TechTip: Analyzing Object Security Policies

Last updated January 8, 2020
Applies to all Versions of GemStone/S and GemStone/S 64 Bit

GemStone’s Object Security Policies (formerly known as Segments), control read and write access to objects in the GemStone repository. By defining the permissions for an Object Security Policy, and associating an object with that Policy, the object’s access is controlled by these permissions.

For historical reasons, Object Security Policies are Array slots within the singleton instance of Repository, SystemRepository. Certain upgrade paths, particularly through v2.2, made changes to the Object Security Policy layout within this Array. The following code may be useful to get a report of the object security policy layout.

The Smalltalk code below should be executed in topaz as DataCurator or SystemUser. It produces a report that includes lines such as:

Segment #2 [208641] false 2 [240641] DataCurator anIdentitySet( ‘GlobalsModificationGroup’)-anIdentitySet( ‘DataCuratorGroup’) 2-1 DataCuratorSegment DataCurator-default

Specifically, the line includes:
Index into SystemRepository
[Oop of seg]
if segment isInvariant
id (normally same as index)
[Oop of this segment’s containing Repository (SystemRepository)]
owner of this segment
groups authorized to read-groups authorized to write
owner authorization-world authorization
if a named segment, the name
if the default segment of a user, who it’s default for

run
"Print out all information about the segments in SystemRepository, to 
verify upgrade/conversion is correct.  Should run on all versions of 
GS64 and GS. "
| str namedSegs defaultSegs |
namedSegs := Dictionary new.
#(#GsTimeZoneSegment #GsIndexingSegment
       #PublishedSegment #DataCuratorSegment
       #SystemSegment #SecurityDataSegment) do:
   [:sym |
   (Globals at: sym otherwise: false) == false
      ifFalse: [namedSegs at: sym put: (SystemRepository indexOf: 
(Globals at: sym))].
   ].
defaultSegs := Dictionary new.
(AllUsers collect: [:ea | ea userId]) do:
   [:name |
   defaultSegs at: name put:
     (SystemRepository indexOf: ((AllUsers userWithId: name) 
defaultSegment))].


str := String new.
1 to: SystemRepository size do: [:i | | seg |
   seg := SystemRepository at: i.
   str add: 'Segment #',i printString, ' ['.
   str add: seg asOop printString, '] '.
   str add: (seg isInvariant asString), ' '.
   (seg == nil) ifFalse: [
      str add: (seg instVarAt: 7) asString; tab.  "id"
      str add: '[', (seg instVarAt: 1) asOop asString, ']'; 
tab.  "repository"

      (seg instVarAt: 2) isNil "owner"
          ifTrue: [str add: 'nil owner  ']
          ifFalse: [str add: (seg instVarAt: 2) userId asString, '  '].
      str add: (seg instVarAt: 3) printString, '-', (seg instVarAt: 
4) printString, '  '.
      str add: (seg instVarAt: 5) asString, '-', (seg instVarAt: 
6) asString, '  '.
      namedSegs keysAndValuesDo:
          [:key :value |
          value = i ifTrue: [str add: key asString, ' '].
          ].
      defaultSegs keysAndValuesDo:
          [:key :value |
          value = i ifTrue: [str add: key asString, '-default '].
          ].

      ].
    str lf.
].
str
%