Documentation
¶
Overview ¶
Package authz provides an implemention of http authorization where specific URI (or URI's and their children) are allowed access by a set of roles
the caller can supply a way to map from a request to a role name.
the access control points are on entire URI segments only, e.g. Allow("/foo/bar", "bob") gives access to /foo/bar /foo/bar/baz, but not /foo/barry
Access is based on the deepest matching path, not the accumulated paths, so, Allow("/foo", "bob") Allow("/foo/bar", "barry") will allow barry access to /foo/bar but not access to /foo
AllowAny("/foo") will allow any authenticated request access to the /foo resource AllowAnyRole("/bar") will allow any authenticated request with a non-empty role access to the /bar resource
AllowAny, allowAnyRole always overrides any matching Allow regardless of the order of calls multiple calls to Allow for the same resource are cumulative, e.g. Allow("/foo", "bob") Allow("/foo", "barry") is equivilent to Allow("/foo", "bob", "barry")
Once you've built your Provider you can call NewHandler to get a http.Handler that implements those rules.
Index ¶
- Variables
- type Config
- type GRPCAuthz
- type HTTPAuthz
- type Provider
- func (c *Provider) Allow(path string, roles ...string)
- func (c *Provider) AllowAny(path string)
- func (c *Provider) AllowAnyRole(path string)
- func (c *Provider) Clone() *Provider
- func (c *Provider) NewHandler(delegate http.Handler) (http.Handler, error)
- func (c *Provider) NewUnaryInterceptor() grpc.UnaryServerInterceptor
- func (c *Provider) SetGRPCRoleMapper(m func(ctx context.Context) identity.Identity)
- func (c *Provider) SetRoleMapper(m func(r *http.Request) identity.Identity)
Constants ¶
This section is empty.
Variables ¶
var ( // ErrNoRoleMapperSpecified can't call NewHandler before you've set the RoleMapper function ErrNoRoleMapperSpecified = errors.New("you must have a RoleMapper set to be able to create a http.Handler") // ErrNoPathsConfigured is returned by NewHandler if you call NewHandler, but haven't configured any paths to be accessible ErrNoPathsConfigured = errors.New("you must have at least one path before being able to create a http.Handler") )
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
// Allow will allow the specified roles access to this path and its children, in format: ${path}:${role},${role}
Allow []string `json:"allow" yaml:"allow"`
// AllowAny will allow any authenticated request access to this path and its children
AllowAny []string `json:"allow_any" yaml:"allow_any"`
// AllowAnyRole will allow any authenticated request that include a non empty role
AllowAnyRole []string `json:"allow_any_role" yaml:"allow_any_role"`
// LogAllowedAny specifies to log allowed access to nodes in AllowAny list
LogAllowedAny bool `json:"log_allowed_any" yaml:"log_allowed_any"`
// LogAllowed specifies to log allowed access
LogAllowed bool `json:"log_allowed" yaml:"log_allowed"`
// LogDenied specifies to log denied access
LogDenied bool `json:"log_denied" yaml:"log_denied"`
// SkipLogPaths if set, specifies a list of paths to not log.
// this can be used for /v1/status/node or /metrics
SkipLogPaths []telemetry.LoggerSkipPath `json:"logger_skip_paths,omitempty" yaml:"logger_skip_paths,omitempty"`
}
Config contains configuration for the authorization module
type GRPCAuthz ¶
type GRPCAuthz interface {
// SetGRPCRoleMapper configures the function that provides
// the mapping from a gRPC request to a role name
SetGRPCRoleMapper(m func(ctx context.Context) identity.Identity)
// NewUnaryInterceptor returns grpc.UnaryServerInterceptor that enforces the current
// authorization configuration.
// The returned interceptor will extract the role and verify that the role has access to the
// URI being request, and either return an error, or pass the request on to the supplied
// delegate handler
NewUnaryInterceptor() grpc.UnaryServerInterceptor
}
GRPCAuthz represents an Authorization provider interface, You can call Allow or AllowAny to specify which roles are allowed access to which path segments. once configured you can create a Unary interceptor that enforces that configuration for you by calling NewUnaryInterceptor
type HTTPAuthz ¶
type HTTPAuthz interface {
// SetRoleMapper configures the function that provides the mapping from an HTTP request to a role name
SetRoleMapper(func(*http.Request) identity.Identity)
// NewHandler returns a http.Handler that enforces the current authorization configuration
// The handler has its own copy of the configuration changes to the Provider after calling
// NewHandler won't affect previously created Handlers.
// The returned handler will extract the role and verify that the role has access to the
// URI being request, and either return an error, or pass the request on to the supplied
// delegate handler
NewHandler(delegate http.Handler) (http.Handler, error)
}
HTTPAuthz represents an Authorization provider interface, You can call Allow or AllowAny to specify which roles are allowed access to which path segments. once configured you can create a http.Handler that enforces that configuration for you by calling NewHandler
type Provider ¶
type Provider struct {
// contains filtered or unexported fields
}
Provider represents an Authorization provider, You can call Allow or AllowAny to specify which roles are allowed access to which path segments. once configured you can create a http.Handler that enforces that configuration for you by calling NewHandler
func (*Provider) Allow ¶
Allow will allow the specified roles access to this path and its children [unless a specific Allow/AllowAny is called for a child path] multiple calls to Allow for the same path are cumulative
func (*Provider) AllowAny ¶
AllowAny will allow any authenticated request access to this path and its children [unless a specific Allow/AllowAny is called for a child path]
func (*Provider) AllowAnyRole ¶
AllowAnyRole will allow any authenticated request that include a non empty role access to this path and its children [unless a specific Allow/AllowAny is called for a child path]
func (*Provider) NewHandler ¶
NewHandler returns a http.Handler that enforces the current authorization configuration The handler has its own copy of the configuration changes to the Provider after calling NewHandler won't affect previously created Handlers. The returned handler will extract the role and verify that the role has access to the URI being request, and either return an error, or pass the request on to the supplied delegate handler
func (*Provider) NewUnaryInterceptor ¶
func (c *Provider) NewUnaryInterceptor() grpc.UnaryServerInterceptor
NewUnaryInterceptor returns grpc.UnaryServerInterceptor to check access
func (*Provider) SetGRPCRoleMapper ¶
SetGRPCRoleMapper configures the function that provides the mapping from a gRPC request to a role name
Source Files