Index ¶
- Constants
- func DelegateAuthorization(delegationReason string, delegate authorizer.Authorizer) authorizer.Authorizer
- func IsDeepSubjectAccessReviewFrom(ctx context.Context, attr authorizer.Attributes) bool
- func NewBootstrapPolicyAuthorizer(informers kcpkubernetesinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
- func NewGlobalAuthorizer(...) (authorizer.Authorizer, authorizer.RuleResolver)
- func NewLocalAuthorizer(versionedInformers kcpkubernetesinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
- func NewMaximalPermissionPolicyAuthorizer(...) authorizer.Authorizer
- func NewRequiredGroupsAuthorizer(local, global corev1alpha1listers.LogicalClusterClusterLister, ...) authorizer.Authorizer
- func NewSystemCRDAuthorizer(delegate authorizer.Authorizer) authorizer.Authorizer
- func NewWorkspaceContentAuthorizer(localInformers, globalInformers kcpkubernetesinformers.SharedInformerFactory, ...) authorizer.Authorizer
- func WithAuditLogging(annotationDomain string, delegate authorizer.Authorizer) authorizer.Authorizer
- func WithDeepSARConfig(config *rest.Config) *rest.Config
- func WithDeepSubjectAccessReview(handler http.Handler) http.Handler
- func WithSubjectAccessReviewAuditAnnotations(handler http.Handler) http.Handler
- type BootstrapPolicyAuthorizer
- func (a *BootstrapPolicyAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)
- func (a *BootstrapPolicyAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)
- type Decorator
- type GlobalAuthorizer
- func (a *GlobalAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)
- func (a *GlobalAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)
- type LocalAuthorizer
- func (a *LocalAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)
- func (a *LocalAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)
- type MaximalPermissionPolicyAuthorizer
- type SystemCRDAuthorizer
Constants ¶
// Decision* are the textual forms of the three authorizer.Decision outcomes.
// NOTE(review): presumably used where a decision has to be rendered as a string
// (e.g. audit annotations/log entries, see WithAuditLogging) — confirm against callers.
const (
	DecisionNoOpinion = "NoOpinion"
	DecisionAllowed   = "Allowed"
	DecisionDenied    = "Denied"
)
const (
	// MaximalPermissionPolicyAccessNotPermittedReason is the reason string for a
	// request that a maximal permission policy does not permit.
	// NOTE(review): presumably the reason returned by the authorizer built with
	// NewMaximalPermissionPolicyAuthorizer — confirm against its Authorize.
	MaximalPermissionPolicyAccessNotPermittedReason = "access not permitted by maximal permission policy"
)
const (
	// RequiredGroupsAnnotationKey is a comma-separated list (OR'ed) of semicolon-separated
	// groups (AND'ed) that a user must be a member of to be able to access the workspace.
	// NOTE(review): presumably the annotation read by the authorizer built with
	// NewRequiredGroupsAuthorizer, which documents that service accounts bypass the check — confirm.
	RequiredGroupsAnnotationKey = "authorization.kcp.io/required-groups"
)
const (
	// WorkspaceAccessNotPermittedReason is the reason string for a request that is
	// not permitted to access the workspace.
	// NOTE(review): presumably returned by the authorizer built with
	// NewWorkspaceContentAuthorizer — confirm against its Authorize.
	WorkspaceAccessNotPermittedReason = "workspace access not permitted"
)
Variables ¶
This section is empty.
Functions ¶
func DelegateAuthorization ¶ added in v0.10.0
func DelegateAuthorization(delegationReason string, delegate authorizer.Authorizer) authorizer.Authorizer
DelegateAuthorization delegates authorization to the given delegate authorizer and, once the delegate has executed, prefixes the reason it returns with the given delegation reason.
func IsDeepSubjectAccessReviewFrom ¶ added in v0.8.0
func IsDeepSubjectAccessReviewFrom(ctx context.Context, attr authorizer.Attributes) bool
IsDeepSubjectAccessReviewFrom returns whether the request in ctx is a deep SAR request. If true, the top-level workspace and workspace content authorization checks have to be skipped.
func NewBootstrapPolicyAuthorizer ¶
func NewBootstrapPolicyAuthorizer(informers kcpkubernetesinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
func NewGlobalAuthorizer ¶ added in v0.11.0
func NewGlobalAuthorizer(localKubeInformers, globalKubeInformers kcpkubernetesinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
func NewLocalAuthorizer ¶
func NewLocalAuthorizer(versionedInformers kcpkubernetesinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
func NewMaximalPermissionPolicyAuthorizer ¶ added in v0.10.0
func NewMaximalPermissionPolicyAuthorizer(kubeInformers, globalKubeInformers kcpkubernetesinformers.SharedInformerFactory, kcpInformers, globalKcpInformers kcpinformers.SharedInformerFactory, delegate authorizer.Authorizer) authorizer.Authorizer
NewMaximalPermissionPolicyAuthorizer returns an authorizer that first checks if the request is for a bound resource or not. If the resource is bound it checks the maximal permission policy of the underlying API export.
func NewRequiredGroupsAuthorizer ¶ added in v0.11.0
func NewRequiredGroupsAuthorizer(local, global corev1alpha1listers.LogicalClusterClusterLister, delegate authorizer.Authorizer) authorizer.Authorizer
NewRequiredGroupsAuthorizer returns an authorizer that requires membership in a set of groups stored on the LogicalCluster object. Service accounts bypass this check.
func NewSystemCRDAuthorizer ¶ added in v0.6.0
func NewSystemCRDAuthorizer(delegate authorizer.Authorizer) authorizer.Authorizer
func NewWorkspaceContentAuthorizer ¶
func NewWorkspaceContentAuthorizer(localInformers, globalInformers kcpkubernetesinformers.SharedInformerFactory, localLogicalClusterLister, globalLogicalClusterLister corev1alpha1listers.LogicalClusterClusterLister, delegate authorizer.Authorizer) authorizer.Authorizer
func WithAuditLogging ¶ added in v0.11.0
func WithAuditLogging(annotationDomain string, delegate authorizer.Authorizer) authorizer.Authorizer
WithAuditLogging stores the given domain in the context to be used when logging audit events in the given authorizer chain. The annotations will have the format <prefix>.<domain>/<key>. If that context is not set, audit logging is skipped. Note that this is only respected by authorizers that have been decorated using Decorator.AddAuditLogging.
func WithDeepSARConfig ¶ added in v0.8.0
WithDeepSARConfig modifies and returns the input rest.Config with an additional header that makes SARs deep.
func WithDeepSubjectAccessReview ¶ added in v0.8.0
WithDeepSubjectAccessReview records in the request context that this request has set the DeepSubjectAccessReview header. The header is ignored for non-system:master users and for non-SAR requests.
A deep SAR request skips top-level workspace and workspace content authorization checks.
Types ¶
type BootstrapPolicyAuthorizer ¶ added in v0.8.0
type BootstrapPolicyAuthorizer struct {
// contains filtered or unexported fields
}
func (*BootstrapPolicyAuthorizer) Authorize ¶ added in v0.8.0
func (a *BootstrapPolicyAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)
func (*BootstrapPolicyAuthorizer) RulesFor ¶ added in v0.8.0
func (a *BootstrapPolicyAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)
type Decorator ¶ added in v0.10.0
type Decorator struct {
// contains filtered or unexported fields
}
func NewDecorator ¶ added in v0.10.0
func NewDecorator(key string, target authorizer.Authorizer) *Decorator
NewDecorator returns a new authorizer which is associated with the given key. The prefix key must not contain a slash `/`. Decorating functions are applied in the order they have been invoked.
func (*Decorator) AddAnonymization ¶ added in v0.10.0
AddAnonymization anonymizes authorization decisions, passing the reason "access granted" to the next decoration in case of an allow decision and "access denied" otherwise. Previous decorations are not anonymized.
func (*Decorator) AddAuditLogging ¶ added in v0.10.0
AddAuditLogging logs every decision of the target authorizer for the given audit prefix key if the decision is not allowed. All authorizer decisions are logged in the audit log if the context was set using WithAuditLogging. This prevents double audit log entries from multiple invocations of the authorizer chain.
func (*Decorator) AddReasonAnnotation ¶ added in v0.10.0
AddReasonAnnotation adds the authorizer key as a prefix to the authorizer reason and passes that to the next decoration. This is useful where AddAnonymization was used as a decoration, but we still want to identify the authorizer in audit logs when this decorator is passed as a delegate in an authorizer chain.
func (*Decorator) Authorize ¶ added in v0.10.0
func (d *Decorator) Authorize(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error)
type GlobalAuthorizer ¶ added in v0.11.0
type GlobalAuthorizer struct {
// contains filtered or unexported fields
}
func (*GlobalAuthorizer) Authorize ¶ added in v0.11.0
func (a *GlobalAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)
func (*GlobalAuthorizer) RulesFor ¶ added in v0.11.0
func (a *GlobalAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)
type LocalAuthorizer ¶
type LocalAuthorizer struct {
// contains filtered or unexported fields
}
func (*LocalAuthorizer) Authorize ¶
func (a *LocalAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)
func (*LocalAuthorizer) RulesFor ¶
func (a *LocalAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)
type MaximalPermissionPolicyAuthorizer ¶ added in v0.10.0
type MaximalPermissionPolicyAuthorizer struct {
// contains filtered or unexported fields
}
func (*MaximalPermissionPolicyAuthorizer) Authorize ¶ added in v0.10.0
func (a *MaximalPermissionPolicyAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error)
type SystemCRDAuthorizer ¶ added in v0.6.0
type SystemCRDAuthorizer struct {
// contains filtered or unexported fields
}
SystemCRDAuthorizer protects the system CRDs from users who are admins in their workspaces.
func (*SystemCRDAuthorizer) Authorize ¶ added in v0.6.0
func (a *SystemCRDAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)