authorization

package
v0.7.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 10, 2022 License: Apache-2.0 Imports: 25 Imported by: 1

Documentation

Index

Constants

View Source
const WorkspaceAcccessNotPermittedReason = "workspace access not permitted"

Variables

This section is empty.

Functions

func NewAPIBindingAccessAuthorizer added in v0.6.0

func NewAPIBindingAccessAuthorizer(kubeInformers clientgoinformers.SharedInformerFactory, kcpInformers kcpinformers.SharedInformerFactory, delegate authorizer.Authorizer) (authorizer.Authorizer, error)

NewAPIBindingAccessAuthorizer returns an authorizer that checks if the the request is for a bound resource or not. If the resource is bound we will check the user has RBAC access in the exported resources workspace. If it is not allowed we will return NoDecision, if allowed we will call the delegate authorizer.

func NewSystemCRDAuthorizer added in v0.6.0

func NewSystemCRDAuthorizer(delegate authorizer.Authorizer) authorizer.Authorizer

func NewTopLevelOrganizationAccessAuthorizer added in v0.6.0

func NewTopLevelOrganizationAccessAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory, clusterWorkspaceLister tenancyv1.ClusterWorkspaceLister, delegate authorizer.Authorizer) authorizer.Authorizer

NewTopLevelOrganizationAccessAuthorizer returns an authorizer that checks for access+member verb in clusterworkspaces/content of the top-level workspace the request workspace is nested in. If one of these verbs are admitted, the delegate authorizer is called. Otherwise, NoOpionion is returned if the top-level workspace exists, and Deny otherwise.

func NewWorkspaceContentAuthorizer

func NewWorkspaceContentAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory, clusterWorkspaceLister tenancyalphav1.ClusterWorkspaceLister, delegate authorizer.Authorizer) authorizer.Authorizer

Types

type LocalAuthorizer

type LocalAuthorizer struct {
	// contains filtered or unexported fields
}

func (*LocalAuthorizer) Authorize

func (a *LocalAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)

func (*LocalAuthorizer) RulesFor

type SystemCRDAuthorizer added in v0.6.0

type SystemCRDAuthorizer struct {
	// contains filtered or unexported fields
}

SystemCRDAuthorizer protects the system CRDs from users who are admins in their workspaces.

func (*SystemCRDAuthorizer) Authorize added in v0.6.0

func (a *SystemCRDAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL