">127</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">},</span> <span class="mi">32</span><span class="p">},</span> <span class="n">trust</span><span class="p">,</span> <span class="p">[])</span>
<span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">add_source</span><span class="p">(</span><span class="n">all</span><span class="p">,</span> <span class="p">{{</span><span class="mi">127</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">},</span> <span class="mi">32</span><span class="p">},</span> <span class="n">password</span><span class="p">,</span> <span class="p">[])</span>
</pre></div>
</div>
</div>
<div class="section" id="del-source">
<h3>del_source<a class="headerlink" href="#del-source" title="Permalink to this headline">¶</a></h3>
<p>Delete source identified by CIDR for Users, Users can be the atom <strong>all</strong> to
remove the source from all users. This won’t apply to sources added for each
users, only if the source was added explicitly for the <strong>all</strong> atom.</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">del_source</span><span class="p">(</span><span class="nv">Users</span><span class="p">,</span> <span class="nv">CIDR</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="is-enabled">
<h3>is_enabled<a class="headerlink" href="#is-enabled" title="Permalink to this headline">¶</a></h3>
<p>Returns <strong>true</strong> if riak_core_security is enabled, <strong>false</strong> otherwise.</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">is_enabled</span><span class="p">()</span>
</pre></div>
</div>
</div>
<div class="section" id="enable">
<h3>enable<a class="headerlink" href="#enable" title="Permalink to this headline">¶</a></h3>
<p>Enables riak_core_security</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">enable</span><span class="p">()</span>
</pre></div>
</div>
</div>
<div class="section" id="disable">
<h3>disable<a class="headerlink" href="#disable" title="Permalink to this headline">¶</a></h3>
<p>Disabled riak_core_security</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">disable</span><span class="p">()</span>
</pre></div>
</div>
</div>
<div class="section" id="status">
<h3>status<a class="headerlink" href="#status" title="Permalink to this headline">¶</a></h3>
<p>Returns an atom representing the status of riak_core_security:</p>
<ul class="simple">
<li>enabled</li>
<li>enabled_but_no_capability</li>
<li>disabled</li>
</ul>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="nf">status</span><span class="p">()</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="playing-in-the-repl">
<h2>Playing in the REPL<a class="headerlink" href="#playing-in-the-repl" title="Permalink to this headline">¶</a></h2>
<p>First we will need to uncomment the permissions for our app in config/advanced.config</p>
<p>TODO: commit hash here</p>
<p>Then we build again and run it:</p>
<div class="highlight-shell"><div class="highlight"><pre><span></span>rebar3 release
rebar3 run
</pre></div>
</div>
<p>First let’s setup some variables</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">1</span><span class="o">></span> <span class="nv">User1</span> <span class="o">=</span> <span class="o"><<</span><span class="s">"sandy"</span><span class="o">>></span><span class="p">.</span>
<span class="o"><<</span><span class="s">"sandy"</span><span class="o">>></span>
<span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">2</span><span class="o">></span> <span class="nv">Pass1</span> <span class="o">=</span> <span class="o"><<</span><span class="s">"secret"</span><span class="o">>></span><span class="p">.</span>
<span class="o"><<</span><span class="s">"secret"</span><span class="o">>></span>
<span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">3</span><span class="o">></span> <span class="nv">ConnInfo</span> <span class="o">=</span> <span class="p">[{</span><span class="n">ip</span><span class="p">,</span> <span class="p">{</span><span class="mi">127</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">}}].</span>
<span class="p">[{</span><span class="n">ip</span><span class="p">,{</span><span class="mi">127</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="mi">1</span><span class="p">}}]</span>
<span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">4</span><span class="o">></span> <span class="nv">Source1</span> <span class="o">=</span> <span class="p">{{</span><span class="mi">127</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">},</span> <span class="mi">32</span><span class="p">}.</span>
<span class="p">{{</span><span class="mi">127</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="mi">1</span><span class="p">},</span><span class="mi">32</span><span class="p">}</span>
<span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">5</span><span class="o">></span> <span class="nv">Bucket1</span> <span class="o">=</span> <span class="o"><<</span><span class="s">"bucket_sandy"</span><span class="o">>></span><span class="p">.</span>
<span class="o"><<</span><span class="s">"bucket_sandy"</span><span class="o">>></span>
<span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">6</span><span class="o">></span> <span class="nv">PermGet</span> <span class="o">=</span> <span class="s">"tanodb.get"</span><span class="p">.</span>
<span class="s">"tanodb.get"</span>
<span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">7</span><span class="o">></span> <span class="nv">PermPut</span> <span class="o">=</span> <span class="s">"tanodb.put"</span><span class="p">.</span>
<span class="s">"tanodb.put"</span>
<span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">8</span><span class="o">></span> <span class="nv">PermList</span> <span class="o">=</span> <span class="s">"tanodb.list"</span><span class="p">.</span>
<span class="s">"tanodb.list"</span>
<span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">9</span><span class="o">></span> <span class="nv">GroupWriter</span> <span class="o">=</span> <span class="o"><<</span><span class="s">"writers"</span><span class="o">>></span><span class="p">.</span>
<span class="o"><<</span><span class="s">"writers"</span><span class="o">>></span>
<span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">10</span><span class="o">></span> <span class="nv">GroupReader</span> <span class="o">=</span> <span class="o"><<</span><span class="s">"readers"</span><span class="o">>></span><span class="p">.</span>
<span class="o"><<</span><span class="s">"readers"</span><span class="o">>></span>
</pre></div>
</div>
<p>We didn’t add the user yet, so the following should fail</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">11</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">authenticate</span><span class="p">(</span><span class="nv">User1</span><span class="p">,</span> <span class="nv">Pass1</span><span class="p">,</span> <span class="nv">ConnInfo</span><span class="p">).</span>
<span class="p">{</span><span class="n">error</span><span class="p">,</span><span class="n">unknown_user</span><span class="p">}</span>
</pre></div>
</div>
<p>Let’s add the user</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">12</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">add_user</span><span class="p">(</span><span class="nv">User1</span><span class="p">,</span> <span class="p">[{</span><span class="s">"password"</span><span class="p">,</span> <span class="nb">binary_to_list</span><span class="p">(</span><span class="nv">Pass1</span><span class="p">)}]).</span>
<span class="n">ok</span>
</pre></div>
</div>
<p>Adding it twice should fail</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">13</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">add_user</span><span class="p">(</span><span class="nv">User1</span><span class="p">,</span> <span class="p">[{</span><span class="s">"password"</span><span class="p">,</span> <span class="nb">binary_to_list</span><span class="p">(</span><span class="nv">Pass1</span><span class="p">)}]).</span>
<span class="p">{</span><span class="n">error</span><span class="p">,</span><span class="n">role_exists</span><span class="p">}</span>
</pre></div>
</div>
<p>We didn’t add the source for the user so the following should fail</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">14</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">authenticate</span><span class="p">(</span><span class="nv">User1</span><span class="p">,</span> <span class="nv">Pass1</span><span class="p">,</span> <span class="nv">ConnInfo</span><span class="p">).</span>
<span class="p">{</span><span class="n">error</span><span class="p">,</span><span class="n">no_matching_sources</span><span class="p">}</span>
</pre></div>
</div>
<p>Add a local source that requires password for all users</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">15</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">add_source</span><span class="p">(</span><span class="n">all</span><span class="p">,</span> <span class="nv">Source1</span><span class="p">,</span> <span class="n">password</span><span class="p">,</span> <span class="p">[]).</span>
<span class="n">ok</span>
</pre></div>
</div>
<p>Now it should work</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">16</span><span class="o">></span> <span class="p">{</span><span class="n">ok</span><span class="p">,</span> <span class="nv">Ctx1</span><span class="p">}</span> <span class="o">=</span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">authenticate</span><span class="p">(</span><span class="nv">User1</span><span class="p">,</span> <span class="nv">Pass1</span><span class="p">,</span> <span class="nv">ConnInfo</span><span class="p">).</span>
<span class="p">{</span><span class="n">ok</span><span class="p">,{</span><span class="n">context</span><span class="p">,</span><span class="o"><<</span><span class="s">"sandy"</span><span class="o">>></span><span class="p">,[],{</span><span class="mi">1444</span><span class="p">,</span><span class="mi">659568</span><span class="p">,</span><span class="mi">765253</span><span class="p">}}}</span>
</pre></div>
</div>
<p>Checking permissions should fail, since we didn’t granted any permissions yet</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">17</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">check_permission</span><span class="p">({</span><span class="nv">PermGet</span><span class="p">,</span> <span class="nv">Bucket1</span><span class="p">},</span> <span class="nv">Ctx1</span><span class="p">).</span>
<span class="p">{</span><span class="n">false</span><span class="p">,</span><span class="o"><<</span><span class="s">"Permission denied: User 'sandy' does not have 'tanodb.get' on bucket_sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">{</span><span class="n">context</span><span class="p">,</span><span class="o"><<</span><span class="s">"sandy"</span><span class="o">>></span><span class="p">,[],{</span><span class="mi">1444</span><span class="p">,</span><span class="mi">659568</span><span class="p">,</span><span class="mi">765253</span><span class="p">}}}</span>
</pre></div>
</div>
<p>Let’s grant PermGet to User1</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">18</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">add_grant</span><span class="p">([</span><span class="nv">User1</span><span class="p">],</span> <span class="nv">Bucket1</span><span class="p">,</span> <span class="p">[</span><span class="nv">PermGet</span><span class="p">]).</span>
<span class="n">ok</span>
</pre></div>
</div>
<p>And try again</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">19</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">check_permission</span><span class="p">({</span><span class="nv">PermGet</span><span class="p">,</span> <span class="nv">Bucket1</span><span class="p">},</span> <span class="nv">Ctx1</span><span class="p">).</span>
<span class="p">{</span><span class="n">true</span><span class="p">,{</span><span class="n">context</span><span class="p">,</span><span class="o"><<</span><span class="s">"sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">[{</span><span class="o"><<</span><span class="s">"bucket_sandy"</span><span class="o">>></span><span class="p">,[</span><span class="s">"tanodb.get"</span><span class="p">]}],</span>
<span class="p">{</span><span class="mi">1444</span><span class="p">,</span><span class="mi">659568</span><span class="p">,</span><span class="mi">779759</span><span class="p">}}}</span>
</pre></div>
</div>
<p>cReate some groups, each group belongs to the previous one</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">20</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">add_group</span><span class="p">(</span><span class="nv">GroupReader</span><span class="p">,</span> <span class="p">[]).</span>
<span class="nf">ok</span>
<span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">21</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">add_group</span><span class="p">(</span><span class="nv">GroupWriter</span><span class="p">,</span> <span class="p">[{</span><span class="s">"groups"</span><span class="p">,</span> <span class="p">[</span><span class="nv">GroupReader</span><span class="p">]}]).</span>
<span class="n">ok</span>
</pre></div>
</div>
<p>Let’s grant permissions to each group</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">22</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">add_grant</span><span class="p">([</span><span class="nv">GroupReader</span><span class="p">],</span> <span class="nv">Bucket1</span><span class="p">,</span> <span class="p">[</span><span class="nv">PermGet</span><span class="p">]).</span>
<span class="nf">ok</span>
<span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">23</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">add_grant</span><span class="p">([</span><span class="nv">GroupWriter</span><span class="p">],</span> <span class="nv">Bucket1</span><span class="p">,</span> <span class="p">[</span><span class="nv">PermPut</span><span class="p">]).</span>
<span class="n">ok</span>
</pre></div>
</div>
<p>Now let’s join User1 to some groups and try permissions</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">24</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">alter_user</span><span class="p">(</span><span class="nv">User1</span><span class="p">,</span> <span class="p">[{</span><span class="s">"groups"</span><span class="p">,</span> <span class="p">[</span><span class="nv">GroupReader</span><span class="p">]}]).</span>
<span class="n">ok</span>
</pre></div>
</div>
<p>We can see User1 is a member of the group</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">25</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">print_user</span><span class="p">(</span><span class="nv">User1</span><span class="p">).</span>
<span class="n">ok</span>
</pre></div>
</div>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">+----------+---------------+----------------------------------------+------------------------------+</span>
<span class="o">|</span> <span class="n">username</span> <span class="o">|</span> <span class="n">member</span> <span class="n">of</span> <span class="o">|</span> <span class="n">password</span> <span class="o">|</span> <span class="n">options</span> <span class="o">|</span>
<span class="o">+----------+---------------+----------------------------------------+------------------------------+</span>
<span class="o">|</span> <span class="n">sandy</span> <span class="o">|</span> <span class="n">readers</span> <span class="o">|</span><span class="mi">9</span><span class="n">c8984b176e07eb7ba9ff1e3ada5a43ecb8a812e</span><span class="o">|</span> <span class="p">[]</span> <span class="o">|</span>
<span class="o">+----------+---------------+----------------------------------------+------------------------------+</span>
</pre></div>
</div>
<p>She can do PermGet on Bucket1, but she could before since she has the
permission explicitly set</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">26</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">check_permission</span><span class="p">({</span><span class="nv">PermGet</span><span class="p">,</span> <span class="nv">Bucket1</span><span class="p">},</span> <span class="nv">Ctx1</span><span class="p">).</span>
<span class="p">{</span><span class="n">true</span><span class="p">,{</span><span class="n">context</span><span class="p">,</span><span class="o"><<</span><span class="s">"sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">[{</span><span class="o"><<</span><span class="s">"bucket_sandy"</span><span class="o">>></span><span class="p">,[</span><span class="s">"tanodb.get"</span><span class="p">]}],</span>
<span class="p">{</span><span class="mi">1444</span><span class="p">,</span><span class="mi">659568</span><span class="p">,</span><span class="mi">837358</span><span class="p">}}}</span>
</pre></div>
</div>
<p>Let’s revoke it</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">27</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">add_revoke</span><span class="p">([</span><span class="nv">User1</span><span class="p">],</span> <span class="nv">Bucket1</span><span class="p">,</span> <span class="p">[</span><span class="nv">PermGet</span><span class="p">]).</span>
<span class="n">ok</span>
</pre></div>
</div>
<p>Still can</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">28</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">check_permission</span><span class="p">({</span><span class="nv">PermGet</span><span class="p">,</span> <span class="nv">Bucket1</span><span class="p">},</span> <span class="nv">Ctx1</span><span class="p">).</span>
<span class="p">{</span><span class="n">true</span><span class="p">,{</span><span class="n">context</span><span class="p">,</span><span class="o"><<</span><span class="s">"sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">[{</span><span class="o"><<</span><span class="s">"bucket_sandy"</span><span class="o">>></span><span class="p">,[</span><span class="s">"tanodb.get"</span><span class="p">]}],</span>
<span class="p">{</span><span class="mi">1444</span><span class="p">,</span><span class="mi">659568</span><span class="p">,</span><span class="mi">847161</span><span class="p">}}}</span>
</pre></div>
</div>
<p>But can’t put on that bucket</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">29</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">check_permission</span><span class="p">({</span><span class="nv">PermPut</span><span class="p">,</span> <span class="nv">Bucket1</span><span class="p">},</span> <span class="nv">Ctx1</span><span class="p">).</span>
<span class="p">{</span><span class="n">false</span><span class="p">,</span><span class="o"><<</span><span class="s">"Permission denied: User 'sandy' does not have 'tanodb.put' on bucket_sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">{</span><span class="n">context</span><span class="p">,</span><span class="o"><<</span><span class="s">"sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">[{</span><span class="o"><<</span><span class="s">"bucket_sandy"</span><span class="o">>></span><span class="p">,[</span><span class="s">"tanodb.get"</span><span class="p">]}],</span>
<span class="p">{</span><span class="mi">1444</span><span class="p">,</span><span class="mi">659568</span><span class="p">,</span><span class="mi">848204</span><span class="p">}}}</span>
</pre></div>
</div>
<p>Now let’s join User1 to some groups and try permissions</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">30</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">alter_user</span><span class="p">(</span><span class="nv">User1</span><span class="p">,</span> <span class="p">[{</span><span class="s">"groups"</span><span class="p">,</span> <span class="p">[</span><span class="nv">GroupWriter</span><span class="p">]}]).</span>
<span class="n">ok</span>
</pre></div>
</div>
<p>We can see User1 is a member of the group, but no more of GroupReader</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">31</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">print_user</span><span class="p">(</span><span class="nv">User1</span><span class="p">).</span>
<span class="n">ok</span>
</pre></div>
</div>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">+----------+---------------+----------------------------------------+------------------------------+</span>
<span class="o">|</span> <span class="n">username</span> <span class="o">|</span> <span class="n">member</span> <span class="n">of</span> <span class="o">|</span> <span class="n">password</span> <span class="o">|</span> <span class="n">options</span> <span class="o">|</span>
<span class="o">+----------+---------------+----------------------------------------+------------------------------+</span>
<span class="o">|</span> <span class="n">sandy</span> <span class="o">|</span> <span class="n">writers</span> <span class="o">|</span><span class="mi">9</span><span class="n">c8984b176e07eb7ba9ff1e3ada5a43ecb8a812e</span><span class="o">|</span> <span class="p">[]</span> <span class="o">|</span>
<span class="o">+----------+---------------+----------------------------------------+------------------------------+</span>
</pre></div>
</div>
<p>User1 can now put on that bucket</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">32</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">check_permission</span><span class="p">({</span><span class="nv">PermPut</span><span class="p">,</span> <span class="nv">Bucket1</span><span class="p">},</span> <span class="nv">Ctx1</span><span class="p">).</span>
<span class="p">{</span><span class="n">true</span><span class="p">,{</span><span class="n">context</span><span class="p">,</span><span class="o"><<</span><span class="s">"sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">[{</span><span class="o"><<</span><span class="s">"bucket_sandy"</span><span class="o">>></span><span class="p">,[</span><span class="s">"tanodb.get"</span><span class="p">,</span><span class="s">"tanodb.put"</span><span class="p">]}],</span>
<span class="p">{</span><span class="mi">1444</span><span class="p">,</span><span class="mi">659568</span><span class="p">,</span><span class="mi">859448</span><span class="p">}}}</span>
</pre></div>
</div>
<p>Still can get since GroupWriter is member of the group GroupReader</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">33</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">check_permission</span><span class="p">({</span><span class="nv">PermGet</span><span class="p">,</span> <span class="nv">Bucket1</span><span class="p">},</span> <span class="nv">Ctx1</span><span class="p">).</span>
<span class="p">{</span><span class="n">true</span><span class="p">,{</span><span class="n">context</span><span class="p">,</span><span class="o"><<</span><span class="s">"sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">[{</span><span class="o"><<</span><span class="s">"bucket_sandy"</span><span class="o">>></span><span class="p">,[</span><span class="s">"tanodb.get"</span><span class="p">,</span><span class="s">"tanodb.put"</span><span class="p">]}],</span>
<span class="p">{</span><span class="mi">1444</span><span class="p">,</span><span class="mi">659568</span><span class="p">,</span><span class="mi">860961</span><span class="p">}}}</span>
</pre></div>
</div>
<p>Now let’s add a new grant to GroupReader so they can list the bucket</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">34</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">add_grant</span><span class="p">([</span><span class="nv">GroupReader</span><span class="p">],</span> <span class="nv">Bucket1</span><span class="p">,</span> <span class="p">[</span><span class="nv">PermList</span><span class="p">]).</span>
<span class="n">ok</span>
</pre></div>
</div>
<p>Now User1 has the list permission since she is a member of GroupWriter
which is a member of GroupReader who has permissions to list Bucket1</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">35</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">check_permission</span><span class="p">({</span><span class="nv">PermList</span><span class="p">,</span> <span class="nv">Bucket1</span><span class="p">},</span> <span class="nv">Ctx1</span><span class="p">).</span>
<span class="p">{</span><span class="n">true</span><span class="p">,{</span><span class="n">context</span><span class="p">,</span><span class="o"><<</span><span class="s">"sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">[{</span><span class="o"><<</span><span class="s">"bucket_sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">[</span><span class="s">"tanodb.get"</span><span class="p">,</span><span class="s">"tanodb.list"</span><span class="p">,</span><span class="s">"tanodb.put"</span><span class="p">]}],</span>
<span class="p">{</span><span class="mi">1444</span><span class="p">,</span><span class="mi">659568</span><span class="p">,</span><span class="mi">872565</span><span class="p">}}}</span>
</pre></div>
</div>
<p>Let’s remove GroupReader membership from GroupWriter</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">36</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">alter_group</span><span class="p">(</span><span class="nv">GroupWriter</span><span class="p">,</span> <span class="p">[{</span><span class="s">"groups"</span><span class="p">,</span> <span class="p">[]}]).</span>
<span class="n">ok</span>
</pre></div>
</div>
<p>Now User1 can’t list on Bucket1 anymore</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">37</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">check_permission</span><span class="p">({</span><span class="nv">PermList</span><span class="p">,</span> <span class="nv">Bucket1</span><span class="p">},</span> <span class="nv">Ctx1</span><span class="p">).</span>
<span class="p">{</span><span class="n">false</span><span class="p">,</span><span class="o"><<</span><span class="s">"Permission denied: User 'sandy' does not have 'tanodb.list' on bucket_sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">{</span><span class="n">context</span><span class="p">,</span><span class="o"><<</span><span class="s">"sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">[{</span><span class="o"><<</span><span class="s">"bucket_sandy"</span><span class="o">>></span><span class="p">,[</span><span class="s">"tanodb.put"</span><span class="p">]}],</span>
<span class="p">{</span><span class="mi">1444</span><span class="p">,</span><span class="mi">659568</span><span class="p">,</span><span class="mi">881585</span><span class="p">}}}</span>
</pre></div>
</div>
<p>Let’s try one more thing, add GroupWriter to GroupReader</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">38</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">alter_group</span><span class="p">(</span><span class="nv">GroupWriter</span><span class="p">,</span> <span class="p">[{</span><span class="s">"groups"</span><span class="p">,</span> <span class="p">[</span><span class="nv">GroupReader</span><span class="p">]}]).</span>
<span class="n">ok</span>
</pre></div>
</div>
<p>This works again</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">39</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">check_permission</span><span class="p">({</span><span class="nv">PermList</span><span class="p">,</span> <span class="nv">Bucket1</span><span class="p">},</span> <span class="nv">Ctx1</span><span class="p">).</span>
<span class="p">{</span><span class="n">true</span><span class="p">,{</span><span class="n">context</span><span class="p">,</span><span class="o"><<</span><span class="s">"sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">[{</span><span class="o"><<</span><span class="s">"bucket_sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">[</span><span class="s">"tanodb.get"</span><span class="p">,</span><span class="s">"tanodb.list"</span><span class="p">,</span><span class="s">"tanodb.put"</span><span class="p">]}],</span>
<span class="p">{</span><span class="mi">1444</span><span class="p">,</span><span class="mi">659568</span><span class="p">,</span><span class="mi">890698</span><span class="p">}}}</span>
</pre></div>
</div>
<p>Let’s now remove GroupReader completely</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">40</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">del_group</span><span class="p">(</span><span class="nv">GroupReader</span><span class="p">).</span>
<span class="n">ok</span>
</pre></div>
</div>
<p>This should fail again</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">41</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">check_permission</span><span class="p">({</span><span class="nv">PermList</span><span class="p">,</span> <span class="nv">Bucket1</span><span class="p">},</span> <span class="nv">Ctx1</span><span class="p">).</span>
<span class="p">{</span><span class="n">false</span><span class="p">,</span><span class="o"><<</span><span class="s">"Permission denied: User 'sandy' does not have 'tanodb.list' on bucket_sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">{</span><span class="n">context</span><span class="p">,</span><span class="o"><<</span><span class="s">"sandy"</span><span class="o">>></span><span class="p">,</span>
<span class="p">[{</span><span class="o"><<</span><span class="s">"bucket_sandy"</span><span class="o">>></span><span class="p">,[</span><span class="s">"tanodb.put"</span><span class="p">]}],</span>
<span class="p">{</span><span class="mi">1444</span><span class="p">,</span><span class="mi">659568</span><span class="p">,</span><span class="mi">914573</span><span class="p">}}}</span>
</pre></div>
</div>
<p>Let’s clean everything up</p>
<div class="highlight-erlang"><div class="highlight"><pre><span></span><span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">42</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">del_group</span><span class="p">(</span><span class="nv">GroupWriter</span><span class="p">).</span>
<span class="nf">ok</span>
<span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">43</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">del_user</span><span class="p">(</span><span class="nv">User1</span><span class="p">).</span>
<span class="nf">ok</span>
<span class="p">(</span><span class="n">tanodb</span><span class="p">@</span><span class="mi">127</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="mi">1</span><span class="p">)</span><span class="mi">44</span><span class="o">></span> <span class="nn">riak_core_security</span><span class="p">:</span><span class="nf">del_source</span><span class="p">(</span><span class="n">all</span><span class="p">,</span> <span class="nv">Source1</span><span class="p">).</span>
<span class="n">ok</span>
</pre></div>
</div>
<p>If you want to retry from scratch removing all state you can do the following:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">rm</span> <span class="o">-</span><span class="n">rf</span> <span class="n">_build</span><span class="o">/</span><span class="n">default</span><span class="o">/</span><span class="n">rel</span>
<span class="n">rebar3</span> <span class="n">release</span>
<span class="n">rebar3</span> <span class="n">run</span>
</pre></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<h1 class="logo"><a href="index.html">Little Riak Core Book</a></h1>
<h3>Navigation</h3>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="starting.html">Starting</a></li>
<li class="toctree-l1"><a class="reference internal" href="riak_core_metadata.html">Riak Core Metadata</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">Riak Core Security</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#implementation">Implementation</a></li>
<li class="toctree-l2"><a class="reference internal" href="#vocabulary">Vocabulary</a></li>
<li class="toctree-l2"><a class="reference internal" href="#extra-features">Extra Features</a></li>
<li class="toctree-l2"><a class="reference internal" href="#api-overview">API Overview</a></li>
<li class="toctree-l2"><a class="reference internal" href="#playing-in-the-repl">Playing in the REPL</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="riak_core_resize.html">Ring Resize Operations</a></li>
</ul>
<div class="relations">
<h3>Related Topics</h3>
<ul>
<li><a href="index.html">Documentation overview</a><ul>
<li>Previous: <a href="riak_core_metadata.html" title="previous chapter">Riak Core Metadata</a></li>
<li>Next: <a href="riak_core_resize.html" title="next chapter">Ring Resize Operations</a></li>
</ul></li>
</ul>
</div>
<div id="searchbox" style="display: none" role="search">
<h3>Quick search</h3>
<form class="search" action="search.html" method="get">
<div><input type="text" name="q" /></div>
<div><input type="submit" value="Go" /></div>
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="footer">
©2017, Mariano Guerra, Heinz N. Gies.
|
Powered by <a href="http://sphinx-doc.org/">Sphinx 1.5.3</a>
& <a href="https://github.com/bitprophet/alabaster">Alabaster 0.7.8</a>
|
<a href="_sources/riak_core_security.rst.txt"
rel="nofollow">Page source</a>
</div>
</body>
</html>