RBAC refactored (pkg renamed, init improved)

75086591 · Denis Arh · d21cd72f · 75086591 · 75086591 · 75086591
Commit 75086591 authored 4 years ago by Denis Arh
20 changed files
--- a/app/boot_levels.go
+++ b/app/boot_levels.go
@@ -17,7 +17,7 @@ import (
 	"github.com/cortezaproject/corteza-server/pkg/logger"
 	"github.com/cortezaproject/corteza-server/pkg/mail"
 	"github.com/cortezaproject/corteza-server/pkg/monitor"
-	"github.com/cortezaproject/corteza-server/pkg/permissions"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/cortezaproject/corteza-server/pkg/scheduler"
 	"github.com/cortezaproject/corteza-server/pkg/sentry"
 	"github.com/cortezaproject/corteza-server/provision/compose"
@@ -165,12 +165,12 @@ func (app *CortezaApp) InitServices(ctx context.Context) (err error) {
 	{
 		// Initialize RBAC subsystem
 		// and (re)load rules from the storage backend
-		err = permissions.Initialize(app.Log, app.Store)
+		err = rbac.Initialize(app.Log, app.Store)
 		if err != nil {
 			return
 		}

-		permissions.Global().Reload(ctx)
+		rbac.Global().Reload(ctx)
 	}

 	// Initializes system services
@@ -285,6 +285,8 @@ func (app *CortezaApp) Activate(ctx context.Context) (err error) {
 	cmpService.Watchers(ctx)
 	msgService.Watchers(ctx)

+	rbac.Global().Watch(ctx)
+
 	if err = sysService.Activate(ctx); err != nil {
 		return err
 	}

--- a/compose/commands/exporter.go
+++ b/compose/commands/exporter.go
@@ -11,7 +11,7 @@ import (
 	"github.com/cortezaproject/corteza-server/pkg/cli"
 	"github.com/cortezaproject/corteza-server/pkg/deinterfacer"
 	"github.com/cortezaproject/corteza-server/pkg/handle"
-	"github.com/cortezaproject/corteza-server/pkg/permissions"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/cortezaproject/corteza-server/pkg/settings"
 	"github.com/cortezaproject/corteza-server/store"
 	sysExporter "github.com/cortezaproject/corteza-server/system/exporter"
@@ -97,8 +97,8 @@ func nsExporter(ctx context.Context, out *Compose, nsFlag string, args []string)
 	//
 	// Roles are use for resolving access control
 	roles = sysTypes.RoleSet{
-		&sysTypes.Role{ID: permissions.EveryoneRoleID, Handle: "everyone"},
-		&sysTypes.Role{ID: permissions.AdminsRoleID, Handle: "admins"},
+		&sysTypes.Role{ID: rbac.EveryoneRoleID, Handle: "everyone"},
+		&sysTypes.Role{ID: rbac.AdminsRoleID, Handle: "admins"},
 	}

 	modules, _, err := service.DefaultModule.Find(types.ModuleFilter{NamespaceID: ns.ID})
@@ -115,8 +115,8 @@ func nsExporter(ctx context.Context, out *Compose, nsFlag string, args []string)
 	// nsOut.Always = ns.Always
 	// nsOut.Meta = ns.Meta
 	//
-	// nsOut.Allow = sysExporter.ExportableResourcePermissions(roles, service.DefaultPermissions, permissions.Allow, ns.PermissionResource())
-	// nsOut.Deny = sysExporter.ExportableResourcePermissions(roles, service.DefaultPermissions, permissions.Deny, ns.PermissionResource())
+	// nsOut.Allow = sysExporter.ExportableResourcePermissions(roles, service.DefaultRBAC, permissions.Allow, ns.RBACResource())
+	// nsOut.Deny = sysExporter.ExportableResourcePermissions(roles, service.DefaultRBAC, permissions.Deny, ns.RBACResource())

 	for _, arg := range args {
 		switch arg {
@@ -146,12 +146,12 @@ func settingExporter(ctx context.Context, out *Compose) {

 func permissionExporter(ctx context.Context, out *Compose) {
 	roles := sysTypes.RoleSet{
-		&sysTypes.Role{ID: permissions.EveryoneRoleID, Handle: "everyone"},
-		&sysTypes.Role{ID: permissions.AdminsRoleID, Handle: "admins"},
+		&sysTypes.Role{ID: rbac.EveryoneRoleID, Handle: "everyone"},
+		&sysTypes.Role{ID: rbac.AdminsRoleID, Handle: "admins"},
 	}

-	out.Allow = sysExporter.ExportableServicePermissions(roles, service.DefaultPermissions, permissions.Allow)
-	out.Deny = sysExporter.ExportableServicePermissions(roles, service.DefaultPermissions, permissions.Deny)
+	out.Allow = sysExporter.ExportableServicePermissions(roles, rbac.Global(), rbac.Allow)
+	out.Deny = sysExporter.ExportableServicePermissions(roles, rbac.Global(), rbac.Deny)
 }

 // This is PoC for exporting compose resources
@@ -287,8 +287,8 @@ func expModules(mm types.ModuleSet) (o map[string]Module) {
 			Name:   m.Name,
 			Fields: expModuleFields(m.Fields, mm),

-			Allow: sysExporter.ExportableResourcePermissions(roles, service.DefaultPermissions, permissions.Allow, types.ModulePermissionResource),
-			Deny:  sysExporter.ExportableResourcePermissions(roles, service.DefaultPermissions, permissions.Deny, types.ModulePermissionResource),
+			Allow: sysExporter.ExportableResourcePermissions(roles, rbac.Global(), rbac.Allow, types.ModuleRBACResource),
+			Deny:  sysExporter.ExportableResourcePermissions(roles, rbac.Global(), rbac.Deny, types.ModuleRBACResource),
 		}

 		if meta := expModuleMetaCleanup(m.Meta); len(meta) > 0 {
@@ -336,8 +336,8 @@ func expModuleFields(ff types.ModuleFieldSet, modules types.ModuleSet) (o yaml.M
 				Visible:  f.Visible,
 				Multi:    f.Multi,

-				Allow: sysExporter.ExportableResourcePermissions(roles, service.DefaultPermissions, permissions.Allow, types.ModuleFieldPermissionResource),
-				Deny:  sysExporter.ExportableResourcePermissions(roles, service.DefaultPermissions, permissions.Deny, types.ModuleFieldPermissionResource),
+				Allow: sysExporter.ExportableResourcePermissions(roles, rbac.Global(), rbac.Allow, types.ModuleFieldRBACResource),
+				Deny:  sysExporter.ExportableResourcePermissions(roles, rbac.Global(), rbac.Deny, types.ModuleFieldRBACResource),
 			},
 		}
 	}
@@ -416,8 +416,8 @@ func expPages(parentID uint64, pages types.PageSet, modules types.ModuleSet, cha
 			Pages:       expPages(child.ID, pages, modules, charts),
 			Visible:     child.Visible,

-			Allow: sysExporter.ExportableResourcePermissions(roles, service.DefaultPermissions, permissions.Allow, types.PagePermissionResource),
-			Deny:  sysExporter.ExportableResourcePermissions(roles, service.DefaultPermissions, permissions.Deny, types.PagePermissionResource),
+			Allow: sysExporter.ExportableResourcePermissions(roles, rbac.Global(), rbac.Allow, types.PageRBACResource),
+			Deny:  sysExporter.ExportableResourcePermissions(roles, rbac.Global(), rbac.Deny, types.PageRBACResource),
 		}

 		if child.ModuleID > 0 {
@@ -638,8 +638,8 @@ func expCharts(charts types.ChartSet, modules types.ModuleSet) (o map[string]Cha
 				ColorScheme: c.Config.ColorScheme,
 			},

-			Allow: sysExporter.ExportableResourcePermissions(roles, service.DefaultPermissions, permissions.Allow, types.ChartPermissionResource),
-			Deny:  sysExporter.ExportableResourcePermissions(roles, service.DefaultPermissions, permissions.Deny, types.ChartPermissionResource),
+			Allow: sysExporter.ExportableResourcePermissions(roles, rbac.Global(), rbac.Allow, types.ChartRBACResource),
+			Deny:  sysExporter.ExportableResourcePermissions(roles, rbac.Global(), rbac.Deny, types.ChartRBACResource),
 		}

 		for i, r := range c.Config.Reports {

--- a/compose/importer/chart.go
+++ b/compose/importer/chart.go
@@ -111,7 +111,7 @@ func (cImp *Chart) Cast(handle string, def interface{}) (err error) {
 			chart.Config, err = cImp.castConfig(chart, val)

 		case "allow", "deny":
-			return cImp.imp.permissions.CastSet(types.ChartPermissionResource.String()+handle, key, val)
+			return cImp.imp.permissions.CastSet(types.ChartRBACResource.String()+handle, key, val)

 		default:
 			return fmt.Errorf("unexpected key %q for chart %q", key, handle)
@@ -215,7 +215,7 @@ func (cImp *Chart) Store(ctx context.Context, k chartKeeper) (err error) {
 		}

 		cImp.dirty[chart.ID] = false
-		cImp.imp.permissions.UpdateResources(types.ChartPermissionResource.String(), handle, chart.ID)
+		cImp.imp.permissions.UpdateResources(types.ChartRBACResource.String(), handle, chart.ID)

 		return
 	})

--- a/compose/importer/default.go
+++ b/compose/importer/default.go
@@ -5,7 +5,7 @@ import (
 	"errors"
 	"github.com/cortezaproject/corteza-server/compose/service"
 	"github.com/cortezaproject/corteza-server/compose/types"
-	"github.com/cortezaproject/corteza-server/pkg/permissions"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/cortezaproject/corteza-server/pkg/settings"
 	sysTypes "github.com/cortezaproject/corteza-server/system/types"
 	"gopkg.in/yaml.v2"
@@ -22,7 +22,7 @@ func Import(ctx context.Context, ns *types.Namespace, ff ...io.Reader) (err erro
 			service.DefaultChart.With(ctx),
 			service.DefaultPage.With(ctx),

-			permissions.NewImporter(service.DefaultAccessControl.Whitelist()),
+			rbac.NewImporter(service.DefaultAccessControl.Whitelist()),
 			settings.NewImporter(),
 		)

@@ -31,8 +31,8 @@ func Import(ctx context.Context, ns *types.Namespace, ff ...io.Reader) (err erro
 		//
 		// Roles are use for resolving access control
 		roles = sysTypes.RoleSet{
-			&sysTypes.Role{ID: permissions.EveryoneRoleID, Handle: "everyone"},
-			&sysTypes.Role{ID: permissions.AdminsRoleID, Handle: "admins"},
+			&sysTypes.Role{ID: rbac.EveryoneRoleID, Handle: "everyone"},
+			&sysTypes.Role{ID: rbac.AdminsRoleID, Handle: "admins"},
 		}
 	)


--- a/compose/importer/importer.go
+++ b/compose/importer/importer.go
@@ -6,7 +6,7 @@ import (
 	"github.com/cortezaproject/corteza-server/compose/types"
 	"github.com/cortezaproject/corteza-server/pkg/deinterfacer"
 	"github.com/cortezaproject/corteza-server/pkg/importer"
-	"github.com/cortezaproject/corteza-server/pkg/permissions"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	sysTypes "github.com/cortezaproject/corteza-server/system/types"
 )

@@ -132,7 +132,7 @@ func (imp *Importer) Store(
 	cStore chartKeeper,
 	pStore pageKeeper,
 	rStore recordKeeper,
-	pk permissions.ImportKeeper,
+	pk rbac.ImportKeeper,
 	roles sysTypes.RoleSet,
 ) (err error) {
 	if imp.namespaces != nil {

--- a/compose/importer/main_test.go
+++ b/compose/importer/main_test.go
@@ -10,7 +10,7 @@ import (

 	"github.com/cortezaproject/corteza-server/compose/service"
 	"github.com/cortezaproject/corteza-server/compose/types"
-	"github.com/cortezaproject/corteza-server/pkg/permissions"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/cortezaproject/corteza-server/pkg/settings"
 )

@@ -23,7 +23,7 @@ var (
 	}

 	// Add namespace to the stack, make sure importer can find it
-	pi *permissions.Importer
+	pi *rbac.Importer
 	st *settings.Importer

 	imp *Importer
@@ -36,7 +36,7 @@ func TestMain(m *testing.M) {

 func resetMocks() {
 	// whitelist = nil, anything can be added
-	pi = permissions.NewImporter(service.AccessControl(nil).Whitelist())
+	pi = rbac.NewImporter(service.AccessControl(nil).Whitelist())
 	st = settings.NewImporter()

 	imp = NewImporter(nil, nil, nil, nil, pi, st)

--- a/compose/importer/module.go
+++ b/compose/importer/module.go
@@ -134,7 +134,7 @@ func (mImp *Module) Cast(handle string, def interface{}) (err error) {
 		// 	return c.resolveRecords(val)

 		case "allow", "deny":
-			return mImp.imp.permissions.CastSet(types.ModulePermissionResource.String()+handle, key, val)
+			return mImp.imp.permissions.CastSet(types.ModuleRBACResource.String()+handle, key, val)

 		default:
 			return fmt.Errorf("unexpected key %q for module %q", key, handle)
@@ -197,7 +197,7 @@ func (mImp *Module) castFields(module *types.Module, def interface{}) (err error
 				})

 			case "allow", "deny":
-				return mImp.imp.permissions.CastSet(types.ModuleFieldPermissionResource.String()+fieldName, key, val)
+				return mImp.imp.permissions.CastSet(types.ModuleFieldRBACResource.String()+fieldName, key, val)

 			default:
 				return fmt.Errorf("unexpected key %q for field %q on module %q", key, fieldName, module.Name)
@@ -247,10 +247,10 @@ func (mImp *Module) Store(ctx context.Context, k moduleKeeper) (err error) {
 		}

 		mImp.dirty[module.ID] = false
-		mImp.imp.permissions.UpdateResources(types.ModulePermissionResource.String(), handle, module.ID)
+		mImp.imp.permissions.UpdateResources(types.ModuleRBACResource.String(), handle, module.ID)

 		err = module.Fields.Walk(func(f *types.ModuleField) error {
-			mImp.imp.permissions.UpdateResources(types.ModuleFieldPermissionResource.String(), f.Name, f.ID)
+			mImp.imp.permissions.UpdateResources(types.ModuleFieldRBACResource.String(), f.Name, f.ID)
 			return nil
 		})
 	}

--- a/compose/importer/namespace.go
+++ b/compose/importer/namespace.go
@@ -137,7 +137,7 @@ func (nsImp *Namespace) Cast(handle string, def interface{}) (err error) {
 			return nsImp.castRecords(handle, val)

 		case "allow", "deny":
-			return nsImp.imp.permissions.CastSet(types.NamespacePermissionResource.String()+namespace.Slug, key, val)
+			return nsImp.imp.permissions.CastSet(types.NamespaceRBACResource.String()+namespace.Slug, key, val)

 		default:
 			return fmt.Errorf("unexpected key %q for namespace %q", key, namespace.Slug)
@@ -247,7 +247,7 @@ func (nsImp *Namespace) Store(ctx context.Context, nsk namespaceKeeper, mk modul
 		spew.Dump(nsImp.dirty, namespace)

 		nsImp.dirty[namespace.ID] = false
-		nsImp.imp.permissions.UpdateResources(types.NamespacePermissionResource.String(), handle, namespace.ID)
+		nsImp.imp.permissions.UpdateResources(types.NamespaceRBACResource.String(), handle, namespace.ID)

 		if _, ok := nsImp.modules[handle]; ok {
 			nsImp.modules[handle].namespace = namespace

--- a/compose/importer/page.go
+++ b/compose/importer/page.go
@@ -158,7 +158,7 @@ func (pImp *Page) cast(parent, handle string, def interface{}) (err error) {
 			return pImp.castSet(handle, val)

 		case "allow", "deny":
-			return pImp.imp.permissions.CastSet(types.PagePermissionResource.String()+handle, key, val)
+			return pImp.imp.permissions.CastSet(types.PageRBACResource.String()+handle, key, val)

 		default:
 			return fmt.Errorf("unexpected key %q for page %q", key, handle)
@@ -358,7 +358,7 @@ func (pImp *Page) storeChildren(ctx context.Context, parent string, k pageKeeper
 			continue
 		}

-		pImp.imp.permissions.UpdateResources(types.PagePermissionResource.String(), page.Handle, page.ID)
+		pImp.imp.permissions.UpdateResources(types.PageRBACResource.String(), page.Handle, page.ID)

 		if err = pImp.storeChildren(ctx, page.Handle, k); err != nil {
 			return err

--- a/compose/rest.yaml
+++ b/compose/rest.yaml
@@ -972,7 +972,7 @@ endpoints:
  - Client ID
  - Session ID
  imports:
-    - github.com/cortezaproject/corteza-server/pkg/permissions
+    - github.com/cortezaproject/corteza-server/pkg/rbac
  apis:
  - name: list
    path: "/"
@@ -1021,7 +1021,7 @@ endpoints:
        title: Role ID
      post:
      - name: rules
-        type: permissions.RuleSet
+        type: rbac.RuleSet
        required: true
        title: List of permission rules to set
 - title: Compose automation scripts

--- a/compose/rest/permissions.go
+++ b/compose/rest/permissions.go
@@ -7,7 +7,7 @@ import (

 	"github.com/cortezaproject/corteza-server/compose/rest/request"
 	"github.com/cortezaproject/corteza-server/compose/service"
-	"github.com/cortezaproject/corteza-server/pkg/permissions"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
 )

 type (
@@ -16,10 +16,10 @@ type (
 	}

 	permissionsAccessController interface {
-		Effective(context.Context) permissions.EffectiveSet
-		Whitelist() permissions.Whitelist
-		FindRulesByRoleID(context.Context, uint64) (permissions.RuleSet, error)
-		Grant(ctx context.Context, rr ...*permissions.Rule) error
+		Effective(context.Context) rbac.EffectiveSet
+		Whitelist() rbac.Whitelist
+		FindRulesByRoleID(context.Context, uint64) (rbac.RuleSet, error)
+		Grant(ctx context.Context, rr ...*rbac.Rule) error
 	}
 )

@@ -47,9 +47,9 @@ func (ctrl Permissions) Delete(ctx context.Context, r *request.PermissionsDelete
 		return nil, err
 	}

-	_ = rr.Walk(func(rule *permissions.Rule) error {
+	_ = rr.Walk(func(rule *rbac.Rule) error {
 		// Setting access to "inherit" will make Grant remove the rule
-		rule.Access = permissions.Inherit
+		rule.Access = rbac.Inherit
 		return nil
 	})

@@ -58,7 +58,7 @@ func (ctrl Permissions) Delete(ctx context.Context, r *request.PermissionsDelete

 func (ctrl Permissions) Update(ctx context.Context, r *request.PermissionsUpdate) (interface{}, error) {
 	rr := r.Rules
-	_ = rr.Walk(func(rule *permissions.Rule) error {
+	_ = rr.Walk(func(rule *rbac.Rule) error {
 		// Make sure everything is properly set
 		rule.RoleID = r.RoleID
 		return nil

--- a/compose/rest/request/permissions.go
+++ b/compose/rest/request/permissions.go
@@ -12,7 +12,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"github.com/cortezaproject/corteza-server/pkg/payload"
-	"github.com/cortezaproject/corteza-server/pkg/permissions"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/go-chi/chi"
 	"io"
 	"mime/multipart"
@@ -63,7 +63,7 @@ type (
 		// Rules POST parameter
 		//
 		// List of permission rules to set
-		Rules permissions.RuleSet
+		Rules rbac.RuleSet
 	}
 )

@@ -247,7 +247,7 @@ func (r PermissionsUpdate) GetRoleID() uint64 {
 }

 // Auditable returns all auditable/loggable parameters
-func (r PermissionsUpdate) GetRules() permissions.RuleSet {
+func (r PermissionsUpdate) GetRules() rbac.RuleSet {
 	return r.Rules
 }

@@ -272,7 +272,7 @@ func (r *PermissionsUpdate) Fill(req *http.Request) (err error) {
 		// POST params

 		//if val, ok := req.Form["rules[]"]; ok && len(val) > 0  {
-		//    r.Rules, err = permissions.RuleSet(val), nil
+		//    r.Rules, err = rbac.RuleSet(val), nil
 		//    if err != nil {
 		//        return err
 		//    }

--- a/compose/service/access_control.go
+++ b/compose/service/access_control.go
@@ -5,28 +5,28 @@ import (
 	"github.com/cortezaproject/corteza-server/compose/types"
 	"github.com/cortezaproject/corteza-server/pkg/actionlog"
 	"github.com/cortezaproject/corteza-server/pkg/auth"
-	"github.com/cortezaproject/corteza-server/pkg/permissions"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
 )

 type (
 	accessControl struct {
-		permissions accessControlPermissionServicer
+		permissions accessControlRBACServicer
 		actionlog   actionlog.Recorder
 	}

-	accessControlPermissionServicer interface {
-		Can([]uint64, permissions.Resource, permissions.Operation, ...permissions.CheckAccessFunc) bool
-		Grant(context.Context, permissions.Whitelist, ...*permissions.Rule) error
-		FindRulesByRoleID(roleID uint64) (rr permissions.RuleSet)
+	accessControlRBACServicer interface {
+		Can([]uint64, rbac.Resource, rbac.Operation, ...rbac.CheckAccessFunc) bool
+		Grant(context.Context, rbac.Whitelist, ...*rbac.Rule) error
+		FindRulesByRoleID(roleID uint64) (rr rbac.RuleSet)
 	}

 	secureResource interface {
-		PermissionResource() permissions.Resource
+		RBACResource() rbac.Resource
 		DynamicRoles(uint64) []uint64
 	}
 )

-func AccessControl(perm accessControlPermissionServicer) *accessControl {
+func AccessControl(perm accessControlRBACServicer) *accessControl {
 	return &accessControl{
 		permissions: perm,
 		actionlog:   DefaultActionlog,
@@ -34,40 +34,40 @@ func AccessControl(perm accessControlPermissionServicer) *accessControl {
 }

 // Effective returns a list of effective service-level permissions
-func (svc accessControl) Effective(ctx context.Context) (ee permissions.EffectiveSet) {
-	ee = permissions.EffectiveSet{}
+func (svc accessControl) Effective(ctx context.Context) (ee rbac.EffectiveSet) {
+	ee = rbac.EffectiveSet{}

-	ee.Push(types.ComposePermissionResource, "access", svc.CanAccess(ctx))
-	ee.Push(types.ComposePermissionResource, "grant", svc.CanGrant(ctx))
-	ee.Push(types.ComposePermissionResource, "namespace.create", svc.CanCreateNamespace(ctx))
-	ee.Push(types.ComposePermissionResource, "settings.read", svc.CanReadSettings(ctx))
-	ee.Push(types.ComposePermissionResource, "settings.manage", svc.CanManageSettings(ctx))
+	ee.Push(types.ComposeRBACResource, "access", svc.CanAccess(ctx))
+	ee.Push(types.ComposeRBACResource, "grant", svc.CanGrant(ctx))
+	ee.Push(types.ComposeRBACResource, "namespace.create", svc.CanCreateNamespace(ctx))
+	ee.Push(types.ComposeRBACResource, "settings.read", svc.CanReadSettings(ctx))
+	ee.Push(types.ComposeRBACResource, "settings.manage", svc.CanManageSettings(ctx))

 	return
 }

 func (svc accessControl) CanAccess(ctx context.Context) bool {
-	return svc.can(ctx, types.ComposePermissionResource, "access")
+	return svc.can(ctx, types.ComposeRBACResource, "access")
 }

 func (svc accessControl) CanGrant(ctx context.Context) bool {
-	return svc.can(ctx, types.ComposePermissionResource, "grant")
+	return svc.can(ctx, types.ComposeRBACResource, "grant")
 }

 func (svc accessControl) CanReadSettings(ctx context.Context) bool {
-	return svc.can(ctx, types.ComposePermissionResource, "settings.read")
+	return svc.can(ctx, types.ComposeRBACResource, "settings.read")
 }

 func (svc accessControl) CanManageSettings(ctx context.Context) bool {
-	return svc.can(ctx, types.ComposePermissionResource, "settings.manage")
+	return svc.can(ctx, types.ComposeRBACResource, "settings.manage")
 }

 func (svc accessControl) CanCreateNamespace(ctx context.Context) bool {
-	return svc.can(ctx, types.ComposePermissionResource, "namespace.create")
+	return svc.can(ctx, types.ComposeRBACResource, "namespace.create")
 }

 func (svc accessControl) CanReadNamespace(ctx context.Context, r *types.Namespace) bool {
-	return svc.can(ctx, r, "read", permissions.Allowed)
+	return svc.can(ctx, r, "read", rbac.Allowed)
 }

 func (svc accessControl) CanUpdateNamespace(ctx context.Context, r *types.Namespace) bool {
@@ -99,11 +99,11 @@ func (svc accessControl) CanDeleteModule(ctx context.Context, r *types.Module) b
 }

 func (svc accessControl) CanReadRecordValue(ctx context.Context, r *types.ModuleField) bool {
-	return svc.can(ctx, r, "record.value.read", permissions.Allowed)
+	return svc.can(ctx, r, "record.value.read", rbac.Allowed)
 }

 func (svc accessControl) CanUpdateRecordValue(ctx context.Context, r *types.ModuleField) bool {
-	return svc.can(ctx, r, "record.value.update", permissions.Allowed)
+	return svc.can(ctx, r, "record.value.update", rbac.Allowed)
 }

 func (svc accessControl) CanCreateRecord(ctx context.Context, r *types.Module) bool {
@@ -158,7 +158,7 @@ func (svc accessControl) CanDeletePage(ctx context.Context, r *types.Page) bool
 	return svc.can(ctx, r, "delete")
 }

-func (svc accessControl) can(ctx context.Context, res secureResource, op permissions.Operation, ff ...permissions.CheckAccessFunc) bool {
+func (svc accessControl) can(ctx context.Context, res secureResource, op rbac.Operation, ff ...rbac.CheckAccessFunc) bool {
 	var u = auth.GetIdentityFromContext(ctx)

 	if auth.IsSuperUser(u) {
@@ -170,13 +170,13 @@ func (svc accessControl) can(ctx context.Context, res secureResource, op permiss

 	return svc.permissions.Can(
 		append(u.Roles(), res.DynamicRoles(u.Identity())...),
-		res.PermissionResource(),
+		res.RBACResource(),
 		op,
 		ff...,
 	)
 }

-func (svc accessControl) Grant(ctx context.Context, rr ...*permissions.Rule) error {
+func (svc accessControl) Grant(ctx context.Context, rr ...*rbac.Rule) error {
 	if !svc.CanGrant(ctx) {
 		return AccessControlErrNotAllowedToSetPermissions()
 	}
@@ -190,7 +190,7 @@ func (svc accessControl) Grant(ctx context.Context, rr ...*permissions.Rule) err
 	return nil
 }

-func (svc accessControl) logGrants(ctx context.Context, rr []*permissions.Rule) {
+func (svc accessControl) logGrants(ctx context.Context, rr []*rbac.Rule) {
 	if svc.actionlog == nil {
 		return
 	}
@@ -204,7 +204,7 @@ func (svc accessControl) logGrants(ctx context.Context, rr []*permissions.Rule)
 	}
 }

-func (svc accessControl) FindRulesByRoleID(ctx context.Context, roleID uint64) (permissions.RuleSet, error) {
+func (svc accessControl) FindRulesByRoleID(ctx context.Context, roleID uint64) (rbac.RuleSet, error) {
 	if !svc.CanGrant(ctx) {
 		return nil, AccessControlErrNotAllowedToSetPermissions()
 	}
@@ -212,11 +212,11 @@ func (svc accessControl) FindRulesByRoleID(ctx context.Context, roleID uint64) (
 	return svc.permissions.FindRulesByRoleID(roleID), nil
 }

-func (svc accessControl) Whitelist() permissions.Whitelist {
-	var wl = permissions.Whitelist{}
+func (svc accessControl) Whitelist() rbac.Whitelist {
+	var wl = rbac.Whitelist{}

 	wl.Set(
-		types.ComposePermissionResource,
+		types.ComposeRBACResource,
 		"access",
 		"grant",
 		"namespace.create",
@@ -225,7 +225,7 @@ func (svc accessControl) Whitelist() permissions.Whitelist {
 	)

 	wl.Set(
-		types.NamespacePermissionResource,
+		types.NamespaceRBACResource,
 		"read",
 		"update",
 		"delete",
@@ -236,7 +236,7 @@ func (svc accessControl) Whitelist() permissions.Whitelist {
 	)

 	wl.Set(
-		types.ModulePermissionResource,
+		types.ModuleRBACResource,
 		"read",
 		"update",
 		"delete",
@@ -247,20 +247,20 @@ func (svc accessControl) Whitelist() permissions.Whitelist {
 	)

 	wl.Set(
-		types.ModuleFieldPermissionResource,
+		types.ModuleFieldRBACResource,
 		"record.value.read",
 		"record.value.update",
 	)

 	wl.Set(
-		types.ChartPermissionResource,
+		types.ChartRBACResource,
 		"read",
 		"update",
 		"delete",
 	)

 	wl.Set(
-		types.PagePermissionResource,
+		types.PageRBACResource,
 		"read",
 		"update",
 		"delete",

--- a/compose/service/access_control_actions.gen.go
+++ b/compose/service/access_control_actions.gen.go
@@ -16,12 +16,12 @@ import (
 	"time"

 	"github.com/cortezaproject/corteza-server/pkg/actionlog"
-	"github.com/cortezaproject/corteza-server/pkg/permissions"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
 )

 type (
 	accessControlActionProps struct {
-		rule *permissions.Rule
+		rule *rbac.Rule
 	}

 	accessControlAction struct {
@@ -66,7 +66,7 @@ var (
 //
 // This function is auto-generated.
 //
-func (p *accessControlActionProps) setRule(rule *permissions.Rule) *accessControlActionProps {
+func (p *accessControlActionProps) setRule(rule *rbac.Rule) *accessControlActionProps {
 	p.rule = rule
 	return p
 }

--- a/compose/service/access_control_actions.yaml
+++ b/compose/service/access_control_actions.yaml
@@ -10,11 +10,11 @@ defaultActionSeverity: notice
 defaultErrorSeverity: alert

 import:
-  - github.com/cortezaproject/corteza-server/pkg/permissions
+  - github.com/cortezaproject/corteza-server/pkg/rbac

 props:
  - name: rule
-    type: "*permissions.Rule"
+    type: "*rbac.Rule"
    fields: [ operation, roleID, access, resource ]

 actions:

--- a/compose/service/chart_test.go
+++ b/compose/service/chart_test.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"errors"
 	"github.com/cortezaproject/corteza-server/compose/types"
-	"github.com/cortezaproject/corteza-server/pkg/permissions"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/cortezaproject/corteza-server/store"
 	"github.com/cortezaproject/corteza-server/store/sqlite3"
 	"github.com/stretchr/testify/require"
@@ -52,7 +52,7 @@ func TestCharts(t *testing.T) {
 		svc := chart{
 			store: s,
 			ctx:   context.Background(),
-			ac:    AccessControl(&permissions.ServiceAllowAll{}),
+			ac:    AccessControl(&rbac.ServiceAllowAll{}),
 		}
 		res, err := svc.Create(&types.Chart{Name: "My first chart", NamespaceID: namespaceID})
 		req.NoError(unwrapChartInternal(err))

--- a/compose/service/namespace.go
+++ b/compose/service/namespace.go
@@ -8,7 +8,7 @@ import (
 	"github.com/cortezaproject/corteza-server/pkg/actionlog"
 	"github.com/cortezaproject/corteza-server/pkg/eventbus"
 	"github.com/cortezaproject/corteza-server/pkg/handle"
-	"github.com/cortezaproject/corteza-server/pkg/permissions"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/cortezaproject/corteza-server/store"
 	"strconv"
 )
@@ -28,7 +28,7 @@ type (
 		CanUpdateNamespace(context.Context, *types.Namespace) bool
 		CanDeleteNamespace(context.Context, *types.Namespace) bool

-		Grant(ctx context.Context, rr ...*permissions.Rule) error
+		Grant(ctx context.Context, rr ...*rbac.Rule) error
 	}

 	NamespaceService interface {

--- a/compose/service/record_test.go
+++ b/compose/service/record_test.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"github.com/cortezaproject/corteza-server/compose/service/values"
 	"github.com/cortezaproject/corteza-server/compose/types"
-	"github.com/cortezaproject/corteza-server/pkg/permissions"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/cortezaproject/corteza-server/store"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -17,7 +17,7 @@ func TestGeneralValueSetValidation(t *testing.T) {

 		svc = record{
 			ctx: context.Background(),
-			ac:  AccessControl(&permissions.ServiceAllowAll{}),
+			ac:  AccessControl(&rbac.ServiceAllowAll{}),
 		}
 		module = &types.Module{
 			Fields: types.ModuleFieldSet{
@@ -71,7 +71,7 @@ func TestDefaultValueSetting(t *testing.T) {
 		a = assert.New(t)

 		svc = record{
-			ac: AccessControl(&permissions.ServiceAllowAll{}),
+			ac: AccessControl(&rbac.ServiceAllowAll{}),
 		}
 		mod = &types.Module{
 			Fields: types.ModuleFieldSet{

--- a/compose/service/service.go
+++ b/compose/service/service.go
@@ -14,7 +14,7 @@ import (
 	"github.com/cortezaproject/corteza-server/pkg/objstore/minio"
 	"github.com/cortezaproject/corteza-server/pkg/objstore/plain"
 	"github.com/cortezaproject/corteza-server/pkg/options"
-	"github.com/cortezaproject/corteza-server/pkg/permissions"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/cortezaproject/corteza-server/store"
 	"go.uber.org/zap"
 	"strconv"
@@ -22,8 +22,8 @@ import (
 )

 type (
-	permissionServicer interface {
-		accessControlPermissionServicer
+	RBACServicer interface {
+		accessControlRBACServicer
 		Watch(ctx context.Context)
 	}

@@ -50,9 +50,6 @@ var (

 	DefaultActionlog actionlog.Recorder

-	// DefaultPermissions Retrieves & stores permissions
-	DefaultPermissions permissionServicer
-
 	// DefaultAccessControl Access control checking
 	DefaultAccessControl *accessControl

@@ -101,13 +98,7 @@ func Initialize(ctx context.Context, log *zap.Logger, s store.Storer, c Config)
 		DefaultActionlog = actionlog.NewService(DefaultStore, log, tee, policy)
 	}

-	if DefaultPermissions == nil {
-		// Do not override permissions service stored under DefaultPermissions
-		// to allow integration tests to inject own permission service
-		DefaultPermissions = permissions.Global()
-	}
-
-	DefaultAccessControl = AccessControl(DefaultPermissions)
+	DefaultAccessControl = AccessControl(rbac.Global())

 	if DefaultObjectStore == nil {
 		const svcPath = "compose"
@@ -167,8 +158,7 @@ func Activate(ctx context.Context) (err error) {
 }

 func Watchers(ctx context.Context) {
-	// Reloading permissions on change
-	DefaultPermissions.Watch(ctx)
+	//
 }

 func RegisterIteratorProviders() {

--- a/compose/types/chart.go
+++ b/compose/types/chart.go
@@ -4,7 +4,7 @@ import (
 	"database/sql/driver"
 	"encoding/json"
 	"github.com/cortezaproject/corteza-server/pkg/filter"
-	"github.com/cortezaproject/corteza-server/pkg/permissions"
+	"github.com/cortezaproject/corteza-server/pkg/rbac"
 	"github.com/pkg/errors"
 	"time"
 )
@@ -59,8 +59,8 @@ type (
 )

 // Resource returns a system resource ID for this type
-func (c Chart) PermissionResource() permissions.Resource {
-	return ChartPermissionResource.AppendID(c.ID)
+func (c Chart) RBACResource() rbac.Resource {
+	return ChartRBACResource.AppendID(c.ID)
 }

 func (c Chart) DynamicRoles(userID uint64) []uint64 {