Documentation ¶
Index ¶
- Variables
- func NewStore(sql db.DB, features featuremgmt.FeatureToggles) *store
- type Assignments
- type BuiltinResourceHookFunc
- type DeleteResourcePermissionsCmd
- type Description
- type GetResourcePermissionsQuery
- type InheritedScopesSolver
- type Options
- type ResourceHooks
- type ResourceValidator
- type Service
- func (s *Service) DeleteResourcePermissions(ctx context.Context, orgID int64, resourceID string) error
- func (s *Service) GetPermissions(ctx context.Context, user *user.SignedInUser, resourceID string) ([]accesscontrol.ResourcePermission, error)
- func (s *Service) MapActions(permission accesscontrol.ResourcePermission) string
- func (s *Service) SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
- func (s *Service) SetPermissions(ctx context.Context, orgID int64, resourceID string, ...) ([]accesscontrol.ResourcePermission, error)
- func (s *Service) SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
- func (s *Service) SetUserPermission(ctx context.Context, orgID int64, user accesscontrol.User, ...) (*accesscontrol.ResourcePermission, error)
- type SetResourcePermissionCommand
- type SetResourcePermissionsCommand
- type Store
- type TeamResourceHookFunc
- type User
- type UserResourceHookFunc
Constants ¶
This section is empty.
Variables ¶
// Sentinel errors exported by this package. Callers should match them with
// errors.Is rather than comparing message text.
var (
	// ErrInvalidPermission carries the message "invalid permission".
	// NOTE(review): presumably returned when a requested permission name is not
	// a key of Options.PermissionsToActions — confirm against the implementation.
	ErrInvalidPermission = errors.New("invalid permission")
	// ErrInvalidAssignment carries the message "invalid assignment".
	// NOTE(review): presumably returned when the target kind (user, team or
	// built-in role) is not enabled in Options.Assignments — confirm.
	ErrInvalidAssignment = errors.New("invalid assignment")
)
Functions ¶
func NewStore ¶
func NewStore(sql db.DB, features featuremgmt.FeatureToggles) *store
Types ¶
type Assignments ¶
type BuiltinResourceHookFunc ¶
type Description ¶
// Description is a JSON-serialisable pair of the Assignments value and a list
// of permission names.
// NOTE(review): presumably this is what the API returns to describe which
// assignment kinds and permission names a resource supports — confirm.
type Description struct {
	// Assignments is encoded under the "assignments" key.
	Assignments Assignments `json:"assignments"`
	// Permissions is encoded under the "permissions" key.
	Permissions []string `json:"permissions"`
}
type InheritedScopesSolver ¶
type Options ¶
// Options is the configuration passed to New. It describes the resource the
// permissions apply to, which targets may receive permissions, how friendly
// permission names map to access control actions, and the optional hooks and
// middleware that run around permission changes.
type Options struct {
	// Resource is the action and scope prefix that is generated
	Resource string
	// ResourceAttribute is the attribute the scope should be based on (e.g. id or uid)
	ResourceAttribute string
	// OnlyManaged will tell the service to return all permissions if set to false and only managed permissions if set to true
	OnlyManaged bool
	// ResourceValidator is a validator function that will be called before each assignment.
	// If set to nil the validator will be skipped
	// NOTE(review): with a nil validator no per-assignment check of the resource
	// runs here; confirm that the resource ID is validated elsewhere before a
	// permission is written for it.
	ResourceValidator ResourceValidator
	// Assignments decides what we can assign permissions to (users/teams/builtInRoles)
	Assignments Assignments
	// PermissionsToActions is a map of friendly named permissions and what access control actions they should generate.
	// E.g. Edit permissions should generate dashboards:read, dashboards:write and dashboards:delete
	PermissionsToActions map[string][]string
	// ReaderRoleName is the display name for the generated fixed reader role
	ReaderRoleName string
	// WriterRoleName is the display name for the generated fixed writer role
	WriterRoleName string
	// RoleGroup is the group name for the generated fixed roles
	RoleGroup string
	// OnSetUser if configured will be called each time a permission is set for a user
	// NOTE(review): the hook receives the *db.Session; presumably it runs in the
	// same session as the permission write, so a returned error aborts it — confirm.
	OnSetUser func(session *db.Session, orgID int64, user accesscontrol.User, resourceID, permission string) error
	// OnSetTeam if configured will be called each time a permission is set for a team
	OnSetTeam func(session *db.Session, orgID, teamID int64, resourceID, permission string) error
	// OnSetBuiltInRole if configured will be called each time a permission is set for a built-in role
	OnSetBuiltInRole func(session *db.Session, orgID int64, builtInRole, resourceID, permission string) error
	// InheritedScopesSolver if configured can generate additional scopes that will be used when fetching permissions for a resource
	InheritedScopesSolver InheritedScopesSolver
	// LicenseMW if configured is applied to endpoints that can modify permissions
	// NOTE(review): when left unset, presumably no license middleware guards the
	// modifying endpoints; confirm that authorization is enforced independently of it.
	LicenseMW web.Handler
}
type ResourceHooks ¶
// ResourceHooks bundles one hook function per assignment target. It is the
// hooks argument of Store.SetResourcePermissions.
// NOTE(review): whether a nil hook field is skipped or dereferenced is not
// visible here — confirm before leaving a field unset.
type ResourceHooks struct {
	// User is the hook for permissions set on a user.
	User UserResourceHookFunc
	// Team is the hook for permissions set on a team.
	Team TeamResourceHookFunc
	// BuiltInRole is the hook for permissions set on a built-in role.
	BuiltInRole BuiltinResourceHookFunc
}
type ResourceValidator ¶
type Service ¶
// Service is the type returned by New. Its exported methods read, set and
// delete permissions on a resource for users, teams and built-in roles.
type Service struct {
// contains filtered or unexported fields
}
Service is used to create the access control subsystem, including the API and the service, for managed resource permissions.
func New ¶
func New( options Options, features featuremgmt.FeatureToggles, router routing.RouteRegister, license licensing.Licensing, ac accesscontrol.AccessControl, service accesscontrol.Service, sqlStore db.DB, teamService team.Service, userService user.Service, ) (*Service, error)
func (*Service) DeleteResourcePermissions ¶
func (*Service) GetPermissions ¶
func (s *Service) GetPermissions(ctx context.Context, user *user.SignedInUser, resourceID string) ([]accesscontrol.ResourcePermission, error)
func (*Service) MapActions ¶
func (s *Service) MapActions(permission accesscontrol.ResourcePermission) string
func (*Service) SetBuiltInRolePermission ¶
func (s *Service) SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
func (*Service) SetPermissions ¶
func (s *Service) SetPermissions( ctx context.Context, orgID int64, resourceID string, commands ...accesscontrol.SetResourcePermissionCommand, ) ([]accesscontrol.ResourcePermission, error)
func (*Service) SetTeamPermission ¶
func (s *Service) SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
func (*Service) SetUserPermission ¶
func (s *Service) SetUserPermission(ctx context.Context, orgID int64, user accesscontrol.User, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
type SetResourcePermissionsCommand ¶
// SetResourcePermissionsCommand is one entry of the batch accepted by
// Store.SetResourcePermissions. It pairs an assignment target with the
// embedded SetResourcePermissionCommand.
// NOTE(review): presumably exactly one of User, TeamID and BuiltinRole is
// meant to be set per command; how an entry with several (or none) set is
// handled is not visible here — confirm against the store implementation.
type SetResourcePermissionsCommand struct {
	// User is the target user, if the permission is for a user.
	User accesscontrol.User
	// TeamID is the target team, if the permission is for a team.
	TeamID int64
	// BuiltinRole is the target built-in role name, if the permission is for a built-in role.
	BuiltinRole string
	// SetResourcePermissionCommand is embedded, so its fields are promoted onto this type.
	SetResourcePermissionCommand
}
type Store ¶
// Store is the persistence interface for managed resource permissions. Every
// method takes the orgID the operation applies to.
// NOTE(review): no method takes the calling identity (the user argument of
// SetUserResourcePermission is the assignment target), so the store itself
// presumably performs no authorization; confirm that callers check access and
// pass an orgID derived from the authenticated request before invoking it.
type Store interface {
	// SetUserResourcePermission sets permission for managed user role on a resource
	SetUserResourcePermission(
		ctx context.Context, orgID int64, user accesscontrol.User,
		cmd SetResourcePermissionCommand,
		hook UserResourceHookFunc,
	) (*accesscontrol.ResourcePermission, error)

	// SetTeamResourcePermission sets permission for managed team role on a resource
	SetTeamResourcePermission(
		ctx context.Context, orgID, teamID int64,
		cmd SetResourcePermissionCommand,
		hook TeamResourceHookFunc,
	) (*accesscontrol.ResourcePermission, error)

	// SetBuiltInResourcePermission sets permissions for managed builtin role on a resource
	SetBuiltInResourcePermission(
		ctx context.Context, orgID int64, builtinRole string,
		cmd SetResourcePermissionCommand,
		hook BuiltinResourceHookFunc,
	) (*accesscontrol.ResourcePermission, error)

	// SetResourcePermissions takes a batch of commands together with the hooks
	// for each target kind and returns the resulting resource permissions.
	// NOTE(review): whether the batch is applied atomically is not visible
	// from the signature — confirm.
	SetResourcePermissions(
		ctx context.Context, orgID int64,
		commands []SetResourcePermissionsCommand,
		hooks ResourceHooks,
	) ([]accesscontrol.ResourcePermission, error)

	// GetResourcePermissions will return all permission for supplied resource id
	GetResourcePermissions(ctx context.Context, orgID int64, query GetResourcePermissionsQuery) ([]accesscontrol.ResourcePermission, error)

	// DeleteResourcePermissions will delete all permissions for supplied resource id
	DeleteResourcePermissions(ctx context.Context, orgID int64, cmd *DeleteResourcePermissionsCmd) error
}
type TeamResourceHookFunc ¶
type UserResourceHookFunc ¶