Documentation
¶
Index ¶
Constants ¶
const ( // AuthProxyDir is the directory in the KV store // where directories and keys used by // auth proxy will be stored AuthProxyDir = "auth_proxy" // AuthZDir is the directory under which all // types.Authorizations state will be saved // in the KV store AuthZDir = AuthProxyDir + "/" + "authorizations" )
Consts that will be used across different packages
const ( // TenantClaimKey is a prefix added to Claim keys in the // authorization or token object to represent tenants TenantClaimKey = "tenant:" // RoleClaimKey is a const string which represents highest // available role available to a principal in token object or // authorization db RoleClaimKey = "role" )
Variables ¶
var DatastoreDirectories = []string{ AuthZDir, AuthProxyDir + "/local_users", AuthProxyDir + "/principals", }
DatastoreDirectories is a list of all the directories in the datastore that our code assumes exist. These will be automatically created whenever a state driver is initialized.
Functions ¶
This section is empty.
Types ¶
type Authorization ¶
type Authorization struct {
CommonState
UUID string `json:"uuid"`
PrincipalName string `json:"principalName"`
Local bool `json:"local"`
ClaimKey string `json:"claimKey"`
ClaimValue string `json:"claimValue"`
}
Authorization represents the dynamic policy that defines mapping of principals and their access claims to entities with certain capabilities.
Principals are also called subjects. Entities are also called objects. Objects and the capabilities defined on them are termed as a claim's key and value.
Capabilities
(claim's value)
Principals -------------------------> Entities
(subjects) (objects or the claim's key)
This is a many-to-many association - one principal will have access to many claims (e.g., for different tenants), and one claim (e.g., for a specific tenant) might be associated with many principals.
All subject-object mappings must be unique - hence the primary key is a combination of the principal and claims' keys.
Fields:
CommonState: Embedded common state struct (which will be part of all structs that implement
types.State)
UUID: unique ID for an authorization.
PrincipalName: Unique name of the subject; it could be a username or LDAP group name.
Local: Bool indicating whether the principal is a local user. False indicates
that the principal is an LDAP group
ClaimKey: string encoding of the claim's key associated with the authorization
ClaimValue: string encoding of the claim's value associated with the
authorization
func (*Authorization) BelongsToBuiltInAdmin ¶
func (a *Authorization) BelongsToBuiltInAdmin() bool
BelongsToBuiltInAdmin determines if the authz belongs to the built-in local admin user.
func (*Authorization) Clear ¶
func (a *Authorization) Clear() error
Clear removes an authz instance from the authz dir in the KV store
Parameters:
(Receiver): authorization object on which operation is occurring ID: of the authorization object
Return Values:
error: Any error from the state driver
Nil if successful
func (*Authorization) Read ¶
func (a *Authorization) Read(UUID string) error
Read looks up an authorization entry in the authz dir
Parameters:
(Receiver): authorization object on which operation is occurring UUID: of the authZ that needs to be read
Return Values:
error: Any error from the state driver
Nil if successful
func (*Authorization) ReadAll ¶
func (a *Authorization) ReadAll() ([]State, error)
ReadAll returns all authorizations in the authz dir
Return Values:
[]State: List of authorization states
error: Any error when reading from the KV store
nil if operation is successful
func (*Authorization) Write ¶
func (a *Authorization) Write() error
Write adds an authz instance to the authz dir in the KV store
Parameters:
(Receiver): authorization object on which operation is occurring
Return Values:
error: Error received from StateDriver
nil if operation is successful
type CommonState ¶
type CommonState struct {
StateDriver StateDriver `json:"-"`
ID string `json:"id"`
}
CommonState defines the fields common to all types.State implementations. This struct will be embedded as an anonymous field in all structs that implement types.State
Fields:
StateDriver: etcd or consul statedriver ID: identifier for the state
type KVStoreConfig ¶
type KVStoreConfig struct {
StoreURL string `json:"kvstore-url"`
StoreDriver string `json:"kvstore-driver"`
}
KVStoreConfig encapsulates config data that determines KV store details specific to a running instance of auth_proxy
Fields:
StoreURL: URL of the key-value store
type LdapConfiguration ¶
type LdapConfiguration struct {
Server string `json:"server"`
Port uint16 `json:"port"`
BaseDN string `json:"base_dn"`
ServiceAccountDN string `json:"service_account_dn"`
ServiceAccountPassword string `json:"service_account_password,omitempty"`
StartTLS bool `json:"start_tls"`
InsecureSkipVerify bool `json:"insecure_skip_verify"`
TLSCertIssuedTo string `json:"tls_cert_issued_to"`
}
LdapConfiguration represents the LDAP/AD configuration. All the connection to LDAP/AD is established using this details.
Fields:
Server: FQDN or IP address of LDAP/AD server
Port: listening port of LDAP/AD server
BaseDN: Distinguished name for base entity.
E.g., ou=eng,dc=auth,dc=com. All search queries will be scope to this BaseDN.
ServiceAccountDN: DN of the service account. auth_proxy will use this
account to communicate with LDAP/AD. Hence this account
must have appropriate privileges, specifically for lookup.
ServiceAccountPassword: of the service account
StartTLS: if set, the connection will be upgrated to SSL/TLS mode
InsecureSkipVerify: if set, the certificate verification is skipped;
used only when `StartTLS` is enabled.
TLSCertIssuedTo: Servername for which the TLS/SSL certificate was issued.
This is used only when `StartTLS` is enabled.
The connection is prone to man-in-the-middle attacks,
if empty(TLSCertIssuedTo) and InsecureSkipVerify == false.
type LocalUser ¶
type LocalUser struct {
Username string `json:"username"`
Password string `json:"password,omitempty"`
FirstName string `json:"first_name"`
LastName string `json:"last_name"`
Disable bool `json:"disable"`
PasswordHash []byte `json:"password_hash,omitempty"`
}
LocalUser information
Fields:
UserName: of the user. Read only field. Must be unique. FirstName: of the user LastName: of the user Password: of the user. Not stored anywhere. Used only for updates. Disable: if authorizations for this local user is disabled. PasswordHash: of the password string.
type RoleType ¶
type RoleType uint
RoleType each role type is associated with a group and set of capabilities
type State ¶
type State interface {
Read(id string) error
ReadAll() ([]State, error)
Write() error
Clear() error
}
State identifies data uniquely identifiable by 'id' and stored in a (distributed) key-value store implemented by types.StateDriver.
type StateDriver ¶
type StateDriver interface {
//Driver
Init(config *KVStoreConfig) error
Deinit()
Mkdir(string) error
// XXX: the following raw versions of Read, Write, ReadAll and WatchAll
// could be removed, since it is not used directly for now
Read(key string) ([]byte, error)
ReadAll(baseKey string) ([][]byte, error)
Write(key string, value []byte) error
Clear(key string) error
WatchAll(baseKey string, chValueChanges chan [2][]byte) error
ReadState(key string, value State,
unmarshal func([]byte, interface{}) error) error
ReadAllState(baseKey string, stateType State,
unmarshal func([]byte, interface{}) error) ([]State, error)
WriteState(key string, value State,
marshal func(interface{}) ([]byte, error)) error
// WatchAllState returns changes to a state from the point watch is started.
// It's a blocking call.
// XXX: This specification introduces a small time window where a few
// updates might be missed that occurred just before watch was started.
// May be watch shall return all existing state first and then subsequent
// updates. Revisit if this enhancement is needed.
WatchAllState(baseKey string, stateType State,
unmarshal func([]byte, interface{}) error, chStateChanges chan WatchState) error
ClearState(key string) error
}
StateDriver provides the mechanism for reading/writing state for authN, authZ for RBAC. The state is assumed to be stored as key-value pairs with keys of type 'string' and value to be an opaque binary string, encoded/decoded by the logic specific to the high-level(consumer) interface.
type WatchState ¶
WatchState encapsulates changes in the state stored in the KV store and constitutes both the current and previous state
Fields:
Curr: current state for a key in the KV store Prec: previous state for a key in the KV store
type WatchableState ¶
type WatchableState interface {
State
WatchAll(chValueChanges chan WatchState) error
}
WatchableState allows for the rest of types.State, plus the WatchAll call which allows the implementor to signal value changes over a channel.
Source Files