Documentation
Constants
const RoleAssignmentKind = "RoleAssignment"
RoleAssignmentKind represents the canonical RoleAssignment kind string.
const RoleScopeGlobal = "*"
RoleScopeGlobal represents an unbounded scope.
Variables
This section is empty.
Functions
func AlwaysAuthorize
AlwaysAuthorize is an implementation of the AuthorizeFn function signature that unconditionally passes authorization requests by returning nil. This is used only for testing purposes.
func NeverAuthorize
NeverAuthorize is an implementation of the AuthorizeFn function signature that unconditionally fails authorization requests by returning a *meta.ErrAuthorization error. This is used only for testing purposes.
Types
type AuthorizeFn
AuthorizeFn is the signature for any function that can, presumably, retrieve a principal from the provided Context and make an access control decision based on the principal having (or not having) the specified Role with the specified scope. Implementations MUST return a *meta.ErrAuthorization error if the principal is not authorized.
type PrincipalReference
type PrincipalReference struct {
	// Type qualifies what kind of principal is referenced by the ID field-- for
	// instance, a User or a ServiceAccount.
	Type PrincipalType `json:"type,omitempty"`
	// ID references a principal. The Type qualifies what type of principal that
	// is-- for instance, a User or a ServiceAccount.
	ID string `json:"id,omitempty"`
}
PrincipalReference is a reference to any sort of security principal (human user, service account, etc.)
type PrincipalType
type PrincipalType string
PrincipalType is a type whose values can be used to disambiguate one type of principal from another. For instance, when assigning a Role to a principal via a RoleAssignment, a PrincipalType field is used to indicate whether the value of the PrincipalID field reflects a User ID or a ServiceAccount ID.
type RoleAssignment
type RoleAssignment struct {
	// Role assigns a Role to the specified principal.
	Role Role `json:"role" bson:"role"`
	// Principal specifies the principal to whom the Role is assigned.
	Principal PrincipalReference `json:"principal" bson:"principal"`
	// Scope qualifies the scope of the Role. The value is opaque and has meaning
	// only in relation to a specific Role.
	Scope string `json:"scope,omitempty" bson:"scope,omitempty"`
}
RoleAssignment represents the assignment of a Role to a principal such as a User or ServiceAccount.
func (RoleAssignment) MarshalJSON
func (r RoleAssignment) MarshalJSON() ([]byte, error)
MarshalJSON amends RoleAssignment instances with type metadata.
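The AuthorizeFn contract, the PrincipalType disambiguation and the Scope field described above meet in a single check. The following is an added example, not this package's code: the types are local stand-ins, and Role as a string, ctxKey, NewAuthorizer, the function signature and the sample role and principal names are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Stand-ins for the documented types; Role-as-string and ctxKey are assumptions.
type (
	Role               string
	PrincipalType      string
	ctxKey             struct{} // context key under which the caller is stored
	PrincipalReference struct {
		Type PrincipalType
		ID   string
	}
	RoleAssignment struct {
		Role      Role
		Principal PrincipalReference
		Scope     string
	}
)

const RoleScopeGlobal = "*"

var ErrAuthorization = errors.New("not authorized") // stands in for *meta.ErrAuthorization

// NewAuthorizer denies by default and compares Type and ID together, so a
// User and a ServiceAccount that share an ID never share an assignment.
func NewAuthorizer(as []RoleAssignment) func(context.Context, Role, string) error {
	return func(ctx context.Context, role Role, scope string) error {
		p, ok := ctx.Value(ctxKey{}).(PrincipalReference)
		if !ok || p.ID == "" {
			return ErrAuthorization // no principal in ctx: fail closed
		}
		for _, a := range as {
			if a.Principal == p && a.Role == role && (a.Scope == RoleScopeGlobal || a.Scope == scope) {
				return nil
			}
		}
		return ErrAuthorization
	}
}

func main() {
	authz := NewAuthorizer([]RoleAssignment{{"ADMIN", PrincipalReference{"USER", "alice"}, RoleScopeGlobal}})
	sa := PrincipalReference{"SERVICE_ACCOUNT", "alice"} // constructed: same ID, different type
	fmt.Println(authz(context.WithValue(context.Background(), ctxKey{}, sa), "ADMIN", "proj-a"))
}
```

Only a stored scope of "*" widens a grant; a caller that requests "*" against a narrower assignment is denied, and an empty principal in the context never matches.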