From 698c7be20b14d720f4f11751586ec3bb7c5ec9f9 Mon Sep 17 00:00:00 2001
From: xfiderek
Date: Mon, 6 Feb 2023 20:37:23 +0100
Subject: [PATCH 1/5] add first version of granular access control RFC

---
 assets/000/concept.png              | Bin 0 -> 67705 bytes
 rfcs/000-granular-access-control.md | 165 ++++++++++++++++++++++++++++
 2 files changed, 165 insertions(+)
 create mode 100644 assets/000/concept.png
 create mode 100644 rfcs/000-granular-access-control.md

diff --git a/assets/000/concept.png b/assets/000/concept.png new file mode 100644 index 0000000000000000000000000000000000000000..bf980d8e30f4d16aff7ea6128c49f1e1950c6274 GIT binary patch literal 67705
zW|H+btw^8+81-ER=8W-s{G5V5gX>OlEdp9m6<=%9vSrr-u=^k+TN2$8hw+FW#`8Cs zYU*9CDi~lI6Fg27>BN$bu`9k#7enXk)aB>T!glZ?a$EPJV|>Gmm{+@L(dS=t6q`Ra zTQrSjXX$ft8GFJSSU0*udUAlNZ}Lcy2^MEPWbs)>(C|0uI(4b$L9^~y4)SKFKl>5`dFQe z_dg~b?%K93pMG-T%w^wqru5Z7F;~bMBo9XQN3pJLxfzHn5MYuS!Mk@|?b@lddl86! zRP6h9mn^Sm<5idM@ae_M31wfmSUne!JKEy>xKUxy8xm^pJxlph<2%VG^i>m{%gv{p z2h=rfB=e~ue4&Rew03U>WOM6>%IzjaYQ+^e&Dw=qRf}TMQ#KEB&yQ$efuTebpyr?1 z4Wxohjaip;{kZIUEQQbxXwzP^>4ftZWk<-}9bAKiW~BmVsUwNH>N&Q_6w9}#0$*{Z zFZKa*ofPS(EtgdW2fq{mA7a1fWqfo-bie?hk=nD5Pz9bZYpSNBTIpfaa$5m58#8ra zq3z9yK}C6I!>!rjUcdmd@rsW16GYM-17KNl-+d`7qtTz3i+bo1v#z#9TBNpa6!}?^ zsG%FFvB0i;x=5{d!>dryyr{^PtuHgnP#@@U8oTft9Rf!8=$xAEJr1@NA58UR^YP}2 z>iKr<41w%5_m)gJ%gyQeQ<0HxFvhPruY}*$fLz?Yw8n319oSH@ar$(!mSvv8?A%d{ z*h}3AIn6MpxANDut)_biVUn%bl%;nY9A%abGr+LqiZ@~Xc@_^K2X+32g+&(O#HB@v zuR{Q1wOZJ(BHwJXr<_`nE2xzlJ2PQ<{+75C4?yOhkXhMQc#`x7lhaZjoS+Y0mruID zM3(jpnm1040$UpalB4G^bKnxhQ3YlNaqRpSawK-R^t~YZ#Vy60^jA)mrqS3Ioj4x* z>T%Cj3sh+-*Rze!#t0*a>4Y*LAF6syD<07w@l#X1IgeV~k>|_Dsj8g!Jw3vpPzbrV zs~sxWtk+k9CQ8q909NHFEvKky|_V(>Us(mePCab>L9` zlGcGoFE-S(_aM>+gpm=7c4hB~wa8`r`rITL(~F@!d^;iaB@Ki_$!Uh~efp@hH;{N0 zc#4O;Z=0*@P@Wvs(B4FSG z1uk1nDBs({jt2;z7kX4eM!0`KnSu})eafE7|c=wI8cr1G>tJw7FW7u zsLz$N4VO2+xlKr^m0y&6G9nNEGNfhoq3h)c!MO?%pJ?mkEnG zP9Z5xn(^h-Dtl3*hv|r{?%TR7<_ZHnHA;jH6_Q9sbdDNt8zM9PCf;0aQ_&mdX)oZ7 z+G^2U+HUy%b~3Jt(hP3&X0(yt9-|c5UHmKWGiwsl`3exP0#va>bGQ$ryed|cr^NXx& zB$uIFHOd`t-xXwJcVFJTlHpjtaj4TZBrp6r%}Fi(Qu{x{fuw6CmdbHZn&sI%UfXqpVl%7=aqSmsF(4+`G7(O=9ioXo6l z63Bdbqv?arT0~X^gp^AtorzyvJV^NV;f)8$SFtOu2QR=drdZu z?SdF^T-urfucZ~423t6@J5wpwCCDJGATLxQuiBB{yRw4TkqGE|tyNH8(}V@9%yJ?{ zs$XTKoq5%oj=_)2xRV5?5EfsiIB;`1;i{3~b;{Pr^DG<2D9O_T(^_6(F)B)iE$%Bo zIExdkMsorR@VeB+mP64z=u;X<`h2POIYuNEQVSN@Yf~GYeJ-MM%s>a+fRxlLbe@1~ z%_AbqCGT3@aBln$z+PIg^W@=>A{B_2nBmkiK`J{&%xIxvxXTawGD=7~QD%c=|qn`E(LsVS;tveQbj{&LJZ zrh9TObd)K#?d2Mtnes%g0E?-4yIcdUxx}Xh@2-U-u4X|}$XGsXH|skjsc%yUvFRVz1)(R!Fu+pjKb)hHQauzLc`R-ZOWNL zJ&l;NR5{DAcmif)15x2=+j>IMn)Q)W5e?1e#~|I6o8$Z?*zN-_>76UwNbOj)CmO-8 
z)zVdLzV2;G>2s^IXBfVhq`hye@BT#!E7(pSrbzpEgMZc zpG6(7jppf&C$b%|EIxSZk8tcKwi3r_RyI?p3sZ8LP<>1vx*)}0Hrre)BN|#-;YTyQ zsYlAP|Jh<8Im4yha1*s*(j=Qf`cmD8DrwZwZFPHs!Rv6!foM|_wnC*Swb;2gTjt-! zYtkCnhm@@J(6kLh0|xTIkpB5NyLyY2*3FJQu>Z0!hWq;Mj~>qR26;7iL9-K-bMqnM z?n5fPZ3NUEc@qMpN2L*u0#CyP6hiHCDBWg-;MVWu;wGuVK4rV~u&&{mw?0E2ZVv@! zJVE#Q`a6s6fyP#?@#ZRR9@)nt_TN8$_VjChRQQmRL0#Ka2NpM}Ofymo!%%;*w^PHn z1rGC^>C99G3hMJ8?*=W4ZcSmDnCl0DZ# zq0gayuawR_NT=tIjAK)5%qZ=Cmc3+>%@lGT2M(6}!1LM7c8HsxOy4$$G3)hK@D4mH~|vJ+H?1tp5JimCxvbeR&hVfEp)8?pAAi}$C?TlF1G77!alarJ3Vd+Ss1WSQX6HA|H8(xOayYuB>n zc^1(+yLy`@ex$^up~hzloyI0H@Y828L_nkWF117Z*Fskeg9b!{CRfx!bItRZG)AxW zDx{msqaf$kBs--_Yj3@~9T~{n9Cap1yYZ8y@DM70j80zpp}TY%b)UNGV}5q46a*E- zQBSDLNYldqsnBU7Z6Qpn?Qrw$yk?UaN6)z!s1QMf8kLHmmbLZOrr1{{7mIlWV|fjU zE~>u@^vg|ayXu6e4)&xLHlMZ8p-WHFjrhsbiZAe_wJT@u5Ec^p!RL?yhK=%92O`zv zip_2sNn3>yLD+~!WUEllZfu0-e^`19vJJs=G5R{oCY*7TsdCL~J8k*v76)Q|>+Hh! z9}gJ=Wf$3W44%O}&6iMKGs|62m%o$%v~mvXFtzFQ##%zpvwE7N(jQ01v@4wI-um*C z{|X1~XJ?q}#|-~>J#~EW+_6(H>(;NIy{qggbxB(jKO*Z!95e+Hn&e)m6C8G$b0oR45Mf5m+P^ezE+KK9{tWaaJOG}rXzUN|44{SbNFw(AaSJ>#t zWvD>RRY}QPY^4}OwgJ<8Q^&G>?15gNQB?{a$Bc^lr4^#K=YpZU}Oe>LM(N2bk`XCRj&}j)u&Y+`3R-SZ+ z{8$?kID>pb^@fBh+~R=ew$10hiCWFL_S)YC$Rr&w zM382se5~r8qc8xW^dGqQQd@*AKz5Mw=Hu&zOcV;C%5QGhL-wB?IM06guASe^3$j5x ztCjZ(vkbJwsd55!EzVz!<^9Hh)E7-aO35Op!u(QbvO>x28?ja1%5wa*&F&(7!b znD8^@dMKn<_hmkkZJ_mK_0j=4K=S7zOxF;oQv*Qck|MK$UAW=u^rO$+k64;pShykY z=G+qt1Q4R?y6Gmbt3PIBjVJGG6N-}lj_3e`-@@A-NK|LLH?o%w-j^%(TgmrO z?yn4H&c9&~kac~MAr`v?5vpMmO3y4Y5l%LDP#Ex>xC8cex@)+#-?a+L#7sBRpUGd= zZrN6Lrp@^zffs(~DA&lS6A>MfPt1KW{SIH=fZ)~hJA=2m&#dwcW37de^VW7 zjSA_px--#8f! 
zR#&++T*$hpv^dl(nuxSdg_k9)R_Xy zfftD0a!N>X@bySTi%aj+f?AxRZ1=NfOuFj&RS>s)p_~%g)UT@@RaawNkLT(#%}qkf zE#nsYdwpwSBo*Xod)A?Y;U>an_eMSaWxMm{Cq#Teo5%s>X_-shmOpKADQ??E=zB7^ zfRIx%DqMpmGkvMCbeTsT?Ddq=Uu3*}uN)=i6uzSdQOWyS^#S*C!22&kCcL(~9PYdl zPt71TA#|=RQ2W+)@HX&aU=-vmRK`?@!WiSmW}o#%ArwQstlX=@6LaWZM);D3Slgj> z8$8b_xog+b99Dr^9lntNr(R(}A(076~87NQ4qs(EpI)Ah8$gRxq z{d)cALC%-AYlQ*fBmv~&>0QZ^M=PpL@S^Bu6Mgq3C8LS`Inur)ZG~^o4KN7L zKoc@4t`&rDy&Yb}v|TMPo!jQO4M7$2{YGMBh>h#`CT(kacPdXr*0-Fz8q22zn&DLp zZTyO&;w$55P}n%$EhlgMO8h8rqdXMbvP=OdV-(`k2)r^%>+8X^J?5FRmnK!e?i$f> zvRl0;czn3XniQ-WoJ3(;yA^e%puvjKd(R>H#MYodQx93oFA)z^OiJz7FA%gOv|Aw7 z`1Gkz)^~;ti|Ifb^0&hM+jL>4*SRM$hF`mT1K;8)2P)mZEPEY-Aj*{cWT{%|2DbIo z6Us(16b}UH?{>g>O@1s6uu)m1DK*@jl8H5LuMG6bC5CJBUSqcPJ~VGypH?Ivl{hEM4MNc3tu`*>9%xJLi^+N?ThYdUApkZP64B<)f(h9d^e9{ ze5PAVgh1zL525YfR;nZB{Y*h6vCR{WKvjTOE&XkjPx0N$MtpI^Y2(>3-AXPulW*S@ zK~f}(tCu%p=e?pXey{GIM_y@Q?fdZhv?tgaq10XsF*}m$$^@-UCtOc+cu7z7s)pt*dCO(gp-1KV!#!9s0StKl3V>hnNL(ii< zT3#(r+BcE%<}z2z!WQS{CD2r1UHivkZ19^sEW>m2B2wjII_w(q8ga$rs3X@h!{U^d zNMA;?Izj%LoxwPxm&{QlQd)DYHn#5{q|N%CtQHte1yuzz9%WiA29JD`#BP^7W!~S# z+J$(`#R%t?9{L6|o>W+D<%O9a3O8;n!Ia_EenrP6L+%u~a zc{y zN=KBxibMB%+GW*SWMhFe={LG-o3*8~Dzj_7Ug57~25%`)`Ys|C#2YNW#bq<<$9*mz zhT|)ImK|sgl=XcLj}f ziZ&##KZZ2WM*2hSSUMF$p-G{BK!*CF8%IVOLStX~`Ql`=UW1mapVfs2X{Pw7%}<}+ z)m_1Mx>K?X?K7x1LFS?3ve^>*$3Wwl0UfOzQOB>CwUOKms!2n}t?T-=p3O^&@q|Sd zfu-9BcP<0g&&-dR++!o7mXFfNZL?QZ48jQ*mDl-ShGy>348&*?*)8MNAzFxQI%@+g zM)e#COGoINzkRpp=cgz=@z?`(bJe4=KZ_jHC^?E&cF^f(<(ojZV<-7~w0%2fpKU6>NcAQuJ#A2-JT3%-@k3yV;``$apwbz9WM$T{LI!dGyQXy^nYc;l##oo?OfyT-!BwxeW zjn^D1k?-e|uEiGJ6i`weyF^)CbJBY?9`15mVs7b8->$9sKuMPWTa|G%Vbk^i(`> z4$LX=D^6P+xR(20b>m-u6jSiPJB{Hh&*sj6R1Cl8-@k`n@t5e<+o0zS&#p8*W97%4 zO87ZAa_o-$zn=!z$mhT#VJV?z5s#?^M^~QyTmS6O@Sa@^sqY7PL_;BhJ zL7(h{yK4WuVgG!L|Eyd8*Oz#|%Mh-uzO<%$ueskoOj=DnQ+eKNvms+@hsO83)vm6f zbw6}UH&Tfy*7q1 z&`sY%Do1iu>zpIyQ|HQ{CY28EC@T!@gk3;ea0Kk`e}=`MVT1?1P4ge8`_pv=;Y28Y zjF|0rH2NJ&eg@5kROFxN`S&9Pa3N-DMql|)wEJ5;CSmc$|IZlq^O_&0K#(G3#rXgI 
zO1~eAA>wuw*r1f3Zk~PNF|lp->&rMDgm-d|Mgfdn^%BH-qcq6@%KgkegSI8 z0m+|>{B2ayO(43{Dz2UT&)N8SE1wN}q5t(*&Rqo&f5hIAJM+JOeE1QPXa9DkKZo_$ kgDl{msr>(aDi3|{EM4W6U#u@V1^$zLsQ4iNo}vH$0Nc&0w*UYD literal 0 HcmV?d00001 diff --git a/rfcs/000-granular-access-control.md b/rfcs/000-granular-access-control.md new file mode 100644 index 0000000..17e9639 --- /dev/null +++ b/rfcs/000-granular-access-control.md 
@@ -0,0 +1,165 @@ +- Feature Name: Granular access control - Phase 1 +- Start Date: 2023-01-22 +- RFC PR: N/A +- Amundsen Issue: N/A + +# Granular access control - Phase 1 + +## Summary + +This RFC proposes first implementation of granular access control feature for Amundsen frontend. +**Included in phase 1** + +* enforcing authorization rules specified in database +* filtering search query results (prevent users from seeing content they are not authorized to access) +* Basic UI (redirect to 'you are not authorized to access this resource' page) + +After implementation of Phase 1, Amundsen users will be able to define set of granular authorization rules for users and groups by inserting authorization rules into database. + +I've also included [Demo PR](https://github.com/amundsen-io/amundsen/pull/2029), which aims to show an idea behind implementation of this feature. This PR implements authorization for "get_table_metadata" endpoint. Please take a look at `frontend/amundsen_application/authz_config.py`, as well as changes in `frontend/amundsen_application/api/metadata/v0.py` files. +Note that code on this branch won't fully reflect final implementation as it is subject to change as concept evolves. + +Phase 2 - see [Future possibilities](#Future-possibilities) + +## Motivation + +This feature was listed as one of mid-term plans in 2021 roadmap. Scenarios that may require granular access control include cases where: +* metadata contains sensitive information and can not be shared with everyone +* users should see only data from their business unit +* only admins and owners should be allowed to modify list of dataset owners + + +In longer term this feature could help with maintaning and administration of amundsen in more UI-driven fashion. + + +## Guide-level Explanation (aka Product Details) + +### Authorization (Granular access control) +When you enable authorization, you can control permissions on objects stored in Amundsen. 
You can define user groups and manage permissions on different scopes (e.g. database, table). Granular access control can also support filtering query results. By default, Amundsen is using [Casbin](https://casbin.org/docs/overview) as the authorization client. + +### Default configuration +Access Control List (ACL) is the default model used in Amundsen. Each user (or group of users) can be granted either `READ` or `WRITE` permissions on given resource type and scope. For example, we can add a rule that will allow user `bob@org.com` to view (READ) metadata of all tables from schema `hive`. + + +### Config modification +Default authorization behaviour can be changed by modifying `authz_config.py` configuration file. You can define new permission types or change the way authorization rules are applied to given endpoint. + +Apart from that, by modifying model configuration file of Casbin authorization client you can change access control model (for example to RBAC or ABAC). + + +### Technical details +Amundsen leverages Casbin to +* check if user is authorized to access particular resource +* fetch permissions of user (in order to filter query results) + +Authorization model is based on checking if "subject {S} is allowed to perform action {A} on object {O}". Rules are stored in the database that can be deployed together with the application. + +Action permissions are defined on endpoint level. For example we define that + +> Later this section could be extended with hands-on demo of modyfing permissions + + +## UI/UX-level Explanation + +Whenever unauthorized principal tries to access a resource, user should be redirected to a page with text `You are not allowed to access this resource`. Component should be modifiable via `config-custom.ts` (e.g. same way Badge Config works). 
+ +## Reference-level Explanation (aka Technical Details) + +### Authorization flow +To abstract application code from access control model as much as possible, amundsen calls authorization client in order to verify that "subject {S} is allowed to perform action {A} on object {O}". + +There are 3 components added to Amundsen frontend, which are described below. + +**AuthorizationClient** +Proxy class that encapsulates authorization model and provides access to the database where access rules are stored. It implements methods that i.a.: +* Check if user is authorized to access the resource - This method takes user context, resource type (e.g. table), resource id and action and returns a boolean. +* Modify elasticsearch query to filter the records that user should not be able to see (this is not implemented yet) + +**RequestToActionMapper** +Given a context of a request, returns the corresponding action (e.g. READ, WRITE, DELETE). Example when user calls +I’ve added this component, because access control based on the HTTP method and url may not be sufficient for some of the use cases and also in my opinion actions are more natural than POST or GET methods. Mappings can be configured by developers in a configuration file. + +**BaseAction enum** +Enumerator with all possible actions (e.g READ, WRITE, DELETE) - developers can implement their own set of actions to meet requirements for granularity. + +![alt concept](../assets/048/concept.png) + +### Authorization config +Authorization flow components can be modified by changing config located in `frontend/amundsen_application/authz_config.py` file. Please take a look at Demo PR linked above to understand rough idea behind this config file. + +### Casbin policy +Authorization model is defined as a single `model.conf` file. +Take a look [here](https://casbin.org/docs/how-it-works) to understand how policies and models are defined. 
+ +Current implementation in Demo PR: + +`model.conf` file: +``` +[request_definition] +r = sub,type, obj, act + +[policy_definition] +p = sub, type, obj, act + + +[policy_effect] +e = some(where (p.eft == allow)) + +[matchers] +# match subject (e.g. user), match action(e.g. read), regex match type (e.g table), regex match object (e.g. table id) +m = r.sub == p.sub && r.act == p.act && regexMatch(r.type, p.type) && regexMatch(r.obj, p.obj) +``` + +Sample policy looks like this: +``` +p, test_user_id, table, hive://*, read +``` +Which can be read as "user 'test_user_id' has permission 'read' on resource type 'table' that matches 'hive://*'" + +Note that current implementation does not have notion of group of users, but it can be easily modified (Check [here](https://casbin.org/docs/rbac)) + + +## Drawbacks +As current model works on level of endpoint, it would require relatively high effort to implement it for whole application, as we would need to modify every function of every blueprint. Despite this, once we ship authorization for a single endpoint, implementation for consecutive ones should be much easier and faster. + +## Alternatives +Since Amundsen stores mostly metadata, for majority of use cases granular access is not required, however I think almost everyone could benefit from simple model that allows defining READ/WRITE permissions on application level. Outlined concept certainly makes such scenario possible, however it may be an overkill. I think logic of application would be simpler by making such assumption, however most of code for granular control is already in place in Demo PR linked above. I am sometimes a bit frustrated with applications making certain assumption about granularity, so for for me it is important that users can adjust granularity by modifying config files. + + +## Prior art +DataHub implemented [granular access control](https://datahubproject.io/docs/authorization) for their application. 
+ +It supports two ways of managing permissions: +* [Roles](https://datahubproject.io/docs/authorization/roles) - very simple permission mode with three roles (Admin, Editor, Reader) - roles are applied on application level, hence they are not really granular +* [Policies](https://datahubproject.io/docs/authorization/policies) - Allow to define fine-grained access. This model follows 'Subject, Action, Object' paradigm. + +Policies can be applied on scope of +* resource (URN) +* domain (logical boundary) +* type (dataset, chart) etc + +Main advantage of DataHub's granular access policies is very convenient [UI](https://datahubproject.io/docs/authorization/access-policies-guide/). Main limitation is that (contrary to Casbin) it does not support wildcards in policies. "Ability to define Metadata Policies against multiple reosurces scoped to particular 'Containers' (e.g. A 'schema', 'database', or collection')" is under consideration for implementation. Authorization enforcer used by DataHub is custom application-specific solution. + + +## Unresolved questions +### Default granularity +Current default authorization model implements two possible actions (READ and WRITE) for every resource type (Table, Dashboard etc). Limitation of that is that it won't support complex scenarios such as "user should be able to modify **table tag**, but not to modify table description", however this level of granularity could be achieved by modifying [authz_config.py]() file*. For me this setting is good tradeoff between simplicity and granularity, but I am happy to discuss it. + +**Just to be 100% transparent, such granularity would possible, but cumbersome to enforce in current Demo implementation, however I know how to support it easier and I am happy to implement that*. + +### Which adapter should we use for casbin? +Available [adapters](https://casbin.org/docs/adapters). 
+I think using PostgreSQL with [Sql alchemy adapter](https://github.com/pycasbin/sqlalchemy-adapter) should be the easiest option. + +### How to make granular access control optional? +It should not be necessary to download casbin and its dependencies unless granular access control is used. +What is the recommended way to skip installation of casbin if authorization is not used? +Also, since casbin would require some backend for storing the data (e.g. postgres), how we would like to add it to docker compose? Should we have a separate file (e.g. `docker-compose-with-authz.yml`)? + +### Filtering elasticsearch results based on authorization rules +In theory, it should be possible to whitelist elastic search records, by getting [all permissions of users](https://casbin.org/docs/rbac-api#getimplicitpermissionsforuser) and adding it as filter to search query, however i have never tested it so i am not sure how easy it will be to integrate it with current app. + +## Future possibilities +* API for permission management (add group, add user, add user to group, add permission) +* Syncing users and groups from IdP +* UI for permission management (we could then extend default permission model by `MANAGE` permission type, which would allow to call permission management API on certain scope) From e505cd943df1bcb2a4990566a1e65d2c92233502 Mon Sep 17 00:00:00 2001 From: xfiderek Date: Mon, 6 Feb 2023 20:41:59 +0100 Subject: [PATCH 2/5] fix png for the last time --- rfcs/000-granular-access-control.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rfcs/000-granular-access-control.md b/rfcs/000-granular-access-control.md index 17e9639..05c581b 100644 --- a/rfcs/000-granular-access-control.md +++ b/rfcs/000-granular-access-control.md 
@@ -82,7 +82,7 @@ I’ve added this component, because access control based on the HTTP method and **BaseAction enum** Enumerator with all possible actions (e.g READ, WRITE, DELETE) - developers can implement their own set of actions to meet requirements for granularity. -![alt concept](../assets/048/concept.png) +![Concept Preview](../assets/000/concept.png) ### Authorization config Authorization flow components can be modified by changing config located in `frontend/amundsen_application/authz_config.py` file. Please take a look at Demo PR linked above to understand rough idea behind this config file. From 296d80e1c8347dee27a377ef20d3fc3cb0f3ed48 Mon Sep 17 00:00:00 2001 From: xfiderek Date: Mon, 6 Feb 2023 20:44:27 +0100 Subject: [PATCH 3/5] change order of questions --- rfcs/000-granular-access-control.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/rfcs/000-granular-access-control.md b/rfcs/000-granular-access-control.md index 05c581b..0d293f0 100644 --- a/rfcs/000-granular-access-control.md +++ b/rfcs/000-granular-access-control.md 
@@ -142,10 +142,6 @@ Main advantage of DataHub's granular access policies is very convenient [UI](htt ## Unresolved questions -### Default granularity -Current default authorization model implements two possible actions (READ and WRITE) for every resource type (Table, Dashboard etc). Limitation of that is that it won't support complex scenarios such as "user should be able to modify **table tag**, but not to modify table description", however this level of granularity could be achieved by modifying [authz_config.py]() file*. For me this setting is good tradeoff between simplicity and granularity, but I am happy to discuss it. - -**Just to be 100% transparent, such granularity would possible, but cumbersome to enforce in current Demo implementation, however I know how to support it easier and I am happy to implement that*. ### Which adapter should we use for casbin? Available [adapters](https://casbin.org/docs/adapters). 
@@ -159,6 +155,11 @@ Also, since casbin would require some backend for storing the data (e.g. postgre ### Filtering elasticsearch results based on authorization rules In theory, it should be possible to whitelist elastic search records, by getting [all permissions of users](https://casbin.org/docs/rbac-api#getimplicitpermissionsforuser) and adding it as filter to search query, however i have never tested it so i am not sure how easy it will be to integrate it with current app. +### Default granularity +Current default authorization model implements two possible actions (READ and WRITE) for every resource type (Table, Dashboard etc). Limitation of that is that it won't support complex scenarios such as "user should be able to modify **table tag**, but not to modify table description", however this level of granularity could be achieved by modifying [authz_config.py]() file*. For me current setting is good tradeoff between simplicity and granularity, but I am happy to discuss it. + +**Just to be 100% transparent, such granularity would possible, but cumbersome to enforce in current Demo implementation, however I know how to support it easier and I am happy to implement that*. + ## Future possibilities * API for permission management (add group, add user, add user to group, add permission) * Syncing users and groups from IdP From 070a8b5022dbddfa0d9ff617ebf56c1524684b75 Mon Sep 17 00:00:00 2001 From: xfiderek Date: Mon, 6 Feb 2023 20:48:52 +0100 Subject: [PATCH 4/5] fix styling --- rfcs/000-granular-access-control.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/rfcs/000-granular-access-control.md b/rfcs/000-granular-access-control.md index 0d293f0..b5b5338 100644 --- a/rfcs/000-granular-access-control.md +++ b/rfcs/000-granular-access-control.md 
@@ -7,14 +7,15 @@ ## Summary -This RFC proposes first implementation of granular access control feature for Amundsen frontend. +This RFC proposes first implementation of granular access control feature for Amundsen frontend. + **Included in phase 1** * enforcing authorization rules specified in database * filtering search query results (prevent users from seeing content they are not authorized to access) * Basic UI (redirect to 'you are not authorized to access this resource' page) -After implementation of Phase 1, Amundsen users will be able to define set of granular authorization rules for users and groups by inserting authorization rules into database. +After implementation of Phase 1, Amundsen users will be able to define set of granular authorization rules for users and groups by inserting them into database. I've also included [Demo PR](https://github.com/amundsen-io/amundsen/pull/2029), which aims to show an idea behind implementation of this feature. This PR implements authorization for "get_table_metadata" endpoint. Please take a look at `frontend/amundsen_application/authz_config.py`, as well as changes in `frontend/amundsen_application/api/metadata/v0.py` files. Note that code on this branch won't fully reflect final implementation as it is subject to change as concept evolves. 
@@ -35,7 +36,7 @@ In longer term this feature could help with maintaning and administration of amu ## Guide-level Explanation (aka Product Details) ### Authorization (Granular access control) -When you enable authorization, you can control permissions on objects stored in Amundsen. You can define user groups and manage permissions on different scopes (e.g. database, table). Granular access control can also support filtering query results. By default, Amundsen is using [Casbin](https://casbin.org/docs/overview) as the authorization client. +When you enable authorization, you can control permissions on objects stored in Amundsen. You can define groups and manage permissions on different scopes (such as database or table). Granular access control also supports filtering search results. By default, Amundsen uses [Casbin](https://casbin.org/docs/overview) as the authorization client. ### Default configuration Access Control List (ACL) is the default model used in Amundsen. Each user (or group of users) can be granted either `READ` or `WRITE` permissions on given resource type and scope. For example, we can add a rule that will allow user `bob@org.com` to view (READ) metadata of all tables from schema `hive`. @@ -68,6 +69,8 @@ Whenever unauthorized principal tries to access a resource, user should be redir ### Authorization flow To abstract application code from access control model as much as possible, amundsen calls authorization client in order to verify that "subject {S} is allowed to perform action {A} on object {O}". +![Concept Preview](../assets/000/concept.png) + There are 3 components added to Amundsen frontend, which are described below. **AuthorizationClient** 
@@ -82,10 +85,9 @@ I’ve added this component, because access control based on the HTTP method and **BaseAction enum** Enumerator with all possible actions (e.g READ, WRITE, DELETE) - developers can implement their own set of actions to meet requirements for granularity. -![Concept Preview](../assets/000/concept.png) ### Authorization config -Authorization flow components can be modified by changing config located in `frontend/amundsen_application/authz_config.py` file. Please take a look at Demo PR linked above to understand rough idea behind this config file. +Authorization flow components can be modified by changing config located in `frontend/amundsen_application/authz_config.py` file. Please take a look at Demo PR linked above to understand rough idea behind it. ### Casbin policy Authorization model is defined as a single `model.conf` file. 
@@ -120,7 +122,7 @@ Note that current implementation does not have notion of group of users, but it ## Drawbacks -As current model works on level of endpoint, it would require relatively high effort to implement it for whole application, as we would need to modify every function of every blueprint. Despite this, once we ship authorization for a single endpoint, implementation for consecutive ones should be much easier and faster. +As proposed model works on level of endpoint, it would require relatively high effort to implement it for whole application, as we would need to modify every function of every blueprint. Despite this, once we ship authorization for a single endpoint, implementation for consecutive ones should be much easier and faster. ## Alternatives Since Amundsen stores mostly metadata, for majority of use cases granular access is not required, however I think almost everyone could benefit from simple model that allows defining READ/WRITE permissions on application level. Outlined concept certainly makes such scenario possible, however it may be an overkill. I think logic of application would be simpler by making such assumption, however most of code for granular control is already in place in Demo PR linked above. I am sometimes a bit frustrated with applications making certain assumption about granularity, so for for me it is important that users can adjust granularity by modifying config files. From 86b548cf32d3b3a40b02d7f75db396753fba1ee3 Mon Sep 17 00:00:00 2001 From: xfiderek Date: Wed, 8 Feb 2023 17:38:18 +0100 Subject: [PATCH 5/5] assign RFC number --- assets/{000 => 049}/concept.png | Bin ...ss-control.md => 049-granular-access-control.md} | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename assets/{000 => 049}/concept.png (100%) rename rfcs/{000-granular-access-control.md => 049-granular-access-control.md} (99%) 
diff --git a/assets/000/concept.png b/assets/049/concept.png similarity index 100% rename from assets/000/concept.png rename to assets/049/concept.png diff --git a/rfcs/000-granular-access-control.md b/rfcs/049-granular-access-control.md similarity index 99% rename from rfcs/000-granular-access-control.md rename to rfcs/049-granular-access-control.md index b5b5338..80ae8ef 100644 --- a/rfcs/000-granular-access-control.md +++ b/rfcs/049-granular-access-control.md @@ -1,6 +1,6 @@ - Feature Name: Granular access control - Phase 1 - Start Date: 2023-01-22 -- RFC PR: N/A +- RFC PR: [49](https://github.com/amundsen-io/rfcs/pull/49) - Amundsen Issue: N/A # Granular access control - Phase 1 @@ -69,7 +69,7 @@ Whenever unauthorized principal tries to access a resource, user should be redir ### Authorization flow To abstract application code from access control model as much as possible, amundsen calls authorization client in order to verify that "subject {S} is allowed to perform action {A} on object {O}". -![Concept Preview](../assets/000/concept.png) +![Concept Preview](../assets/049/concept.png) There are 3 components added to Amundsen frontend, which are described below.
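Review bot: In PATCH 1/5, the `[matchers]` line of `model.conf` compares `p.type` and `p.obj` with `regexMatch`, but the sample policy `p, test_user_id, table, hive://*, read` is written and explained as a wildcard. Read as a regular expression, `hive://*` means `hive:/` followed by zero or more `/`, and a pattern without `^`/`$` anchors such as `table` also matches longer type names that begin with it, so a rule can grant more than its author intended. Either switch the matcher to one of Casbin's glob-style functions such as `keyMatch`, or state in the RFC that policy values are regular expressions and show them anchored and escaped. The same hunk leaves two sentences unfinished ("For example we define that" and "Example when user calls"); they should be completed before merge.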
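Review bot: In PATCH 3/5, the "Default granularity" section re-added by the `@@ -155,6 +159,11 @@` hunk still carries the link `[authz_config.py]()` with an empty target, and its footnote line opens with `**` but closes with a single `*`, so the emphasis will not render as intended. Point the link at `frontend/amundsen_application/authz_config.py` (the path the RFC already names) or drop the link syntax, and balance the asterisks. "such granularity would possible" in the same footnote is missing "be".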
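Review bot: In PATCH 4/5, the `@@ -35,7 +36,7 @@` hunk strengthens "can also support filtering query results" to "also supports filtering search results" and keeps "You can define groups", while the rest of the RFC says the Elasticsearch filter method "is not implemented yet", that the filtering approach has never been tested, and that the current implementation has no notion of a group of users. Keep the conditional wording or mark both capabilities as planned, so that readers do not assume search results are already restricted by the authorization rules when only the `get_table_metadata` endpoint is covered.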