Skip to content

Commit ad84104

Browse files
committed
PR(DOCS): Update ACP README.md
1 parent 4456872 commit ad84104

1 file changed

Lines changed: 61 additions & 14 deletions

File tree

acp/README.md

Lines changed: 61 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -172,7 +172,7 @@ defradb client ... --identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b
172172

173173
### Adding a Policy:
174174

175-
We have in `examples/dpi_policy/user_dpi_policy.yml`:
175+
We have in `examples/policy/dac_policy.yml`:
176176
```yaml
177177
name: An Example Policy
178178

@@ -208,7 +208,7 @@ resources:
208208
209209
CLI Command:
210210
```sh
211-
defradb client acp policy add -f examples/dpi_policy/user_dpi_policy.yml --identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
211+
defradb client acp dac policy add -f examples/policy/dac_policy.yml --identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
212212
```
213213

214214
Result:
@@ -440,7 +440,7 @@ Error:
440440
### Sharing Private Documents With Others
441441

442442
To share a document (or grant a more restricted access) with another actor, we must add a relationship between the
443-
actor and the document. Inorder to make the relationship we require all of the following:
443+
actor and the document. In order to make the relationship we require all of the following:
444444

445445
1) **Target DocID**: The `docID` of the document we want to make a relationship for.
446446
2) **Collection Name**: The name of the collection that has the `Target DocID`.
@@ -457,7 +457,7 @@ Note:
457457
and a relationship is formed, the subject/actor will still not be able to access (read or update or delete) the resource.
458458
- If the relationship already exists, then it will just be a no-op.
459459

460-
Consider the following policy that we have under `examples/dpi_policy/user_dpi_policy_with_manages.yml`:
460+
Consider the following policy that we have under `examples/policy/dac_policy_with_manages.yml`:
461461

462462
```yaml
463463
name: An Example Policy
@@ -516,7 +516,7 @@ resources:
516516
517517
Add the policy:
518518
```sh
519-
defradb client acp policy add -f examples/dpi_policy/user_dpi_policy_with_manages.yml \
519+
defradb client acp dac policy add -f examples/policy/dac_policy_with_manages.yml \
520520
--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
521521
```
522522

@@ -611,7 +611,7 @@ defradb client collection docIDs --identity 4d092126012ebaf56161716018a71630d994
611611

612612
Now let's make the other actor a reader of the document by adding a relationship:
613613
```sh
614-
defradb client acp relationship add \
614+
defradb client acp dac relationship add \
615615
--collection Users \
616616
--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
617617
--relation reader \
@@ -656,7 +656,7 @@ Sometimes we might want to give a specific access (i.e. form a relationship) not
656656
any identity (includes even requests with no-identity).
657657
In that case we can specify "*" instead of specifying an explicit `actor`:
658658
```sh
659-
defradb client acp relationship add \
659+
defradb client acp dac relationship add \
660660
--collection Users \
661661
--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
662662
--relation reader \
@@ -676,7 +676,7 @@ Result:
676676
### Revoking Access To Private Documents
677677

678678
To revoke access to a document for an actor, we must delete the relationship between the
679-
actor and the document. Inorder to delete the relationship we require all of the following:
679+
actor and the document. In order to delete the relationship we require all of the following:
680680

681681
1) Target DocID: The docID of the document we want to delete a relationship for.
682682
2) Collection Name: The name of the collection that has the Target DocID.
@@ -695,7 +695,7 @@ how to share the document with other actors.
695695

696696
We made the document accessible to an actor by adding a relationship:
697697
```sh
698-
defradb client acp relationship add \
698+
defradb client acp dac relationship add \
699699
--collection Users \
700700
--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
701701
--relation reader \
@@ -710,9 +710,9 @@ Result:
710710
}
711711
```
712712

713-
Similarly, inorder to revoke access to a document we have the following command to delete the relationship:
713+
Similarly, in order to revoke access to a document we have the following command to delete the relationship:
714714
```sh
715-
defradb client acp relationship delete \
715+
defradb client acp dac relationship delete \
716716
--collection Users \
717717
--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
718718
--relation reader \
@@ -740,7 +740,7 @@ defradb client collection docIDs --identity 4d092126012ebaf56161716018a71630d994
740740
We can also revoke the previously granted implicit relationship which gave all actors access using the "*" actor.
741741
Similarly we can just specify "*" to revoke all access given to actors implicitly through this relationship:
742742
```sh
743-
defradb client acp relationship delete \
743+
defradb client acp dac relationship delete \
744744
--collection Users \
745745
--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
746746
--relation reader \
@@ -780,8 +780,55 @@ The signed token must be set on the `Authorization` header of the HTTP request w
780780

781781
If authentication fails for any reason a `403` forbidden response will be returned.
782782

783-
## _AAC DPI Rules (coming soon)_
784-
## _AAC Usage: (coming soon)_
783+
## Admin ACP (AAC)
784+
In addition to document access control (DAC) we have another type of access control to gate a node's operations.
785+
786+
## AAC Usage:
787+
788+
### Starting AAC:
789+
In order, to start admin acp the user needs to specify an "owner" identity at node startup and indicate they
790+
want to enable admin acp for the node.
791+
792+
This can be done like this:
793+
```sh
794+
defradb start --no-keyring --aac-enable true \
795+
--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
796+
```
797+
798+
Note: The owner will by default have access to all the permissions.
799+
800+
### Temporarily Disable AAC:
801+
While we do have an option to purge the entire admin acp state to delete all relationships and reset the owner,
802+
sometimes you want to preserve the entire state of the admin acp while temporarily disabling it. This can be
803+
done using the `disable` command like so:
804+
805+
This can be done like this:
806+
```sh
807+
defradb client acp aac disable \
808+
--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
809+
```
810+
811+
Note: The identity *MUST* have the permission to be able to disable admin acp.
812+
813+
### Re-enable AAC:
814+
To re-enable admin acp when it is temporarily disabled, use the `re-enable` command like so:
815+
```sh
816+
defradb client acp aac re-enable \
817+
--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
818+
```
819+
820+
Note: The identity *MUST* have the permission to be able to re-enable admin acp.
821+
822+
### Check AAC Status
823+
Admin ACP could be in various states, for example it could be `enabled`, `temporarily disabled`,
824+
or never configured (`clean` state).
825+
To check the status of admin acp, we have a utility `status` command:
826+
827+
This can be done like this:
828+
```sh
829+
defradb client acp aac status
830+
```
831+
785832

786833
## _FAC DPI Rules (coming soon)_
787834
## _FAC Usage: (coming soon)_

0 commit comments

Comments
 (0)