rbac

package
v3.0.0-...-4d98359
Warning

This package is not in the latest version of its module.
Published: Jan 10, 2025 License: Apache-2.0 Imports: 27 Imported by: 0

Constants

const (
	ConfigMapPolicyCSVKey     = "policy.csv"
	ConfigMapPolicyDefaultKey = "policy.default"
	ConfigMapScopesKey        = "scopes"
	ConfigMapMatchModeKey     = "policy.matchMode"
	GlobMatchMode             = "glob"
	RegexMatchMode            = "regex"
)

Variables

This section is empty.

Functions

func PolicyCSV

func PolicyCSV(data map[string]string) string

PolicyCSV generates the final policy CSV to be used by Argo CD RBAC. It finds the entries in the given data whose keys match the policy key name convention:

policy[.overlay].csv
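The practical consequence of that convention is that every ConfigMap key matching policy[.overlay].csv contributes rules to the effective policy, so each such key is part of the RBAC trust boundary and worth checking when reviewing the ConfigMap. The following is an added illustration of the merge, written for this page and not the Argo CD implementation; it assumes the main policy.csv entry is emitted first, overlays follow in sorted key order, and an overlay name is a single non-empty segment.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed illustration of the policy[.overlay].csv merge convention, not
// the Argo CD code. Assumed: policy.csv first, overlays in sorted key order,
// overlay is one non-empty segment (policy..csv and policy.a.b.csv ignored).
const policyCSVKey = "policy.csv"

// isOverlayKey reports whether key has the form policy.<overlay>.csv.
func isOverlayKey(key string) bool {
	if key == policyCSVKey || !strings.HasPrefix(key, "policy.") || !strings.HasSuffix(key, ".csv") {
		return false
	}
	overlay := strings.TrimSuffix(strings.TrimPrefix(key, "policy."), ".csv")
	return overlay != "" && !strings.Contains(overlay, ".")
}

// mergePolicyCSV builds the effective policy CSV from ConfigMap data: every
// matching key contributes rules, so each one widens what is allowed.
func mergePolicyCSV(data map[string]string) string {
	var b strings.Builder
	if base, ok := data[policyCSVKey]; ok {
		b.WriteString(strings.TrimSpace(base))
	}
	keys := make([]string, 0, len(data))
	for k := range data {
		if isOverlayKey(k) {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys) // deterministic order regardless of map iteration
	for _, k := range keys {
		if b.Len() > 0 {
			b.WriteString("\n")
		}
		b.WriteString(strings.TrimSpace(data[k]))
	}
	return b.String()
}

func main() {
	// Constructed sample data: one main policy, one overlay, one non-matching key.
	data := map[string]string{"policy.csv": "g, alice, role:readonly", "policy.team-a.csv": "g, bob, role:admin", "policy.default": "role:readonly"}
	fmt.Println(mergePolicyCSV(data))
}
```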

func ValidatePolicy

func ValidatePolicy(policy string) error

ValidatePolicy verifies that a policy string is acceptable to Casbin.

Types

type CasbinEnforcer

type CasbinEnforcer interface {
	EnableLog(bool)
	Enforce(rvals ...any) (bool, error)
	LoadPolicy() error
	EnableEnforce(bool)
	AddFunction(name string, function govaluate.ExpressionFunction)
	GetGroupingPolicy() ([][]string, error)
}

CasbinEnforcer represents the methods that must be implemented by a Casbin enforcer.

type ClaimsEnforcerFunc

type ClaimsEnforcerFunc func(claims jwt.Claims, rvals ...any) bool

ClaimsEnforcerFunc is a func template to enforce JWT claims. The subject is replaced

type Enforcer

type Enforcer struct {
	// contains filtered or unexported fields
}

Enforcer is a wrapper around a Casbin enforcer that:

* is backed by a Kubernetes ConfigMap
* has a predefined RBAC model
* supports a built-in policy
* supports a user-defined policy
* supports a custom JWT claims enforce function

func NewEnforcer

func NewEnforcer(clientset kubernetes.Interface, namespace, configmap string, claimsEnforcer ClaimsEnforcerFunc) *Enforcer

func (*Enforcer) CreateEnforcerWithRuntimePolicy

func (e *Enforcer) CreateEnforcerWithRuntimePolicy(project string, policy string) CasbinEnforcer

CreateEnforcerWithRuntimePolicy creates an enforcer with a policy defined at run time which augments the built-in and user-defined policies. Any explicit denies in the built-in and user-defined policies override the run-time policy. Runs normal enforcement if the run-time policy is empty.

func (*Enforcer) EnableEnforce

func (e *Enforcer) EnableEnforce(s bool)

EnableEnforce executes the casbin.Enforcer functionality and invalidates the cache if required.

func (*Enforcer) EnableLog

func (e *Enforcer) EnableLog(s bool)

EnableLog executes the casbin.Enforcer functionality.

func (*Enforcer) Enforce

func (e *Enforcer) Enforce(rvals ...any) bool

Enforce is a wrapper around casbin.Enforce that additionally enforces a default role and a custom claims function.

func (*Enforcer) EnforceErr

func (e *Enforcer) EnforceErr(rvals ...any) error

EnforceErr is a convenience helper that wraps a failed enforcement with a detailed error about the request.

func (*Enforcer) EnforceRuntimePolicy

func (e *Enforcer) EnforceRuntimePolicy(project string, policy string, rvals ...any) bool

EnforceRuntimePolicy enforces a policy defined at run time which augments the built-in and user-defined policies. Any explicit denies in the built-in and user-defined policies override the run-time policy. Runs normal enforcement if the run-time policy is empty.

func (*Enforcer) EnforceWithCustomEnforcer

func (e *Enforcer) EnforceWithCustomEnforcer(enf CasbinEnforcer, rvals ...any) bool

EnforceWithCustomEnforcer wraps Enforce with a custom enforcer.

func (*Enforcer) LoadPolicy

func (e *Enforcer) LoadPolicy() error

LoadPolicy executes the casbin.Enforcer functionality and invalidates the cache if required.

func (*Enforcer) RunPolicyLoader

func (e *Enforcer) RunPolicyLoader(ctx context.Context, onUpdated func(cm *corev1.ConfigMap) error) error

RunPolicyLoader runs the policy loader, which watches for policy updates in the ConfigMap and reloads them.

func (*Enforcer) SetBuiltinPolicy

func (e *Enforcer) SetBuiltinPolicy(policy string) error

SetBuiltinPolicy sets a built-in policy, which augments any user-defined policies.

func (*Enforcer) SetClaimsEnforcerFunc

func (e *Enforcer) SetClaimsEnforcerFunc(claimsEnforcer ClaimsEnforcerFunc)

SetClaimsEnforcerFunc sets a claims enforce function to be used during enforcement. The claims enforce function can extract claims from the JWT token and do the proper enforcement based on the user, group or any other information available in the input parameter list.

func (*Enforcer) SetDefaultRole

func (e *Enforcer) SetDefaultRole(roleName string)

SetDefaultRole sets a default role to use during enforcement. Enforcement falls back to this role if normal enforcement fails.

func (*Enforcer) SetMatchMode

func (e *Enforcer) SetMatchMode(mode string)

SetMatchMode sets the match mode at runtime: glob match or regex match.

func (*Enforcer) SetUserPolicy

func (e *Enforcer) SetUserPolicy(policy string) error

SetUserPolicy sets a user policy, which augments the built-in policy.
