authz

Documentation

Index

• type Authorizer
  • func Load(fname string) (*Authorizer, error)
  • func (a *Authorizer) Authorize(user string, groups []string, resource string, permission string) bool
• type Policy
• type RoleDefinition
• type RoleMap

Types

type Authorizer

type Authorizer struct {
	// hash of the source policy yaml file (to check for diffs)
	SourcePolicyHash string `json:"source_policy_hash"`

	// role name to the permissions granted by the role
	Roles map[string]set `json:"roles,omitempty"`

	// user name to resource permissions
	Users map[string]resourcePermissions `json:"users,omitempty"`

	// group name to resource permissions
	Groups map[string]resourcePermissions `json:"groups,omitempty"`
}

Authorizer maintains the compiled authorization data

func Load

func Load(fname string) (*Authorizer, error)

Load loads a policy file onto memory

func (*Authorizer) Authorize

func (a *Authorizer) Authorize(user string, groups []string, resource string, permission string) bool

Authorize checks whether a user or set of groups have a permission on a given resource. Performance: worst case O(n), where n is the number of groups being checked

type Policy

type Policy struct {
	Roles     map[string]RoleDefinition `yaml:"roles,omitempty"`
	Resources map[string]RoleMap        `yaml:"resources,omitempty"`
}

Policy represents how policies are defined

type RoleDefinition

type RoleDefinition struct {
	Permissions []string `yaml:"permissions,omitempty"`
	Extends     []string `yaml:"extends,omitempty"`
}

RoleDefinition represents how a role is defined

type RoleMap

type RoleMap map[string]struct {
	Users  []string `yaml:"users,omitempty"`
	Groups []string `yaml:"groups,omitempty"`
}

RoleMap is a map of role name to the collection of identities that receive the permissions of the role