This system is designed to replace the current system that uses AccessPolicy/AccessTag/AppliedTag system. AccessPolicy is getting replaced with an access_control_entry table. Instead of a JSON body with arrays of subjects, actions, and objects, each access control entry has a single subject, action, and object. However, the subject, action, and object can reference a tag, and if so, it will allow access to all subjects/actions/objects that have that tag (we will support tagging tags, allowing for recursive inclusion).

Instead of a single AccessTag table that was used for both subject tags and object tags, we will have separate subject_tag and object_tag tables, to avoid the possibility for subject/object confusion. The tag tables will not have a hypertag capability (having the tag itself reference a single object). Instead, access control entries can reference single objects instead of a tag, which implements a hypertag feature with less complexity.

This also adds an action_tag table, so that actions can be tagged just like subjects and objects. AppliedTag was used as a join table, and it is being replaced by separated join tables, one each for subjects, actions, and objects.

Unlike subjects and objects, which will vary for every Ubicloud project, actions are fixed, and will only be updated when we add new features to Ubicloud. To support the same tagging features, supported actions are now stored in a table named action_type. This is a static table mapping uuid to action name, and will only be updated by migrations. The ubids/uuids for the static action_type/action_tag entries are vanity ubids, to make them easy to recognize in pry.
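The authorization rule these tables imply, as an added example that is not Ubicloud's code: an in-memory model of the three applied-tag join tables and the access_control_entry rows (table names, action names and sample ids are constructed), with tag expansion done recursively and a visited set guarding against the cycle that tagging tags makes possible.

```ruby
require 'set'

# Join tables (assumed layout): tag id => member ids. A member may itself be a
# tag, which is the recursive inclusion described in the design.
SUBJECT_TAG_MEMBERS = {
  "stag:admins" => ["user:alice", "stag:ops"],
  "stag:ops"    => ["user:bob", "stag:admins"], # constructed cycle on purpose
}
ACTION_TAG_MEMBERS = {
  "atag:vm:all" => ["Vm:view", "Vm:create", "Vm:delete"],
}
OBJECT_TAG_MEMBERS = {
  "otag:prod"    => ["vm:web1", "otag:prod-db"],
  "otag:prod-db" => ["vm:db1"],
}

# access_control_entry rows: exactly one subject, action and object each,
# any of which may be a tag or (the "hypertag" case) a single concrete id.
ACCESS_CONTROL_ENTRIES = [
  { subject: "stag:admins", action: "atag:vm:all", object: "otag:prod" },
  { subject: "user:carol",  action: "Vm:view",     object: "vm:web1" },
]

# Expand one id to the set of leaf ids it covers. An id with no join rows is
# a concrete subject/action/object and expands to itself. The visited set
# stops infinite recursion when tags reference each other in a cycle.
def expand(id, members, seen = Set.new)
  return Set.new if seen.include?(id)
  seen << id
  return Set[id] unless members.key?(id)
  members[id].each_with_object(Set.new) do |member, acc|
    acc.merge(expand(member, members, seen))
  end
end

# Allowed iff some single entry covers the subject, the action and the object.
def authorized?(subject, action, object)
  ACCESS_CONTROL_ENTRIES.any? do |ace|
    expand(ace[:subject], SUBJECT_TAG_MEMBERS).include?(subject) &&
      expand(ace[:action], ACTION_TAG_MEMBERS).include?(action) &&
      expand(ace[:object], OBJECT_TAG_MEMBERS).include?(object)
  end
end
```

In a real database the same expansion would be a recursive CTE over the join tables; the in-memory version keeps the cycle handling visible.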