This PR adds a method to enforce owner access for the Storage APIs (create/update/purge). We add a boolean hasOwnerAccess(DpsHeaders headers, String ownerList) method to the IEntitlementsAndCacheService interface; this method will be overwritten in the Storage-Core module.
The following are the original task's requirements:
- I can see only record owners can update records
- I can see only record owners can delete records
- I can see only record owners can patch records
- I can see record viewer cannot do any of the above operations
- I can see record viewer can read the record
The following are more interpretations:
- Why are we doing this change? What is the business/technical reason?
  - To enforce that if a user wants to create/update/purge a record, the user must be in the ACL groups of that record.
- Which core services are impacted by or implement this method?
  - We only need to change the Storage service.
- How does this impact cloud providers? If they have to implement it, what should they do?
  - This only changes the storage-core module (files including IngestionServiceImpl.java); cloud providers do not need to change providers' implementations.
  - After the change, if a user wants to create/update/purge a record, the user must be in the ACL groups of that record, so there might be users losing their permission to create/update/purge certain records.
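The rule stated above, as an added sketch that is not code from this PR or from the Storage service: write-type operations require membership in one of the record's owner groups, while viewers can only read. The class, record, enum, and group names are hypothetical, the caller's groups are passed in directly instead of being resolved from DpsHeaders, and owners being able to read is an assumption.

```java
import java.util.Objects;
import java.util.Set;

// Added illustration; not the Storage service's implementation. Requires Java 16+ (records).
public class OwnerAccessSketch {
    // Hypothetical stand-in for a record's ACL: owner and viewer group names.
    record Acl(Set<String> owners, Set<String> viewers) {}

    enum Operation { READ, CREATE, UPDATE, PATCH, PURGE }

    // True only if the caller belongs to at least one group in the list.
    // Fails closed: missing or empty input means no access.
    static boolean isMember(Set<String> userGroups, Set<String> groupList) {
        if (userGroups == null || groupList == null || groupList.isEmpty()) {
            return false;
        }
        return groupList.stream().filter(Objects::nonNull).anyMatch(userGroups::contains);
    }

    static boolean isAllowed(Operation op, Set<String> userGroups, Acl acl) {
        if (op == Operation.READ) {
            // Assumption: owners can read as well as viewers.
            return isMember(userGroups, acl.viewers()) || isMember(userGroups, acl.owners());
        }
        // Every write-type operation requires membership in an owner group.
        return isMember(userGroups, acl.owners());
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Acl acl = new Acl(Set.of("data.example.owners@tenant.example"),
                          Set.of("data.example.viewers@tenant.example"));
        Set<String> owner = Set.of("data.example.owners@tenant.example");
        Set<String> viewer = Set.of("data.example.viewers@tenant.example");
        for (Operation op : Operation.values()) {
            System.out.printf("%-6s owner=%-5b viewer=%b%n",
                    op, isAllowed(op, owner, acl), isAllowed(op, viewer, acl));
        }
    }
}
```

A caller who was previously able to write a record without being in its owner groups shows up here as a user for whom only READ remains allowed, which is the permission loss the description warns about.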