Disallow multiple access control list entries for the same role

Description

Currently, it is possible to have multiple access control entries for the same role in the same access control list, e.g.

ROLE_USER read=true write=false
ROLE_USER read=false write=true

While it is possible to implement strategies for resolving contradicting ACEs (e.g. depending on order of occurence, more restrictive wins, etc.), there does not seem a valid use case where it would make any sense to actually allow multiple ACEs for a single role within the same ACL.

The goal of this task is ensure that there can be at most one ACE per role so that we don't need any strategies to handle and resolve conflicts that can occur when allowing multiple ACEs per role.

  • Don't allow this in Admin UI

  • Don't allow this via External API (or implement a merge strategy, but preferably disallow)

  • Don't allow this via any other endpoint that can ingest ACLs (or implement merge strategy)

  • Detection and migration of existing ACLs containing multiple ACE per role

Steps to reproduce

None

Status

Assignee

Unassigned

Reporter

Sven Stauber

Criticality

None

Tags (folksonomy)

None

Fix versions

Affects versions

5.1

Priority

Major
Configure