Package org.projectnessie.services.authz

Interface BatchAccessChecker

  • All Known Implementing Classes:
    AbstractBatchAccessChecker
    public interface BatchAccessChecker
    Accept various allowance-checks and retrieve the result of all operations at once.

    The purpose of the BatchAccessChecker is to accept all required checks via the can...() methods and return the result of these "can do xyz" checks via check().

    The checks make sure that a particular role is allowed to perform an action (such as creation, deletion) on a NamedRef (Branch/Tag). Additionally, this interface also provides checks based on a given ContentKey.

    It is safe to call a check method with the same arguments multiple times.

    Implementations can expect that either check() or checkAndThrow() are called either once or never.

    See Also:
    Check, Check.CheckType, AbstractBatchAccessChecker

    • Method Summary

      All Methods Static Methods Instance Methods Abstract Methods Default Methods 
      Modifier and Type Method Description
      BatchAccessChecker can​(Check check)  
      BatchAccessChecker canAssignRefToHash​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to assign the given Branch/Tag to a commit id.
      BatchAccessChecker canCommitChangeAgainstReference​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to commit changes against the given Branch/Tag or Detached.
      BatchAccessChecker canCreateEntity​(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Checks whether the given role/principal is allowed to create a new entity value as defined by the IdentifiedContentKey for the given Branch, called for a Operation.Put operation in a commit.
      BatchAccessChecker canCreateReference​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to create a Branch/Tag.
      BatchAccessChecker canDeleteEntity​(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Checks whether the given role/principal is allowed to delete an entity value as defined by the ContentKey for the given Branch, called for a Operation.Delete operation in a commit.
      BatchAccessChecker canDeleteReference​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to delete a Branch/Tag.
      BatchAccessChecker canListCommitLog​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to list the commit log for the given Branch/Tag or Detached.
      BatchAccessChecker canReadContentKey​(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Called for every content-key about to be returned from, for example, a "get commit log" operation.
      BatchAccessChecker canReadEntityValue​(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Checks whether the given role/principal is allowed to read an entity value as defined by the ContentKey for the given Branch/Tag or Detached.
      BatchAccessChecker canReadEntries​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to read entries content for the given Branch/Tag or Detached.
      BatchAccessChecker canUpdateEntity​(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Checks whether the given role/principal is allowed to update an existing entity value as defined by the IdentifiedContentKey for the given Branch, called for a Operation.Put operation in a commit.
      BatchAccessChecker canViewReference​(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to view/list the given Branch/Tag or Detached.
      BatchAccessChecker canViewRefLog()
      Checks whether the given role/principal is allowed to view the reflog entries.
      java.util.Map<Check,​java.lang.String> check()
      Checks the recorded checks.
      default void checkAndThrow()
      Convenience methods that throws an AccessCheckException, if check() returns a non-empty map.
      static void throwForFailedChecks​(java.util.Map<Check,​java.lang.String> failedChecks)  

    • Method Detail

      • check

        java.util.Map<Check,​java.lang.String> check()
        Checks the recorded checks.
        Returns:
        map of failed checks or an empty collection, if all checks passed

      • canViewReference

        BatchAccessChecker canViewReference​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to view/list the given Branch/Tag or Detached.
        Parameters:
        ref - The NamedRef to check

      • canCreateReference

        BatchAccessChecker canCreateReference​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to create a Branch/Tag.
        Parameters:
        ref - The NamedRef to check

      • canAssignRefToHash

        BatchAccessChecker canAssignRefToHash​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to assign the given Branch/Tag to a commit id.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check not granted.

      • canDeleteReference

        BatchAccessChecker canDeleteReference​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to delete a Branch/Tag.
        Parameters:
        ref - The NamedRef to check

      • canReadEntries

        BatchAccessChecker canReadEntries​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to read entries content for the given Branch/Tag or Detached.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check

      • canReadContentKey

        BatchAccessChecker canReadContentKey​(org.projectnessie.versioned.NamedRef ref,
                                     org.projectnessie.model.IdentifiedContentKey identifiedKey)
        Called for every content-key about to be returned from, for example, a "get commit log" operation.

        This is an additional check for each content-key. "Early" checks, that run before generating the result, like canReadEntries(NamedRef) or canListCommitLog(NamedRef), run as well.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - current reference
        identifiedKey - content key / ID / type to check

      • canListCommitLog

        BatchAccessChecker canListCommitLog​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to list the commit log for the given Branch/Tag or Detached.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check

      • canCommitChangeAgainstReference

        BatchAccessChecker canCommitChangeAgainstReference​(org.projectnessie.versioned.NamedRef ref)
        Checks whether the given role/principal is allowed to commit changes against the given Branch/Tag or Detached.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check

      • canReadEntityValue

        BatchAccessChecker canReadEntityValue​(org.projectnessie.versioned.NamedRef ref,
                                      org.projectnessie.model.IdentifiedContentKey identifiedKey)
        Checks whether the given role/principal is allowed to read an entity value as defined by the ContentKey for the given Branch/Tag or Detached.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check
        identifiedKey - content key / ID / type to check

      • canCreateEntity

        BatchAccessChecker canCreateEntity​(org.projectnessie.versioned.NamedRef ref,
                                   org.projectnessie.model.IdentifiedContentKey identifiedKey)
        Checks whether the given role/principal is allowed to create a new entity value as defined by the IdentifiedContentKey for the given Branch, called for a Operation.Put operation in a commit.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check
        identifiedKey - content key / ID / type to check

      • canUpdateEntity

        BatchAccessChecker canUpdateEntity​(org.projectnessie.versioned.NamedRef ref,
                                   org.projectnessie.model.IdentifiedContentKey identifiedKey)
        Checks whether the given role/principal is allowed to update an existing entity value as defined by the IdentifiedContentKey for the given Branch, called for a Operation.Put operation in a commit.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check
        identifiedKey - content key / ID / type to check

      • canDeleteEntity

        BatchAccessChecker canDeleteEntity​(org.projectnessie.versioned.NamedRef ref,
                                   org.projectnessie.model.IdentifiedContentKey identifiedKey)
        Checks whether the given role/principal is allowed to delete an entity value as defined by the ContentKey for the given Branch, called for a Operation.Delete operation in a commit.

        Adds an implicit canViewReference(NamedRef).

        Parameters:
        ref - The NamedRef to check
        identifiedKey - content key / ID / type to check

      • canViewRefLog

        BatchAccessChecker canViewRefLog()
        Checks whether the given role/principal is allowed to view the reflog entries.