HPCC-22655 Update ESDL auth_feature documentation#21025
Conversation
Signed-off-by: Panagiotatos <greg.panagiotatos+copilot@lexisnexisrisk.com>
|
Jira Issue: https://hpccsystems.atlassian.net//browse/HPCC-22655 Jirabot Action Result: |
There was a problem hiding this comment.
Pull request overview
This PR updates the ESDL auth_feature documentation to provide comprehensive technical specification of feature-level security configuration in ESDL services and methods.
Changes:
- Expanded documentation from basic usage to comprehensive technical reference
- Added formal BNF syntax specification and token semantics
- Included detailed examples demonstrating service and method-level authentication patterns
Comments suppressed due to low confidence (3)
docs/EN_US/DynamicESDL/DESDL-Mods/ESDLauth_feature.xml:10
- DocBook uses
<literal>for code elements, not<code>. Replace<code>ESPservice</code>with<literal>ESPservice</literal>and<code>ESPmethod</code>with<literal>ESPmethod</literal>to match DocBook conventions and maintain consistency with the rest of the document where<literal>is used for similar elements.
The <emphasis>auth_feature</emphasis> attribute configures feature-level security in ESDL by associating features and access levels to <code>ESPservice</code> and <code>ESPmethod</code> elements. This provides fine-grained, declarative access control for ESDL services and methods.
docs/EN_US/DynamicESDL/DESDL-Mods/ESDLauth_feature.xml:19
- DocBook uses
<literal>for code elements, not<code>. Replace all instances of<code>with<literal>in this line:ESPservice,EsdlService,ESPmethod, andEsdlMethod.
<code>ESPservice</code> values take effect at the <code>EsdlService</code> scope, while <code>ESPmethod</code> values are in the <code>EsdlMethod</code> scope and override service scope requirements. If <emphasis>auth_feature</emphasis> is set on both service and method, the resulting security requirement is the union, with method-level tokens taking precedence where conflicts arise.
docs/EN_US/DynamicESDL/DESDL-Mods/ESDLauth_feature.xml:208
- Corrected 'full access-level' to 'full access level' (removed hyphen between 'access' and 'level').
; a new map entry is created that requires full access-level
JamesDeFabia
left a comment
JamesDeFabia
left a comment
There was a problem hiding this comment.
Formatting is almost there
| <para><indexterm> | ||
| "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> | ||
| <sect1 id="ESDL_AuthFeature"> | ||
| <title>ESDL auth_feature: Semantics and Syntax</title> |
There was a problem hiding this comment.
Title should be "auth_feature"
Look at the other attributes in the book. This one should be the same. For example, see max_ver on page 34.
Signed-off-by: Panagiotatos <greg.panagiotatos+copilot@lexisnexisrisk.com>
🔄 Upmerge Test ResultsStatus: ✅ All branches merged successfully ✅ Successful Branches (1)
|
JamesDeFabia
left a comment
JamesDeFabia
left a comment
There was a problem hiding this comment.
The formatting is still very different than all the other similar topics. Look at the PDF.
Signed-off-by: Panagiotatos <greg.panagiotatos+copilot@lexisnexisrisk.com>
🔄 Upmerge Test ResultsStatus: ✅ All branches merged successfully ✅ Successful Branches (1)
|
Signed-off-by: Panagiotatos <greg.panagiotatos+copilot@lexisnexisrisk.com>
🔄 Upmerge Test ResultsStatus: ✅ All branches merged successfully ✅ Successful Branches (1)
|
JamesDeFabia
left a comment
JamesDeFabia
left a comment
There was a problem hiding this comment.
Couple of comments inline
| service level by its own <emphasis>auth_feature</emphasis> string.</para> | ||
|
|
||
| <para><emphasis role="bold">See Also: </emphasis> <link | ||
| linkend="ESDLESPservice">ESPservice</link>, <link |
There was a problem hiding this comment.
Two of these three links do not work in the rendered PDF.
| ] | ||
| MyMethod2(MyMethod2Request, MyMethod2Response); | ||
| };</programlisting> | ||
| </indexterm> The <emphasis>auth_feature</emphasis> attribute configures |
There was a problem hiding this comment.
This line begins with a space, causing it to appear indented in the PDF
Signed-off-by: Panagiotatos <greg.panagiotatos+copilot@lexisnexisrisk.com>
🔄 Upmerge Test ResultsStatus: ✅ All branches merged successfully ✅ Successful Branches (1)
|
Signed-off-by: Panagiotatos <greg.panagiotatos+copilot@lexisnexisrisk.com>
🔄 Upmerge Test ResultsStatus: ✅ All branches merged successfully ✅ Successful Branches (1)
|
JamesDeFabia
left a comment
JamesDeFabia
left a comment
There was a problem hiding this comment.
Still one broken link. See comment inline
|
|
||
| <para><emphasis role="bold">See Also: </emphasis> <link | ||
| linkend="EPservice">ESPservice</link>, <link | ||
| linkend="ESPmethod">ESPmethod</link>, <link linkend="ESDL_Attributes">ESDL |
There was a problem hiding this comment.
The last link (ESDL Attributes) does not work in the rendered PDF. However, I am not sure there needs to be a link to that section from this topic. You can either delete it or fix it.
Signed-off-by: Panagiotatos <greg.panagiotatos+copilot@lexisnexisrisk.com>
🔄 Upmerge Test ResultsStatus: ✅ All branches merged successfully ✅ Successful Branches (1)
|
JamesDeFabia
left a comment
JamesDeFabia
left a comment
There was a problem hiding this comment.
Looks good from my POV
| feature-name ::= ( feature-name-char* '${' variable-name '}' feature-name-char* | feature-name-char+ ) | ||
| ; feature-name-char is any char except whitespace, ',', '"', '!', or ':' | ||
| ; feature-name has the added restrictions of not being a reserved-word | ||
| variable-name ::= ( 'SERVICE' | 'METHOD' ) </programlisting> |
There was a problem hiding this comment.
This is not a program listing. It's a variation of a standard notation describing how the attribute value is assembled/interpreted. No part of it is meant to be copied and pasted by a user as a code sample.
Any line beginning with ';' is a comment. These do not need to be presented in code style, except for text between back ticks. Feel free to format the lines as anything but code and, more importantly, line preservation is not required. Multiple comments are truncated by strictly preserving lines.
| <para><emphasis role="bold">Note:</emphasis> The method scope overtakes the | ||
| service scope: a method may override any or all requirements set at the | ||
| service level by its own <emphasis>auth_feature</emphasis> string.</para> |
There was a problem hiding this comment.
It's an important note but probably not worth repeating.
|
|
||
| <para><code>ESPservice</code> values take effect at the | ||
| <code>EsdlService</code> scope, while <code>ESPmethod</code> values are in | ||
| the <code>EsdlMethod</code> scope and override service scope requirements. |
There was a problem hiding this comment.
... and may either extend or override service scope requirements.
The next sentence does reflect this, but it feels contradictory as written.
| resulting security requirement is the union, with method-level tokens taking | ||
| precedence where conflicts arise.</para> | ||
|
|
||
| <para>See the formal BNF specification and parsing details for precise |
There was a problem hiding this comment.
Similar to BNF, but may be better to not call it that.
| <entry><literal>!X</literal> (where X is any value)</entry> | ||
|
|
||
| <entry>Reserved for future semantics; constraints on X to be | ||
| defined. New syntax.</entry> |
There was a problem hiding this comment.
It is used. If you look in the formal syntax, it can negate all lower precedence settings (X is empty or ::), a lower precedence scope (X is a defined scope name), or a lower precedence feature (X is [ optional scope ] :: feature name).
| };</programlisting> | ||
| </indexterm>The <emphasis>auth_feature</emphasis> attribute configures | ||
| feature-level security in ESDL by associating features and access levels to | ||
| <code>ESPservice</code> and <code>ESPmethod</code> elements. This provides |
There was a problem hiding this comment.
The formal syntax refers to scope-name, which comes into play when discussing overriding settings. It may be good to associate scopes to the elements mentioned.
There was a problem hiding this comment.
add note: that this scope could relate
| ; a new map entry is created specifying the named feature and the given access level | ||
| ; the security state is affirmed | ||
| scope-name ::= ( 'DEFAULT' | 'ESDLSERVICE' | 'ESDLMETHOD' | ... ) | ||
| ; additional names are anticipated resulting from binding integration |
There was a problem hiding this comment.
The defined scopes for ecm defined features are: EsdlServie and EsdlMethod. DESDL adds BindingService and BindingMethod to the list. All values are case insensitive. The DESDL extensions have higher precedence than the ecm values, meaning EsdlService can be overridden by EsdlMethod, which can be overridden by BindingService, which can be overridden by BindingMethod.
There was a problem hiding this comment.
this : The DESDL extensions have higher precedence than the ecm values, meaning EsdlService can be overridden by EsdlMethod, which can be overridden by BindingService, which can be overridden by BindingMethod. : better description
There was a problem hiding this comment.
key is that DESDL introduces 2 additional scopes (and the key is you can 'override' ancestor scopes)
| ESPservice [auth_feature("DataAccess:Full")] DataService | ||
| { | ||
| ESPmethod GetData(GetDataRequest, GetDataResponse); | ||
| ESPmethod [auth_feature("DataAccess:None")] GetPublicData(GetPublicDataRequest, GetPublicDataResponse); |
There was a problem hiding this comment.
Consider splitting into multiple lines to improve appearance. Text extends beyond block background.
Type of change:
Checklist:
Smoketest:
Testing:
Successful Unit Testing: https://github.com/g-pan/github-action-dev-build/actions/runs/22373126789
(formatted PDF files available from the Artifacts there)