gchqgh-219 Adding AccessControlledResouce documentation to FederatedS…

…tore pages.
m29827 · Jul 13, 2021 · ca4eb5d · ca4eb5d
1 parent c6d1e21
commit ca4eb5d
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 7 deletions.
diff --git a/src/main/java/uk/gov/gchq/gaffer/doc/dev/walkthrough/FederatedStoreWalkThrough.java b/src/main/java/uk/gov/gchq/gaffer/doc/dev/walkthrough/FederatedStoreWalkThrough.java
@@ -18,6 +18,7 @@
 import com.google.common.collect.Lists;
 import org.apache.commons.io.IOUtils;
 
+import uk.gov.gchq.gaffer.access.predicate.AccessPredicate;
 import uk.gov.gchq.gaffer.cache.impl.HashMapCacheService;
 import uk.gov.gchq.gaffer.commonutil.StreamUtil;
 import uk.gov.gchq.gaffer.commonutil.iterable.CloseableIterable;
@@ -41,6 +42,10 @@
 import uk.gov.gchq.gaffer.store.library.HashMapGraphLibrary;
 import uk.gov.gchq.gaffer.store.schema.Schema;
 import uk.gov.gchq.gaffer.user.User;
+import uk.gov.gchq.koryphe.impl.function.CallMethod;
+import uk.gov.gchq.koryphe.impl.predicate.And;
+import uk.gov.gchq.koryphe.impl.predicate.CollectionContains;
+import uk.gov.gchq.koryphe.predicate.AdaptedPredicate;
 
 public class FederatedStoreWalkThrough extends DevWalkthrough {
     public FederatedStoreWalkThrough() {
@@ -232,8 +237,8 @@ public CloseableIterable<? extends Element> run() throws Exception {
                 .graphId("privateGraph")
                 .parentSchemaIds(Lists.newArrayList("roadTraffic"))
                 .parentPropertiesId("mapStore")
-                        //.isPublic(false) <-- not specifying also defaults to false.
-                        //.graphAuths() <-- leave blank/null or do no specify otherwise private access is lost.
+                //.isPublic(false) <-- not specifying also defaults to false.
+                //.graphAuths() <-- leave blank/null or do no specify otherwise private access is lost.
                 .build();
         federatedGraph.execute(privateGraph, user);
         // ---------------------------------------------------------
@@ -249,7 +254,7 @@ public CloseableIterable<? extends Element> run() throws Exception {
                 .parentSchemaIds(Lists.newArrayList("roadTraffic"))
                 .parentPropertiesId("mapStore")
                 .graphAuths("Auth1", "Auth2", "Auth3")
-                        //.isPublic(false) <-- not specifying also defaults to false.
+                //.isPublic(false) <-- not specifying also defaults to false.
                 .build();
         federatedGraph.execute(addSecureGraph, user);
         // ---------------------------------------------------------
@@ -258,6 +263,34 @@ public CloseableIterable<? extends Element> run() throws Exception {
         printJson("ADD_SECURE_GRAPH", addSecureGraph);
 
 
+        // [add access controlled resource secure graph] add a graph to the federated store.
+        // ---------------------------------------------------------
+        AddGraph addAccessControlledResourceSecureGraph = new AddGraph.Builder()
+                .graphId("AccessControlledResourceSecureGraph")
+                .parentSchemaIds(Lists.newArrayList("roadTraffic"))
+                .parentPropertiesId("mapStore")
+                .readAccessPredicate(
+                        new AccessPredicate(
+                                new AdaptedPredicate(
+                                        new CallMethod("getOpAuths"),
+                                        new And(
+                                                new CollectionContains("read-access-auth-1"),
+                                                new CollectionContains("read-access-auth-2")))))
+                .writeAccessPredicate(
+                        new AccessPredicate(
+                                new AdaptedPredicate(
+                                        new CallMethod("getOpAuths"),
+                                        new And(
+                                                new CollectionContains("write-access-auth-1"),
+                                                new CollectionContains("write-access-auth-2")))))
+                .build();
+        federatedGraph.execute(addAccessControlledResourceSecureGraph, user);
+        // ---------------------------------------------------------
+
+        improveReadabilityOfJson(addAccessControlledResourceSecureGraph);
+        printJson("ADD_ACCESS_CONTROLLED_RESOURCE_SECURE_GRAPH", addAccessControlledResourceSecureGraph);
+
+
         // [disallow public access]
         // ---------------------------------------------------------
         FederatedStoreProperties disallowPublicProperties = new FederatedStoreProperties();

diff --git a/src/main/resources/dev/walkthrough/AccessControlledResources.md b/src/main/resources/dev/walkthrough/AccessControlledResources.md
@@ -0,0 +1,4 @@
+${HEADER}
+
+${CODE_LINK}
+
diff --git a/src/main/resources/dev/walkthrough/FederatedStoreWalkThrough.md b/src/main/resources/dev/walkthrough/FederatedStoreWalkThrough.md
@@ -16,6 +16,8 @@ This walkthrough explains how to:
    * [Public Access](#public-access)
    * [Private Access](#private-access)
    * [Secure Access](#secure-access)
+     * [Graph Auths](#graph-auths)
+     * [Access Controlled Resource](#access-controlled-resource)
  * [Disallow Public Access](#disallow-public-access)
  * [Limit Custom Properties](#limit-custom-properties)
 
@@ -170,8 +172,8 @@ ${END_CODE}
 
 ## Limit Access with Authentication
 It is possible to have a `FederatedStore` with many sub-graphs, however you
- may wish to limit the users access. This is possible by using authorisations
-  at the time of adding a graph to the FederatedStore, this limits the graphs users
+ may wish to limit user access to some sub-graphs. This is possible by either using authorisations
+  or configurable read and write access predicates at the time of adding the graph to the FederatedStore, this limits the graphs users
    can perform operations on.
 
 ### Public Access
@@ -200,8 +202,10 @@ ${ADD_PRIVATE_GRAPH_FULL_JSON}
 ${END_CODE}
 
 ### Secure Access
-Within the `AddGraph` operation, do not assign the "isPublic" parameter or assign it to false.
-By assigning the parameter "graphAuths", all users that has one of the listed authorisations will have access to that graph.
+Within the `AddGraph` operation, do not assign the "isPublic" parameter or assign it to false, this ensures the settings described in this section are not ignored.
+
+#### Graph Auths
+By assigning the parameter "graphAuths", all users that have one of the listed authorisations will have access to that graph. Note that "graphAuths" is mutually exclusive with the "readAccessPredicate" and "writeAccessPredicate" settings described in the [Access Controlled Resource](#access-controlled-resource) section.
 
 ${START_JAVA_CODE}
 ${ADD_SECURE_GRAPH_SNIPPET}
@@ -211,6 +215,19 @@ ${FULL_JSON_CODE}
 ${ADD_SECURE_GRAPH_FULL_JSON}
 ${END_CODE}
 
+#### Access Controlled Resource
+Graphs in the Federated Store implement the AccessControlledResource interface and can therefore be configured to apply a customisable Predicate against the User to determine whether they can access the graph.
+This example ensures readers of the graph have both the "read-access-auth-1" and "read-access-auth-2" auths and users attempting to remove the graph have both the "write-access-auth-1" and "write-access-auth-2" auths.
+Note that the "readAccessPredicate" and "writeAccessPredicate" fields are mutually exclusive with the "graphAuths" setting described in the [Graph Auths](#graph-auths) section.
+
+${START_JAVA_CODE}
+${ADD_ACCESS_CONTROLLED_RESOURCE_SECURE_GRAPH_SNIPPET}
+${JSON_CODE}
+${ADD_ACCESS_CONTROLLED_RESOURCE_SECURE_GRAPH_JSON}
+${FULL_JSON_CODE}
+${ADD_ACCESS_CONTROLLED_RESOURCE_SECURE_GRAPH_FULL_JSON}
+${END_CODE}
+
 ## Disallow Public Access
 By default the `FederatedStore` will allow graphs to be added with public access.
 However public access can be disallow by setting the property `gaffer.federatedstore.isPublicAllowed` to false.