Description
To translate a set of compiled roles' permissions to memcached_privileges, we:
- Iterate over each bucket, scope, collection and [] and use them as a collection param.
- For each collection param, we check whether any of the memcached privileges are allowed (using menelaus_roles:is_allowed)
In doing so:
- We assume each collection param can be iterated over independently of the others
- [] translates to collection [any, any, any]
It appears that in the set of permissions for each role:
- we rely on ordering to determine the first object match and the list of allowed permissions
- we usually designate [] at the end, it looks like a catch-all for objects that do not match any previously listed object pattern
Given the above, is it possible to specify a smaller subset of a previously mentioned collection param using either [] or {collection, [bucket, scope, collection]}? I.e., is it possible to specify permissions for a proper subset of previous object patterns using [] (or a particular sequence of {collection, ...})? If so, it isn't sufficient to iterate over each collection param independently. It would be a correctness issue.
For optimization purposes, do we need to consider ordering? Currently, we use lists:usort which may not translate to the smallest set of memcached privileges.
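
The ordering question above can be checked mechanically. The following is an added example, not ns_server code: a simplified Python model of first-match permission lists that flags entries shadowed by an earlier pattern and entries that carve an exception out of a later, broader one. The role contents, the "read"/"write" labels and the union behaviour in `independent_union` are constructed assumptions.

```python
ANY = "any"  # wildcard, as in [any, any, any]

def to_param(pattern):
    """[] is the catch-all and maps to (any, any, any); otherwise
    ("collection", [bucket, scope, collection]) maps to a triple."""
    return (ANY, ANY, ANY) if pattern == [] else tuple(pattern[1])

def covers(a, b):
    """True if param a matches everything param b matches."""
    return all(x == ANY or x == y for x, y in zip(a, b))

def first_match(perms, obj):
    """Ops for a concrete object under first-match ordering."""
    for pattern, ops in perms:
        if covers(to_param(pattern), obj):
            return set(ops)
    return set()

def independent_union(perms, obj):
    """Ops if each param is evaluated on its own and every param that
    covers obj contributes (assumed consumer behaviour, not memcached's)."""
    out = set()
    for pattern, ops in perms:
        if covers(to_param(pattern), obj):
            out |= set(ops)
    return out

def audit(perms):
    """Return (kind, index, other_index) for ordering hazards."""
    params = [to_param(p) for p, _ in perms]
    findings = []
    for i, later in enumerate(params):
        for j, earlier in enumerate(params[:i]):
            if covers(earlier, later):
                findings.append(("shadowed", i, j))   # entry i can never fire
            elif covers(later, earlier):
                findings.append(("carve_out", j, i))  # entry j overrides part of i
    return findings

# Constructed role: one collection is read-only, everything else read/write.
ROLE = [(("collection", ["b1", "s1", "c1"]), {"read"}),
        ([], {"read", "write"})]
# Constructed role with the catch-all listed first.
REVERSED = list(reversed(ROLE))

if __name__ == "__main__":
    obj = ("b1", "s1", "c1")
    print(first_match(ROLE, obj), independent_union(ROLE, obj))
    print(audit(ROLE), audit(REVERSED))
```

In this model, a `carve_out` finding marks exactly the case where evaluating params independently grants more than first-match would, and a `shadowed` finding marks an entry that never takes effect.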