Permission Statements
A Statement grants permissions to execute Actions on ResourceNames.
Actions and Resources
ResourceNames are simply namespaced Identifiers. An example could be: "bonsaidb".*."khonsulabs-admin.users".1. Each segment can be a string, an integer, or a wildcard (*).

In BonsaiDb, nearly everything has a resource name. The example above refers to a document with ID 1 in the khonsulabs-admin.users collection in any database. The bonsaidb::core::permissions::bonsai module contains functions to create properly formatted ResourceNames.

Also within the same module are the built-in Actions. The base enum for all actions used within BonsaiDb is BonsaiAction.
Below is an overview of the resource names and actions by category.
Server
The ServerAction enum contains the actions that are related to StorageConnection. For APIs that accept a database name parameter, the resource name will be database_resource_name(database). For all other actions, the resource name is bonsaidb_resource_name().
For actions that operate upon users (e.g., creating a user), the resource name is user_resource_name(username).
At-rest Encryption
Access to encrypted information can be controlled by limiting access to the encryption key used. Currently, BonsaiDb only has support for a shared master key, but in the future additional keys will be able to be created. Because Encrypt and Decrypt are separate actions, access to read and write can be controlled independently.

The resource name for an encryption key is encryption_key_resource_name(key_id).
Database
The DatabaseAction enum contains the actions that are related to a specific database. Actions that act on the database directly will use the resource name database_resource_name(database).

For Collections, there are three resource names used. For actions that operate on the collection directly, the resource name is collection_resource_name(database, collection). For actions that operate on a document, the resource name is document_resource_name(database, collection, id). Finally, for actions that operate on a View, the resource name is view_resource_name(database, view).

For actions that operate upon the key-value entry, the resource name is keyvalue_key_resource_name(database, namespace, key).

For actions that operate on a PubSub topic, the resource name is pubsub_topic_resource_name(database, topic).
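The following is an added, self-contained Rust model of how the resource names described above combine with a statement into an allow decision. It is not BonsaiDb's code: the Identifier, ResourceName, Statement, Permissions and Action types, the document_resource_name helper, and the matching rule (a pattern must have the same number of segments as the concrete name, with * matching any single segment) are all assumptions made for this illustration, and BonsaiDb's real types in bonsaidb::core::permissions differ in detail. The example encodes the page's own pattern "bonsaidb".*."khonsulabs-admin.users".1 and checks which document reads it permits.

```rust
// Added example, not BonsaiDb's own code. All types and helpers below are
// assumptions modelled on the naming used in the page.

/// One segment of a resource name: a string, an integer, or the wildcard `*`.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Identifier {
    Any,
    Integer(u64),
    String(String),
}

impl Identifier {
    /// A pattern segment matches a concrete segment if it is `*` or equal.
    fn matches(&self, concrete: &Identifier) -> bool {
        matches!(self, Identifier::Any) || self == concrete
    }
}

impl From<&str> for Identifier {
    fn from(s: &str) -> Self {
        Identifier::String(s.to_owned())
    }
}

impl From<u64> for Identifier {
    fn from(id: u64) -> Self {
        Identifier::Integer(id)
    }
}

/// A namespaced resource name, e.g. "bonsaidb".*."khonsulabs-admin.users".1
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ResourceName(Vec<Identifier>);

impl ResourceName {
    pub fn named(segment: impl Into<Identifier>) -> Self {
        ResourceName(vec![segment.into()])
    }
    pub fn and(mut self, segment: impl Into<Identifier>) -> Self {
        self.0.push(segment.into());
        self
    }
    pub fn and_any(self) -> Self {
        self.and(Identifier::Any)
    }
    /// Assumed rule: same segment count, every segment matches in turn.
    fn matches(&self, concrete: &ResourceName) -> bool {
        self.0.len() == concrete.0.len()
            && self.0.iter().zip(&concrete.0).all(|(p, c)| p.matches(c))
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DocumentAction { Get, Insert, Update, Delete }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Action { Document(DocumentAction), Encrypt, Decrypt }

/// A statement grants a list of actions on a list of resource-name patterns.
pub struct Statement { resources: Vec<ResourceName>, actions: Vec<Action> }

impl Statement {
    pub fn for_resource(resource: ResourceName) -> Self {
        Statement { resources: vec![resource], actions: Vec::new() }
    }
    pub fn allowing(mut self, action: Action) -> Self {
        self.actions.push(action);
        self
    }
}

/// Allow-only semantics: permitted iff some statement lists the action and
/// names a pattern matching the resource. Anything not granted is denied.
pub struct Permissions(Vec<Statement>);

impl Permissions {
    pub fn allowed_to(&self, resource: &ResourceName, action: Action) -> bool {
        self.0.iter().any(|s| {
            s.actions.contains(&action) && s.resources.iter().any(|r| r.matches(resource))
        })
    }
}

/// Concrete document name, mirroring the page's
/// document_resource_name(database, collection, id) (modelled, not BonsaiDb's).
pub fn document_resource_name(database: &str, collection: &str, id: u64) -> ResourceName {
    ResourceName::named("bonsaidb").and(database).and(collection).and(id)
}

/// Grants Get on document 1 of khonsulabs-admin.users in any database:
/// the page's example pattern "bonsaidb".*."khonsulabs-admin.users".1
pub fn example_permissions() -> Permissions {
    let pattern = ResourceName::named("bonsaidb").and_any().and("khonsulabs-admin.users").and(1u64);
    let read_doc1 = Statement::for_resource(pattern).allowing(Action::Document(DocumentAction::Get));
    Permissions(vec![read_doc1])
}

fn main() {
    let perms = example_permissions();
    let doc1 = document_resource_name("app-db", "khonsulabs-admin.users", 1);
    let doc2 = document_resource_name("app-db", "khonsulabs-admin.users", 2);
    println!("get doc 1:    {}", perms.allowed_to(&doc1, Action::Document(DocumentAction::Get)));
    println!("get doc 2:    {}", perms.allowed_to(&doc2, Action::Document(DocumentAction::Get)));
    println!("delete doc 1: {}", perms.allowed_to(&doc1, Action::Document(DocumentAction::Delete)));
}
```

The wildcard in the database position is what makes the grant span every database, while the integer segment pins it to a single document ID; a separate Delete request on the same document is refused because the statement lists only Get, which is the least-privilege shape the separate Encrypt and Decrypt actions above rely on as well.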
Statement Examples
Coming Soon.