authorization

package
v0.0.0-...-fd0897c Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 4, 2018 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package authorization is a generated protocol buffer package.

The `authorization` template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer

The `authorization` template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer adapters to make decisions about who is allowed to do what. In this template, the "who" is defined in a Subject message. The "what" is defined in an Action message. During a Mixer Check call, these values will be populated based on configuration from request attributes and passed to individual authorization adapters to adjudicate.

Example config:

```yaml apiVersion: "config.istio.io/v1alpha2" kind: authorization metadata: 

name: authinfo
namespace: istio-system

spec: 

subject:
  user: source.user | request.auth.token[user] | ""
  groups: request.auth.token[groups]
  properties:
   iss: request.auth.token["iss"]
action:
  namespace: destination.namespace | "default"
  service: destination.service | ""
  path: request.path | "/"
  method: request.method | "post"
  properties:
    version: destination.labels[version] | ""
```

It is generated from these files: 

mixer/template/authorization/template_handler_service.proto

It has these top-level messages: 

HandleAuthorizationRequest
InstanceMsg
SubjectMsg
ActionMsg
Type
SubjectType
ActionType
InstanceParam
SubjectInstanceParam
ActionInstanceParam

Index

Constants

View Source 
const TemplateName = "authorization"

Fully qualified name of the template

Variables

View Source 
var (
	ErrInvalidLengthTemplateHandlerService = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowTemplateHandlerService   = fmt.Errorf("proto: integer overflow")
)

Functions

func RegisterHandleAuthorizationServiceServer 

func RegisterHandleAuthorizationServiceServer(s *grpc.Server, srv HandleAuthorizationServiceServer)

Types

type Action 

type Action struct {

	// Namespace the target action is taking place in.
	Namespace string

	// The Service the action is being taken on.
	Service string

	// What action is being taken.
	Method string

	// HTTP REST path within the service
	Path string

	// Additional data about the action for use in policy.
	Properties map[string]interface{}
}

An action defines "how a resource is accessed".

type ActionInstanceParam 

type ActionInstanceParam struct {
	// Namespace the target action is taking place in.
	Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"`
	// The Service the action is being taken on.
	Service string `protobuf:"bytes,2,opt,name=service,proto3" json:"service,omitempty"`
	// What action is being taken.
	Method string `protobuf:"bytes,3,opt,name=method,proto3" json:"method,omitempty"`
	// HTTP REST path within the service
	Path string `protobuf:"bytes,4,opt,name=path,proto3" json:"path,omitempty"`
	// Additional data about the action for use in policy.
	Properties map[string]string `` /* 154-byte string literal not displayed */
}

An action defines "how a resource is accessed".

func (*ActionInstanceParam) Descriptor 

func (*ActionInstanceParam) Descriptor() ([]byte, []int)

func (*ActionInstanceParam) Marshal 

func (m *ActionInstanceParam) Marshal() (dAtA []byte, err error)

func (*ActionInstanceParam) MarshalTo 

func (m *ActionInstanceParam) MarshalTo(dAtA []byte) (int, error)

func (*ActionInstanceParam) ProtoMessage 

func (*ActionInstanceParam) ProtoMessage()

func (*ActionInstanceParam) Reset 

func (m *ActionInstanceParam) Reset()

func (*ActionInstanceParam) Size 

func (m *ActionInstanceParam) Size() (n int)

func (*ActionInstanceParam) String 

func (this *ActionInstanceParam) String() string

func (*ActionInstanceParam) Unmarshal 

func (m *ActionInstanceParam) Unmarshal(dAtA []byte) error

type ActionMsg 

type ActionMsg struct {
	// Namespace the target action is taking place in.
	Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"`
	// The Service the action is being taken on.
	Service string `protobuf:"bytes,2,opt,name=service,proto3" json:"service,omitempty"`
	// What action is being taken.
	Method string `protobuf:"bytes,3,opt,name=method,proto3" json:"method,omitempty"`
	// HTTP REST path within the service
	Path string `protobuf:"bytes,4,opt,name=path,proto3" json:"path,omitempty"`
	// Additional data about the action for use in policy.
	Properties map[string]*istio_mixer_adapter_model_v1beta12.Value `` /* 147-byte string literal not displayed */
}

An action defines "how a resource is accessed".

func (*ActionMsg) Descriptor 

func (*ActionMsg) Descriptor() ([]byte, []int)

func (*ActionMsg) Marshal 

func (m *ActionMsg) Marshal() (dAtA []byte, err error)

func (*ActionMsg) MarshalTo 

func (m *ActionMsg) MarshalTo(dAtA []byte) (int, error)

func (*ActionMsg) ProtoMessage 

func (*ActionMsg) ProtoMessage()

func (*ActionMsg) Reset 

func (m *ActionMsg) Reset()

func (*ActionMsg) Size 

func (m *ActionMsg) Size() (n int)

func (*ActionMsg) String 

func (this *ActionMsg) String() string

func (*ActionMsg) Unmarshal 

func (m *ActionMsg) Unmarshal(dAtA []byte) error

type ActionType 

type ActionType struct {
	// Additional data about the action for use in policy.
	Properties map[string]istio_policy_v1beta1.ValueType `` /* 191-byte string literal not displayed */
}

An action defines "how a resource is accessed".

func (*ActionType) Descriptor 

func (*ActionType) Descriptor() ([]byte, []int)

func (*ActionType) Marshal 

func (m *ActionType) Marshal() (dAtA []byte, err error)

func (*ActionType) MarshalTo 

func (m *ActionType) MarshalTo(dAtA []byte) (int, error)

func (*ActionType) ProtoMessage 

func (*ActionType) ProtoMessage()

func (*ActionType) Reset 

func (m *ActionType) Reset()

func (*ActionType) Size 

func (m *ActionType) Size() (n int)

func (*ActionType) String 

func (this *ActionType) String() string

func (*ActionType) Unmarshal 

func (m *ActionType) Unmarshal(dAtA []byte) error

type HandleAuthorizationRequest 

type HandleAuthorizationRequest struct {
	// 'authorization' instance.
	Instance *InstanceMsg `protobuf:"bytes,1,opt,name=instance" json:"instance,omitempty"`
	// Adapter specific handler configuration.
	//
	// Note: Backends can also implement [InfrastructureBackend][https://istio.io/docs/reference/config/mixer/istio.mixer.adapter.model.v1beta1.html#InfrastructureBackend]
	// service and therefore opt to receive handler configuration during session creation through [InfrastructureBackend.CreateSession][TODO: Link to this fragment]
	// call. In that case, adapter_config will have type_url as 'google.protobuf.Any.type_url' and would contain string
	// value of session_id (returned from InfrastructureBackend.CreateSession).
	AdapterConfig *google_protobuf1.Any `protobuf:"bytes,2,opt,name=adapter_config,json=adapterConfig" json:"adapter_config,omitempty"`
	// Id to dedupe identical requests from Mixer.
	DedupId string `protobuf:"bytes,3,opt,name=dedup_id,json=dedupId,proto3" json:"dedup_id,omitempty"`
}

Request message for HandleAuthorization method.

func (*HandleAuthorizationRequest) Descriptor 

func (*HandleAuthorizationRequest) Descriptor() ([]byte, []int)

func (*HandleAuthorizationRequest) Marshal 

func (m *HandleAuthorizationRequest) Marshal() (dAtA []byte, err error)

func (*HandleAuthorizationRequest) MarshalTo 

func (m *HandleAuthorizationRequest) MarshalTo(dAtA []byte) (int, error)

func (*HandleAuthorizationRequest) ProtoMessage 

func (*HandleAuthorizationRequest) ProtoMessage()

func (*HandleAuthorizationRequest) Reset 

func (m *HandleAuthorizationRequest) Reset()

func (*HandleAuthorizationRequest) Size 

func (m *HandleAuthorizationRequest) Size() (n int)

func (*HandleAuthorizationRequest) String 

func (this *HandleAuthorizationRequest) String() string

func (*HandleAuthorizationRequest) Unmarshal 

func (m *HandleAuthorizationRequest) Unmarshal(dAtA []byte) error

type HandleAuthorizationServiceClient 

type HandleAuthorizationServiceClient interface {
	// HandleAuthorization is called by Mixer at request-time to deliver 'authorization' instances to the backend.
	HandleAuthorization(ctx context.Context, in *HandleAuthorizationRequest, opts ...grpc.CallOption) (*istio_mixer_adapter_model_v1beta11.CheckResult, error)
}

func NewHandleAuthorizationServiceClient 

func NewHandleAuthorizationServiceClient(cc *grpc.ClientConn) HandleAuthorizationServiceClient

type HandleAuthorizationServiceServer 

type HandleAuthorizationServiceServer interface {
	// HandleAuthorization is called by Mixer at request-time to deliver 'authorization' instances to the backend.
	HandleAuthorization(context.Context, *HandleAuthorizationRequest) (*istio_mixer_adapter_model_v1beta11.CheckResult, error)
}

type Handler 

type Handler interface {
	adapter.Handler

	// HandleAuthorization is called by Mixer at request time to deliver instances to
	// to an adapter.
	HandleAuthorization(context.Context, *Instance) (adapter.CheckResult, error)
}

Handler must be implemented by adapter code if it wants to process data associated with the 'authorization' template.

Mixer uses this interface to call into the adapter at request time in order to dispatch created instances to the adapter. Adapters take the incoming instances and do what they need to achieve their primary function.

The name of each instance can be used as a key into the Type map supplied to the adapter at configuration time via the method 'SetAuthorizationTypes'. These Type associated with an instance describes the shape of the instance

type HandlerBuilder 

type HandlerBuilder interface {
	adapter.HandlerBuilder

	// SetAuthorizationTypes is invoked by Mixer to pass the template-specific Type information for instances that an adapter
	// may receive at runtime. The type information describes the shape of the instance.
	SetAuthorizationTypes(map[string]*Type)
}

HandlerBuilder must be implemented by adapters if they want to process data associated with the 'authorization' template.

Mixer uses this interface to call into the adapter at configuration time to configure it with adapter-specific configuration as well as all template-specific type information.

type Instance 

type Instance struct {
	// Name of the instance as specified in configuration.
	Name string

	// A subject contains a list of attributes that identify
	// the caller identity.
	Subject *Subject

	// An action defines "how a resource is accessed".
	Action *Action
}

Instance is constructed by Mixer for the 'authorization' template.

The `authorization` template defines parameters for performing policy enforcement within Istio. It is primarily concerned with enabling Mixer adapters to make decisions about who is allowed to do what. In this template, the "who" is defined in a Subject message. The "what" is defined in an Action message. During a Mixer Check call, these values will be populated based on configuration from request attributes and passed to individual authorization adapters to adjudicate.

Example config:

```yaml apiVersion: "config.istio.io/v1alpha2" kind: authorization metadata: 

name: authinfo
namespace: istio-system

spec: 

subject:
  user: source.user | request.auth.token[user] | ""
  groups: request.auth.token[groups]
  properties:
   iss: request.auth.token["iss"]
action:
  namespace: destination.namespace | "default"
  service: destination.service | ""
  path: request.path | "/"
  method: request.method | "post"
  properties:
    version: destination.labels[version] | ""
```

type InstanceMsg 

type InstanceMsg struct {
	// Name of the instance as specified in configuration.
	Name string `protobuf:"bytes,72295727,opt,name=name,proto3" json:"name,omitempty"`
	// A subject contains a list of attributes that identify
	// the caller identity.
	Subject *SubjectMsg `protobuf:"bytes,1,opt,name=subject" json:"subject,omitempty"`
	// An action defines "how a resource is accessed".
	Action *ActionMsg `protobuf:"bytes,2,opt,name=action" json:"action,omitempty"`
}

Contains instance payload for 'authorization' template. This is passed to infrastructure backends during request-time through HandleAuthorizationService.HandleAuthorization.

func (*InstanceMsg) Descriptor 

func (*InstanceMsg) Descriptor() ([]byte, []int)

func (*InstanceMsg) Marshal 

func (m *InstanceMsg) Marshal() (dAtA []byte, err error)

func (*InstanceMsg) MarshalTo 

func (m *InstanceMsg) MarshalTo(dAtA []byte) (int, error)

func (*InstanceMsg) ProtoMessage 

func (*InstanceMsg) ProtoMessage()

func (*InstanceMsg) Reset 

func (m *InstanceMsg) Reset()

func (*InstanceMsg) Size 

func (m *InstanceMsg) Size() (n int)

func (*InstanceMsg) String 

func (this *InstanceMsg) String() string

func (*InstanceMsg) Unmarshal 

func (m *InstanceMsg) Unmarshal(dAtA []byte) error

type InstanceParam 

type InstanceParam struct {
	// A subject contains a list of attributes that identify
	// the caller identity.
	Subject *SubjectInstanceParam `protobuf:"bytes,1,opt,name=subject" json:"subject,omitempty"`
	// An action defines "how a resource is accessed".
	Action *ActionInstanceParam `protobuf:"bytes,2,opt,name=action" json:"action,omitempty"`
}

Represents instance configuration schema for 'authorization' template.

func (*InstanceParam) Descriptor 

func (*InstanceParam) Descriptor() ([]byte, []int)

func (*InstanceParam) Marshal 

func (m *InstanceParam) Marshal() (dAtA []byte, err error)

func (*InstanceParam) MarshalTo 

func (m *InstanceParam) MarshalTo(dAtA []byte) (int, error)

func (*InstanceParam) ProtoMessage 

func (*InstanceParam) ProtoMessage()

func (*InstanceParam) Reset 

func (m *InstanceParam) Reset()

func (*InstanceParam) Size 

func (m *InstanceParam) Size() (n int)

func (*InstanceParam) String 

func (this *InstanceParam) String() string

func (*InstanceParam) Unmarshal 

func (m *InstanceParam) Unmarshal(dAtA []byte) error

type Subject 

type Subject struct {

	// The user name/ID that the subject represents.
	User string

	// Groups the subject belongs to depending on the authentication mechanism,
	// "groups" are normally populated from JWT claim or client certificate.
	// The operator can define how it is populated when creating an instance of
	// the template.
	Groups string

	// Additional attributes about the subject.
	Properties map[string]interface{}
}

A subject contains a list of attributes that identify the caller identity.

type SubjectInstanceParam 

type SubjectInstanceParam struct {
	// The user name/ID that the subject represents.
	User string `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`
	// Groups the subject belongs to depending on the authentication mechanism,
	// "groups" are normally populated from JWT claim or client certificate.
	// The operator can define how it is populated when creating an instance of
	// the template.
	Groups string `protobuf:"bytes,2,opt,name=groups,proto3" json:"groups,omitempty"`
	// Additional attributes about the subject.
	Properties map[string]string `` /* 154-byte string literal not displayed */
}

A subject contains a list of attributes that identify the caller identity.

func (*SubjectInstanceParam) Descriptor 

func (*SubjectInstanceParam) Descriptor() ([]byte, []int)

func (*SubjectInstanceParam) Marshal 

func (m *SubjectInstanceParam) Marshal() (dAtA []byte, err error)

func (*SubjectInstanceParam) MarshalTo 

func (m *SubjectInstanceParam) MarshalTo(dAtA []byte) (int, error)

func (*SubjectInstanceParam) ProtoMessage 

func (*SubjectInstanceParam) ProtoMessage()

func (*SubjectInstanceParam) Reset 

func (m *SubjectInstanceParam) Reset()

func (*SubjectInstanceParam) Size 

func (m *SubjectInstanceParam) Size() (n int)

func (*SubjectInstanceParam) String 

func (this *SubjectInstanceParam) String() string

func (*SubjectInstanceParam) Unmarshal 

func (m *SubjectInstanceParam) Unmarshal(dAtA []byte) error

type SubjectMsg 

type SubjectMsg struct {
	// The user name/ID that the subject represents.
	User string `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`
	// Groups the subject belongs to depending on the authentication mechanism,
	// "groups" are normally populated from JWT claim or client certificate.
	// The operator can define how it is populated when creating an instance of
	// the template.
	Groups string `protobuf:"bytes,2,opt,name=groups,proto3" json:"groups,omitempty"`
	// Additional attributes about the subject.
	Properties map[string]*istio_mixer_adapter_model_v1beta12.Value `` /* 147-byte string literal not displayed */
}

A subject contains a list of attributes that identify the caller identity.

func (*SubjectMsg) Descriptor 

func (*SubjectMsg) Descriptor() ([]byte, []int)

func (*SubjectMsg) Marshal 

func (m *SubjectMsg) Marshal() (dAtA []byte, err error)

func (*SubjectMsg) MarshalTo 

func (m *SubjectMsg) MarshalTo(dAtA []byte) (int, error)

func (*SubjectMsg) ProtoMessage 

func (*SubjectMsg) ProtoMessage()

func (*SubjectMsg) Reset 

func (m *SubjectMsg) Reset()

func (*SubjectMsg) Size 

func (m *SubjectMsg) Size() (n int)

func (*SubjectMsg) String 

func (this *SubjectMsg) String() string

func (*SubjectMsg) Unmarshal 

func (m *SubjectMsg) Unmarshal(dAtA []byte) error

type SubjectType 

type SubjectType struct {
	// Additional attributes about the subject.
	Properties map[string]istio_policy_v1beta1.ValueType `` /* 191-byte string literal not displayed */
}

A subject contains a list of attributes that identify the caller identity.

func (*SubjectType) Descriptor 

func (*SubjectType) Descriptor() ([]byte, []int)

func (*SubjectType) Marshal 

func (m *SubjectType) Marshal() (dAtA []byte, err error)

func (*SubjectType) MarshalTo 

func (m *SubjectType) MarshalTo(dAtA []byte) (int, error)

func (*SubjectType) ProtoMessage 

func (*SubjectType) ProtoMessage()

func (*SubjectType) Reset 

func (m *SubjectType) Reset()

func (*SubjectType) Size 

func (m *SubjectType) Size() (n int)

func (*SubjectType) String 

func (this *SubjectType) String() string

func (*SubjectType) Unmarshal 

func (m *SubjectType) Unmarshal(dAtA []byte) error

type Type 

type Type struct {
	// A subject contains a list of attributes that identify
	// the caller identity.
	Subject *SubjectType `protobuf:"bytes,1,opt,name=subject" json:"subject,omitempty"`
	// An action defines "how a resource is accessed".
	Action *ActionType `protobuf:"bytes,2,opt,name=action" json:"action,omitempty"`
}

Contains inferred type information about specific instance of 'authorization' template. This is passed to infrastructure backends during configuration-time through [InfrastructureBackend.CreateSession][TODO: Link to this fragment].

func (*Type) Descriptor 

func (*Type) Descriptor() ([]byte, []int)

func (*Type) Marshal 

func (m *Type) Marshal() (dAtA []byte, err error)

func (*Type) MarshalTo 

func (m *Type) MarshalTo(dAtA []byte) (int, error)

func (*Type) ProtoMessage 

func (*Type) ProtoMessage()

func (*Type) Reset 

func (m *Type) Reset()

func (*Type) Size 

func (m *Type) Size() (n int)

func (*Type) String 

func (this *Type) String() string

func (*Type) Unmarshal 

func (m *Type) Unmarshal(dAtA []byte) error

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.