Enforce owner access in Storage APIs
This PR adds a method to enforce owner access for the Storage APIs (create/update/purge). We add a `boolean hasOwnerAccess(DpsHeaders headers, String[] ownerList)` method in the `IEntitlementsAndCacheService` interface; this method will be overwritten in the Storage-Core module.
Following are the original task's requirements.
- I can see only record owners can update records
- I can see only record owners can delete records
- I can see only record owners can patch records
- I can see record viewer cannot do any of the above operations
- I can see record viewer can read the record
Following are more interpretations:
- Why are we doing this change? What is the business/technical reason?
  - To enforce that: if a user wants to create/update/purge a record, the user must be in the ACL groups of that record.
- Which core services are impacted/implement this method?
  - We only need to change the Storage service.
- How does this impact cloud providers? If they have to implement it, what should they do?
  - This only changes the storage-core module (files including `RecordServiceImpl.java` and `IngestionServiceImpl.java`); cloud providers do not need to change providers' implementations.
  - After the change, if a user wants to create/update/purge a record, the user must be in the ACL groups of that record, so there might be users losing their permission to create/update/purge certain records.
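
The rule described above, as an added Java sketch that is not code from this PR or from the Storage service: write operations require membership in one of the record's owner groups, while read also accepts viewer groups. The class, the `Acl` record, the `Op` enum, the group e-mails and passing the caller's groups in directly (instead of resolving them from `DpsHeaders`) are all assumptions made for illustration, as are owners being allowed to read and case-insensitive group matching.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

public class OwnerAccessSketch {

    enum Op { READ, CREATE, UPDATE, PATCH, DELETE, PURGE }

    // Constructed stand-in for a record's ACL: group e-mails for owners and viewers.
    record Acl(String[] owners, String[] viewers) {}

    // True only if the caller belongs to at least one group in ownerList.
    // Fails closed: a null or empty list grants nothing.
    static boolean hasOwnerAccess(Set<String> callerGroups, String[] ownerList) {
        return intersects(callerGroups, ownerList);
    }

    // Assumption: group e-mails are compared case-insensitively.
    static boolean intersects(Set<String> callerGroups, String[] aclGroups) {
        if (callerGroups == null || aclGroups == null) return false;
        Set<String> normalized = callerGroups.stream()
                .map(g -> g.toLowerCase(Locale.ROOT))
                .collect(Collectors.toSet());
        return Arrays.stream(aclGroups)
                .filter(g -> g != null)
                .anyMatch(g -> normalized.contains(g.toLowerCase(Locale.ROOT)));
    }

    // Every write operation needs owner membership; a viewer group is enough to read.
    static boolean isAllowed(Op op, Set<String> callerGroups, Acl acl) {
        if (op == Op.READ) {
            return intersects(callerGroups, acl.viewers())
                    || intersects(callerGroups, acl.owners());
        }
        return hasOwnerAccess(callerGroups, acl.owners());
    }

    public static void main(String[] args) {
        Acl acl = new Acl(new String[] {"data.sample.owners@example.test"},
                          new String[] {"data.sample.viewers@example.test"});
        Set<String> owner = Set.of("data.sample.owners@example.test");
        Set<String> viewer = Set.of("data.sample.viewers@example.test");
        // Prints one row per operation: the viewer is allowed READ only.
        for (Op op : Op.values()) {
            System.out.printf("%-6s owner=%b viewer=%b%n", op,
                    isAllowed(op, owner, acl), isAllowed(op, viewer, acl));
        }
    }
}
```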