Documentation
¶
Index ¶
- Variables
- func NewStore(sql db.DB, features featuremgmt.FeatureToggles) *store
- type Assignments
- type BuiltinResourceHookFunc
- type DeleteResourcePermissionsCmd
- type Description
- type GetResourcePermissionsQuery
- type InheritedScopesSolver
- type Options
- type ResourceHooks
- type ResourceValidator
- type Service
- func (s *Service) DeleteResourcePermissions(ctx context.Context, orgID int64, resourceID string) error
- func (s *Service) GetPermissions(ctx context.Context, user *user.SignedInUser, resourceID string) ([]accesscontrol.ResourcePermission, error)
- func (s *Service) MapActions(permission accesscontrol.ResourcePermission) string
- func (s *Service) SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
- func (s *Service) SetPermissions(ctx context.Context, orgID int64, resourceID string, ...) ([]accesscontrol.ResourcePermission, error)
- func (s *Service) SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
- func (s *Service) SetUserPermission(ctx context.Context, orgID int64, user accesscontrol.User, ...) (*accesscontrol.ResourcePermission, error)
- type SetResourcePermissionCommand
- type SetResourcePermissionsCommand
- type Store
- type TeamResourceHookFunc
- type User
- type UserResourceHookFunc
Constants ¶
This section is empty.
Variables ¶
View Source
var ( ErrInvalidPermission = errors.New("invalid permission") ErrInvalidAssignment = errors.New("invalid assignment") )
Functions ¶
func NewStore ¶
func NewStore(sql db.DB, features featuremgmt.FeatureToggles) *store
Types ¶
type Assignments ¶
type BuiltinResourceHookFunc ¶
type Description ¶
type Description struct {
Assignments Assignments `json:"assignments"`
Permissions []string `json:"permissions"`
}
type InheritedScopesSolver ¶
type Options ¶
type Options struct {
// Resource is the action and scope prefix that is generated
Resource string
// ResourceAttribute is the attribute the scope should be based on (e.g. id or uid)
ResourceAttribute string
// OnlyManaged will tell the service to return all permissions if set to false and only managed permissions if set to true
OnlyManaged bool
// ResourceValidator is a validator function that will be called before each assignment.
// If set to nil the validator will be skipped
ResourceValidator ResourceValidator
// Assignments decides what we can assign permissions to (users/teams/builtInRoles)
Assignments Assignments
// PermissionsToAction is a map of friendly named permissions and what access control actions they should generate.
// E.g. Edit permissions should generate dashboards:read, dashboards:write and dashboards:delete
PermissionsToActions map[string][]string
// ReaderRoleName is the display name for the generated fixed reader role
ReaderRoleName string
// WriterRoleName is the display name for the generated fixed writer role
WriterRoleName string
// RoleGroup is the group name for the generated fixed roles
RoleGroup string
// OnSetUser if configured will be called each time a permission is set for a user
OnSetUser func(session *db.Session, orgID int64, user accesscontrol.User, resourceID, permission string) error
// OnSetTeam if configured will be called each time a permission is set for a team
OnSetTeam func(session *db.Session, orgID, teamID int64, resourceID, permission string) error
// OnSetBuiltInRole if configured will be called each time a permission is set for a built-in role
OnSetBuiltInRole func(session *db.Session, orgID int64, builtInRole, resourceID, permission string) error
// InheritedScopesSolver if configured can generate additional scopes that will be used when fetching permissions for a resource
InheritedScopesSolver InheritedScopesSolver
// LicenseMV if configured is applied to endpoints that can modify permissions
LicenseMW web.Handler
}
type ResourceHooks ¶
type ResourceHooks struct {
User UserResourceHookFunc
Team TeamResourceHookFunc
BuiltInRole BuiltinResourceHookFunc
}
type ResourceValidator ¶
type Service ¶
type Service struct {
// contains filtered or unexported fields
}
Service is used to create access control sub system including api / and service for managed resource permission
func New ¶
func New( options Options, features featuremgmt.FeatureToggles, router routing.RouteRegister, license licensing.Licensing, ac accesscontrol.AccessControl, service accesscontrol.Service, sqlStore db.DB, teamService team.Service, userService user.Service, ) (*Service, error)
func (*Service) DeleteResourcePermissions ¶
func (*Service) GetPermissions ¶
func (s *Service) GetPermissions(ctx context.Context, user *user.SignedInUser, resourceID string) ([]accesscontrol.ResourcePermission, error)
func (*Service) MapActions ¶
func (s *Service) MapActions(permission accesscontrol.ResourcePermission) string
func (*Service) SetBuiltInRolePermission ¶
func (s *Service) SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
func (*Service) SetPermissions ¶
func (s *Service) SetPermissions( ctx context.Context, orgID int64, resourceID string, commands ...accesscontrol.SetResourcePermissionCommand, ) ([]accesscontrol.ResourcePermission, error)
func (*Service) SetTeamPermission ¶
func (s *Service) SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
func (*Service) SetUserPermission ¶
func (s *Service) SetUserPermission(ctx context.Context, orgID int64, user accesscontrol.User, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
type SetResourcePermissionsCommand ¶
type SetResourcePermissionsCommand struct {
User accesscontrol.User
TeamID int64
BuiltinRole string
SetResourcePermissionCommand
}
type Store ¶
type Store interface {
// SetUserResourcePermission sets permission for managed user role on a resource
SetUserResourcePermission(
ctx context.Context, orgID int64,
user accesscontrol.User,
cmd SetResourcePermissionCommand,
hook UserResourceHookFunc,
) (*accesscontrol.ResourcePermission, error)
// SetTeamResourcePermission sets permission for managed team role on a resource
SetTeamResourcePermission(
ctx context.Context, orgID, teamID int64,
cmd SetResourcePermissionCommand,
hook TeamResourceHookFunc,
) (*accesscontrol.ResourcePermission, error)
// SetBuiltInResourcePermission sets permissions for managed builtin role on a resource
SetBuiltInResourcePermission(
ctx context.Context, orgID int64, builtinRole string,
cmd SetResourcePermissionCommand,
hook BuiltinResourceHookFunc,
) (*accesscontrol.ResourcePermission, error)
SetResourcePermissions(
ctx context.Context, orgID int64,
commands []SetResourcePermissionsCommand,
hooks ResourceHooks,
) ([]accesscontrol.ResourcePermission, error)
// GetResourcePermissions will return all permission for supplied resource id
GetResourcePermissions(ctx context.Context, orgID int64, query GetResourcePermissionsQuery) ([]accesscontrol.ResourcePermission, error)
// DeleteResourcePermissions will delete all permissions for supplied resource id
DeleteResourcePermissions(ctx context.Context, orgID int64, cmd *DeleteResourcePermissionsCmd) error
}
type TeamResourceHookFunc ¶
type UserResourceHookFunc ¶
Source Files
Click to show internal directories.
Click to hide internal directories.