Documentation
Overview
Package role manages roles in Kvdb and provides validation.

Copyright 2022 Pure Storage
Copyright 2018 Portworx

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Constants

```go
const (
	SystemAdminRoleName = "system.admin"
	SystemGuestRoleName = "system.guest"
)
```
Variables

```go
var (
	// Roles are the default roles to load on system startup
	// Should be prefixed by `system.` to avoid collisions
	DefaultRoles = map[string]*Role{
		SystemAdminRoleName: &Role{
			Rules: []*Rule{
				&Rule{
					Services: []string{"*"},
					Apis:     []string{"*"},
				},
			},
		},
		SystemGuestRoleName: &Role{
			Rules: []*Rule{
				&Rule{
					Services: []string{"!*"},
					Apis:     []string{"!*"},
				},
			},
		},
	}
)
```

```go
var File_role_proto protoreflect.FileDescriptor
```
Types

type GenericRoleManager

```go
type GenericRoleManager struct {
	// contains filtered or unexported fields
}
```

GenericRoleManager contains the roles to verify for RBAC.
func NewDefaultGenericRoleManager

```go
func NewDefaultGenericRoleManager() *GenericRoleManager
```

NewDefaultGenericRoleManager returns an RBAC API role manager that supports only the roles defined by DefaultRoles.
func NewGenericRoleManager

```go
func NewGenericRoleManager(tag string, roles map[string]*Role) *GenericRoleManager
```

NewGenericRoleManager returns an RBAC API role manager that supports only the roles defined by `roles`. `tag` is the prefix shared by the gRPC service names. For example, if the gRPC info.FullMethod is /openstorage.api.OpenStorage<service>/<method>, then the tag is "openstorage.api.OpenStorage"; this makes it possible to write only the "<service>" part in Rule.Services for convenience. If `tag` is "", the full service name from info.FullMethod must be provided in Rule.Services.
func (*GenericRoleManager) VerifyRules

```go
func (r *GenericRoleManager) VerifyRules(rules []*Rule, rootPath, fullmethod string) error
```

VerifyRules checks whether `rules` authorize use of the API called `fullmethod`. It returns nil when access is allowed and a non-nil error otherwise, so callers must treat any error as a denial.
type Role

```go
type Role struct {
	Name  string  `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	Rules []*Rule `protobuf:"bytes,2,rep,name=rules,proto3" json:"rules,omitempty"`
	// contains filtered or unexported fields
}
```
func (*Role) Descriptor (deprecated)

func (*Role) ProtoMessage

```go
func (*Role) ProtoMessage()
```

func (*Role) ProtoReflect

```go
func (x *Role) ProtoReflect() protoreflect.Message
```
type RoleManager

```go
type RoleManager interface {
	// Verify returns no error if the role exists and is allowed
	// to run the requested method
	Verify(ctx context.Context, roles []string, method string) error
}
```
RoleManager provides an implementation of the SDK Role handler and the necessary verification methods
type Rule

```go
type Rule struct {
	// The gRPC service name in `[tag]<service name>` in lowercase
	Services []string `protobuf:"bytes,1,rep,name=services,proto3" json:"services,omitempty"`
	// The API name in the service in lowercase
	Apis []string `protobuf:"bytes,2,rep,name=apis,proto3" json:"apis,omitempty"`
	// contains filtered or unexported fields
}
```
Rule is the message used to construct custom RBAC roles
#### Format

The following shows the supported format for Rule:

* Services: the gRPC service name in `[tag]<service name>`, in lowercase
* Apis: the API name within the service, in lowercase
Values can also be set to `*`, or start or end with `*`, to match multiple services or APIs.

Services and APIs can also be denied by prefixing the value with `!`. When an allow entry and a deny entry both match the same request, the denial always wins.
#### Examples

* Allow any call:

```yaml
Rule:
- Services: ["*"]
  Apis: ["*"]
```

* Allow only cluster operations:

```yaml
Rule:
- Services: ["cluster"]
  Apis: ["*"]
```

* Allow inspection of any object and listings of only volumes:

```yaml
Rule:
- Services: ["volumes"]
  Apis: ["*enumerate*"]
- Services: ["*"]
  Apis: ["inspect*"]
```

* Allow all volume calls except create:

```yaml
Rule:
- Services: ["volumes"]
  Apis: ["*", "!create"]
```
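To make the matching semantics of the Format and Examples sections concrete, the following is an added, self-contained Go illustration; it is not the package's own code and does not reproduce its internals. It implements the documented pattern forms (`*`, a leading or trailing `*`, `!` denial that wins over any allow) against a gRPC full method name and fails closed when no rule allows the call. The tag `example.api.Example`, the service and method names, and the helper names (`splitFullMethod`, `matchName`, `anyMatch`, `Authorize`) are constructed for this example and are not the real openstorage identifiers; how the real VerifyRules treats `rootPath` is not shown on this page and is not assumed here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Rule mirrors the documented shape: lowercase service and API names, each
// optionally wildcarded with a leading/trailing `*` or negated with `!`.
type Rule struct {
	Services []string
	Apis     []string
}

var ErrDenied = errors.New("access denied") // returned for every refusal

// splitFullMethod turns "/<tag><Service>/<Method>" into the lowercase
// (service, api) pair the rules match against, stripping the tag so a rule
// can name just "volumes". Malformed input is an error, never a match.
func splitFullMethod(tag, fullMethod string) (service, api string, err error) {
	parts := strings.SplitN(strings.TrimPrefix(fullMethod, "/"), "/", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("malformed full method %q", fullMethod)
	}
	service, api = strings.ToLower(parts[0]), strings.ToLower(parts[1])
	if lt := strings.ToLower(tag); lt != "" {
		if !strings.HasPrefix(service, lt) {
			return "", "", fmt.Errorf("service %q lacks tag %q", parts[0], tag)
		}
		service = strings.TrimPrefix(service, lt)
	}
	return service, api, nil
}

// matchName: "*" matches anything, "foo*" is a prefix match, "*foo" a suffix
// match, "*foo*" a substring match, anything else must match exactly.
func matchName(pattern, name string) bool {
	if pattern == "*" {
		return true
	}
	pre, suf := strings.HasPrefix(pattern, "*"), strings.HasSuffix(pattern, "*")
	core := strings.Trim(pattern, "*")
	switch {
	case pre && suf:
		return strings.Contains(name, core)
	case pre:
		return strings.HasSuffix(name, core)
	case suf:
		return strings.HasPrefix(name, core)
	}
	return pattern == name
}

// anyMatch tests name against only the negated (`!`-prefixed) or only the
// plain patterns in the list, so allow and deny entries are never confused.
func anyMatch(patterns []string, name string, negated bool) bool {
	for _, p := range patterns {
		if strings.HasPrefix(p, "!") == negated && matchName(strings.TrimPrefix(p, "!"), name) {
			return true
		}
	}
	return false
}

// ruleDenies: a negated service denies the whole service; a negated API
// denies that API within the services the rule covers.
func ruleDenies(r *Rule, service, api string) bool {
	return anyMatch(r.Services, service, true) ||
		(anyMatch(r.Services, service, false) && anyMatch(r.Apis, api, true))
}

// ruleAllows requires a plain service pattern AND a plain API pattern to match.
func ruleAllows(r *Rule, service, api string) bool {
	return anyMatch(r.Services, service, false) && anyMatch(r.Apis, api, false)
}

// Authorize evaluates every denial before any allow, so a deny wins regardless
// of rule order, and treats "no matching allow" as a denial (fail closed).
func Authorize(rules []*Rule, tag, fullMethod string) error {
	service, api, err := splitFullMethod(tag, fullMethod)
	if err != nil {
		return err
	}
	for _, r := range rules {
		if ruleDenies(r, service, api) {
			return fmt.Errorf("%w: %s/%s explicitly denied", ErrDenied, service, api)
		}
	}
	for _, r := range rules {
		if ruleAllows(r, service, api) {
			return nil
		}
	}
	return fmt.Errorf("%w: no rule allows %s/%s", ErrDenied, service, api)
}

func main() {
	// Constructed tag and service names, not the real openstorage ones.
	const tag = "example.api.Example"
	allButCreate := []*Rule{{Services: []string{"volumes"}, Apis: []string{"*", "!create"}}}
	for _, m := range []string{"/example.api.ExampleVolumes/Enumerate", "/example.api.ExampleVolumes/Create", "/example.api.ExampleCluster/Inspect"} {
		fmt.Printf("%-38s %v\n", m, Authorize(allButCreate, tag, m))
	}
}
```

Two points worth noting when writing rules: the "all volume calls except create" role only works because denials are collected across every rule before any allow is honoured, so reordering the entries cannot reopen `create`; and a request for a service no rule names (here `cluster`) is refused not because it is denied but because nothing allows it, which is why the `system.guest` role can be expressed as `!*`/`!*` and still be safe if an allow rule is later added by mistake.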
func (*Rule) Descriptor (deprecated)

func (*Rule) GetServices

func (*Rule) ProtoMessage

```go
func (*Rule) ProtoMessage()
```

func (*Rule) ProtoReflect

```go
func (x *Rule) ProtoReflect() protoreflect.Message
```