
shv access control2

Fanda Vacek edited this page Apr 18, 2023 · 5 revisions

Shv access control v2

RPC call authorization

  1. Each user has a list of groups defined.
  2. Every group should match one of the defined roles.
  3. When shvbroker receives a client request, it finds the grant or list of grants for this request.
  4. Each SHV method defines its accessLevel as a number > 0 or a string that must be convertible to an access-level int by the node, see method ShvNode::grantToAccessLevel(...). accessLevel == 0 means no-access.
  5. If a device gets a request, it converts the grant or [grant, ...] set by shvbroker to an accessLevel. If the accessLevel for the specific grant is lower than the accessLevel specified by the called method, the request is refused.

Access Grant find algorithm

  1. shvbroker takes the list of groups of the current client user.
  2. Groups should be mapped to the defined roles.
  3. shvbroker creates a flattened list of all roles defined for this user.
  4. The role-flattening process traverses the role definition tree in the order of their definition, level by level. [image: role definition tree]

Flattened roles will be found as A,B,C,D,G,E,F

  1. For each role in the flattened roles
    1. For each access-rule in access-rules, in the order of their definition
      1. If the request matches the access-rule
        1. Assign the grant defined in the rule to the RpcRequest. Stop searching with success.

Access rule

Access rule consists of:

  • path-pattern, which can contain wildcards: * for a single dir and ** for any number of dirs (including zero)
  • method-pattern, which might have the form:
    1. method-name
    2. (empty string)

Access rule matches if path-pattern matches and method-pattern matches.
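The grant-finding algorithm and the access-rule matching above, as an added worked example (not the project's own code): the role tree, the rules and the grant strings are constructed sample values, user groups are assumed to map to roles of the same name, and an empty method-pattern is assumed to match every method.

```python
from collections import deque
# Constructed role tree for this example: A -> B, C; B -> D, G; C -> E, F.
# Level-by-level traversal of it yields A, B, C, D, G, E, F, as on the page.
# Grant strings ("rd", "wr", "bws") and the rules are sample values, not the project's.
ROLES = {
    "A": {"roles": ["B", "C"], "rules": [{"path": "shv/test/**", "method": "", "grant": "rd"}]},
    "B": {"roles": ["D", "G"], "rules": [{"path": "shv/*/status", "method": "get", "grant": "wr"}]},
    "C": {"roles": ["E", "F"], "rules": []},
    "D": {"roles": [], "rules": [{"path": "**", "method": "", "grant": "bws"}]},
    "G": {"roles": [], "rules": []}, "E": {"roles": [], "rules": []}, "F": {"roles": [], "rules": []},
}

def flatten_roles(role_defs, groups):
    """Steps 1-4: user groups map to roles of the same name (assumed here);
    sub-roles are visited breadth-first, level by level, in definition order."""
    order, seen, queue = [], set(), deque(groups)
    while queue:
        role = queue.popleft()
        if role in seen or role not in role_defs:
            continue
        seen.add(role)
        order.append(role)
        queue.extend(role_defs[role]["roles"])
    return order

def path_matches(pattern, path):
    """'*' matches exactly one dir, '**' matches any number of dirs including zero."""
    pat = pattern.split("/") if pattern else []
    dirs = path.split("/") if path else []
    def rec(i, j):
        if i == len(pat):
            return j == len(dirs)
        if pat[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(dirs) + 1))
        return j < len(dirs) and pat[i] in ("*", dirs[j]) and rec(i + 1, j + 1)
    return rec(0, 0)

def method_matches(pattern, method):
    """An empty method-pattern matches every method (assumption)."""
    return pattern == "" or pattern == method

def find_grant(role_defs, groups, path, method):
    """First matching rule of the first flattened role wins; None means no grant."""
    for role in flatten_roles(role_defs, groups):
        for rule in role_defs[role]["rules"]:
            if path_matches(rule["path"], path) and method_matches(rule["method"], method):
                return rule["grant"]
    return None
```

Note that a user in group A calling `get` on `shv/test/status` receives `rd` from A's rule even though B's rule would also match, because A precedes B in the flattened order.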