Namespaces and Permissions
Overview
Namespaces are containers for array data. The Security Model Overview compares namespaces with Linux directories, and describes how to access arrays in namespaces using qualified and unqualified array names. This section summarizes the AFL operators that manipulate namespaces, and describes how to grant access rights to namespaces and their contents.
Namespace Operators
This table summarizes the AFL operators that manipulate namespaces.
Operator | Description |
---|---|
list('namespaces') | List all namespaces in the database. |
create_namespace | Create a new namespace. |
drop_namespace | Remove a namespace. |
set_namespace | Set current working namespace. |
show_namespace | Show current working namespace. |
move_array_to_namespace | Move an array to a different namespace. |
Granting Namespace Access
Only the scidbadmin user account or a member of the admin or operator role can create new namespaces. Newly created namespaces are empty and cannot be accessed by ordinary user accounts. To allow access, choose an existing role or create a new one, and set the role's permissions for the new namespace.
Namespace Permission Strings
The set_role_permissions operator links a role to a namespace, specifying which access rights members of the role will have for that namespace. Access rights are encoded as strings of the single-character codes in the table below.
Code | Permission | Remarks |
---|---|---|
c | create | Role members can create arrays in the namespace. |
r | read | Role members can read array data in the namespace. |
l (ell) | list | Role members can list the arrays contained in the namespace. |
u | update | Role members can update pre-existing arrays in the namespace. |
d | delete | Role members can remove arrays in the namespace. |
Example
The example below creates a new namespace samples and two roles, uploader and analyst. Users in role uploader can create, list, and update arrays in the samples namespace. Users in role analyst can list and read array data in the samples namespace, but can neither add new array data, nor alter or delete existing data.
```
AFL% show_user();
{i} name
{0} 'scidbadmin'
AFL%
AFL% create_namespace(samples);
Query was executed successfully
AFL%
AFL% create_role('uploader');
Query was executed successfully
AFL%
AFL% create_role('analyst');
Query was executed successfully
AFL%
AFL% -- Without quotes, the operator knows "samples" is a namespace. ;
AFL% set_role_permissions('uploader', samples, 'clu');
Query was executed successfully
AFL%
AFL% -- Here we use the more generic string literal form. ;
AFL% set_role_permissions('analyst', 'namespace', 'samples', 'rl');
Query was executed successfully
AFL%
AFL% show_role_permissions('analyst');
{i} entity,name,permissions
{0} 'namespace','samples','lr'
AFL% show_role_permissions('uploader');
{i} entity,name,permissions
{0} 'namespace','samples','clu'
AFL%
```
The last step is to add members to the uploader and analyst roles:
```
AFL% add_user_to_role('data-generator-5000', 'uploader');
Query was executed successfully
AFL% add_user_to_role('betty', 'analyst');
Query was executed successfully
AFL%
```
Revoking Namespace Access
There are two ways to revoke access to a namespace. You can reduce the permissions that a role has for the namespace, or you can remove a user account from membership in roles that have access to the namespace.
Reducing Role Permissions
Here, the database administrator has decided that the uploader role is too permissive. Really, automated uploads from the Data Generator 5000 lab instrument only need to create new arrays with timestamps in their names. There is no need to list or update existing arrays. The administrator can reduce the permissions held by the uploader role to just c, the create permission:
```
AFL% show_role_permissions('uploader');
{i} entity,name,permissions
{0} 'namespace','samples','clu'
AFL%
AFL% -- 'ns' is an acceptable shorthand for 'namespace' here ;
AFL% set_role_permissions('uploader', 'ns', 'samples', 'c');
Query was executed successfully
AFL%
AFL% show_role_permissions('uploader');
{i} entity,name,permissions
{0} 'namespace','samples','c'
AFL%
```
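The review the administrator performs above can be scripted. This added example (not part of the SciDB documentation) parses show_role_permissions output in the format shown on this page, compares each grant with a least-privilege baseline, and builds the set_role_permissions statement that removes the excess; the function names and the baseline dictionary are assumptions made for illustration.

```python
import re

# Permission codes from the table on this page.
CODES = {"c": "create", "r": "read", "l": "list", "u": "update", "d": "delete"}
ROW = re.compile(r"^\{\d+\}\s+'([^']*)','([^']*)','([^']*)'\s*$")

def parse_permissions(output):
    """Parse show_role_permissions output into {(entity, name): set(codes)}."""
    grants = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # prompt, header row, or blank line
        entity, name, perms = m.groups()
        unknown = set(perms) - set(CODES)
        if unknown:
            raise ValueError(f"unknown permission code(s) {sorted(unknown)} on {name}")
        grants[(entity, name)] = set(perms)
    return grants

def audit(role, output, allowed):
    """Return (findings, fixes); allowed maps (entity, name) -> permitted codes."""
    findings, fixes = [], []
    for (entity, name), held in sorted(parse_permissions(output).items()):
        permitted = set(allowed.get((entity, name), ""))  # absent = nothing allowed
        excess = held - permitted
        if not excess:
            continue
        findings.append((entity, name, "".join(sorted(excess))))
        keep = "".join(c for c in "crlud" if c in held & permitted)
        if keep:  # the page shows no way to clear every code, so none is generated
            fixes.append(f"set_role_permissions('{role}', '{entity}', '{name}', '{keep}');")
    return findings, fixes

# Constructed sample: the uploader output shown above, before the reduction.
SAMPLE = """AFL% show_role_permissions('uploader');
{i} entity,name,permissions
{0} 'namespace','samples','clu'
AFL%"""

if __name__ == "__main__":
    findings, fixes = audit("uploader", SAMPLE, {("namespace", "samples"): "c"})
    for entity, name, excess in findings:
        print(f"{entity} {name}: excess permissions {excess!r}")
    print("\n".join(fixes))
```

A grant with no permitted codes at all is reported as a finding without a generated statement, so it is left for manual review.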
Dropping User Accounts from Roles
In this example, user betty needed temporary access to the samples namespace to debug a problem, and now that the problem is solved she should no longer have access to the data in samples. Here she is removed from the analyst role.
```
AFL% show_roles_for_user('betty');
{No} role,id
{0} 'betty',429
{1} 'analyst',435
{2} 'developer',439
AFL%
AFL% drop_user_from_role('betty', 'analyst');
Query was executed successfully
AFL%
AFL% show_roles_for_user('betty');
{No} role,id
{0} 'betty',429
{1} 'developer',439
AFL%
```