Constants ¶
const EveryoneGroup = "everyone"
All users are implicitly members of this group, so a permission mapped to EveryoneGroup (see NewPrincipalPermissionChecker) is effectively granted to every principal. Whether the anonymous principal returned by GetPrincipal also counts as a member is not stated here — confirm before relying on this group to restrict access.
const (
SIDAuthenticationAuthorityAssertedIdentity = "S-1-18-1"
)
These constants are copied from github.com/jcmturner/gokrb5/v8/spnego/http.go, which the Kerberos/SPNEGO handling in this package partly reimplements for gRPC; the upstream constants are unexported and therefore cannot be imported. S-1-18-1 is the well-known Windows "Authentication authority asserted identity" SID.
Functions ¶
func CreateMiddlewareAuthFunction ¶
func CreateMiddlewareAuthFunction(authServices []AuthService) grpc_auth.AuthFunc
CreateMiddlewareAuthFunction returns an authentication function that combines the given authentication services. The services in authServices are tried one at a time, in the order given: the first service that authenticates the request wins and the remaining services are not consulted, and an error is returned only if every service fails. Order therefore matters — a service that accepts every request (presumably AnonymousAuthService; confirm against its Authenticate) must be placed last, because anything listed after it would never run.
If authentication succeeds, the Principal returned by the winning service is stored in the request context (see WithPrincipal and GetPrincipal). It is used for logging, but it is also what PrincipalPermissionChecker reads when making authorization decisions, so the stored principal is security-relevant and not merely informational.
Types ¶
type AnonymousAuthService ¶
type AnonymousAuthService struct{}
func (AnonymousAuthService) Authenticate ¶
func (AnonymousAuthService) Authenticate(ctx context.Context) (Principal, error)
func (*AnonymousAuthService) Name ¶
func (authService *AnonymousAuthService) Name() string
type AuthService ¶
AuthService represents one method of authenticating a request to the gRPC API, e.g., username/password (BasicAuthService), Kerberos, Kubernetes token review, or OpenID. The gRPC server may be started with several AuthService implementations; CreateMiddlewareAuthFunction combines them, trying each in turn.
type BasicAuthService ¶
type BasicAuthService struct {
// contains filtered or unexported fields
}
func NewBasicAuthService ¶
func NewBasicAuthService(users map[string]configuration.UserInfo) *BasicAuthService
func (*BasicAuthService) Authenticate ¶
func (authService *BasicAuthService) Authenticate(ctx context.Context) (Principal, error)
func (*BasicAuthService) Name ¶
func (authService *BasicAuthService) Name() string
type KerberosAuthService ¶
type KerberosAuthService struct {
// contains filtered or unexported fields
}
func NewKerberosAuthService ¶
func NewKerberosAuthService(config *configuration.KerberosAuthenticationConfig, groupLookup groups.GroupLookup) (*KerberosAuthService, error)
func (*KerberosAuthService) Authenticate ¶
func (authService *KerberosAuthService) Authenticate(ctx context.Context) (Principal, error)
func (*KerberosAuthService) Name ¶
func (authService *KerberosAuthService) Name() string
type KubernetesNativeAuthService ¶
type KubernetesNativeAuthService struct {
	// KidMappingFileLocation is the path of a file mapping token key IDs (kids)
	// to clusters — presumably how the cluster to query with a TokenReview is
	// selected; confirm against Authenticate.
	KidMappingFileLocation string
	// TokenCache caches the outcome of earlier token reviews so that the same
	// token is not reviewed on every request.
	TokenCache *cache.Cache
	// InvalidTokenExpiry controls how long a negative review result (an invalid
	// token) stays cached — units are not stated here; confirm (seconds?).
	InvalidTokenExpiry int64
	// TokenReviewer performs the TokenReview call against the target cluster;
	// KubernetesTokenReviewer is the real implementation, the interface allows a
	// fake to be injected in tests.
	TokenReviewer TokenReviewer
	// Clock is the time source used for cache expiry; injectable for tests.
	Clock clock.Clock
}
func NewKubernetesNativeAuthService ¶
func NewKubernetesNativeAuthService(config configuration.KubernetesAuthConfig) KubernetesNativeAuthService
func (*KubernetesNativeAuthService) Authenticate ¶
func (authService *KubernetesNativeAuthService) Authenticate(ctx context.Context) (Principal, error)
func (*KubernetesNativeAuthService) Name ¶
func (authService *KubernetesNativeAuthService) Name() string
type KubernetesTokenReviewer ¶
type KubernetesTokenReviewer struct{}
func (*KubernetesTokenReviewer) ReviewToken ¶
func (reviewer *KubernetesTokenReviewer) ReviewToken(ctx context.Context, clusterUrl string, token string, ca []byte) (*authv1.TokenReview, error)
type OpenIdAuthService ¶
type OpenIdAuthService struct {
// contains filtered or unexported fields
}
func NewOpenIdAuthService ¶
func NewOpenIdAuthService(verifier *oidc.IDTokenVerifier, groupsClaim string) *OpenIdAuthService
func NewOpenIdAuthServiceForProvider ¶
func NewOpenIdAuthServiceForProvider(ctx context.Context, config *configuration.OpenIdAuthenticationConfig) (*OpenIdAuthService, error)
func (*OpenIdAuthService) Authenticate ¶
func (authService *OpenIdAuthService) Authenticate(ctx context.Context) (Principal, error)
func (*OpenIdAuthService) Name ¶
func (authService *OpenIdAuthService) Name() string
type PermissionChecker ¶
// PermissionChecker answers authorization questions about the principal stored
// in a request context (see GetPrincipal).
type PermissionChecker interface {
	// UserHasPermission reports whether the principal stored in ctx holds perm.
	UserHasPermission(ctx context.Context, perm permission.Permission) bool
	// UserOwns reports whether the principal stored in ctx owns obj, either
	// directly or through a group it is a member of. As implemented by
	// PrincipalPermissionChecker, ownershipGroups lists the owning groups the
	// principal belongs to and is empty when ownership is direct.
	UserOwns(ctx context.Context, obj Owned) (owned bool, ownershipGroups []string)
}
type PermissionClaimQueries ¶
type PermissionClaimQueries map[permission.Permission]string
type Principal ¶
type Principal interface {
	// GetName returns the principal's name.
	GetName() string
	// GetGroupNames returns the names of the groups the principal is a member of.
	GetGroupNames() []string
	// IsInGroup reports whether the principal is a member of group.
	IsInGroup(group string) bool
	// HasScope reports whether the principal carries the given OpenID scope.
	HasScope(scope string) bool
	// HasClaim reports whether the principal carries the given OpenID claim;
	// claims are passed as plain strings (see NewStaticPrincipalWithScopesAndClaims),
	// whether these are claim names or name/value pairs is not stated here.
	HasClaim(claim string) bool
}
Principal represents an entity that has been authenticated (e.g., a user). Every principal has a name and may be a member of one or more groups. Scopes and claims are as defined by OpenID Connect; principals produced by authentication methods other than OpenID may simply carry none.
func GetPrincipal ¶
GetPrincipal returns the principal (e.g., a user) stored in a context as a ctx.Value (see WithPrincipal). If no principal is found, a principal representing an anonymous (unauthenticated) user is returned rather than an error. Callers must therefore not treat a non-nil result as evidence of authentication: a handler that is reachable without the authentication middleware silently sees the anonymous principal.
type PrincipalPermissionChecker ¶
type PrincipalPermissionChecker struct {
// contains filtered or unexported fields
}
func NewPrincipalPermissionChecker ¶
func NewPrincipalPermissionChecker( permissionGroupMap map[permission.Permission][]string, permissionScopeMap map[permission.Permission][]string, permissionClaimMap map[permission.Permission][]string, ) *PrincipalPermissionChecker
func (*PrincipalPermissionChecker) UserHasPermission ¶
func (checker *PrincipalPermissionChecker) UserHasPermission(ctx context.Context, perm permission.Permission) bool
UserHasPermission returns true if the principal contained in the context has the given permission. The check is an OR over the three maps supplied to NewPrincipalPermissionChecker: the permission is granted if any group, scope, or claim of the principal is mapped to it. Note that mapping a permission to EveryoneGroup grants it to all users.
func (*PrincipalPermissionChecker) UserOwns ¶
func (checker *PrincipalPermissionChecker) UserOwns(ctx context.Context, obj Owned) (owned bool, ownershipGroups []string)
UserOwns checks whether obj is owned by the principal contained in the context, or by a group of which the principal is a member. If obj is owned by one or more groups the principal belongs to, this method also returns the list of those groups (the owning groups that the principal is a member of). If obj is owned directly by the principal, no groups are returned.
TODO Should we always return the groups (even if the principal owns obj directly)?
type SPNEGOService ¶
type StaticPrincipal ¶
type StaticPrincipal struct {
// contains filtered or unexported fields
}
StaticPrincipal is the default implementation of the Principal interface. "Static" means that its name, groups, scopes and claims are fixed when it is constructed (NewStaticPrincipal, NewStaticPrincipalWithScopesAndClaims) and do not change afterwards.
func NewStaticPrincipal ¶
func NewStaticPrincipal(name string, groups []string) *StaticPrincipal
func NewStaticPrincipalWithScopesAndClaims ¶
func NewStaticPrincipalWithScopesAndClaims(name string, groups []string, scopes []string, claims []string) *StaticPrincipal
func (*StaticPrincipal) GetGroupNames ¶
func (p *StaticPrincipal) GetGroupNames() []string
func (*StaticPrincipal) GetName ¶
func (p *StaticPrincipal) GetName() string
func (*StaticPrincipal) HasClaim ¶
func (p *StaticPrincipal) HasClaim(claim string) bool
func (*StaticPrincipal) HasScope ¶
func (p *StaticPrincipal) HasScope(scope string) bool
func (*StaticPrincipal) IsInGroup ¶
func (p *StaticPrincipal) IsInGroup(group string) bool