C Client API: as_admin.h Source File

Go to the documentation of this file.
/*
 * Copyright 2008-2022 Aerospike, Inc.
 *
 * Portions may be licensed to Aerospike, Inc. under one or more contributor
 * license agreements.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy of
 * the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations under
 * the License.
 */
#pragma once 
 
/**
 * @defgroup admin_operations Admin Operations
 * @ingroup client_operations
 *
 * User administration operations.
 */
 
#include <aerospike/aerospike.h>
#include <aerospike/as_config.h>
#include <aerospike/as_key.h>
 
#ifdef __cplusplus
extern "C" {
#endif
 
/******************************************************************************
 * MACROS
 *****************************************************************************/
 
/**
 * Maximum size of role string including null byte.
 * @ingroup admin_operations
 */
#define AS_ROLE_SIZE 64
 
/******************************************************************************
 * TYPES
 *****************************************************************************/
 
/**
 * Permission codes define the type of permission granted for a user's role.
 * @ingroup admin_operations
 */
typedef enum as_privilege_code_e {
    /**
     * User can edit/remove other users.  Global scope only.
     */
    AS_PRIVILEGE_USER_ADMIN = 0,
    
    /**
     * User can perform systems administration functions on a database that do not involve user
     * administration.  Examples include setting dynamic server configuration.
     * Global scope only.
     */
    AS_PRIVILEGE_SYS_ADMIN = 1,
    
    /**
     * User can perform UDF and SINDEX administration actions. Global scope only.
     */
    AS_PRIVILEGE_DATA_ADMIN = 2,
 
    /**
     * User can perform user defined function(UDF) administration actions.
     * Examples include create/drop UDF. Global scope only.
     * Requires server version 6.0+
     */
    AS_PRIVILEGE_UDF_ADMIN = 3,
 
    /**
     * User can perform secondary index administration actions.
     * Examples include create/drop index. Global scope only.
     * Requires server version 6.0+
     */
    AS_PRIVILEGE_SINDEX_ADMIN = 4,
 
    /**
     * User can read data only.
     */
    AS_PRIVILEGE_READ = 10,
    
    /**
     * User can read and write data.
     */
    AS_PRIVILEGE_READ_WRITE = 11,
    
    /**
     * User can read and write data through user defined functions.
     */
    AS_PRIVILEGE_READ_WRITE_UDF = 12,
 
    /**
     * User can write data only.
     */
    AS_PRIVILEGE_WRITE = 13,
 
    /**
     * User can truncate data only.
     * Requires server version 6.0+
     */
    AS_PRIVILEGE_TRUNCATE = 14
} as_privilege_code;
 
/**
 * User privilege.
 * @ingroup admin_operations
 */
typedef struct as_privilege_s {
    /**
     * Namespace scope.  Apply permission to this null terminated namespace only.
     * If string length is zero, the privilege applies to all namespaces.
     */
    as_namespace ns;
    
    /**
     * Set name scope.  Apply permission to this null terminated set within namespace only.
     * If string length is zero, the privilege applies to all sets within namespace.
     */
    as_set set;
    
    /**
     * Privilege code.
     */
    as_privilege_code code;
} as_privilege;
 
/**
 * Role definition.
 * @ingroup admin_operations
 */
typedef struct as_role_s {
    /**
     * Role name.
     */
    char name[AS_ROLE_SIZE];
 
    /**
     * Maximum reads per second limit.
     */
    int read_quota;
 
    /**
     * Maximum writes per second limit.
     */
    int write_quota;
 
    /**
     * Array of allowable IP address strings.
     */
    char** whitelist;
 
    /**
     * Length of whitelist array.
     */
    int whitelist_size;
 
    /**
     * Length of privileges array.
     */
    int privileges_size;
    
    /**
     * Array of assigned privileges.
     */
    as_privilege privileges[];
} as_role;
 
/**
 * User and assigned roles.
 * @ingroup admin_operations
 */
typedef struct as_user_s {
    /**
     * User name.
     */
    char name[AS_USER_SIZE];
 
    /**
     * Array of read statistics. Array may be null.
     * Current statistics by offset are:
     * <ul>
     * <li>0: read quota in records per second</li>
     * <li>1: single record read transaction rate (TPS)</li>
     * <li>2: read scan/query record per second rate (RPS)</li>
     * <li>3: number of limitless read scans/queries</li>
     * </ul>
     * Future server releases may add additional statistics.
     */
    uint32_t* read_info;
 
    /**
     * Array of write statistics. Array may be null.
     * Current statistics by offset are:
     * <ul>
     * <li>0: write quota in records per second</li>
     * <li>1: single record write transaction rate (TPS)</li>
     * <li>2: write scan/query record per second rate (RPS)</li>
     * <li>3: number of limitless write scans/queries</li>
     * </ul>
     * Future server releases may add additional statistics.
     */
    uint32_t* write_info;
 
    /**
     * Length of read info array.
     */
    int read_info_size;
 
    /**
     * Length of write info array.
     */
    int write_info_size;
 
    /**
     * Number of currently open connections.
     */
    int conns_in_use;
 
    /**
     * Length of roles array.
     */
    int roles_size;
 
    /**
     * Array of assigned role names.
     */
    char roles[][AS_ROLE_SIZE];
} as_user;
 
struct as_node_s;
struct as_socket_s;
 
/******************************************************************************
 * FUNCTIONS
 ******************************************************************************/
 
/**
 * Create user with password and roles.  Clear-text password will be hashed using bcrypt before 
 * sending to server.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_create_user(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* user_name,
    const char* password, const char** roles, int roles_size
    );
 
/**
 * Remove user from cluster.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_drop_user(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* user_name
    );
 
/**
 * Set user's password by user administrator.  Clear-text password will be hashed using bcrypt
 * before sending to server.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_set_password(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* user_name,
    const char* password
    );
 
/**
 * Change user's password by user.  Clear-text password will be hashed using bcrypt before
 * sending to server.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_change_password(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* user_name,
    const char* password
    );
 
/**
 * Add role to user's list of roles.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_grant_roles(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* user_name,
    const char** roles, int roles_size
    );
 
/**
 * Remove role from user's list of roles.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_revoke_roles(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* user_name,
    const char** roles, int roles_size
    );
 
/**
 * Create user defined role.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_create_role(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* role,
    as_privilege** privileges, int privileges_size
    );
 
/**
 * Create user defined role with optional privileges and whitelist.
 * Whitelist IP addresses can contain wildcards (ie. 10.1.2.0/24).
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_create_role_whitelist(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* role,
    as_privilege** privileges, int privileges_size, const char** whitelist, int whitelist_size
    );
 
/**
 * Create user defined role with optional privileges, whitelist and quotas.
 * Whitelist IP addresses can contain wildcards (ie. 10.1.2.0/24).
 * Quotas are maximum reads/writes per second limit, pass in zero for no limit.
 * Quotas require server security configuration "enable-quotas" to be set to true.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_create_role_quotas(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* role,
    as_privilege** privileges, int privileges_size, const char** whitelist, int whitelist_size,
    int read_quota, int write_quota
    );
 
/**
 * Delete user defined role.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_drop_role(aerospike* as, as_error* err, const as_policy_admin* policy, const char* role);
 
/**
 * Add specified privileges to user.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_grant_privileges(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* role,
    as_privilege** privileges, int privileges_size
    );
 
/**
 * Remove specified privileges from user.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_revoke_privileges(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* role,
    as_privilege** privileges, int privileges_size
    );
 
/**
 * Set IP address whitelist for a role.
 * If whitelist is NULL or empty, remove existing whitelist from role.
 * IP addresses can contain wildcards (ie. 10.1.2.0/24).
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_set_whitelist(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* role,
    const char** whitelist, int whitelist_size
    );
 
/**
 * Set maximum reads/writes per second limits for a role. If a quota is zero, the limit is removed.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_set_quotas(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* role,
    int read_quota, int write_quota
    );
 
/**
 * Retrieve roles for a given user.
 * When successful, as_user_destroy() must be called to free resources.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_query_user(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* user_name,
    as_user** user
    );
 
/**
 * Release as_user_roles memory.
 * @ingroup admin_operations
 */
AS_EXTERN void
as_user_destroy(as_user* user);
 
/**
 * Retrieve all users and their roles.
 * When successful, as_users_destroy() must be called to free resources.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_query_users(
    aerospike* as, as_error* err, const as_policy_admin* policy, as_user*** users, int* users_size
    );
 
/**
 * Release memory for as_user_roles array.
 * @ingroup admin_operations
 */
AS_EXTERN void
as_users_destroy(as_user** users, int users_size);
 
/**
 * Retrieve role definition for a given role name.
 * When successful, as_role_destroy() must be called to free resources.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_query_role(
    aerospike* as, as_error* err, const as_policy_admin* policy, const char* role_name,
    as_role** role
    );
 
/**
 * Release as_role memory.
 * @ingroup admin_operations
 */
AS_EXTERN void
as_role_destroy(as_role* role);
 
/**
 * Retrieve all roles and their privileges.
 * When successful, as_roles_destroy() must be called to free resources.
 * @ingroup admin_operations
 */
AS_EXTERN as_status
aerospike_query_roles(
    aerospike* as, as_error* err, const as_policy_admin* policy, as_role*** roles, int* roles_size
    );
 
/**
 * Release memory for as_role array.
 * @ingroup admin_operations
 */
AS_EXTERN void
as_roles_destroy(as_role** roles, int roles_size);
 
struct as_cluster_s;
struct as_node_info_s;
struct as_session_s;
 
/**
 * @private
 * Login to node on node discovery.  Do not use this method directly.
 */
as_status
as_cluster_login(
    struct as_cluster_s* cluster, as_error* err, struct as_socket_s* sock, uint64_t deadline_ms,
    struct as_node_info_s* node_info
    );
 
/**
 * @private
 * Authenticate user with a server node.  This is done automatically after socket open.
 * Do not use this method directly.
 */
as_status
as_authenticate(
    struct as_cluster_s* cluster, as_error* err, struct as_socket_s* sock, struct as_node_s* node,
    struct as_session_s* session, uint32_t socket_timeout, uint64_t deadline_ms
    );
 
/**
 * @private
 * Write authentication command to buffer.  Return buffer length.
 */
uint32_t
as_authenticate_set(struct as_cluster_s* cluster, struct as_session_s* session, uint8_t* buffer);
 
#ifdef __cplusplus
} // end extern "C"
#endif