opsuser

package

v1.4.1 Latest Latest Go to latest Published: Jun 28, 2018 License: Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/lorbuschris/vic

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
func GrantDCReadOnlyPerms(ctx context.Context, session *session.Session, ...) error
func GrantOpsUserPerms(ctx context.Context, session *session.Session, ...) error
type RBACManager
- func NewRBACManager(ctx context.Context, session *session.Session, rbacConfig *rbac.Config, ...) (*RBACManager, error)

Constants ¶

This section is empty.

Variables ¶

View Source

var ClusterConf = buildConfig(RoleCluster)

Configuration for the ops-user with increased cluster-level permissions, required for managing DRS VM Groups

View Source

var DCReadOnlyConf = rbac.Config{
	Resources: []rbac.Resource{
		{
			Type:      rbac.DatacenterReadOnly,
			Propagate: false,
			Role:      RoleReadOnly,
		},
	},
}

View Source

var DRSConf = buildConfig(RoleDataStore)

DRSConf stores the RBAC configuration for the ops-user's roles in a DRS environment.

View Source

var NoDRSConf = buildConfig(RoleEndpointDatastore)

NoDRSConf stores the configuration for the ops-user's roles in a non-DRS environment. It is different from DRSConf in that RoleEndpointDatastore is used for the cluster instead of RoleDataStore. In a non-DRS environment, we need to apply the Endpoint and Datastore roles at the cluster level since there are no resource pools.

View Source

var RoleCluster = types.AuthorizationRole{
	Name: "cluster",
	Privilege: []string{
		"Datastore.AllocateSpace",
		"Datastore.Browse",
		"Datastore.Config",
		"Datastore.DeleteFile",
		"Datastore.FileManagement",
		"Host.Config.SystemManagement",
		"Host.Inventory.EditCluster",
	},
}

View Source

var RoleDataCenter = types.AuthorizationRole{
	Name: "datacenter",
	Privilege: []string{
		"Datastore.Config",
		"Datastore.FileManagement",
	},
}

View Source

var RoleDataStore = types.AuthorizationRole{
	Name: "datastore",
	Privilege: []string{
		"Datastore.AllocateSpace",
		"Datastore.Browse",
		"Datastore.Config",
		"Datastore.DeleteFile",
		"Datastore.FileManagement",
		"Host.Config.SystemManagement",
	},
}

View Source

var RoleEndpoint = types.AuthorizationRole{
	Name: "endpoint",
	Privilege: []string{
		"DVPortgroup.Modify",
		"DVPortgroup.PolicyOp",
		"DVPortgroup.ScopeOp",
		"Resource.AssignVMToPool",
		"Resource.ColdMigrate",
		"VirtualMachine.Config.AddExistingDisk",
		"VirtualMachine.Config.AddNewDisk",
		"VirtualMachine.Config.AddRemoveDevice",
		"VirtualMachine.Config.AdvancedConfig",
		"VirtualMachine.Config.EditDevice",
		"VirtualMachine.Config.RemoveDisk",
		"VirtualMachine.Config.Rename",
		"VirtualMachine.GuestOperations.Execute",
		"VirtualMachine.GuestOperations.Modify",
		"VirtualMachine.GuestOperations.Query",
		"VirtualMachine.Interact.DeviceConnection",
		"VirtualMachine.Interact.PowerOff",
		"VirtualMachine.Interact.PowerOn",
		"VirtualMachine.Inventory.Create",
		"VirtualMachine.Inventory.Delete",
		"VirtualMachine.Inventory.Register",
		"VirtualMachine.Inventory.Unregister",
	},
}

View Source

var RoleEndpointDatastore = types.AuthorizationRole{
	Name:      "endpoint-datastore",
	Privilege: append(RoleDataStore.Privilege, RoleEndpoint.Privilege...),
}

RoleEndpointDatastore combines the privileges of RoleDataStore and RoleEndpoint and is applied to the cluster in a non-DRS environment.

View Source

var RoleNetwork = types.AuthorizationRole{
	Name: "network",
	Privilege: []string{
		"Network.Assign",
	},
}

View Source

var RoleReadOnly = types.AuthorizationRole{
	Name:      "ReadOnly",
	Privilege: []string{},
}

Pre-existing ReadOnly Role, no need to specify the privileges

View Source

var RoleVCenter = types.AuthorizationRole{
	Name: "vcenter",
	Privilege: []string{
		"Datastore.Config",
		"Global.EnableMethods",
		"Global.DisableMethods",
	},
}

Functions ¶

func GrantDCReadOnlyPerms ¶

func GrantDCReadOnlyPerms(ctx context.Context, session *session.Session, configSpec *config.VirtualContainerHostConfigSpec) error

func GrantOpsUserPerms ¶

func GrantOpsUserPerms(ctx context.Context, session *session.Session, configSpec *config.VirtualContainerHostConfigSpec) error

Types ¶

type RBACManager ¶

type RBACManager struct {
	AuthzManager *rbac.AuthzManager
	// contains filtered or unexported fields
}

func NewRBACManager ¶

func NewRBACManager(ctx context.Context, session *session.Session, rbacConfig *rbac.Config, configSpec *config.VirtualContainerHostConfigSpec) (*RBACManager, error)

func (*RBACManager) SetupDCReadOnlyPermissions ¶

func (mgr *RBACManager) SetupDCReadOnlyPermissions(ctx context.Context) (*rbac.ResourcePermission, error)

func (*RBACManager) SetupPermissions ¶

func (mgr *RBACManager) SetupPermissions(ctx context.Context) ([]rbac.ResourcePermission, error)

func (*RBACManager) SetupRolesAndPermissions ¶

func (mgr *RBACManager) SetupRolesAndPermissions(ctx context.Context) ([]rbac.ResourcePermission, error)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL