
Overview

Package role manages roles in Kvdb and provides validation. Copyright 2018 Portworx

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Package role manages roles in Kvdb and provides validation. Copyright 2018 Portworx

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


Constants

const (
	// SystemAdminRoleName names the unrestricted default role: every API of
	// every service (see DefaultRoles).
	SystemAdminRoleName = "system.admin"
	// SystemViewRoleName names the read-mostly default role (enumerate, inspect,
	// stats, status, validate, capacityusage on all services, plus identity).
	SystemViewRoleName  = "system.view"
	// SystemUserRoleName names the default role with full access to the
	// storage-facing services and read-only cluster/node/policy access.
	SystemUserRoleName  = "system.user"
	// SystemGuestRoleName names the only Mutable default role. Its default
	// rules are broad for a "guest" (full volume/mountattach/cloudbackup/migrate
	// access); see the note on DefaultRoles.
	SystemGuestRoleName = "system.guest"
)

Variables

var (
	// DefaultRoles are the roles loaded into the system on startup.
	// Names should be prefixed by `system.` to avoid collisions with
	// operator-created roles.
	//
	// Each rule pairs a list of services with a list of API-name patterns.
	// "*" evidently acts as a wildcard and patterns such as "*enumerate*"
	// suggest glob-style matching, but the matching itself lives in
	// VerifyRules, not here — confirm there before relying on a pattern.
	//
	// Only system.guest is Mutable. Presumably Mutable=false means
	// SdkRoleManager.Update/Delete reject the other three — confirm in
	// those methods.
	DefaultRoles = map[string]*DefaultRole{

		// Unrestricted: every API of every service.
		SystemAdminRoleName: {
			Rules: []*api.SdkRule{
				{
					Services: []string{"*"},
					Apis:     []string{"*"},
				},
			},
			Mutable: false,
		},

		// Read-mostly access across all services, plus the whole identity service.
		SystemViewRoleName: {
			Rules: []*api.SdkRule{
				{
					Services: []string{"*"},
					Apis: []string{
						"*enumerate*",
						"inspect*",
						"stats",
						"status",
						"validate",
						"capacityusage",
					},
				},
				{
					Services: []string{"identity"},
					Apis:     []string{"*"},
				},
			},
			Mutable: false,
		},

		// Every API of the storage-facing services (including credentials),
		// read-only cluster/node and policy, and the whole identity service.
		SystemUserRoleName: {
			Rules: []*api.SdkRule{
				{
					Services: []string{
						"volume",
						"cloudbackup",
						"credentials",
						"objectstore",
						"schedulepolicy",
						"mountattach",
						"migrate",
					},
					Apis: []string{"*"},
				},
				{
					Services: []string{
						"cluster",
						"node",
					},
					Apis: []string{
						"inspect*",
						"enumerate*",
					},
				},
				{
					Services: []string{"identity"},
					Apis:     []string{"*"},
				},
				{
					Services: []string{"policy"},
					Apis: []string{
						"*enumerate*",
						"*inspect*",
					},
				},
			},
			Mutable: false,
		},

		// NOTE(review): despite the name, the guest default is broad — every API
		// of mountattach, volume, cloudbackup and migrate — and it is the only
		// mutable default. Which callers are mapped to this role is not visible
		// here (confirm against the caller); if it covers unauthenticated or
		// unrecognized callers, operators should tighten it via Update rather
		// than accept the default.
		SystemGuestRoleName: {
			Rules: []*api.SdkRule{
				{
					Services: []string{"mountattach", "volume", "cloudbackup", "migrate"},
					Apis:     []string{"*"},
				},
				{
					Services: []string{"identity"},
					Apis:     []string{"version"},
				},
				{
					Services: []string{
						"cluster",
						"node",
					},
					Apis: []string{
						"inspect*",
						"enumerate*",
					},
				},
			},
			Mutable: true,
		},
	}
)

Functions

func VerifyRules

func VerifyRules(rules []*api.SdkRule, rootPath, fullmethod string) error

VerifyRules checks whether `rules` authorize use of the API called `fullmethod`: it returns nil when the rules allow the call and a non-nil error otherwise. The role of `rootPath` is not documented here — presumably a prefix used when matching `fullmethod` against the rule patterns; confirm against the implementation before relying on it.

Types

type DefaultRole

// DefaultRole is a role loaded into the system on startup; the built-in set
// is DefaultRoles.
type DefaultRole struct {
	// Rules is the list of service/API-pattern pairs the role grants.
	Rules   []*api.SdkRule
	// Mutable reports whether the role may be changed after it is loaded.
	// Presumably false makes SdkRoleManager.Update/Delete reject the role —
	// confirm in those methods.
	Mutable bool
}

DefaultRole is a role loaded into the system on startup

type RoleManager

// RoleManager provides an implementation of the SDK Role handler
// (api.OpenStorageRoleServer) and the verification method the
// authorization path needs.
type RoleManager interface {
	api.OpenStorageRoleServer

	// Verify returns no error if the role exists and is allowed
	// to run the requested method. Any non-nil error should be
	// treated by callers as a denial.
	Verify(ctx context.Context, roles []string, method string) error
}

RoleManager provides an implementation of the SDK Role handler and the necessary verification methods

type SdkRoleManager

// SdkRoleManager is an implementation of RoleManager backed by Kvdb;
// construct it with NewSdkRoleManager.
type SdkRoleManager struct {
	// contains filtered or unexported fields
}

SdkRoleManager is an implementation of the RoleManager for the SDK

func NewSdkRoleManager

func NewSdkRoleManager(kv kvdb.Kvdb) (*SdkRoleManager, error)

NewSdkRoleManager returns a new SDK role manager

func (*SdkRoleManager) Create

Create saves a role in Kvdb

func (*SdkRoleManager) Delete

Delete removes a role from Kvdb

func (*SdkRoleManager) Enumerate

Enumerate returns a list of role names

func (*SdkRoleManager) Inspect

Inspect returns a role object

func (*SdkRoleManager) Update

Update replaces an existing role.

func (*SdkRoleManager) Verify

func (r *SdkRoleManager) Verify(ctx context.Context, roles []string, fullmethod string) error

Verify determines whether the given `roles` grant access to `fullmethod`. Consistent with RoleManager.Verify, it returns nil when access is allowed and a non-nil error when it is denied or a role does not exist; callers should treat any error as a denial.
