iam

package module
v0.0.8 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 12, 2022 License: MIT Imports: 14 Imported by: 25

README

license Release Version PRs Welcome

(English Documents Available)

Overview

iam-go-sdk 是蓝鲸权限中心(BK-IAM)提供的用于快速接入权限体系的go SDK

Features

  • 鉴权支持: IsAllowed / IsAllowedWithCache
  • 单个操作批量资源鉴权: BatchIsAllowed
  • 单个资源批量操作鉴权: ResourceMultiActionsAllowed
  • 批量资源批量操作鉴权: BatchResourceMultiActionsAllowed
  • 生成无权限申请URL: GetApplyURL
  • 生成无权限协议json: GenPermissionApplyData
  • 资源反向拉取接口basic auth鉴权: IsBasicAuthAllowed / 以及basic auth middleware
  • 获取系统Token: GetToken
  • 支持prometheus统计接口调用信息
  • 支持反向拉取框架 dispatcher/provider interface

Getting started

Installation

$ go get -u github.com/TencentBlueKing/iam-go-sdk

Usage

Benchmark

$ make bench

BenchmarkExprCellEqual-12         	 6156810	       193 ns/op	      32 B/op	       1 allocs/op
BenchmarkExprCellNotEqual-12      	 6286323	       190 ns/op	      32 B/op	       1 allocs/op
BenchmarkExprCellLess-12          	 8583621	       142 ns/op	      32 B/op	       1 allocs/op
BenchmarkExprCellStartsWith-12    	 9665572	       126 ns/op	      32 B/op	       1 allocs/op
BenchmarkExprCellIn-12            	 2872075	       411 ns/op	      64 B/op	       3 allocs/op

Roadmap

IAM Repos

Support

BlueKing Community

  • BK-CI:蓝鲸持续集成平台是一个开源的持续集成和持续交付系统,可以轻松将你的研发流程呈现到你面前。
  • BK-BCS:蓝鲸容器管理平台是以容器技术为基础,为微服务业务提供编排管理的基础服务平台。
  • BK-BCS-SaaS:蓝鲸容器管理平台SaaS基于原生Kubernetes和Mesos自研的两种模式,提供给用户高度可扩展、灵活易用的容器产品服务。
  • BK-PaaS:蓝鲸PaaS平台是一个开放式的开发平台,让开发者可以方便快捷地创建、开发、部署和管理SaaS应用。
  • BK-SOPS:标准运维(SOPS)是通过可视化的图形界面进行任务流程编排和执行的系统,是蓝鲸体系中一款轻量级的调度编排类SaaS产品。
  • BK-CMDB:蓝鲸配置平台是一个面向资产及应用的企业级配置管理平台。

Contributing

如果你有好的意见或建议,欢迎给我们提 Issues 或 Pull Requests,为蓝鲸开源社区贡献力量。

License

基于 MIT 协议, 详细请参考LICENSE

Documentation

Index

Constants

View Source
const Version = "v0.0.8"

Variables

This section is empty.

Functions

func NewObjectSet

func NewObjectSet(resources Resources) expression.ObjectSetInterface

NewObjectSet create an ObjectSet from resources

Types

type Action

type Action struct {
	ID string `json:"id" binding:"required"`
}

Action is the action of permission

func NewAction

func NewAction(id string) Action

NewAction create a action with id

type ActionPolicy

type ActionPolicy struct {
	Action    Action              `json:"action"`
	Condition expression.ExprCell `json:"condition"`
}

ActionPolicy is the response struct

type Application

type Application struct {
	SystemID string              `json:"system_id"`
	Actions  []ApplicationAction `json:"actions"`
}

Application is the application for permission

func NewApplication

func NewApplication(system string, actions []ApplicationAction) Application

NewApplication will create the application

func (*Application) Validate

func (a *Application) Validate() error

Validate will check if the application is valid

type ApplicationAction

type ApplicationAction struct {
	ID                   string                           `json:"id"`
	RelatedResourceTypes []ApplicationRelatedResourceType `json:"related_resource_types"`
}

ApplicationAction is the action for application

func NewApplicationAction

func NewApplicationAction(id string, rrt []ApplicationRelatedResourceType) ApplicationAction

NewApplicationAction will create the application action

func (*ApplicationAction) Validate

func (aa *ApplicationAction) Validate() error

Validate will check if the application action is valid

type ApplicationActionForApply

type ApplicationActionForApply struct {
	ID                   string                                   `json:"id" binding:"required"`
	Name                 string                                   `json:"name" binding:"required"`
	RelatedResourceTypes []ApplicationRelatedResourceTypeWithName `json:"related_resource_types"`
}

ApplicationActionForApply is the action for apply

type ApplicationActionListForApply

type ApplicationActionListForApply struct {
	SystemID   string                      `json:"system_id" binding:"required"`
	SystemName string                      `json:"system_name" binding:"required"`
	Actions    []ApplicationActionForApply `json:"actions" binding:"required"`
}

ApplicationActionListForApply is the action list for apply

type ApplicationRelatedResourceType

type ApplicationRelatedResourceType struct {
	SystemID  string                        `json:"system_id"`
	Type      string                        `json:"type"`
	Instances []ApplicationResourceInstance `json:"instances"`
}

ApplicationRelatedResourceType is the related resource type for application

func (*ApplicationRelatedResourceType) Validate

func (arr *ApplicationRelatedResourceType) Validate() error

Validate will check if the application related resource type is valid

type ApplicationRelatedResourceTypeWithName

type ApplicationRelatedResourceTypeWithName struct {
	SystemID   string                                `json:"system_id" binding:"required"`
	SystemName string                                `json:"system_name" binding:"required"`
	Type       string                                `json:"type" binding:"required"`
	TypeName   string                                `json:"type_name" binding:"required"`
	Instances  []ApplicationResourceInstanceWithName `json:"instances" binding:"required"`
}

ApplicationRelatedResourceTypeWithName is the related resource type with names

type ApplicationResourceInstance

type ApplicationResourceInstance []ApplicationResourceNode

ApplicationResourceInstance is the resource instance for application

type ApplicationResourceInstanceWithName

type ApplicationResourceInstanceWithName []ApplicationResourceNodeWithName

ApplicationResourceInstanceWithName is the resource instance for application, which with the names of each field

type ApplicationResourceNode

type ApplicationResourceNode struct {
	Type string `json:"type" binding:"required"`
	ID   string `json:"id" binding:"required"`
}

ApplicationResourceNode is the resourc node struct for application

type ApplicationResourceNodeWithName

type ApplicationResourceNodeWithName struct {
	Type     string `json:"type" binding:"required"`
	TypeName string `json:"type_name" binding:"required"`
	ID       string `json:"id" binding:"required"`
	Name     string `json:"name" binding:"required"`
}

ApplicationResourceNodeWithName is the resourc node struct for application, which with the names of each field

type H

type H map[string]interface{}

H is a shortcut for map[string]interface{}

type IAM

type IAM struct {
	// contains filtered or unexported fields
}

IAM is the instance of iam sdk

func NewAPIGatewayIAM added in v0.0.5

func NewAPIGatewayIAM(system string, appCode, appSecret, bkAPIGatewayURL string) *IAM

NewAPIGatewayIAM will create an IAM instance, call all api through APIGateway if your TencentBlueking has a APIGateway, use this, recommend

func NewIAM

func NewIAM(system string, appCode, appSecret, bkIAMHost, bkPaaSHost string) *IAM

NewIAM will create an IAM instance if your TencentBlueking has a APIGateway, use NewAPIGatewayIAM

func (*IAM) BatchIsAllowed

func (i *IAM) BatchIsAllowed(request Request, resourcesList []Resources) (result map[string]bool, err error)

BatchIsAllowed will batch check the permission for resources lists

func (*IAM) BatchResourceMultiActionsAllowed

func (i *IAM) BatchResourceMultiActionsAllowed(
	request MultiActionRequest,
	resourcesList []Resources,
) (results map[string]map[string]bool, err error)

BatchResourceMultiActionsAllowed will check the permissions of batch-resource with multi-actions

func (*IAM) GenPermissionApplyData

func (i *IAM) GenPermissionApplyData(a ApplicationActionListForApply) (data H, err error)

GenPermissionApplyData will generate the apply data

func (*IAM) GetApplyURL

func (i *IAM) GetApplyURL(application Application, bkToken string, bkUsername string) (url string, err error)

GetApplyURL will generate the application URL

func (*IAM) GetToken

func (i *IAM) GetToken() (token string, err error)

GetToken will get the token of system

func (*IAM) IsAllowed

func (i *IAM) IsAllowed(request Request) (allowed bool, err error)

IsAllowed will check if the permission is allowed

func (*IAM) IsAllowedWithCache

func (i *IAM) IsAllowedWithCache(request Request, ttl time.Duration) (allowed bool, err error)

IsAllowedWithCache will check if the permission is allowed, will cache with ttl

func (*IAM) IsBasicAuthAllowed

func (i *IAM) IsBasicAuthAllowed(username, password string) (err error)

IsBasicAuthAllowed will check basic auth of callback request

func (*IAM) ResourceMultiActionsAllowed

func (i *IAM) ResourceMultiActionsAllowed(request MultiActionRequest) (result map[string]bool, err error)

ResourceMultiActionsAllowed will check the permission of one-resource with multi-actions

type MultiActionRequest

type MultiActionRequest struct {
	System    string    `json:"system" binding:"required"`
	Subject   Subject   `json:"subject" binding:"required"`
	Actions   []Action  `json:"actions" binding:"required"`
	Resources Resources `json:"resources" binding:"omitempty"`
}

MultiActionRequest is the request object for Multi Actions Request

func NewMultiActionRequest

func NewMultiActionRequest(
	system string,
	subject Subject,
	actions []Action,
	resources []ResourceNode,
) MultiActionRequest

NewMultiActionRequest create a request

func (*MultiActionRequest) Validate

func (mar *MultiActionRequest) Validate() error

Validate will check if the request is valid

type Request

type Request struct {
	System    string    `json:"system" binding:"required"`
	Subject   Subject   `json:"subject" binding:"required"`
	Action    Action    `json:"action" binding:"required"`
	Resources Resources `json:"resources" binding:"omitempty"`
}

Request is the policy query request body

func NewRequest

func NewRequest(system string, subject Subject, action Action, resources []ResourceNode) Request

NewRequest create a new request for policy query

func (*Request) CacheKey

func (r *Request) CacheKey() (string, error)

CacheKey make the unique key of a request

func (*Request) GenObjectSet

func (r *Request) GenObjectSet() expression.ObjectSetInterface

GenObjectSet create an ObjectSet from the resources of request

func (*Request) Validate

func (r *Request) Validate() error

Validate will check if the request is valid

type ResourceNode

type ResourceNode struct {
	System    string                 `json:"system" binding:"required"`
	Type      string                 `json:"type" binding:"required"`
	ID        string                 `json:"id" binding:"required"`
	Attribute map[string]interface{} `json:"attribute" binding:"required"`
}

ResourceNode is the mini unit of a resource

func NewResourceNode

func NewResourceNode(system, _type, id string, attrs map[string]interface{}) ResourceNode

NewResourceNode create a resrouce node

type Resources

type Resources []ResourceNode

Resources means `one resource`

type Subject

type Subject struct {
	Type string `json:"type" binding:"required,oneof=user"`
	ID   string `json:"id" binding:"required"`
}

Subject is the object of permission

func NewSubject

func NewSubject(_type, id string) Subject

NewSubject create a subject with type and id

Directories

Path Synopsis
examples

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL