SECURITY

AGENT

Every Wave that is sent from one Particle to another references an Agent which is just a Point that access rules can be applied to. Usually a Particle sends itself as the Agent, but there are cases where It can use other Agents if the Hyperverse allows it.

HYPERUSER

The HyperUser is the only user that access is not checked on. It can do anything (just like the Root user in unix OS.)

GRANT PERMISSION

to grant permission on a particle to a particle:

grant perm +csd-Rwx on my-domain.com:** to my-domain.com:**<User>

Above we are granting READ access to all users under my-domain.com on every particle under my-domain.com.

Let’s examine this part: +csd-Rwx The letters stand for Create, Select, Delete, Read, Write and Execute. if the letter is capitalized then the permission is flagged as on, if lowercase it is off.

Also note the leading + operator. That is saying to OR these permissions with existing permissions. You can also choose to AND the permissions via the & operator which would have looked like this:

grant perm &csd-Rwx on my-domain.com:** to my-domain.com:**<User>

NOTE: The rules of how the Ands and the Ors are combined are consistent but a bit tricky and I will expand on it in a later iteration of this document – uberscott

CSD

First let’s break down CSD:

RWX

Let’s break down the RWX:

PRIVILEGES

Sometimes security has to be a little more fine-grained that broad permissions. For this we have Privileges.

One built in Privilege in the system is the User email property. Even if a Particle has full CSD-RWX access to a User Particle it cannot get the value of the email property unless it has been granted privilege to do so.

To grant a privilege:

grant priv prop:email<Read> on my-domain.com:users:**<User> to my-domain.com:my-app:mechtrons:emailer

As you can see above we are giving only one mechtron in our application, the emailer mecthtron the privilege to see the email addresses, all other mechtrons are untrusted.

LISTING GRANTS

You can list the grants on a particular Pattern:

grant list on my-domain.com:my-app+:**;

And that will result in a list with a numbered id with every grant. You can then revoke the grant using the number:

grant revoke 1

OWNERSHIP & CHOWN

When a Particle creates another Particle that Particle owns it and perform any action upon it full permissions and full privileges. To change ownership:

chown localhost:users:uberscott localhost:something;

CAPTURE MAPPING

There are times when you may want to capture and reuse a segment to make more complicated permission rules

grant perm +CSR-RWX on my-domain.com:profiles:$(user) to my-domain.com:users:${user}

Above the variable user is captured in profiles and filled in the UserBase giving each user complete access to his or her own profile.

SUPER

The HyperUser has complete access to the entire Cosmos, however it is also desirable to have SuperUsers which have complete access to only a portion of the overall cosmos. To accomplish this we can grant another user SuperUser access:

grant super on my-domain.com:** to my-domain.com:users:what-a-great-guy<User>

Above you can see that what-a-great-guy has been granted superuser access to everything under the my-domain, and he will have full access to anything that matches that pattern,

The use of SuperUser can be particularly useful for Apps which may need to control every aspect of their children:

grant super on my-domain.com:app:+** to my-domain.com:app<App>

above the App can now administer itself and its children with full access.

NEXT

Docs