A little while ago, we decided that we would put some system configuration into the store, and rely more or less on access controls to govern who could read/write that data, which is quite a nice flexible system. However, although I knew the ACL system existed, I didn’t actually know anything about it, or even if it worked.

Like most things store related, the code is reasonably clear, and when you try it you find it basically works. I rarely leave the store code in Bongo feeling unimpressed, which I suppose is a good feeling!

So, I documented what I learned about the ACL system on the wiki, and that resulted in this patch for bongo-config (mostly). Before, without ACLs, even logging in as admin meant you couldn’t read or write the Bongo configuration in the store – it just refused you access. Contrast with now:

= $ telnet localhost 689
  Connected to localhost (
  Escape character is '^]'.
  4242 NMAP <b7237b90laptop.alexhudson.com462e5b4d>
= AUTH USER admin ****
= STORE _system
  1000 OK
  4240 Permission denied
= READ /config/manager
  2001 nmap.document 654

Everything marked ‘= ‘ is something I typed in. So, you can see, we switch to the _system store, and try to look at the contents with a collections command – this fails, we don’t have permission to do that. But we can read the bongo-manager configuration file.

Next stop, a basic but working Hawkeye 🙂