Create role-specific namespace for grants #533
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an exclusive-or of the
jrd-security-role-uniqueness
branch, which attempted to constrain users and groups to have distinct names. This branch enables operators to define names that overlap by creating distinct places in core metadata for grants for users vs groups.riak-admin
will (for grant/revoke only, although that list of commands could be extended trivially) supportuser/<user>
andgroup/<group>
syntax to disambiguate grants or revokes when names are not unique. The tool will mandate the use of that syntax when name conflicts occur, although at the moment the tools have not been updated to illustrate the syntax or to explicitly ask for it.The
user/
orgroup/
prefixes have also been used internally when generating a list of permissions so that theprint-user
command can identify which permissions apply to the user vs any group by the same name./cc @Vagabond