After reading the usage documentation of ACL, it seems that the relationship between selectors is OR. If the default selector is to allow all keys to read and write, I can't add the denial of write permission to the special key to this user.
Or, do we plan to support similar requirements again?
Comment From: madolson
@judeng You are correct in your reading, there is no way to indicate blocking an explicit part of the keyspace.
I'm of the opinion that some type of "NOT" selector is important to add to our ACL system, but the last time we reviewed the code we opted to not go down the route, for lack of user interest. So would love to hear more about your use case.
Comment From: judeng
@madolson thank you!
We have a large cluster that has been running for many years. This cluster is used by more than 30 callers. There have been accidents caused by different callers writing the same key. However, due to various complex reasons such as the long age of the code, frequent changes of maintenance personnel, and lack of documentation balabala, it is impossible to determine which key prefix each caller needs to write. What we can only be sure of is that the caller should not write a specific key. Now we want to access ACL to restrict illegal writing,but if we only use the OR mode of ACL, it will easily cause accidents, which will restrict us from upgrading the old cluster to the ACL access method. On the other hand, there is no problem that the new cluster uses ACL
of OR mode.
Comment From: madolson
Thanks for the input, it will help us in prioritizing. I'm going to reword this issue to better encapsulate the request and we'll see if there are more people interested.