Package org.projectnessie.services.authz

Interface BatchAccessChecker

All Known Implementing Classes:
AbstractBatchAccessChecker
public interface BatchAccessChecker
Accept various allowance-checks and retrieve the result of all operations at once.

The purpose of the BatchAccessChecker is to accept all required checks via the can...() methods and return the result of these "can do xyz" checks via check().

The checks make sure that a particular role is allowed to perform an action (such as creation, deletion) on a NamedRef (Branch/Tag). Additionally, this interface also provides checks based on a given ContentKey.

It is safe to call a check method with the same arguments multiple times.

Implementations can expect that either check() or checkAndThrow() are called either once or never.

See Also:

  • Method Summary

    Modifier and Type
    Method
    Description
    BatchAccessChecker
    can(Check check)
     
    BatchAccessChecker
    canAssignRefToHash(org.projectnessie.versioned.NamedRef ref)
    Checks whether the given role/principal is allowed to assign the given Branch/Tag to a commit id.
    BatchAccessChecker
    canCommitChangeAgainstReference(org.projectnessie.versioned.NamedRef ref)
    Checks whether the given role/principal is allowed to commit changes against the given Branch/Tag or Detached.
    BatchAccessChecker
    canCreateEntity(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
    Checks whether the given role/principal is allowed to create a new entity value as defined by the IdentifiedContentKey for the given Branch, called for a Operation.Put operation in a commit.
    BatchAccessChecker
    canCreateReference(org.projectnessie.versioned.NamedRef ref)
    Checks whether the given role/principal is allowed to create a Branch/Tag.
    BatchAccessChecker
    canDeleteEntity(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
    Checks whether the given role/principal is allowed to delete an entity value as defined by the ContentKey for the given Branch, called for a Operation.Delete operation in a commit.
    BatchAccessChecker
    canDeleteReference(org.projectnessie.versioned.NamedRef ref)
    Checks whether the given role/principal is allowed to delete a Branch/Tag.
    BatchAccessChecker
    canListCommitLog(org.projectnessie.versioned.NamedRef ref)
    Checks whether the given role/principal is allowed to list the commit log for the given Branch/Tag or Detached.
    BatchAccessChecker
    canReadContentKey(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
    Called for every content-key about to be returned from, for example, a "get commit log" operation.
    BatchAccessChecker
    canReadEntityValue(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
    Checks whether the given role/principal is allowed to read an entity value as defined by the ContentKey for the given Branch/Tag or Detached.
    BatchAccessChecker
    canReadEntries(org.projectnessie.versioned.NamedRef ref)
    Checks whether the given role/principal is allowed to read entries content for the given Branch/Tag or Detached.
    BatchAccessChecker
    canReadRepositoryConfig(org.projectnessie.model.RepositoryConfig.Type repositoryConfigType)
     
    BatchAccessChecker
    canUpdateEntity(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
    Checks whether the given role/principal is allowed to update an existing entity value as defined by the IdentifiedContentKey for the given Branch, called for a Operation.Put operation in a commit.
    BatchAccessChecker
    canUpdateRepositoryConfig(org.projectnessie.model.RepositoryConfig.Type repositoryConfigType)
     
    BatchAccessChecker
    canViewReference(org.projectnessie.versioned.NamedRef ref)
    Checks whether the given role/principal is allowed to view/list the given Branch/Tag or Detached.
    Map<Check,String>
    check()
    Checks the recorded checks.
    default void
    checkAndThrow()
    Convenience methods that throws an AccessCheckException, if check() returns a non-empty map.
    static void
    throwForFailedChecks(Map<Check,String> failedChecks)
     

  • Method Details

    • check

      Map<Check,String> check()
      Checks the recorded checks.
      Returns:
      map of failed checks or an empty collection, if all checks passed

    • checkAndThrow

      default void checkAndThrow() throws AccessCheckException
      Convenience methods that throws an AccessCheckException, if check() returns a non-empty map.
      Throws:
      AccessCheckException

    • throwForFailedChecks

      static void throwForFailedChecks(Map<Check,String> failedChecks) throws AccessCheckException
      Throws:
      AccessCheckException

    • can

      @CanIgnoreReturnValue BatchAccessChecker can(Check check)

    • canViewReference

      @CanIgnoreReturnValue BatchAccessChecker canViewReference(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to view/list the given Branch/Tag or Detached.
      Parameters:
      ref - The NamedRef to check

    • canCreateReference

      @CanIgnoreReturnValue BatchAccessChecker canCreateReference(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to create a Branch/Tag.
      Parameters:
      ref - The NamedRef to check

    • canAssignRefToHash

      @CanIgnoreReturnValue BatchAccessChecker canAssignRefToHash(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to assign the given Branch/Tag to a commit id.

      Adds an implicit canViewReference(NamedRef).

      Parameters:
      ref - The NamedRef to check not granted.

    • canDeleteReference

      @CanIgnoreReturnValue BatchAccessChecker canDeleteReference(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to delete a Branch/Tag.
      Parameters:
      ref - The NamedRef to check

    • canReadEntries

      @CanIgnoreReturnValue BatchAccessChecker canReadEntries(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to read entries content for the given Branch/Tag or Detached.

      Adds an implicit canViewReference(NamedRef).

      Parameters:
      ref - The NamedRef to check

    • canReadContentKey

      @CanIgnoreReturnValue BatchAccessChecker canReadContentKey(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Called for every content-key about to be returned from, for example, a "get commit log" operation.

      This is an additional check for each content-key. "Early" checks, that run before generating the result, like canReadEntries(NamedRef) or canListCommitLog(NamedRef), run as well.

      Adds an implicit canViewReference(NamedRef).

      Parameters:
      ref - current reference
      identifiedKey - content key / ID / type to check

    • canListCommitLog

      @CanIgnoreReturnValue BatchAccessChecker canListCommitLog(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to list the commit log for the given Branch/Tag or Detached.

      Adds an implicit canViewReference(NamedRef).

      Parameters:
      ref - The NamedRef to check

    • canCommitChangeAgainstReference

      @CanIgnoreReturnValue BatchAccessChecker canCommitChangeAgainstReference(org.projectnessie.versioned.NamedRef ref)
      Checks whether the given role/principal is allowed to commit changes against the given Branch/Tag or Detached.

      Adds an implicit canViewReference(NamedRef).

      Parameters:
      ref - The NamedRef to check

    • canReadEntityValue

      @CanIgnoreReturnValue BatchAccessChecker canReadEntityValue(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Checks whether the given role/principal is allowed to read an entity value as defined by the ContentKey for the given Branch/Tag or Detached.

      Adds an implicit canViewReference(NamedRef).

      Parameters:
      ref - The NamedRef to check
      identifiedKey - content key / ID / type to check

    • canCreateEntity

      @CanIgnoreReturnValue BatchAccessChecker canCreateEntity(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Checks whether the given role/principal is allowed to create a new entity value as defined by the IdentifiedContentKey for the given Branch, called for a Operation.Put operation in a commit.

      Adds an implicit canViewReference(NamedRef).

      Parameters:
      ref - The NamedRef to check
      identifiedKey - content key / ID / type to check

    • canUpdateEntity

      @CanIgnoreReturnValue BatchAccessChecker canUpdateEntity(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Checks whether the given role/principal is allowed to update an existing entity value as defined by the IdentifiedContentKey for the given Branch, called for a Operation.Put operation in a commit.

      Adds an implicit canViewReference(NamedRef).

      Parameters:
      ref - The NamedRef to check
      identifiedKey - content key / ID / type to check

    • canDeleteEntity

      @CanIgnoreReturnValue BatchAccessChecker canDeleteEntity(org.projectnessie.versioned.NamedRef ref, org.projectnessie.model.IdentifiedContentKey identifiedKey)
      Checks whether the given role/principal is allowed to delete an entity value as defined by the ContentKey for the given Branch, called for a Operation.Delete operation in a commit.

      Adds an implicit canViewReference(NamedRef).

      Parameters:
      ref - The NamedRef to check
      identifiedKey - content key / ID / type to check

    • canReadRepositoryConfig

      @CanIgnoreReturnValue BatchAccessChecker canReadRepositoryConfig(org.projectnessie.model.RepositoryConfig.Type repositoryConfigType)

    • canUpdateRepositoryConfig

      @CanIgnoreReturnValue BatchAccessChecker canUpdateRepositoryConfig(org.projectnessie.model.RepositoryConfig.Type repositoryConfigType)