authorization

package
v0.8.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 2, 2022 License: Apache-2.0 Imports: 31 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	APIBindingContentAuditPrefix   = "apibinding.authorization.kcp.dev/"
	APIBindingContentAuditDecision = APIBindingContentAuditPrefix + "decision"
	APIBindingContentAuditReason   = APIBindingContentAuditPrefix + "reason"
)
View Source 
const (
	BootstrapPolicyAuditPrefix   = "bootstrap.authorization.kcp.dev/"
	BootstrapPolicyAuditDecision = BootstrapPolicyAuditPrefix + "decision"
	BootstrapPolicyAuditReason   = BootstrapPolicyAuditPrefix + "reason"
)
View Source 
const (
	DecisionNoOpinion = "NoOpinion"
	DecisionAllowed   = "Allowed"
	DecisionDenied    = "Denied"
)
View Source 
const (
	LocalAuditPrefix   = "local.authorization.kcp.dev/"
	LocalAuditDecision = LocalAuditPrefix + "decision"
	LocalAuditReason   = LocalAuditPrefix + "reason"
)
View Source 
const (
	SystemCRDAuditPrefix   = "systemcrd.authorization.kcp.dev/"
	SystemCRDAuditDecision = SystemCRDAuditPrefix + "decision"
	SystemCRDAuditReason   = SystemCRDAuditPrefix + "reason"
)
View Source 
const (
	TopLevelContentAuditPrefix   = "toplevel.authorization.kcp.dev/"
	TopLevelContentAuditDecision = TopLevelContentAuditPrefix + "decision"
	TopLevelContentAuditReason   = TopLevelContentAuditPrefix + "reason"
)
View Source 
const (
	WorkspaceAcccessNotPermittedReason = "workspace access not permitted"

	WorkspaceContentAuditPrefix   = "content.authorization.kcp.dev/"
	WorkspaceContentAuditDecision = WorkspaceContentAuditPrefix + "decision"
	WorkspaceContentAuditReason   = WorkspaceContentAuditPrefix + "reason"
)

Variables

This section is empty.

Functions

func IsDeepSubjectAccessReviewFrom added in v0.8.0 

func IsDeepSubjectAccessReviewFrom(ctx context.Context, attr authorizer.Attributes) bool

IsDeepSubjectAccessReviewFrom returns whether this is a deep SAR request. If true, top-level workspace and workspace content authorization checks have to be skipped.

func NewAPIBindingAccessAuthorizer added in v0.6.0 

func NewAPIBindingAccessAuthorizer(kubeInformers kubernetesinformers.SharedInformerFactory, kcpInformers kcpinformers.SharedInformerFactory, delegate authorizer.Authorizer) (authorizer.Authorizer, error)

NewAPIBindingAccessAuthorizer returns an authorizer that checks if the the request is for a bound resource or not. If the resource is bound we will check the user has RBAC access in the exported resources workspace. If it is not allowed we will return NoDecision, if allowed we will call the delegate authorizer.

func NewBootstrapPolicyAuthorizer 

func NewBootstrapPolicyAuthorizer(informers kubernetesinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)

func NewLocalAuthorizer 

func NewLocalAuthorizer(versionedInformers kubernetesinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)

func NewSystemCRDAuthorizer added in v0.6.0 

func NewSystemCRDAuthorizer(delegate authorizer.Authorizer) authorizer.Authorizer

func NewTopLevelOrganizationAccessAuthorizer added in v0.6.0 

func NewTopLevelOrganizationAccessAuthorizer(versionedInformers kubernetesinformers.SharedInformerFactory, clusterWorkspaceLister tenancylisters.ClusterWorkspaceLister, delegate authorizer.Authorizer) authorizer.Authorizer

NewTopLevelOrganizationAccessAuthorizer returns an authorizer that checks for access+member verb in clusterworkspaces/content of the top-level workspace the request workspace is nested in. If one of these verbs are admitted, the delegate authorizer is called. Otherwise, NoOpionion is returned if the top-level workspace exists, and Deny otherwise.

func NewWorkspaceContentAuthorizer 

func NewWorkspaceContentAuthorizer(versionedInformers kubernetesinformers.SharedInformerFactory, clusterWorkspaceLister tenancylisters.ClusterWorkspaceLister, delegate authorizer.Authorizer) authorizer.Authorizer

func WithDeepSARConfig added in v0.8.0 

func WithDeepSARConfig(config *rest.Config) *rest.Config

WithDeepSARConfig modifies and returns the input rest.Config with an additional header making SARs to be deep.

func WithDeepSubjectAccessReview added in v0.8.0 

func WithDeepSubjectAccessReview(handler http.Handler) http.Handler

WithDeepSubjectAccessReview attaches to the context that this request has set the DeepSubjectAccessReview header. The header is ignored for non-system:master users and for non-SAR request.

A deep SAR request skips top-level workspace and workspace content authorization checks.

Types

type BootstrapPolicyAuthorizer added in v0.8.0 

type BootstrapPolicyAuthorizer struct {
	// contains filtered or unexported fields
}

func (*BootstrapPolicyAuthorizer) Authorize added in v0.8.0 

func (a *BootstrapPolicyAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)

func (*BootstrapPolicyAuthorizer) RulesFor added in v0.8.0 

func (a *BootstrapPolicyAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)

type LocalAuthorizer 

type LocalAuthorizer struct {
	// contains filtered or unexported fields
}

func (*LocalAuthorizer) Authorize 

func (a *LocalAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)

func (*LocalAuthorizer) RulesFor 

func (a *LocalAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)

type SystemCRDAuthorizer added in v0.6.0 

type SystemCRDAuthorizer struct {
	// contains filtered or unexported fields
}

SystemCRDAuthorizer protects the system CRDs from users who are admins in their workspaces.

func (*SystemCRDAuthorizer) Authorize added in v0.6.0 

func (a *SystemCRDAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.