NDN refactor for new ACL and load logic #46

Closed
lurenpluto opened this issue Oct 8, 2022 · 1 comment
@lurenpluto

Loading logic of dir+inner-path

dir is the same as objectmap: the loading is changed to the full local protocol stack, that is, dir+inner_path is loaded from the target protocol stack, and the subdir, chunk and file that a dir depends on must be completely in the same protocol stack; the internal nodes no longer support complicated search across protocol stacks (consistent with objectmap loading and operation behavior).

NDN

NDN loads data and supports three types

  • chunk_id
  • file_id
  • dir_id+inner-path

The new ACL needs to match the following fields

  • referer_object
  • req_path

Several key designs

  • The minimum granularity of permission control is the file_id/dir_id corresponding to the referer_object, or the chunk_id/file_id/dir_id in the direct request (if the referer_object is empty); finer granularity is not supported
  • A request supports at most one referer_object to specify the association with the request target; or if no referer_object is specified, multiple referer_objects are no longer supported
  • Bridge target_object_id and req_path through referer_object to determine the permission of target_object_id, so the permission determination is basically the following two modes
    • referer_object + target_object_id + req_path triple
    • target_object_id + req_path 2-tuple

For chunk_id

Load chunk data directly; the permissions are checked as follows

  1. referer_object is empty
    Then use req_path+chunk_id directly for verification, that is, require chunk_id to be linked to root_state
  2. referer_object = file_id
    First check if chunk_id exists in file.chunklist
    Then use req_path+file_id for verification, that is, the referenced file_id is required to be linked to root_state
  3. referer_object = dir_id + inner_path
    First get the corresponding file_id/dir_id through dir_id + inner_path
    Check if chunk_id is in file.chunklist or embedded chunk in dir
    Then use req_path+file_id or req_path + dir_id for verification, that is, the referenced file_id/dir_id is required to be linked to root_state

For file_id

Load file data directly; the permissions are verified as follows

  1. referer_object is empty
    Then use req_path+file_id directly for verification, that is, file_id is required to be linked to root_state
  2. referer_object = dir_id + inner_path
    First get the corresponding file_id through dir_id + inner_path
    Check if chunk_id is in file.chunklist
    Then use req_path + dir_id for verification, that is, the referenced dir_id is required to be linked to root_state and meet the permission requirements

For dir_id+inner_path

Load a file corresponding to the internal path of dir, and the permission check is as follows
The referer_object parameter is not accepted in this mode, and the dir_id itself is used directly
Use req_path + dir_id for verification, that is, the referenced dir_id is required to be linked to root_state and meet the permission requirements

@lurenpluto lurenpluto added feature New feature CYFS Stack This is CYFS Stack labels Oct 8, 2022
@lurenpluto lurenpluto self-assigned this Oct 8, 2022
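
The three chunk_id permission modes described in the issue above, as an added Rust example that is not the CYFS implementation or its API. The types `Referer` and `Stack`, the string ids and the `root_state` set of (req_path, object_id) links are hypothetical stand-ins. It assumes dir_id + inner_path resolves to a file and does not model chunks embedded in a dir.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical model for illustration; these are not CYFS types or APIs.
pub enum Referer<'a> {
    None,                  // referer_object is empty
    File(&'a str),         // referer_object = file_id
    Dir(&'a str, &'a str), // referer_object = dir_id + inner_path
}

#[derive(Default)]
pub struct Stack {
    pub chunklists: HashMap<String, Vec<String>>,       // file_id -> file.chunklist
    pub dirs: HashMap<String, HashMap<String, String>>, // dir_id -> inner_path -> file_id
    pub root_state: HashSet<(String, String)>,          // (req_path, object_id) links
}

impl Stack {
    fn linked(&self, req_path: &str, id: &str) -> bool {
        self.root_state.contains(&(req_path.to_string(), id.to_string()))
    }
    fn in_file(&self, file_id: &str, chunk_id: &str) -> bool {
        self.chunklists.get(file_id).map_or(false, |c| c.iter().any(|x| x == chunk_id))
    }
    /// Chunk request: first bind chunk_id to the referer, then check the
    /// object that carries the permission against req_path.
    pub fn check_chunk(&self, chunk_id: &str, referer: Referer<'_>, req_path: &str) -> bool {
        match referer {
            Referer::None => self.linked(req_path, chunk_id),
            Referer::File(f) => self.in_file(f, chunk_id) && self.linked(req_path, f),
            Referer::Dir(d, inner) => self.dirs.get(d).and_then(|m| m.get(inner))
                .map_or(false, |f| self.in_file(f, chunk_id) && self.linked(req_path, f)),
        }
    }
}

// Constructed sample state: one dir, two files, one linked req_path.
pub fn sample_stack() -> Stack {
    let mut s = Stack::default();
    s.chunklists.insert("file_a".into(), vec!["chunk_1".into()]);
    s.chunklists.insert("file_b".into(), vec!["chunk_2".into()]);
    s.dirs.entry("dir_x".into()).or_default().insert("docs/a.txt".into(), "file_a".into());
    s.root_state.insert(("/shared/a".into(), "file_a".into()));
    s
}

fn main() {
    let s = sample_stack();
    println!("{}", s.check_chunk("chunk_1", Referer::File("file_a"), "/shared/a"));
}
```

The membership check runs before the req_path check, so a referer that is linked to root_state cannot be used to fetch a chunk it does not contain.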
@lurenpluto

NDN acl is basically completed 22b47a5
