Apply unix style permission management

Author: ningyougang

common/scala/src/main/scala/org/apache/openwhisk/core/entity/WhiskAction.scala

@@ -56,8 +56,7 @@ case class WhiskActionPut(exec: Option[Exec] = None,
                           limits: Option[ActionLimitsOption] = None,
                           version: Option[SemVer] = None,
                           publish: Option[Boolean] = None,
-                          annotations: Option[Parameters] = None,
-                          unlock: Option[Boolean] = None) {
+                          annotations: Option[Parameters] = None) {
 
   protected[core] def replace(exec: Exec) = {
     WhiskActionPut(Some(exec), parameters, limits, version, publish, annotations)
@@ -76,6 +75,16 @@ case class WhiskActionPut(exec: Option[Exec] = None,
       case _ => this
     } getOrElse this
   }
+
+  protected[core] def getPermissions(): Option[String] = {
+    annotations match {
+      case Some(value) =>
+        value
+          .get(WhiskAction.permissionsFieldName)
+          .map(value => value.convertTo[String])
+      case None => None
+    }
+  }
 }
 
 abstract class WhiskActionLike(override val name: EntityName) extends WhiskEntity(name, "action") {
@@ -350,7 +359,31 @@ object WhiskAction extends DocumentFactory[WhiskAction] with WhiskEntityQueries[
   import WhiskActivation.instantSerdes
   val execFieldName = "exec"
   val requireWhiskAuthHeader = "x-require-whisk-auth"
-  val lockFieldName = "lock"
+
+  // annotation permission key name
+  val permissionsFieldName = "permissions"
+
+  val defaultPermissions = "rwxr-x"
+
+  // notes on users, just have 2 type users,
+  // 1. the action's owner
+  // 2. the user (not the owner) who used the shared action directly(e.g. get, invoke)
+  //
+  // Notes on permission control
+  // 1. the action's read permission should open forever, because under invoke action or update action and so on,
+  //    need to use `fetch` api to get the action to judge it whether exist.
+  // 2. the user(not the owner) can't update/delete the action forever.
+  // 3. the owner's permission can affect other user's permission, e.g
+  //    if the owner is not given execute permission, the user(not the owner) can't have execute permission as well.
+  //
+  // Notes on permission values, include below permission value
+  // 1. permission code:rwxr-x: owner:read(yes)/write(yes)/execute(yes)|the shared action's user:read(yes)/write(no)/execute(yes), this is default
+  // 2. permission code:rwxr--: owner:read(yes)/write(yes)/execute(yes)|the shared action's user:read(yes)/write(no)/execute(no)
+  // 3. permission code:r-xr-x: owner:read(yes)/write(no)/execute(yes)|the shared action's user:read(yes)/write(no)/execute(yes)
+  // 4. permission code:r-xr--: owner:read(yes)/write(no)/execute(yes)|the shared action's user:read(yes)/write(no)/execute(no)
+  // 5. permission code:r--r--: owner:read(yes)/write(no)/execute(no)|the shared action's user:read(yes)/write(no)/execute(no)
+  // 6. permission code:rw-r--: owner:read(yes)/write(yes)/execute(no)|the shared action's user:read(yes)/write(no)/execute(no)
+  val permissionList = List(defaultPermissions, "rwxr--", "r-xr-x", "r-xr--", "r--r--", "rw-r--")
 
   override val collectionName = "actions"
   override val cacheEnabled = true
@@ -645,5 +678,5 @@ object ActionLimitsOption extends DefaultJsonProtocol {
 }
 
 object WhiskActionPut extends DefaultJsonProtocol {
-  implicit val serdes = jsonFormat7(WhiskActionPut.apply)
+  implicit val serdes = jsonFormat6(WhiskActionPut.apply)
 }

common/scala/src/main/scala/org/apache/openwhisk/http/ErrorResponse.scala

@@ -20,23 +20,16 @@ package org.apache.openwhisk.http
 import scala.concurrent.duration.Duration
 import scala.concurrent.duration.FiniteDuration
 import scala.util.Try
-
 import akka.http.scaladsl.model.StatusCode
 import akka.http.scaladsl.model.StatusCodes.Forbidden
 import akka.http.scaladsl.model.StatusCodes.NotFound
 import akka.http.scaladsl.model.MediaType
 import akka.http.scaladsl.server.Directives
 import akka.http.scaladsl.marshallers.sprayjson.SprayJsonSupport.sprayJsonMarshaller
 import akka.http.scaladsl.server.StandardRoute
-
 import spray.json._
-
 import org.apache.openwhisk.common.TransactionId
-import org.apache.openwhisk.core.entity.SizeError
-import org.apache.openwhisk.core.entity.ByteSize
-import org.apache.openwhisk.core.entity.Exec
-import org.apache.openwhisk.core.entity.ExecMetaDataBase
-import org.apache.openwhisk.core.entity.ActivationId
+import org.apache.openwhisk.core.entity.{ActivationId, ByteSize, Exec, ExecMetaDataBase, SizeError}
 
 object Messages {
 

core/controller/src/main/scala/org/apache/openwhisk/core/controller/Actions.scala

@@ -209,13 +209,25 @@ trait WhiskActionsApi extends WhiskCollectionAPI with PostActionActivation with
         val checkAdditionalPrivileges = entitleReferencedEntities(user, Privilege.READ, request.exec).flatMap {
           case _ => entitlementProvider.check(user, content.exec)
         }
-        val unlock = content.unlock.getOrElse(false)
 
         onComplete(checkAdditionalPrivileges) {
           case Success(_) =>
-            putEntity(WhiskAction, entityStore, entityName.toDocId, overwrite, update(user, request) _, () => {
-              make(user, entityName, request)
-            }, unlock = unlock)
+            val operation = if (overwrite) "update" else "create"
+            onComplete(
+              entitlementProvider
+                .checkActionPermissions(
+                  operation,
+                  user,
+                  entityStore,
+                  entityName,
+                  WhiskAction.get,
+                  content.getPermissions())) {
+              case Success(_) =>
+                putEntity(WhiskAction, entityStore, entityName.toDocId, overwrite, update(user, request) _, () => {
+                  make(user, entityName, request)
+                })
+              case Failure(f) => super.handleEntitlementFailure(f)
+            }
           case Failure(f) =>
             super.handleEntitlementFailure(f)
         }
@@ -236,37 +248,43 @@ trait WhiskActionsApi extends WhiskCollectionAPI with PostActionActivation with
    */
   override def activate(user: Identity, entityName: FullyQualifiedEntityName, env: Option[Parameters])(
     implicit transid: TransactionId) = {
-    parameter(
-      'blocking ? false,
-      'result ? false,
-      'timeout.as[FiniteDuration] ? controllerActivationConfig.maxWaitForBlockingActivation) {
-      (blocking, result, waitOverride) =>
-        entity(as[Option[JsObject]]) { payload =>
-          getEntity(WhiskActionMetaData.resolveActionAndMergeParameters(entityStore, entityName), Some {
-            act: WhiskActionMetaData =>
-              // resolve the action --- special case for sequences that may contain components with '_' as default package
-              val action = act.resolve(user.namespace)
-              onComplete(entitleReferencedEntitiesMetaData(user, Privilege.ACTIVATE, Some(action.exec))) {
-                case Success(_) =>
-                  val actionWithMergedParams = env.map(action.inherit(_)) getOrElse action
-
-                  // incoming parameters may not override final parameters (i.e., parameters with already defined values)
-                  // on an action once its parameters are resolved across package and binding
-                  val allowInvoke = payload
-                    .map(_.fields.keySet.forall(key => !actionWithMergedParams.immutableParameters.contains(key)))
-                    .getOrElse(true)
-
-                  if (allowInvoke) {
-                    doInvoke(user, actionWithMergedParams, payload, blocking, waitOverride, result)
-                  } else {
-                    terminate(BadRequest, Messages.parametersNotAllowed)
-                  }
+    onComplete(
+      entitlementProvider
+        .checkActionPermissions("invoke", user, entityStore, entityName, WhiskAction.get)) {
+      case Success(_) =>
+        parameter(
+          'blocking ? false,
+          'result ? false,
+          'timeout.as[FiniteDuration] ? controllerActivationConfig.maxWaitForBlockingActivation) {
+          (blocking, result, waitOverride) =>
+            entity(as[Option[JsObject]]) { payload =>
+              getEntity(WhiskActionMetaData.resolveActionAndMergeParameters(entityStore, entityName), Some {
+                act: WhiskActionMetaData =>
+                  // resolve the action --- special case for sequences that may contain components with '_' as default package
+                  val action = act.resolve(user.namespace)
+                  onComplete(entitleReferencedEntitiesMetaData(user, Privilege.ACTIVATE, Some(action.exec))) {
+                    case Success(_) =>
+                      val actionWithMergedParams = env.map(action.inherit(_)) getOrElse action
+
+                      // incoming parameters may not override final parameters (i.e., parameters with already defined values)
+                      // on an action once its parameters are resolved across package and binding
+                      val allowInvoke = payload
+                        .map(_.fields.keySet.forall(key => !actionWithMergedParams.immutableParameters.contains(key)))
+                        .getOrElse(true)
+
+                      if (allowInvoke) {
+                        doInvoke(user, actionWithMergedParams, payload, blocking, waitOverride, result)
+                      } else {
+                        terminate(BadRequest, Messages.parametersNotAllowed)
+                      }
 
-                case Failure(f) =>
-                  super.handleEntitlementFailure(f)
-              }
-          })
+                    case Failure(f) =>
+                      super.handleEntitlementFailure(f)
+                  }
+              })
+            }
         }
+      case Failure(f) => super.handleEntitlementFailure(f)
     }
   }
 
@@ -328,7 +346,13 @@ trait WhiskActionsApi extends WhiskCollectionAPI with PostActionActivation with
    * - 500 Internal Server Error
    */
   override def remove(user: Identity, entityName: FullyQualifiedEntityName)(implicit transid: TransactionId) = {
-    deleteEntity(WhiskAction, entityStore, entityName.toDocId, (a: WhiskAction) => Future.successful({}))
+    onComplete(
+      entitlementProvider
+        .checkActionPermissions("remove", user, entityStore, entityName, WhiskAction.get)) {
+      case Success(_) =>
+        deleteEntity(WhiskAction, entityStore, entityName.toDocId, (a: WhiskAction) => Future.successful({}))
+      case Failure(f) => super.handleEntitlementFailure(f)
+    }
   }
 
   /**
@@ -554,9 +578,7 @@ trait WhiskActionsApi extends WhiskCollectionAPI with PostActionActivation with
       content.version getOrElse action.version.upPatch,
       content.publish getOrElse action.publish,
       WhiskActionsApi
-        .amendAnnotations(content.annotations getOrElse action.annotations, exec, create = false) ++ content.unlock
-        .map(u => Parameters(WhiskAction.lockFieldName, JsBoolean(!u)))
-        .getOrElse(Parameters()))
+        .amendAnnotations(content.annotations getOrElse action.annotations, exec, create = false))
       .revision[WhiskAction](action.docinfo.rev)
   }
 

core/controller/src/main/scala/org/apache/openwhisk/core/controller/ApiUtils.scala

@@ -25,22 +25,18 @@ import scala.util.Failure
 import scala.util.Success
 import akka.http.scaladsl.marshallers.sprayjson.SprayJsonSupport._
 import akka.http.scaladsl.model.StatusCode
-import akka.http.scaladsl.model.StatusCodes._
+import akka.http.scaladsl.model.StatusCodes.Conflict
+import akka.http.scaladsl.model.StatusCodes.InternalServerError
+import akka.http.scaladsl.model.StatusCodes.NotFound
+import akka.http.scaladsl.model.StatusCodes.OK
 import akka.http.scaladsl.server.{Directives, RequestContext, RouteResult}
 import spray.json.DefaultJsonProtocol._
 import spray.json.{JsObject, JsValue, RootJsonFormat}
 import org.apache.openwhisk.common.Logging
 import org.apache.openwhisk.common.TransactionId
 import org.apache.openwhisk.core.controller.PostProcess.PostProcessEntity
 import org.apache.openwhisk.core.database._
-import org.apache.openwhisk.core.entity.{
-  ActivationId,
-  ActivationLogs,
-  DocId,
-  WhiskAction,
-  WhiskActivation,
-  WhiskDocument
-}
+import org.apache.openwhisk.core.entity.{ActivationId, ActivationLogs, DocId, WhiskActivation, WhiskDocument}
 import org.apache.openwhisk.http.ErrorResponse
 import org.apache.openwhisk.http.ErrorResponse.terminate
 import org.apache.openwhisk.http.Messages._
@@ -314,8 +310,7 @@ trait WriteOps extends Directives {
                                                                   update: A => Future[A],
                                                                   create: () => Future[A],
                                                                   treatExistsAsConflict: Boolean = true,
-                                                                  postProcess: Option[PostProcessEntity[A]] = None,
-                                                                  unlock: Boolean = false)(
+                                                                  postProcess: Option[PostProcessEntity[A]] = None)(
     implicit transid: TransactionId,
     format: RootJsonFormat[A],
     notifier: Option[CacheChangeNotification],
@@ -340,24 +335,8 @@ trait WriteOps extends Directives {
     } flatMap {
       case (old, a) =>
         logging.debug(this, s"[PUT] entity created/updated, writing back to datastore")
-        if (overwrite && !unlock && old.getOrElse(None).isInstanceOf[WhiskAction]) {
-          val oldWhiskAction = old.getOrElse(None).asInstanceOf[WhiskAction]
-          oldWhiskAction.annotations.get(WhiskAction.lockFieldName) match {
-            case Some(value) if (value.convertTo[Boolean]) => {
-              Future failed RejectRequest(
-                MethodNotAllowed,
-                s"this action can't be updated until ${WhiskAction.lockFieldName} annotation is updated to false")
-            }
-            case _ => {
-              factory.put(datastore, a, old) map { _ =>
-                a
-              }
-            }
-          }
-        } else {
-          factory.put(datastore, a, old) map { _ =>
-            a
-          }
+        factory.put(datastore, a, old) map { _ =>
+          a
         }
     }) {
       case Success(entity) =>
@@ -411,30 +390,11 @@ trait WriteOps extends Directives {
     notifier: Option[CacheChangeNotification],
     ma: Manifest[A]) = {
     onComplete(factory.get(datastore, docid) flatMap { entity =>
-      if (entity.isInstanceOf[WhiskAction]) {
-        val whiskAction = entity.asInstanceOf[WhiskAction]
-        whiskAction.annotations.get(WhiskAction.lockFieldName) match {
-          case Some(value) if (value.convertTo[Boolean]) => {
-            Future failed RejectRequest(
-              MethodNotAllowed,
-              s"this action can't be deleted until ${WhiskAction.lockFieldName} annotation is updated to false")
+      confirm(entity) flatMap {
+        case _ =>
+          factory.del(datastore, entity.docinfo) map { _ =>
+            entity
           }
-          case _ => {
-            confirm(entity) flatMap {
-              case _ =>
-                factory.del(datastore, entity.docinfo) map { _ =>
-                  entity
-                }
-            }
-          }
-        }
-      } else {
-        confirm(entity) flatMap {
-          case _ =>
-            factory.del(datastore, entity.docinfo) map { _ =>
-              entity
-            }
-        }
       }
     }) {
       case Success(entity) =>