Overview ¶
Package authorization provides mechanisms for enforcing authorization to Workspace resources in KCP. This package is largely inspired by openshift/openshift-apiserver/pkg/project/auth (https://github.com/openshift/openshift-apiserver/blob/9271466bfd02a9eb02fb5a43c8b9ff1ced76aca9/pkg/project/auth).
Functions ¶
func NewUserWorkspaceWatcher ¶
func NewUserWorkspaceWatcher(user user.Info, lclusterName logicalcluster.Name, clusterWorkspaceCache *workspacecache.ClusterWorkspaceCache, authCache WatchableCache, includeAllExistingWorkspaces bool, predicate kstorage.SelectionPredicate) *userWorkspaceWatcher
Types ¶
type AttributesBuilder ¶
type AttributesBuilder struct {
	// Embedded pointer: the builder's Name, Resource and Verb methods write
	// straight into this record rather than into a copy.
	// NOTE(review): NewAttributesBuilder allocates the record; a zero-value
	// AttributesBuilder literal would leave this pointer nil — construct the
	// builder via NewAttributesBuilder.
	*authorizer.AttributesRecord
}
AttributesBuilder is a helper for creating an authorizer.AttributesRecord.
func NewAttributesBuilder ¶
func NewAttributesBuilder() *AttributesBuilder
NewAttributesBuilder creates a new AttributesBuilder with a zero-value authorizer.AttributesRecord.
func (*AttributesBuilder) Name ¶
func (b *AttributesBuilder) Name(name string) *AttributesBuilder
Name sets the name on the builder's AttributesRecord.
func (*AttributesBuilder) Resource ¶
func (b *AttributesBuilder) Resource(gvr schema.GroupVersionResource, subresources ...string) *AttributesBuilder
Resource sets APIVersion, APIGroup, Resource, and Subresource on the builder's AttributesRecord.
func (*AttributesBuilder) Verb ¶
func (b *AttributesBuilder) Verb(verb string) *AttributesBuilder
Verb sets the verb on the builder's AttributesRecord.
type AuthorizationCache ¶
// AuthorizationCache caches, per user and group, the set of workspaces they
// may access; Run drives its periodic synchronization.
// NOTE(review): as a periodically refreshed cache, its answers can lag the
// live RBAC state — an RBAC change (including a revocation) is presumably
// not visible until the next sync. Confirm the acceptable staleness window
// before relying on List for access decisions.
type AuthorizationCache struct {
	// contains filtered or unexported fields
}
AuthorizationCache maintains a cache of the set of workspaces a user or group can access. Because the cache is refreshed periodically (see Run), its contents may lag behind the current RBAC state; in particular, a binding that has been removed may continue to grant visibility until the next sync completes.
func NewAuthorizationCache ¶
func NewAuthorizationCache( workspaceLister workspacelisters.ClusterWorkspaceLister, workspaceLastSyncResourceVersioner LastSyncResourceVersioner, reviewer *Reviewer, reviewTemplate authorizer.AttributesRecord, informers rbacv1informers.Interface, ) *AuthorizationCache
NewAuthorizationCache creates a new AuthorizationCache
func (*AuthorizationCache) AddWatcher ¶
func (ac *AuthorizationCache) AddWatcher(watcher CacheWatcher)
func (*AuthorizationCache) GetClusterRoleLister ¶
func (ac *AuthorizationCache) GetClusterRoleLister() SyncedClusterRoleLister
func (*AuthorizationCache) List ¶
func (ac *AuthorizationCache) List(userInfo user.Info, labelSelector labels.Selector, fieldSelector fields.Selector) (*workspaceapi.ClusterWorkspaceList, error)
List returns the ClusterWorkspaces, narrowed by labelSelector and fieldSelector, that userInfo is permitted to view according to the cache's current (possibly stale) state.
func (*AuthorizationCache) ListAllWorkspaces ¶
func (ac *AuthorizationCache) ListAllWorkspaces(selector labels.Selector) (*workspaceapi.ClusterWorkspaceList, error)
ListAllWorkspaces returns every workspace that matches the given selector, with no per-user authorization filtering. Its result must not be exposed to a caller without an independent authorization check.
func (*AuthorizationCache) ReadyForAccess ¶
func (ac *AuthorizationCache) ReadyForAccess() bool
func (*AuthorizationCache) RemoveWatcher ¶
func (ac *AuthorizationCache) RemoveWatcher(watcher CacheWatcher)
func (*AuthorizationCache) Run ¶
func (ac *AuthorizationCache) Run(period time.Duration, stopCh <-chan struct{})
Run begins watching and synchronizing the cache, re-evaluating access at the given period until stopCh is closed. Callers should check ReadyForAccess before serving List results, since the cache cannot answer authoritatively before its first synchronization.
type CacheWatcher ¶
type CacheWatcher interface {
	// GroupMembershipChanged is called serially for all changes for all watchers. This method MUST NOT BLOCK.
	// The serial nature makes reasoning about the code easy, but if you block in this method you will doom all watchers.
	// Implementations that need to do real work should hand the event off (for example
	// to a buffered channel or work queue) and return immediately: a single slow watcher
	// stalls delivery of every subsequent membership change to every other watcher.
	GroupMembershipChanged(workspaceName string, users, groups sets.String)
}
type LastSyncResourceVersioner ¶
type LastSyncResourceVersioner interface {
	// LastSyncResourceVersion reports the resourceVersion observed at the most
	// recent sync, letting callers judge how fresh a lister's view is.
	LastSyncResourceVersion() string
}
LastSyncResourceVersioner is any object that can divulge a LastSyncResourceVersion
type Lister ¶
type Lister interface {
	// List returns the list of ClusterWorkspace items that the user can access.
	// The selectors only narrow the result; authorization filtering is keyed on user.
	List(user user.Info, labelSelector labels.Selector, fieldSelector fields.Selector) (*workspaceapi.ClusterWorkspaceList, error)
}
Lister enforces the ability to enumerate a resource based on the caller's roles.
type Review ¶
Review is a list of users and groups that can access a resource. It is also possible that the authorization check encountered some errors (e.g. if it couldn't resolve certain role bindings). Any errors encountered are stored in EvaluationError. Callers must inspect EvaluationError before trusting the user and group lists: a Review produced with errors may be incomplete and should not be treated as an authoritative statement of who can access the resource.
type Reviewer ¶
// Reviewer wraps an rbac.SubjectLocator and splits the subjects it resolves
// for a set of attributes into users and groups (see Review).
type Reviewer struct {
	// contains filtered or unexported fields
}
Reviewer is a wrapper around rbac.SubjectLocator that parses the allowed subjects and splits them into users and groups.
func NewReviewer ¶
func NewReviewer(subjectLocator rbac.SubjectLocator) *Reviewer
NewReviewer returns a new Reviewer that uses subjectLocator.
func (*Reviewer) Authorize ¶
func (r *Reviewer) Authorize(ctx context.Context, attributes kauthorizer.Attributes) (authorized kauthorizer.Decision, reason string, err error)
func (*Reviewer) Review ¶
func (r *Reviewer) Review(attributes kauthorizer.Attributes) Review
Review returns a Review for attributes.
type SyncedClusterRoleBindingLister ¶
// SyncedClusterRoleBindingLister is a ClusterRoleBindingLister that can also
// report the resourceVersion of its last sync, so consumers can detect a stale view.
type SyncedClusterRoleBindingLister interface {
	rbacv1listers.ClusterRoleBindingLister
	LastSyncResourceVersioner
}
type SyncedClusterRoleLister ¶
// SyncedClusterRoleLister is a ClusterRoleLister that can also report the
// resourceVersion of its last sync, so consumers can detect a stale view.
type SyncedClusterRoleLister interface {
	rbacv1listers.ClusterRoleLister
	LastSyncResourceVersioner
}
type WatchableCache ¶
// WatchableCache is the subset of AuthorizationCache that a per-user watcher
// needs: listing the workspaces a user may see and unregistering itself.
// NOTE(review): AddWatcher is not part of this interface even though the
// concrete AuthorizationCache exposes it; confirm where watchers are registered.
type WatchableCache interface {
	// RemoveWatcher removes a watcher
	RemoveWatcher(CacheWatcher)
	// List returns the set of workspace names the user has access to view
	List(userInfo user.Info, labelSelector labels.Selector, fieldSelector fields.Selector) (*workspaceapi.ClusterWorkspaceList, error)
}