Documentation
Index
- Constants
- Variables
- func NewAuthorizer(delegate defaultauthorizer.Authorizer, ...) defaultauthorizer.Authorizer
- func ScopesToRules(scopes []string, namespace string, ...) ([]authorizationapi.PolicyRule, error)
- func ValidateClusterRoleScopeRestrictions(scope string, restriction oauthapi.ClusterRoleScopeRestriction) error
- func ValidateLiteralScopeRestrictions(scope string, literals []string) error
- func ValidateScopeRestrictions(client *oauthapi.OAuthClient, scopes ...string) error
- type ScopeEvaluator
Constants
const (
	UserIndicator          = "user:"
	ClusterRoleIndicator   = "role:"
	ClusterWideIndicator   = "clusterwide:"
	NamespaceWideIndicator = "namespace:"
)
const (
	UserInfo        = "info"
	UserAccessCheck = "check-access"
	// UserListProject gives explicit permission to see the projects a user can see. This is often used to prime secondary ACL systems
	// unrelated to openshift and to display projects for selection in a secondary UI.
	UserListProject = "list-projects"
)
Variables
var ScopeEvaluators = []ScopeEvaluator{
	userEvaluator{},
	clusterRoleEvaluator{},
}
ScopeEvaluators map prefixes to a function that handles that prefix.
Functions
func NewAuthorizer
func NewAuthorizer(delegate defaultauthorizer.Authorizer, clusterPolicyGetter client.ClusterPolicyLister, forbiddenMessageMaker defaultauthorizer.ForbiddenMessageMaker) defaultauthorizer.Authorizer
func ScopesToRules
func ScopesToRules(scopes []string, namespace string, clusterPolicyGetter client.ClusterPolicyLister) ([]authorizationapi.PolicyRule, error)
ScopesToRules takes the scopes and returns the rules. We ALWAYS add the discovery rules, and it is possible to get some rules and an error, since errors aren't fatal to evaluation.
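A simplified model of the behavior described for ScopesToRules, added here as an example and not the package's own code: `Rule`, `evaluator`, `userEval` and the lowercase `scopesToRules` are hypothetical stand-ins, and the rule values are constructed. It shows a caller receiving the discovery rule plus the rules of every resolvable scope, together with a non-nil error for the scopes that failed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Rule is a hypothetical stand-in for authorizationapi.PolicyRule.
type Rule struct{ Verb, Resource string }

// evaluator keeps only the two ScopeEvaluator methods this sketch needs.
type evaluator interface {
	Handles(scope string) bool
	ResolveRules(scope string) ([]Rule, error)
}

// userEval handles "user:" scopes; the rules it returns are constructed values.
type userEval struct{}
func (userEval) Handles(s string) bool { return strings.HasPrefix(s, "user:") }
func (userEval) ResolveRules(s string) ([]Rule, error) {
	if n := strings.TrimPrefix(s, "user:"); n == "info" || n == "list-projects" {
		return []Rule{{"get", "example/" + n}}, nil
	}
	return nil, fmt.Errorf("unrecognized scope %q", s)
}

// scopesToRules always includes a (constructed) discovery rule and never stops at the first error.
func scopesToRules(scopes []string, evals []evaluator) ([]Rule, error) {
	rules := []Rule{{"get", "example/discovery"}}
	var errs []error
	for _, s := range scopes {
		err := fmt.Errorf("no evaluator for scope %q", s) // stays set if nothing handles s
		for _, e := range evals {
			if e.Handles(s) {
				var r []Rule
				r, err = e.ResolveRules(s)
				rules = append(rules, r...)
				break
			}
		}
		errs = append(errs, err) // errors.Join drops nil entries
	}
	return rules, errors.Join(errs...)
}

func main() {
	fmt.Println(scopesToRules([]string{"user:info", "bogus:x"}, []evaluator{userEval{}}))
}
```

In this model a scope that fails to resolve contributes no rules, so the error path yields a smaller rule set rather than a larger one.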
func ValidateClusterRoleScopeRestrictions
func ValidateClusterRoleScopeRestrictions(scope string, restriction oauthapi.ClusterRoleScopeRestriction) error
func ValidateScopeRestrictions
func ValidateScopeRestrictions(client *oauthapi.OAuthClient, scopes ...string) error
Types
type ScopeEvaluator
type ScopeEvaluator interface {
	Handles(scope string) bool
	Describe(scope string) string
	Validate(scope string) error
	ResolveRules(scope, namespace string, clusterPolicyGetter client.ClusterPolicyLister) ([]authorizationapi.PolicyRule, error)
}
ScopeEvaluator takes a scope and returns the rules that express it.