Clarify docs for multiple access controls

[mosabua]

Description

Centralize and clarify usage with multiple access control systems.

Additional context and related issues

See #20152

Release notes

(x) This is not user-visible or is docs only, and no release notes are required.

[mosabua]

I am not sure about this .. also would be good to explain more with an example.

[ksobolew]

I believe this is true, but ordering shouldn't matter. Each access control is independent from the others.

[mosabua]

well.. if they are independent.. what does that mean .. are the evaluted in order . what if the first on does a deny .. but the second one would be granting access ..

[ksobolew]

Any individual deny results in deny as the final result. So it doesn't really matter which does this first :)

[ksobolew]

I believe this is true, but ordering shouldn't matter. Each access control is independent from the others.

[ksobolew]

This is actually "access is granted if none of the access controls denies it" - or: all access controls must allow. But if there are no access controls at all, all access is allowed. That's at the engine level (which is of interest here) and not to be confused with how each individual access control works.

[mosabua]

So .. isnt that terrible for performance .. that kinda means all access controls are evaluated all the time .. is there some advice on how to order them better in terms of performance impact .. e.g. the most restrictive should be first? Or just the fastest should be first? Or any other better idea? Like .. dont use multiple system unless you have a real good reason like ???

[ksobolew]

that kinda means all access controls are evaluated all the time

Yes.

is there some advice on how to order them better in terms of performance impact

I think the assumption is that access control should not have significant impact on performance. If it does, fix your access control, or something like that.

Or any other better idea? Like .. dont use multiple system unless you have a real good reason like ???

I would say, this one. Combining access controls is tricky, especially system (global) access controls. Say you want to control catalog A with access control A, and catalog B with access control B, but both of them are deny-by-default (i.e. deny unless there's an explicit allow grant). This means you have to make access control A effectively allow-all for catalog B and vice versa. This tends to be surprisingly tricky, especially because "allow-all" in this case must be "allow all with grant option" because of SECURITY DEFINER views.

[ksobolew]

Not sure what you mean by "different types"?

[mosabua]

OPA vs file-based vs Ranger vs whatever .. is there a better name for them?

[ksobolew]

I see, thanks. I think I too would call them "types" :) But actually it's not true that they must be different types. The plugins can't register access control factories with the same name, but AFAICT it's perfectly fine to have two access control configuration files using the same access control, e.g. two "ranger"s.

[hashhar]

"different access control plugins" - although this isn't true - it's perfectly fine to have two file-based or two-rangers or any mix you want.