Documentation
Overview
Package pathperms provides a library to assist servers implementing GetPermissions/SetPermissions functions and authorizers where there are path-specific Permissions stored individually in files. TODO(rjkroege): Add unit tests.
Index
- Variables
- func ComputeVersion(perms access.Permissions) (string, error)
- func NewHierarchicalAuthorizer(rootDir, childDir string, get PermsGetter) (security.Authorizer, error)
- func NilAuthPermissions(ctx *context.T, call security.Call) access.Permissions
- func PermissionsForBlessings(blessings []string) access.Permissions
- func PrefixPatterns(blessings []string) []security.BlessingPattern
- type PathStore
- func (store *PathStore) Delete(dir string) error
- func (store *PathStore) Get(dir string) (access.Permissions, string, error)
- func (store *PathStore) PermsForPath(ctx *context.T, path string) (access.Permissions, bool, error)
- func (store *PathStore) Set(dir string, perms access.Permissions, version string) error
- func (store *PathStore) SetIfAbsent(dir string, perms access.Permissions) (bool, error)
- func (store *PathStore) SetShareable(dir string, perms access.Permissions, version string, ...) (bool, error)
- type PermsGetter
Constants
This section is empty.
Variables
var (
ErrOperationFailed = verror.Register(pkgPath+".OperationFailed", verror.NoRetry, "{1:}{2:} operation failed{:_}")
)
Functions
func ComputeVersion
func ComputeVersion(perms access.Permissions) (string, error)
ComputeVersion produces the tag value returned by access.GetPermissions() (per v23/services/permissions/service.vdl) that GetPermissions/SetPermissions use to determine if the Permissions have been asynchronously modified.
func NewHierarchicalAuthorizer
func NewHierarchicalAuthorizer(rootDir, childDir string, get PermsGetter) (security.Authorizer, error)
NewHierarchicalAuthorizer creates a new hierarchicalAuthorizer, one that implements a "root"-like concept: admin rights at the root of a server can invoke RPCs regardless of the permissions set on child objects.
If the root permissions are not set, the authorizer behaves like the DefaultAuthorizer.
If the child permissions are not set, the authorizer uses the permissions set on the root to restrict access to the child (including the admin override described above).
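The three rules above (root unset: default policy; root Admin: override; child unset: inherit root) are easiest to see as one decision function. The following is an added example for this page, not code from the pathperms package: it models Permissions as a map from access tag to blessing patterns, models pattern matching as "the pattern or any extension of it", and stands in a map for the files on disk. The type and helper names (Permissions, Getter, Authorize, SampleGetter) are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Permissions maps an access tag ("Admin", "Read", ...) to the blessing
// patterns allowed under that tag. Constructed model type for this example;
// the real package uses v23's access.Permissions.
type Permissions map[string][]string

// matches models BlessingPattern matching: pattern p matches the blessing p
// itself and every extension "p/...".
func matches(p, b string) bool {
	return b == p || strings.HasPrefix(b, p+"/")
}

// includes reports whether any of the caller's blessings is allowed under tag.
func (perms Permissions) includes(tag string, blessings []string) bool {
	for _, p := range perms[tag] {
		for _, b := range blessings {
			if matches(p, b) {
				return true
			}
		}
	}
	return false
}

// Getter models PermsGetter.PermsForPath: (perms, true) when a Permissions
// object is stored for path, (nil, false) when it is intentionally absent.
type Getter func(path string) (Permissions, bool)

// defaultAllows models the DefaultAuthorizer: the caller is authorized when
// one of its blessings extends the server's own blessing.
func defaultAllows(serverBlessing string, blessings []string) bool {
	return Permissions{"*": {serverBlessing}}.includes("*", blessings)
}

// Authorize applies the three rules from the NewHierarchicalAuthorizer doc.
func Authorize(get Getter, rootDir, childDir, tag, serverBlessing string, blessings []string) error {
	rootPerms, rootSet := get(rootDir)
	if !rootSet {
		// Rule 1: no root permissions, fall back to the default policy.
		if defaultAllows(serverBlessing, blessings) {
			return nil
		}
		return errors.New("default policy: caller does not extend the server's blessing")
	}
	// Rule 2: Admin at the root overrides whatever the child says.
	if rootPerms.includes("Admin", blessings) {
		return nil
	}
	childPerms, childSet := get(childDir)
	if !childSet {
		// Rule 3: no child permissions, so the root's permissions govern the child.
		childPerms = rootPerms
	}
	if childPerms.includes(tag, blessings) {
		return nil
	}
	return fmt.Errorf("%q on %s denied for %v", tag, childDir, blessings)
}

// SampleGetter is a constructed in-memory store standing in for files on disk.
func SampleGetter() Getter {
	store := map[string]Permissions{
		"/svc":       {"Admin": {"alice"}, "Read": {"bob"}},
		"/svc/child": {"Read": {"carol"}},
	}
	return func(path string) (Permissions, bool) {
		perms, ok := store[path]
		return perms, ok
	}
}

func main() {
	get := SampleGetter()
	for _, c := range []struct{ who, child string }{
		{"alice/phone", "/svc/child"}, {"bob", "/svc/child"}, {"carol", "/svc/child"}, {"bob", "/svc/other"},
	} {
		fmt.Println(c.who, c.child, Authorize(get, "/svc", c.child, "Read", "svc", []string{c.who}))
	}
}
```

Note the asymmetry the doc describes: an Admin at the root bypasses a restrictive child Permissions, but a blessing allowed only at the root (bob) is still refused on a child that carries its own Permissions, and only inherits the root's when the child has none.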
func NilAuthPermissions
NilAuthPermissions creates Permissions that mimic the default authorization policy (i.e., the Permissions are matched by all blessings that are either extensions of one of the local blessings or can be extended to form one of the local blessings).
func PermissionsForBlessings
func PermissionsForBlessings(blessings []string) access.Permissions
PermissionsForBlessings creates the Permissions list that should be used with a newly created object.
func PrefixPatterns
func PrefixPatterns(blessings []string) []security.BlessingPattern
PrefixPatterns creates a list of patterns containing all of the prefix patterns of the provided blessings.
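The prefix patterns are what make the NilAuthPermissions policy above expressible as an ordinary Permissions allow list. This added example (not the package's own code) shows both: it computes the prefix patterns of a blessing and then checks a caller against them. It assumes the Vanadium convention that a pattern ending in the "$" terminal matches exactly one blessing and none of its extensions, so "alice/$" admits "alice" (which can be extended to form "alice/phone") but not "alice/tablet" (which cannot). The names PrefixPatterns, Matches and DefaultPolicyAllows are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// noExtension is the terminal that makes a pattern match one blessing exactly
// and none of its extensions (assumed here to be spelled "$", as in Vanadium).
const noExtension = "$"

// PrefixPatterns returns, for each blessing, the patterns matched by that
// blessing and by every blessing it can be extended from. For "alice/phone"
// these are "alice/$" (only "alice") and "alice/phone" (itself and extensions).
// Written for this example; the package's own function is documented above.
func PrefixPatterns(blessings []string) []string {
	var patterns []string
	for _, b := range blessings {
		parts := strings.Split(b, "/")
		for i := 1; i < len(parts); i++ {
			patterns = append(patterns, strings.Join(parts[:i], "/")+"/"+noExtension)
		}
		patterns = append(patterns, b)
	}
	return patterns
}

// Matches models BlessingPattern matching: a "$"-terminated pattern matches
// exactly one blessing; any other pattern matches itself and its extensions.
func Matches(pattern, blessing string) bool {
	if strings.HasSuffix(pattern, "/"+noExtension) {
		return blessing == strings.TrimSuffix(pattern, "/"+noExtension)
	}
	return blessing == pattern || strings.HasPrefix(blessing, pattern+"/")
}

// DefaultPolicyAllows models the NilAuthPermissions policy: with the prefix
// patterns of the local blessings as the allow list, a caller is admitted
// exactly when its blessing extends a local blessing or can be extended to
// form one.
func DefaultPolicyAllows(local []string, caller string) bool {
	for _, p := range PrefixPatterns(local) {
		if Matches(p, caller) {
			return true
		}
	}
	return false
}

func main() {
	local := []string{"alice/phone"} // constructed sample: the server's own blessing
	fmt.Println("patterns:", PrefixPatterns(local))
	for _, caller := range []string{"alice/phone/app", "alice", "alice/tablet", "bob"} {
		fmt.Printf("%-16s allowed=%v\n", caller, DefaultPolicyAllows(local, caller))
	}
}
```

The "$" terminal is the security-relevant detail: without it, the strict prefix "alice" would be a plain pattern and would admit every sibling such as "alice/tablet", widening the default policy to all of alice's delegates rather than just the chain that leads to the server's own blessing.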
Types
type PathStore
type PathStore struct {
// contains filtered or unexported fields
}
PathStore manages storage of a set of Permissions in the filesystem where each path identifies a specific Permissions in the set. PathStore synchronizes access to its member Permissions.
func NewPathStore
NewPathStore creates a new instance of the lock map that uses principal to sign stored Permissions files.
func (*PathStore) PermsForPath
func (*PathStore) Set
Set writes the specified Permissions to the provided directory, enforcing the version synchronization mechanism and locking.
func (*PathStore) SetIfAbsent
SetIfAbsent writes the specified Permissions to the provided directory only if they don't already exist. Returns true if the permissions were written, and false otherwise (the error is nil if the permissions already exist).
func (*PathStore) SetShareable
func (store *PathStore) SetShareable(dir string, perms access.Permissions, version string, shareable, overwrite bool) (bool, error)
SetShareable writes the specified Permissions to the provided directory, enforcing the version synchronization mechanism and locking, using file modes that give the application read-only access to the permissions file.
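The version mechanism that ComputeVersion, Set and SetIfAbsent share is a compare-and-set: a caller reads the Permissions and their version, edits them, and writes them back with the version it read, so a concurrent modification in between is detected rather than silently overwritten. The following is an added example for this page, not the pathperms implementation: it keeps one JSON file per directory under a root, derives the version from a hash of the content, holds a mutex across every read-check-write, and leaves out the principal-signed file format and the shareable file modes. Permissions, PathStore and the method names are this example's own model.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"os"
	"path/filepath"
	"sync"
)

// Permissions maps an access tag to allowed blessing patterns (model type).
type Permissions map[string][]string

// ErrVersionMismatch: the stored Permissions changed since the caller's Get.
var ErrVersionMismatch = errors.New("pathperms: version mismatch, permissions modified concurrently")

// ComputeVersion derives the tag from the content: a SHA-256 of the JSON encoding.
func ComputeVersion(perms Permissions) (string, error) {
	data, err := json.Marshal(perms) // encoding/json writes map keys sorted
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]), nil
}

// PathStore keeps one permissions file per directory below root; one mutex serializes every operation.
type PathStore struct {
	mu   sync.Mutex
	root string
}

func NewPathStore(root string) *PathStore { return &PathStore{root: root} }
func (s *PathStore) file(dir string) string { return filepath.Join(s.root, dir, "perms.json") }

// load reads and re-hashes the stored Permissions; the caller holds s.mu.
func (s *PathStore) load(dir string) (Permissions, string, error) {
	data, err := os.ReadFile(s.file(dir))
	if err != nil {
		return nil, "", err
	}
	var perms Permissions
	if err := json.Unmarshal(data, &perms); err != nil {
		return nil, "", err
	}
	version, err := ComputeVersion(perms)
	return perms, version, err
}

// Get returns the stored Permissions for dir together with their version.
func (s *PathStore) Get(dir string) (Permissions, string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.load(dir)
}

// Set writes perms for dir. A non-empty version must equal the version of
// what is stored right now; "" skips the check (unconditional write).
func (s *PathStore) Set(dir string, perms Permissions, version string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.setLocked(dir, perms, version)
}

func (s *PathStore) setLocked(dir string, perms Permissions, version string) error {
	if version != "" {
		_, current, err := s.load(dir)
		if err != nil && !errors.Is(err, os.ErrNotExist) {
			return err
		}
		if current != version {
			return ErrVersionMismatch
		}
	}
	data, err := json.Marshal(perms)
	if err != nil {
		return err
	}
	path := s.file(dir)
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return err
	}
	return os.WriteFile(path, data, 0o600) // private to the server process
}

// SetIfAbsent writes perms only when dir has no permissions file yet and
// reports whether it wrote; an existing file yields (false, nil).
func (s *PathStore) SetIfAbsent(dir string, perms Permissions) (bool, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, err := os.Stat(s.file(dir)); err == nil {
		return false, nil
	} else if !errors.Is(err, os.ErrNotExist) {
		return false, err
	}
	return true, s.setLocked(dir, perms, "")
}
```

Deriving the version from the content rather than from a counter means two writers that read the same state get the same version and only the first write with it succeeds; the second receives ErrVersionMismatch and must re-read before retrying, which is the behaviour the GetPermissions/SetPermissions pair relies on. The existence check and the write in SetIfAbsent happen under the same lock for the same reason: a check-then-write without it is a race.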
type PermsGetter
type PermsGetter interface {
    // PermsForPath has two successful outcomes: either returning a valid
    // Permissions object or a boolean status true indicating that the
    // Permissions object is intentionally not present. Finally, it returns an
    // error if anything has gone wrong.
    PermsForPath(ctx *context.T, path string) (access.Permissions, bool, error)
}
PermsGetter defines an abstract interface that a customer of NewHierarchicalAuthorizer can use to obtain the PermissionsAuthorizer instances that it needs to construct a hierarchicalAuthorizer.