rbac

package
v2.0.1 Latest
Warning

This package is not in the latest version of its module.
Published: Apr 15, 2021 | License: Apache-2.0 | Imports: 22 | Imported by: 2

Documentation

Constants

const (
	ConfigMapPolicyCSVKey     = "policy.csv"
	ConfigMapPolicyDefaultKey = "policy.default"
	ConfigMapScopesKey        = "scopes"
)

Variables

This section is empty.

Functions

func ValidatePolicy

func ValidatePolicy(policy string) error

ValidatePolicy verifies that a policy string is acceptable to casbin.

Types

type ClaimsEnforcerFunc

type ClaimsEnforcerFunc func(claims jwt.Claims, rvals ...interface{}) bool

ClaimsEnforcerFunc is a func template for enforcing JWT claims. The subject is replaced

type Enforcer

type Enforcer struct {
	*casbin.Enforcer
	// contains filtered or unexported fields
}

Enforcer is a wrapper around a Casbin enforcer that:
* is backed by a Kubernetes config map
* has a predefined RBAC model
* supports a built-in policy
* supports a user-defined policy
* supports a custom JWT claims enforce function

func NewEnforcer

func NewEnforcer(clientset kubernetes.Interface, namespace, configmap string, claimsEnforcer ClaimsEnforcerFunc) *Enforcer

func (*Enforcer) Enforce

func (e *Enforcer) Enforce(rvals ...interface{}) bool

Enforce is a wrapper around casbin.Enforce that additionally enforces a default role and a custom claims function.

func (*Enforcer) EnforceErr

func (e *Enforcer) EnforceErr(rvals ...interface{}) error

EnforceErr is a convenience helper that wraps a failed enforcement with a detailed error about the request.

func (*Enforcer) EnforceRuntimePolicy

func (e *Enforcer) EnforceRuntimePolicy(policy string, rvals ...interface{}) bool

EnforceRuntimePolicy enforces a policy defined at run-time which augments the built-in and user-defined policy. This allows any explicit denies in the built-in and user-defined policies to override the run-time policy. Runs normal enforcement if the run-time policy is empty.

func (*Enforcer) RunPolicyLoader

func (e *Enforcer) RunPolicyLoader(ctx context.Context, onUpdated func(cm *apiv1.ConfigMap) error) error

RunPolicyLoader runs the policy loader, which watches for policy updates from the configmap and reloads them.

func (*Enforcer) SetBuiltinPolicy

func (e *Enforcer) SetBuiltinPolicy(policy string) error

SetBuiltinPolicy sets a built-in policy, which augments any user-defined policies.

func (*Enforcer) SetClaimsEnforcerFunc

func (e *Enforcer) SetClaimsEnforcerFunc(claimsEnforcer ClaimsEnforcerFunc)

SetClaimsEnforcerFunc sets a claims enforce function to use during enforcement. The claims enforce function can extract claims from the JWT token and perform the proper enforcement based on user, group, or any other information available in the input parameter list.

func (*Enforcer) SetDefaultRole

func (e *Enforcer) SetDefaultRole(roleName string)

SetDefaultRole sets a default role to use during enforcement. Enforcement falls back to this role if normal enforcement fails.

func (*Enforcer) SetUserPolicy

func (e *Enforcer) SetUserPolicy(policy string) error

SetUserPolicy sets a user policy, augmenting the built-in policy.
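
The layering documented for Enforce, EnforceRuntimePolicy and SetDefaultRole above, as a standard-library Go model added here (it is not this package's code and does not call casbin). The five-field `p, subject, resource, action, effect` line layout, exact-match rules, the sample policies and the name `EnforceModel` are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample policies. ASSUMED line layout (not taken from the page):
// "p, subject, resource, action, effect".
const (
	builtinPolicy = "p, role:readonly, applications, get, allow\np, bob, applications, delete, deny"
	userPolicy    = "p, alice, applications, sync, allow"
	runtimePolicy = "p, bob, applications, delete, allow\np, bob, applications, sync, allow"
)

type rule struct{ sub, res, act, eft string }

// parse reads policy lines; anything that is not a 5-field "p" line is skipped.
func parse(policy string) (rules []rule) {
	for _, line := range strings.Split(policy, "\n") {
		f := strings.Split(strings.ReplaceAll(line, " ", ""), ",")
		if len(f) == 5 && f[0] == "p" {
			rules = append(rules, rule{f[1], f[2], f[3], f[4]})
		}
	}
	return rules
}

// decide applies deny-overrides: some matching allow and no matching deny.
func decide(rules []rule, sub, res, act string) bool {
	allow, deny := false, false
	for _, r := range rules {
		if r.sub == sub && r.res == res && r.act == act {
			allow = allow || r.eft == "allow"
			deny = deny || r.eft == "deny"
		}
	}
	return allow && !deny
}

// EnforceModel merges built-in, user and run-time layers, then falls back to defaultRole.
func EnforceModel(rtPolicy, defaultRole, sub, res, act string) bool {
	rules := parse(builtinPolicy + "\n" + userPolicy + "\n" + rtPolicy)
	return decide(rules, sub, res, act) || (defaultRole != "" && decide(rules, defaultRole, res, act))
}

func main() {
	fmt.Println(EnforceModel(runtimePolicy, "", "bob", "applications", "delete")) // false: built-in deny wins
}
```

Because the layers are merged before evaluation, a run-time allow can only widen access where no built-in or user-defined deny matches; the default role is consulted only as a second subject against the same merged rules.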
