Permissions

Permissions Specification

A Fusion permission denotes an allowed request to a Fusion REST-API endpoint or endpoints. A permissions specification consists of:

  • HTTP request method or methods allowed. Multiple HTTP methods are separated by commas.

  • REST-API services endpoint, which can contain wildcards or named variables. All calls to the REST-API start "api/apollo", followed by the service name and any methods and parameters. The permissions specification includes everything following "api/apollo". The endpoint can include wildcards. The wildcard symbol '*' matches all possible values for a single path fragment and two wildcards match all possible values for any number of path fragments. A path fragment can be a named variable enclosed in curly braces: "{variable-name}". Variables are used when a wildcard would be too permissive and a single path fragment too restrictive.

  • Optionally, the allowed values for any named variables in the endpoint. The variable specification component specifies the restricted value or values for all named variables in the path. Each specification consists of the variable name, followed by "=" (the equals sign), followed by one or more values which are separated by commas. If the endpoint specification has multiple variable, the semi-colon character ";" is used as the separator between parameter specifications.

Permissions specifications are coded up as a string using the colon character ":" as the separator between the permission elements. Here are some examples of permissions specifications:

  • GET:/query-pipelines/*/collections/*/select - search access to any Fusion collection.

  • GET,PUT:/collections/Collection345/synonyms/** - permission to edit synonyms for collection named "Collection345".

  • GET:/collections/{id}:id=Collection345,Collection346 - read access to collections named "Collection345" and "Collection346".

In ZooKeeper, both User and Roles entries contain a list of Permission specifications. A Permission entry has three attributes: "methods", "path", and "params".

Example Permissions Set

Wildcards make it easy to give wide access to Fusion services. The permissions for the admin user can be written in a single line:

GET,POST,PUT,DELETE,PATCH,HEAD:/**

To restrict access to a single collection and a single Fusion facility requires a set of narrowly defined permissions. For example, the following set of permissions allows a user to run Fusion’s analytics dashboards over a collection named "test":

  • GET:/solr/{id}/*:id=test- read-only access to collection named "test"

  • GET:/solr/{id}/admin/luke:id=test - dashboards require read-only access to Solr utility luke to compile collection metrics

  • GET:/solr/system_banana/* - read-only access to dashboards

  • GET:/collections/system_banana - read-only access to collection where dashboard definitions are stored

Read-only access to the dashboard definitions collection means that the user cannot save the configured dashboard back to Fusion.

The following JSON shows how Fusion stores this list of permissions in ZooKeeper:

"permissions":[
  {"params": {"id":["mdb1"]},
   "path":"/solr/{id}/*",
   "methods":["GET"]},
  {"params":{"id":["mdb1"]},
   "path":"/solr/{id}/admin/luke",
   "methods":["GET"]},
  {"path":"/solr/system_banana/*",
   "methods":["GET"]},
  {"path":"/collections/system_banana",
   "methods":["GET"]}
  ]