Policy

This section provides an architectural overview of the Mega policy system.

We Use Cedar as our Policy Management, find more at Cedar

Initialization

When initializing Mega’s default directory, the system generates a .mega_cedar.json file, which by default defines resources such as user, repo, and usergroup.

In the Saturn project, there are two Cedar configuration files,

mega_policies.cedar: Define principal, action and resource relations. mega.cedarschema: Define entity structure of principal, action and resource.

Cedar Json File

{
  "users": {
    "User::\"admin\"": {
      "euid": "User::\"admin\"",
      "parents": [
        "UserGroup::\"admin\""
      ]
    }
  },
  "repos": {
    "Repository::\"/project\"": {
      "euid": "Repository::\"/project\"",
      "is_private": true,
      "admins": "UserGroup::\"admin\"",
      "maintainers": "UserGroup::\"matainer\"",
      "readers": "UserGroup::\"reader\"",
      "parents": []
    }
  },
  "user_groups": {
    "UserGroup::\"admin\"": {
      "euid": "UserGroup::\"admin\"",
      "parents": [
        "UserGroup::\"matainer\""
      ]
    },
    "UserGroup::\"matainer\"": {
      "euid": "UserGroup::\"matainer\"",
      "parents": [
        "UserGroup::\"reader\""
      ]
    },
    "UserGroup::\"reader\"": {
      "euid": "UserGroup::\"reader\"",
      "parents": []
    }
  },
  "merge_requests": {},
  "issues": {}
}

Custom Permissions

When performing permission checks on sub-level files, the configurations of the parent directory are inherited.

If custom permissions are required for a subdirectory, a new .mega_cedar.json file needs to be created in the subdirectory. This file should include the corresponding user euid, select the appropriate user group in parents field, and modify the repo path euid. Once configured, this file should be committed along with the code.

How to check Permission

Currently, since only the API involves permission checks, the check_permissions function is temporarily placed in the mono module. This function can be used to perform permission checks by passing in the Principal, Action, and Resource.

Principal: User Gihub Login Name.
Action: Defined Operation Enums to resources.
Resource: Path of Repo.

Mega Permission Loading Process

For the entire path from the root directory to the target directory, all .mega.json entity files need to be read. These files are then parsed into entities, which are subsequently merged. (This means that the administrators of a parent directory are also administrators of its subdirectories.)