Permissions
Permissions determine the actions a client session can take in Diffusion®.
Permissions are granted through roles. Thus, a session gets its permissions based on the roles it is assigned.
Permissions are broadly categorised into:
-
Global permissions
-
Path permissions
Global Permissions
These are permissions that apply to the whole Diffusion® server.
For example, a session can have permission to list all other sessions, or to restart the Diffusion® server.
Name | Description |
---|---|
|
List or listen to client sessions. |
|
Alter a client session. |
|
Register any handler with the Diffusion® server. |
|
Register an authentication handler. |
|
Read administrative information about the Diffusion® server. |
|
Shut down the Diffusion® server. |
|
View the security policy. |
|
Change the security policy. |
|
View the topic views. |
|
Change the topic views. |
Path Permissions
These are permissions that apply to a topic path or request-response message path.
A path permission grants the ability to perform an action on topics/messages on a certain path.
Name | Description |
---|---|
|
Acquire a session lock. |
|
Use a topic selector that selects the topic path. |
|
Grant read access to the topics. |
|
Evaluate a query on a time series topic, that can potentially return a non-current view of all or part of a time series. |
|
Submit edit events to a time series topic. |
|
Submit edit events to a time series topic, where the event author is the same as the principal of the calling session. |
|
Update topics, at or below a topic branch. |
|
Create or modify topics, at or below a topic branch. |
|
Send a message to the Diffusion® server through a message path. |
|
Send a message to a client session through a message path. |
Path permissions with a single role
A path permission is associated with a path.
For example, if a client session has read_topic
permission for the topic path telemetry/gps
(and no other permissions) it can read that topic and all descendant topics, such as telemetry/gps/ships
.
If a session has multiple path permissions from the same role, the most specific permission is applied, i.e. the permission with the longest matching path.
So, if the same session is granted update_topic
permission for telemetry/gps/ships/titanic
by the same role, it will have update_topic
for telemetry/gps/ships/titanic
and descendant topics - but not read_topic
.
Path permissions from multiple roles
A session can have more than one role.
A session has a permission if any of its assigned roles has that permission
For example, if a session is granted read_topic
on path a/b
by the READER
role, and update_topic
on path a/b
by the UPDATER
role, it will have both the permissions on that path.
Default path permissions
You can define default path permissions.
These are used if there are no matching path permissions and the path is not isolated.
For example, if you want anonymous clients to be able to read any topic by default, you can set a default read_topic
permission to the ANONYMOUS
role.
Isolating paths
Path permissions are normally inherited from higher path levels.
For example, if a client session has read_topic
permission for the path telemetry/gps
, it can also read descendants like telemetry/gps/ships
.
However, in some cases, you may have a branch that you want to manage separately.
For example, you have sensitive data in telemetry/gps/ships/secret/
.
You still want to be able to grant read_topic for telemetry/gps
to normal client, but you don’t want them to be able to read the secret branch.
To handle this, you can use the client API to isolate the path.
This disables the usual inheritance rules and any default path permissions.
You can then use a separate role to grant permissions to the specific path (or its descendants).