
Permissions

Vladislav.Tankov edited this page Jun 13, 2020 · 7 revisions

All DSLs provide annotations that bind access to an object in your code to the permissions that have to be granted on the cloud provider's side.

Resource annotations

Resource annotations are annotations on classes, Kotlin objects, functions and properties which state that access to the annotated element requires a permission to the cloud provider resource named in the annotation.

Here is a simple snippet defining a Kotlin object that accesses a DynamoDB table, with a resource annotation granting that access on the AWS side:

// Storage both reads and writes the table, so we grant ReadWrite
@DynamoDBTable("example-table", PermissionLevel.ReadWrite)
object Storage {
    private val table = DynamoTable("example-table")

    fun add(id: String, value: String) {
        table.add(id = id, value = mapOf("value" to value))
    }

    fun get(id: String): String {
        // the "value" attribute may be absent for an unknown id; fail loudly instead of returning null
        return table.get(id = id)["value"] ?: error("no value stored for id $id")
    }
}

Every use of the Storage object grants the annotated permission to the code that uses it.

This means that if you use the Storage object in an HTTP route, the lambda serving this route will receive all permissions defined by the annotation, regardless of which of Storage's functions the route actually calls.

Used wisely, resource annotations let you stop thinking about permissions as separate configuration: the permissions of a lambda follow from the objects its code touches. Since a ReadWrite object grants Write to every lambda that reaches it, keep read-only access in a separate object annotated with PermissionLevel.Read if you want routes that only read to stay read-only.

Permission level

Permissions are granted for one of three groups of operations: Read, Write and ReadWrite. Each group's name describes the operations it contains.

Note that all modification/configuration operations are also covered by the Write permission. Batch operations are included in the same group as the single call operations.

Permissions were grouped for two reasons. First, we wanted the permissions to be abstract and not tied to a single cloud provider. Second, permissions in AWS (and in other cloud providers) are very fine-grained and complex, and we wanted to hide this complexity from the end user, sacrificing granularity in favour of simplicity.
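The following is an added example, not code from this wiki or from the Kotless project, showing how the propagation rule above ("each usage grants the permission to the code that uses it") and the permission levels combine in practice: the table is exposed through two objects, one annotated with PermissionLevel.Read and one with PermissionLevel.ReadWrite, so a GET route gets only Read while a POST route gets ReadWrite. The DynamoTable helper is the one used on this page and its exact API is assumed; the import paths and the @Get/@Post route annotations are assumed to be the ones of the Kotless DSL, and the route paths and function names are illustrative.

```kotlin
import io.kotless.PermissionLevel
import io.kotless.dsl.lang.DynamoDBTable
import io.kotless.dsl.lang.http.Get
import io.kotless.dsl.lang.http.Post

// Read-only view of the table. A lambda that reaches this object is granted
// only the Read group of DynamoDB operations on "example-table".
@DynamoDBTable("example-table", PermissionLevel.Read)
object ReadOnlyStorage {
    // DynamoTable is the helper used on this page; its API is assumed here
    private val table = DynamoTable("example-table")

    fun get(id: String): String? = table.get(id = id)["value"]
}

// Writable view of the same table. Only lambdas that actually mutate data
// should use this object, so only they are granted Write operations.
@DynamoDBTable("example-table", PermissionLevel.ReadWrite)
object WritableStorage {
    private val table = DynamoTable("example-table")

    fun add(id: String, value: String) {
        table.add(id = id, value = mapOf("value" to value))
    }
}

// GET route: the lambda serving it uses only ReadOnlyStorage,
// so it inherits only the Read permission.
@Get("/items/get")
fun getItem(id: String): String = ReadOnlyStorage.get(id) ?: "not found"

// POST route: the lambda serving it uses WritableStorage,
// so it inherits ReadWrite on the table.
@Post("/items/add")
fun addItem(id: String, value: String): String {
    WritableStorage.add(id, value)
    return "ok"
}
```

Permissions accumulate per lambda: if a single route used both objects, its lambda would end up with ReadWrite, so the split only buys least privilege when the read-only and the writing code are kept in separate routes.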