Documentation ¶
Overview ¶
Package auth provides mechanisms for enforcing authorization to Project resources in OpenShift
Index ¶
- func NewUserProjectWatcher(user user.Info, visibleNamespaces sets.String, ...) *userProjectWatcher
- type AuthorizationCache
- func (ac *AuthorizationCache) AddWatcher(watcher CacheWatcher)
- func (ac *AuthorizationCache) GetClusterPolicyLister() client.SyncedClusterPoliciesListerInterface
- func (ac *AuthorizationCache) List(userInfo user.Info) (*kapi.NamespaceList, error)
- func (ac *AuthorizationCache) ReadyForAccess() bool
- func (ac *AuthorizationCache) RemoveWatcher(watcher CacheWatcher)
- func (ac *AuthorizationCache) Run(period time.Duration)
- type CacheWatcher
- type LastSyncResourceVersioner
- type Lister
- type Review
- type Reviewer
- type WatchableCache
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewUserProjectWatcher ¶ added in v1.3.0
func NewUserProjectWatcher(user user.Info, visibleNamespaces sets.String, projectCache *projectcache.ProjectCache, authCache WatchableCache, includeAllExistingProjects bool) *userProjectWatcher
Types ¶
type AuthorizationCache ¶
type AuthorizationCache struct {
// contains filtered or unexported fields
}
AuthorizationCache maintains a cache on the set of namespaces a user or group can access.
func NewAuthorizationCache ¶
func NewAuthorizationCache(namespaces cache.SharedIndexInformer, reviewer Reviewer, clusterPolicyLister client.SyncedClusterPoliciesListerInterface, clusterPolicyBindingLister client.SyncedClusterPolicyBindingsListerInterface, policyNamespacer client.SyncedPoliciesListerNamespacer, policyBindingNamespacer client.SyncedPolicyBindingsListerNamespacer, ) *AuthorizationCache
NewAuthorizationCache creates a new AuthorizationCache
func (*AuthorizationCache) AddWatcher ¶ added in v1.3.0
func (ac *AuthorizationCache) AddWatcher(watcher CacheWatcher)
func (*AuthorizationCache) GetClusterPolicyLister ¶ added in v1.3.0
func (ac *AuthorizationCache) GetClusterPolicyLister() client.SyncedClusterPoliciesListerInterface
func (*AuthorizationCache) List ¶
func (ac *AuthorizationCache) List(userInfo user.Info) (*kapi.NamespaceList, error)
List returns the set of namespace names the user has access to view
func (*AuthorizationCache) ReadyForAccess ¶
func (ac *AuthorizationCache) ReadyForAccess() bool
func (*AuthorizationCache) RemoveWatcher ¶ added in v1.3.0
func (ac *AuthorizationCache) RemoveWatcher(watcher CacheWatcher)
func (*AuthorizationCache) Run ¶
func (ac *AuthorizationCache) Run(period time.Duration)
Run begins watching and synchronizing the cache
type CacheWatcher ¶ added in v1.3.0
type CacheWatcher interface { // GroupMembershipChanged is called serially for all changes for all watchers. This method MUST NOT BLOCK. // The serial nature makes reasoning about the code easy, but if you block in this method you will doom all watchers. GroupMembershipChanged(namespaceName string, users, groups sets.String) }
type LastSyncResourceVersioner ¶
type LastSyncResourceVersioner interface {
LastSyncResourceVersion() string
}
LastSyncResourceVersioner is any object that can divulge a LastSyncResourceVersion
type Lister ¶
type Lister interface { // List returns the list of Namespace items that the user can access List(user user.Info) (*kapi.NamespaceList, error) }
Lister enforces ability to enumerate a resource based on policy
type Reviewer ¶
Reviewer performs access reviews for a project by name
func NewAuthorizerReviewer ¶ added in v1.0.8
func NewAuthorizerReviewer(policyChecker authorizer.SubjectLocator) Reviewer
func NewReviewer ¶
func NewReviewer(resourceAccessReviewsNamespacer client.LocalResourceAccessReviewsNamespacer) Reviewer
NewReviewer knows how to make access control reviews for a resource by name
type WatchableCache ¶ added in v1.3.0
type WatchableCache interface { // RemoveWatcher removes a watcher RemoveWatcher(CacheWatcher) // List returns the set of namespace names the user has access to view List(userInfo user.Info) (*kapi.NamespaceList, error) }
Click to show internal directories.
Click to hide internal directories.