HPPR Repository Access Control
Tags: repo, auth, policy
© R.A.Sol
ACL rules are defined per repository identity.
Each rule targets a coordinate prefix and controls three operations:
- read
- write
- list
Rule evaluation uses longest-prefix match with per-operation inheritance.
Operations
- read: fetch packet data
  - commands: 🖧GET, 🖧HEADERS, 🖧MEMBERS
- write: store or mutate repository state
  - commands: 🖧STORE, 🖧ADD, 🖧DETACH
- list: enumerate or subscribe to coordinate trees
  - commands: 🖧LIST, 🖧WATCH, 🖧TIPS
Rule Format
Rule syntax:
<ops> <coordinate-prefix>
<ops> is exactly three characters:
[r|d|.][w|d|.][l|d|.]
Meaning:
- r, w, l: explicit allow for that operation
- d: explicit deny for that operation
- .: inherit from the next-longest matching rule
Examples:
ACL-Rule: rwl //u/chess//
ACL-Rule: r.l //u/mail//
ACL-Rule: rdl //u/market//
ACL-Rule: .w. //u/market//nl/eindhoven/
Common patterns:
- rwl: full access
- r.l: read and list, inherit write
- ddd: deny all
- rwd: read and write, deny list
Prefix Forms
ACL prefixes are parsed coordinates or coordinate-tree prefixes. They are not raw string prefixes. Matching compares group, API segments, the API/Key boundary, Key segments, and version-selector components as coordinate tree components.
Common forms:
| Prefix | Meaning |
|---|---|
| //g/ | all APIs in group g |
| //g/chat/ | API subtree under chat |
| //g/chat// | all Keys in exact API chat |
| //g/chat//rooms/ | Key subtree under rooms |
| //g/chat//rooms/7/\| | exact Key version root |
//g/chat//x does not match //g/chatty//x. //g/a//b does not match //g/a/b//c.
Rule Ordering
Rules MUST be stored in canonical sorted order.
Sort by parsed coordinate-prefix components:
- group
- API segments
- API/Key boundary marker
- Key segments
- version selector components
Within each component list, sort bytewise by UTF-8 bytes. A version boundary sorts before a child segment at the same Key.
Resolution
Given a request coordinate:
- Parse the request coordinate.
- Find the longest matching parsed rule prefix.
- For each operation, apply explicit allow or deny when present.
- For . values, continue to the next-longest matching rule.
- If no explicit decision is found, deny.
For read and write checks, evaluate against the packet versioned coordinate.
Prefix examples:
| Prefix | Matches |
|---|---|
| //u/a//README.md/\| | exact README.md Key version root |
| //u/a//README.md/ | README.md and children |
| //u/a//README.md | also README.md-draft |
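The resolution steps above, run over this page's four example rules, as an added example that is not HPPR's own code. The `components` tokenizer is a simplifying assumption: it handles only prefixes that end on a segment boundary and does not model version selectors (`|`) or the partial-segment form shown in the table above; `parse_rules` and `resolve` are hypothetical names.

```python
import re

BOUNDARY = "//"  # API/Key boundary marker; a segment can never contain "/"
RULE_RE = re.compile(r"^(?:ACL-Rule:\s*)?([rd.][wd.][ld.])\s+(//\S*)$")

# The page's own example rules, in ACL-Rule header form.
RULES_TEXT = """\
ACL-Rule: rwl //u/chess//
ACL-Rule: r.l //u/mail//
ACL-Rule: rdl //u/market//
ACL-Rule: .w. //u/market//nl/eindhoven/
"""

def components(coord):
    """Simplified tokenizer (assumption): group + API segments, boundary, Key segments."""
    if not coord.startswith("//"):
        raise ValueError(f"not a coordinate: {coord!r}")
    api, sep, key = coord[2:].partition("//")
    parts = [s for s in api.split("/") if s]
    if sep:
        parts += [BOUNDARY] + [s for s in key.split("/") if s]
    return tuple(parts)

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((m.group(1), components(m.group(2))))
    return rules

def resolve(rules, request):
    """Return {'r': bool, 'w': bool, 'l': bool} for a request coordinate."""
    req = components(request)
    # Matching rules, longest prefix first; comparison is per component, not per character.
    chain = sorted((r for r in rules if req[:len(r[1])] == r[1]),
                   key=lambda r: len(r[1]), reverse=True)
    decision = {}
    for i, op in enumerate("rwl"):
        decision[op] = False                 # no explicit decision found: deny
        for ops, _prefix in chain:
            if ops[i] != ".":                # "." inherits from the next-longest rule
                decision[op] = ops[i] == op  # the op letter allows, "d" denies
                break
    return decision

RULES = parse_rules(RULES_TEXT)
if __name__ == "__main__":
    for coord in ("//u/market//nl/eindhoven/shop", "//u/market//de/berlin",
                  "//u/mail//inbox", "//u/marketing//x"):
        print(coord, resolve(RULES, coord))
```

Write under `//u/market//nl/eindhoven/` is allowed by the longer rule while read and list are inherited from `//u/market//`; `//u/marketing//x` matches no rule because `marketing` is a different API segment, so every operation is denied.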
Policy Storage
Rules are stored as ACL-Rule headers in policy packets.
Policy coordinate depends on identity scheme:
- Ring1 (051-RING1.md): //repo/admin/ring1//<name>/policy/|
- Ring2 (052-RING2.md): //<group>/admin/ring2//policy/|/seal/<repo-verifier>
Policy packets carry only ACL-Rule headers.
Auth-config headers and member headers are invalid in policy packets.