Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
// Built-in role definitions. A Role is a named bundle of Rules, and each
// Rule pairs a set of Resources with the Actions permitted on them.
//
// What the defaults grant, read directly off the rules below:
//   - readonly: List/Get on buckets and objects.
//   - user:     readonly, plus Create/Delete/Update on objects.
//   - editor:   user, plus Create/Delete/Update/Publish/Unpublish on buckets.
//   - admin:    editor, plus List/Get on roles, and List/Get/Create/Delete/
//     Update on bucket ACLs and on role bindings.
//
// Points worth keeping in mind when handing these out:
//   - No default role may Create/Update/Delete a Role; admin can only read
//     them. Roles are defined statically in this package.
//   - admin may Create and Update role bindings, so any admin can bind any
//     role -- admin included -- to any user or group. Granting admin is
//     therefore granting the ability to mint further admins.
//   - None of the defaults grants any action on CustomerResource.
var (
	// ReadOnlyRole: read-only access to buckets and objects.
	ReadOnlyRole = Role{
		Name:        "readonly",
		DisplayName: "ReadOnly",
		Rules: []Rule{
			{
				Resources: []Resource{BucketResource, ObjectResource},
				Actions:   []Action{List, Get},
			},
		},
	}

	// UserRole: read buckets, full object lifecycle.
	UserRole = Role{
		Name:        "user",
		DisplayName: "User",
		Rules: []Rule{
			{
				Resources: []Resource{BucketResource},
				Actions:   []Action{List, Get},
			},
			{
				Resources: []Resource{ObjectResource},
				Actions:   []Action{List, Get, Create, Delete, Update},
			},
		},
	}

	// EditorRole: full bucket lifecycle (incl. publish/unpublish) and
	// full object lifecycle.
	EditorRole = Role{
		Name:        "editor",
		DisplayName: "Editor",
		Rules: []Rule{
			{
				Resources: []Resource{BucketResource},
				Actions:   []Action{List, Get, Create, Delete, Update, Publish, Unpublish},
			},
			{
				Resources: []Resource{ObjectResource},
				Actions:   []Action{List, Get, Create, Delete, Update},
			},
		},
	}

	// AdminRole: everything editor has, plus read access to roles and
	// full management of bucket ACLs and role bindings.
	AdminRole = Role{
		Name:        "admin",
		DisplayName: "Admin",
		Rules: []Rule{
			{
				Resources: []Resource{BucketResource},
				Actions:   []Action{List, Get, Create, Delete, Update, Publish, Unpublish},
			},
			{
				Resources: []Resource{ObjectResource},
				Actions:   []Action{List, Get, Create, Delete, Update},
			},
			{
				// Read-only on roles: no default role can change role definitions.
				Resources: []Resource{RoleResource},
				Actions:   []Action{List, Get},
			},
			{
				Resources: []Resource{BucketAclResource},
				Actions:   []Action{List, Get, Create, Delete, Update},
			},
			{
				// Create/Update here is what lets an admin grant roles to others.
				Resources: []Resource{RoleBindingResource},
				Actions:   []Action{List, Get, Update, Create, Delete},
			},
		},
	}
)
// DefaultRoles lists the built-in roles in ascending order of privilege:
// readonly, user, editor, admin (each one's rules are a superset of the
// previous one's). It is a plain package-level slice, so callers that pass
// it to NewEngine share its backing array with everyone else in the process;
// do not mutate it in place.
//
// TODO manage roles in etcd store (TIPC-958)
var DefaultRoles = []Role{
	ReadOnlyRole,
	UserRole,
	EditorRole,
	AdminRole,
}
Functions ¶
This section is empty.
Types ¶
type Engine ¶
// Engine defines the API for RBAC engine.
//
// The engine decides purely from the Request it is given. Nothing at this
// interface verifies r.UserID or r.Groups, so callers must fill them from an
// authenticated identity rather than from client-supplied input; otherwise a
// client can choose its own group memberships.
type Engine interface {
	// Evaluate returns the decision of the engine against the given request
	Evaluate(r Request) Decision
}
Engine defines the API of the RBAC engine: a single Evaluate call that turns a Request into a Decision. Nothing at this interface authenticates the request's UserID or Groups, so callers must populate them from a trusted identity source.
func NewEngine ¶
func NewEngine(roles []Role, roleBindings []RoleBinding) Engine
NewEngine creates an RBAC evaluation engine over the given roles and role bindings. Bindings refer to roles by name through RoleRef; whether a binding whose RoleRef matches none of the supplied roles is rejected here or silently ignored is not visible from the signature, so confirm that before relying on it.
type Request ¶
// Request represents the RBAC authorization request: who (UserID, Groups)
// is attempting which Action on which kind of Resource (Target).
//
// The decision is made from these fields alone, so they must come from a
// trusted source. In particular, Groups copied from an unverified client
// payload would let a caller grant itself any group-bound role.
type Request struct {
	UserID string   `json:"userId"` // user identifier, i.e. KPN ruisnaam (NOTE(review): presumably the corporate login name -- confirm)
	Groups []string `json:"groups"` // available groups that the user belongs to (presumably matched against GroupType subjects in role bindings)
	Action Action   `json:"action"` // the operation being attempted
	Target Resource `json:"target"` // the resource kind acted on (e.g. ObjectResource), not a specific instance
}
Request represents an RBAC authorization request: the identity (UserID and Groups), the Action, and the Resource kind it targets. Note that Target is a resource kind, not a specific bucket or object.
type Resource ¶
// Resource names a kind of thing the RBAC model protects. Values are
// "oss:"-prefixed kind identifiers, not references to individual instances.
type Resource string

// Resource kinds known to the RBAC model.
const (
	BucketResource      Resource = "oss:bucket"
	BucketAclResource   Resource = "oss:bucket-acl"
	ObjectResource      Resource = "oss:object"
	RoleResource        Resource = "oss:role"
	RoleBindingResource Resource = "oss:role-binding"
	CustomerResource    Resource = "oss:customer" // no default role grants any action on this kind
	UnknownResource     Resource = "oss:unknown"
)
func Str2Resource ¶
type Role ¶
// Role represents a role element in the RBAC model: a named set of Rules,
// each granting Actions on Resources. Name is the identifier a RoleBinding
// refers to via RoleRef; DisplayName is presentational only.
type Role struct {
	Name        string `json:"name"`        // identifier referenced by RoleBinding.RoleRef
	DisplayName string `json:"displayName"` // human-readable label
	Rules       []Rule `json:"rules"`       // permissions granted by this role
}
Role represents a named role in the RBAC model: a set of Rules, each granting Actions on Resources. A RoleBinding refers to a Role by its Name.
type RoleBinding ¶
// RoleBinding defines the link from Role with specific permissions to the
// given subjects, which can be either users or group of users.
//
// RoleRef is a plain string naming a Role; nothing in this type checks that
// it resolves to a known role, so a binding built from external data should
// be validated against the role set before it is installed.
type RoleBinding struct {
	Name      string    `json:"name"`
	CreatedAt time.Time `json:"createdAt,omitempty"` // default is IS8601 (RFC3339) date format
	Subjects  []Subject `json:"subjects"`             // users and/or groups receiving the role
	RoleRef   string    `json:"roleRef"`              // Role.Name of the role being granted
}
RoleBinding links a Role (by name, via RoleRef) to a set of Subjects, each of which is either a user or a group of users.
func NewRoleBindingFromBytes ¶
func NewRoleBindingFromBytes(data []byte) (*RoleBinding, error)
NewRoleBindingFromBytes deserializes a RoleBinding from its JSON byte representation (the struct's json tags define the format). Whether the result is validated — that RoleRef names an existing role, that each Subject.Type is a known SubjectType — is not visible from the signature; callers feeding it untrusted input should confirm, or validate the binding themselves before installing it.
type Subject ¶
// Subject identifies one recipient of a RoleBinding: Type says whether Value
// is a user identifier or a group name. Value is a free-form string; how it
// is matched against Request.UserID / Request.Groups is not defined here.
type Subject struct {
	Type  SubjectType `json:"type"`  // UserType or GroupType
	Value string      `json:"value"` // the user identifier or group name
}
type SubjectType ¶
// SubjectType distinguishes the two kinds of Subject a RoleBinding can name.
type SubjectType string

// Known subject types.
const (
	UserType  SubjectType = "user"  // Subject.Value is a single user identifier
	GroupType SubjectType = "group" // Subject.Value is a group name
)