Documentation ¶
Overview ¶
Package rbac implements the authorizer.Authorizer interface using roles base access control.
Package rbac implements the authorizer.Authorizer interface using roles base access control.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func RuleAllows ¶ added in v1.5.1
func RuleAllows(requestAttributes authorizer.Attributes, rule rbac.PolicyRule) bool
func RulesAllow ¶ added in v1.5.1
func RulesAllow(requestAttributes authorizer.Attributes, rules ...rbac.PolicyRule) bool
Types ¶
type RBACAuthorizer ¶
type RBACAuthorizer struct {
// contains filtered or unexported fields
}
func New ¶
func New(roles rbacregistryvalidation.RoleGetter, roleBindings rbacregistryvalidation.RoleBindingLister, clusterRoles rbacregistryvalidation.ClusterRoleGetter, clusterRoleBindings rbacregistryvalidation.ClusterRoleBindingLister) *RBACAuthorizer
func (*RBACAuthorizer) Authorize ¶
func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (bool, string, error)
type RequestToRuleMapper ¶ added in v1.5.1
type RequestToRuleMapper interface { // RulesFor returns all known PolicyRules and any errors that happened while locating those rules. // Any rule returned is still valid, since rules are deny by default. If you can pass with the rules // supplied, you do not have to fail the request. If you cannot, you should indicate the error along // with your denial. RulesFor(subject user.Info, namespace string) ([]rbac.PolicyRule, error) }
type RoleToRuleMapper ¶ added in v1.6.0
type RoleToRuleMapper interface { // GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding. The passed namespace should be the namespace // of the role binding, the empty string if a cluster role binding. GetRoleReferenceRules(roleRef rbac.RoleRef, namespace string) ([]rbac.PolicyRule, error) }
type SubjectAccessEvaluator ¶ added in v1.6.0
type SubjectAccessEvaluator struct {
// contains filtered or unexported fields
}
func NewSubjectAccessEvaluator ¶ added in v1.6.0
func NewSubjectAccessEvaluator(roles rbacregistryvalidation.RoleGetter, roleBindings rbacregistryvalidation.RoleBindingLister, clusterRoles rbacregistryvalidation.ClusterRoleGetter, clusterRoleBindings rbacregistryvalidation.ClusterRoleBindingLister, superUser string) *SubjectAccessEvaluator
func (*SubjectAccessEvaluator) AllowedSubjects ¶ added in v1.6.0
func (r *SubjectAccessEvaluator) AllowedSubjects(requestAttributes authorizer.Attributes) ([]rbac.Subject, error)
AllowedSubjects returns the subjects that can perform an action and any errors encountered while computing the list. It is possible to have both subjects and errors returned if some rolebindings couldn't be resolved, but others could be.
Click to show internal directories.
Click to hide internal directories.