Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 3 changed files with 118 additions and 4 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,114 @@ | ||
# permission | ||
|
||
The permission module implements basic permission control management for Greenfield. | ||
|
||
The data resources, including the objects, buckets, payment accounts, and groups, all have permissions related. These | ||
permissions define whether each account can perform particular actions. | ||
|
||
Group is a list of accounts that can be treated in the same way as a single account. | ||
|
||
Examples of permissions are: | ||
|
||
* Put, List, Get, Delete, Copy, and Execute data objects; | ||
* Create, Delete, and List buckets | ||
* Create, Delete, ListMembersOf, Leave groups | ||
* Create, Associate payment accounts | ||
* Grant, Revoke the above permissions | ||
|
||
These permissions are associated with the data resources and accounts/groups, and the group definitions are stored on | ||
the Greenfield blockchain publicly. Now they are in plain text. Later a privacy mode will be introduced based on Zero | ||
Knowledge Proof technology. | ||
|
||
One thing that makes the permission operation more interesting is that they can be operated from BSC directly, either | ||
through smart contracts or by an EOA. | ||
|
||
The basic interface semantics of permission module are similar to those of S3. | ||
|
||
## Concepts | ||
|
||
- **Principal**: The greenfield users or groups that can grant permission to. | ||
- **Action**: The operations that can execute in greenfield storage network. | ||
- **Statement**: | ||
- **Resource**: | ||
|
||
## State | ||
|
||
|
||
|
||
|
||
|
||
The permission module keeps state of the following primary objects: | ||
|
||
* Policy | ||
* BucketPolicyToAccount: `0x11 | BigEndian(BucketID) | AccAddress -> BigEndian(PolicyID)` | ||
* ObjectPolicyToAccount: `0x12 | BigEndian(ObjectID) | AccAddress -> BigEndian(PolicyID)` | ||
* GroupPolicyToAccount: `0x13 | BigEndian(GroupID) | AccAddress -> BigEndian(PolicyID)` | ||
* PolicyGroup | ||
* BucketPolicyToGroup: `0x21 | BigEndian(BucketID) -> ProtoBuf(PolicyGroup)` | ||
* ObjectPolicyToGroup: `0x22 | BigEndian(ObjectID) -> ProtoBuf(PolicyGroup)` | ||
* PolicyByID: `0x31 | BigEndian(PolicyID) -> ProtoBuf(Policy)` | ||
|
||
These primary objects should be primarily stored and accessed by the `ID` which is a auto-incremented sequence. An | ||
additional indices are maintained per primary objects in order to compatibility with the S3 object storage. | ||
|
||
### Policy | ||
|
||
```protobuf | ||
message Policy { | ||
string id = 1 [ | ||
(cosmos_proto.scalar) = "cosmos.Uint", | ||
(gogoproto.customtype) = "Uint", | ||
(gogoproto.nullable) = false | ||
]; | ||
permission.Principal principal = 2; | ||
resource.ResourceType resource_type = 3; | ||
string resource_id = 4 [ | ||
(cosmos_proto.scalar) = "cosmos.Uint", | ||
(gogoproto.customtype) = "Uint", | ||
(gogoproto.nullable) = false | ||
]; | ||
repeated permission.Statement statements = 5; | ||
permission.Statement member_statement = 6; | ||
} | ||
``` | ||
|
||
### PolicyGroup | ||
|
||
Each resource can only grant permissions to a limited number of groups and limited number is defined by | ||
`MaximumGroupNum` in module params. | ||
|
||
```protobuf | ||
message PolicyGroup { | ||
message Item { | ||
string policy_id = 1 [ | ||
(cosmos_proto.scalar) = "cosmos.Uint", | ||
(gogoproto.customtype) = "Uint", | ||
(gogoproto.nullable) = false | ||
]; | ||
string group_id = 2 [ | ||
(cosmos_proto.scalar) = "cosmos.Uint", | ||
(gogoproto.customtype) = "Uint", | ||
(gogoproto.nullable) = false | ||
]; | ||
} | ||
repeated Item items = 1; | ||
} | ||
``` | ||
|
||
### params | ||
```protobuf | ||
// Params defines the parameters for the module. | ||
message Params { | ||
option (gogoproto.goproto_stringer) = false; | ||
uint64 maximum_statements_num = 1; | ||
uint64 maximum_group_num = 2; | ||
} | ||
``` | ||
|
||
## Message | ||
|
||
## Events | ||
|
||
|
||
|
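Review bot: The Concepts list leaves `**Statement**:` and `**Resource**:` with no definition, and the `## Message` and `## Events` headings at the end of the file are empty, so the README never says what a policy statement contains or how it is evaluated. For an access-control module that is the part readers rely on most: please define both terms, including how an account policy and a group policy on the same resource combine and what applies when no policy matches. `member_statement` (field 6 of `Policy`) and `maximum_statements_num` (field 1 of `Params`) appear in the protobuf but are not explained anywhere in the text, while `MaximumGroupNum` is; document them the same way. The key layout lists `GroupPolicyToAccount` under `0x13` but has no group-to-group entry next to `0x21` and `0x22`; state whether that omission is intentional. Smaller points: "a auto-incremented sequence" and "An additional indices are maintained per primary objects in order to compatibility with the S3 object storage" need rewording, the **Principal** definition ("that can grant permission to") is ungrammatical, and the run of empty lines under `## State` can be dropped.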