rbacconversion



Constants

// Zanzibar/OpenFGA object types that Kubernetes RBAC objects are mapped onto.
// TODO: Compile these constants into the DSL authz model directly
const (
	// Subject types.
	TypeUser  = "user"
	TypeGroup = "group"

	// Role, binding and namespace types. The namespaced variants use the plain
	// Kubernetes kind names ("role", "rolebinding").
	TypeClusterRole           = "clusterrole"
	TypeClusterRoleBinding    = "clusterrolebinding"
	TypeNamespacedRole        = "role"
	TypeNamespacedRoleBinding = "rolebinding"
	TypeNamespace             = "namespace"

	// Object types that a role grants access to. A rule without resourceNames
	// targets TypeResource; a rule with resourceNames targets TypeResourceInstance
	// (see RBACTupleConverter.ConvertClusterRoleToTuples).
	// TODO: this should be called resource collection or something like object and collection scoped terminology
	TypeResource                    = "resource"
	TypeNonResource                 = "nonresourceurls"
	TypeClusterRoleLabelAggregation = "clusterrole_label"
	TypeResourceInstance            = "resourceinstance"
)

// Verb handling.
const (
	// RBACMatchAllVerbs is the RBAC wildcard verb ("*") that matches every verb.
	RBACMatchAllVerbs = rbacv1.VerbAll

	// RelationResourceAnyVerb is the Zanzibar relation used for wildcard verbs;
	// presumably the target of an RBACMatchAllVerbs rule — confirm in the converter.
	// Non-resource wildcards are handled in NonResourceNode instead: OpenFGA
	// always enforces a "/" prefix, so the Kubernetes "*" maps to "/*".
	// ZanzibarMatchAllNonResources = "/*"
	RelationResourceAnyVerb = "anyverb"
)

// Relations between subjects, roles and the objects roles grant access to.
// TODO: Unify these with the other ZanzibarRelation... names
const (
	// RelationClusterRoleLabelSelector specifies the relation when
	// "clusterrole:edit#assignee selects clusterrole_label:aggregate-to-edit=true".
	// NOTE(review): the inverse "selected" userset used in the examples below has
	// no constant in this block.
	RelationClusterRoleLabelSelector = "selects"

	// RelationClusterRoleAssignee specifies the relation between some kind of user,
	// group or userset of user or group type and a cluster role, e.g.
	// - "user:lucas assignee clusterrole:foo"
	// - "group:admin assignee clusterrole:admin"
	// - "clusterrole_label:aggregate-to-edit=true#selected assignee clusterrole:my-aggregated-edit-role"
	// - "clusterrole:admin#assignee assignee clusterrole:view"
	RelationClusterRoleAssignee = "assignee"

	// RelationNamespacedRoleAssignee defines what relation a user and group can have
	// to the role, in order to be matched for getting privileges like read and write
	// access to namespaced APIs, e.g.
	// - "role:foo#assignee is related to resource:core.pods as get"
	// It deliberately shares its string value with RelationClusterRoleAssignee.
	RelationNamespacedRoleAssignee = "assignee"

	// RelationNamespacedRoleNamespacedAssignee — meaning is not documented here;
	// TODO(review): confirm against the authz model.
	RelationNamespacedRoleNamespacedAssignee = "namespaced_assignee"

	// RelationNamespaceContainsRole defines the relation between a role and its namespace.
	RelationNamespaceContainsRole = "contains"
)

// Contextual relations. Presumably these are supplied per check (from the
// request context) rather than stored as tuples — confirm against the authorizer.
const (
	ContextualRelationWildcardMatch       = "wildcardmatch"
	ContextualRelationOperatesInNamespace = "operates_in"
	ContextualRelationResourceMatch       = "resourcematch"
	ContextualRelationUserInGroup         = "members"
)

// Kubernetes API group and kind names used while converting.
const (
	// APIGroupKubernetesCore is the name used for the core API group, whose
	// Kubernetes name is the empty string (see ResourceNode: "resource:core.pods").
	APIGroupKubernetesCore = "core"
	KindClusterRole        = "ClusterRole"
	KindClusterRoleBinding = "ClusterRoleBinding"
	KindRole               = "Role"
)

Variables

// Verb ("relation") sets used when mapping RBAC rules onto resource and
// non-resource tuples. The three base sets split verbs by whether they apply
// to a single named object only, to a collection only, or to both; the sets
// below them are unions of the base sets.
var (

	// TODO: distinguish between what can be asked for in authorizer or specified in RBAC
	InstanceRelationsOnly   = sets.New[string]() // TODO: "impersonate", "approve", "sign", "attest" // These are not used in the API server, only in Authorizer APIs/SARs
	CollectionRelationsOnly = sets.New("list", "create", "deletecollection")
	CommonRelations         = sets.New("get", "watch", "update", "patch", "delete") // TODO: Do we have to add "proxy" as well?

	// Verbs accepted against a single resource instance and against a
	// collection respectively: the scope-specific set plus CommonRelations.
	// Since InstanceRelationsOnly is currently empty, InstanceRelations has
	// the same members as CommonRelations.
	InstanceRelations   = InstanceRelationsOnly.Union(CommonRelations)
	CollectionRelations = CollectionRelationsOnly.Union(CommonRelations)

	// ResourceRelations is the union of all three base sets, i.e. every
	// resource verb enumerated in this package; a verb absent from it (for
	// example "proxy", see the TODO above) presumably cannot be converted —
	// confirm in the converter. NonResourceRelations is the single verb
	// modelled for non-resource URLs.
	ResourceRelations    = CommonRelations.Union(InstanceRelationsOnly).Union(CollectionRelationsOnly)
	NonResourceRelations = sets.New("get")
)

Functions

func ClusterRoleBindingNode

func ClusterRoleBindingNode(clusterRoleBindingName string) zanzibar.Node

func ClusterRoleLabelAggregationKeyNode

func ClusterRoleLabelAggregationKeyNode(key string) zanzibar.Node

func ClusterRoleLabelAggregationKeyValueNode

func ClusterRoleLabelAggregationKeyValueNode(key, value string) zanzibar.Node

func ClusterRoleLabelAggregationNodes

func ClusterRoleLabelAggregationNodes(key, value string) zanzibar.Nodes

func ClusterRoleNode

func ClusterRoleNode(clusterRoleName string) zanzibar.Node

func EscapedNode

func EscapedNode(typeName, instanceName string) zanzibar.Node

EscapedNode escapes the instance name for resources whose names are only loosely specified, such as RBAC names.

func GetSchema

func GetSchema() zanzibar.AuthorizationSchema

func GroupNode

func GroupNode(groupname string) zanzibar.Node

GroupNode returns the node name for a group node. TODO: Do we really have to escape this? Are there any guarantees for group names? Probably not.

func NamespaceNode

func NamespaceNode(namespace string) zanzibar.Node

TODO: I'm pretty sure namespaces can only have sensible DNS-1123 label conformant names and thus don't need escaping.

func NamespacedRoleBindingNode

func NamespacedRoleBindingNode(namespaceName, roleBindingName string) zanzibar.Node

func NamespacedRoleNode

func NamespacedRoleNode(namespaceName, roleName string) zanzibar.Node

NamespacedRoleNode returns the zanzibar node for a namespaced role. As it is namespaced, it is fully qualified only together with a given namespace. Only the role name is escaped in OpenFGA; the namespace is known to be ok.

func NonResourceNode

func NonResourceNode(nonResourceURL string) zanzibar.Node

NonResourceNode escapes the tuple name, as the path is not validated in Kubernetes and can be anything, including whitespace and ":". TODO: Validate this properly, and don't escape. In OpenFGA, a "/" prefix is always enforced, thus "*" in Kubernetes maps to "/*" in OpenFGA.

func ResourceInstanceNode

func ResourceInstanceNode(apiGroup, resource, instanceName string) zanzibar.Node

TODO: verify that query escaping here is ok. TODO: need namespace here too.

func ResourceNode

func ResourceNode(apiGroup, resource string) zanzibar.Node

ResourceNode returns the node for resource requests, such as "resource:core.pods", to which a user can have e.g. a get relation. "resource:*.pods", "resource:apps.*" and "resource:*.*" are also possible. No query escaping takes place here.

func TypedNode

func TypedNode(typeName, instanceName string) zanzibar.Node

func UserNode

func UserNode(username string) zanzibar.Node

UserNode returns the node name for a user node. TODO: Do we really have to escape this? Are there any guarantees for user names? Probably not.

Types

type GenericConverter

// GenericConverter is a stateless converter whose method set matches
// RBACTupleConverter; all of its methods use value receivers, so the zero
// value is ready to use.
type GenericConverter struct{}

func (GenericConverter) ConvertClusterRoleBindingToTuples

func (GenericConverter) ConvertClusterRoleBindingToTuples(ctx context.Context, clusterrolebinding rbacv1.ClusterRoleBinding) ([]Tuple, error)

func (GenericConverter) ConvertClusterRoleToTuples

func (GenericConverter) ConvertClusterRoleToTuples(ctx context.Context, clusterrole rbacv1.ClusterRole) ([]zanzibar.Tuple, error)

func (GenericConverter) ConvertRoleBindingToTuples

func (GenericConverter) ConvertRoleBindingToTuples(ctx context.Context, rolebinding rbacv1.RoleBinding) ([]Tuple, error)

func (GenericConverter) ConvertRoleToTuples

func (GenericConverter) ConvertRoleToTuples(ctx context.Context, role rbacv1.Role) ([]Tuple, error)

type RBACTupleConverter

// RBACTupleConverter turns Kubernetes RBAC objects into Zanzibar relationship
// tuples. Every method receives the RBAC object by value.
// TODO: With or without pointers?
type RBACTupleConverter interface {
	// ConvertClusterRoleToTuples produces the Tuples for the given ClusterRole:
	//   - per label, one incoming Tuple from clusterrole_label#selected via the
	//     assignee relation;
	//   - one outgoing Tuple from clusterrole#assignee to the clusterrole_label
	//     type via the selected relation;
	//   - per resource rule, either
	//       len(apiGroups)*len(verbs)*len(resources) outgoing tuples from
	//       clusterrole#assignee to the resource type via the relation that
	//       corresponds to the verb, or (presumably when resourceNames is set)
	//       len(apiGroups)*len(verbs)*len(resources)*len(resourceNames) outgoing
	//       tuples from clusterrole#assignee to the resourceinstance type via
	//       the relation that corresponds to the verb;
	//   - per non-resource rule, len(nonResourceURLs)*len(verbs) outgoing tuples
	//     from clusterrole#assignee to the nonresourceurls type via the relation
	//     that corresponds to the verb.
	ConvertClusterRoleToTuples(ctx context.Context, clusterrole rbacv1.ClusterRole) ([]Tuple, error)

	// ConvertClusterRoleBindingToTuples produces the Tuples for the given ClusterRoleBinding.
	// TODO: Finish this documentation for all methods
	ConvertClusterRoleBindingToTuples(ctx context.Context, clusterrolebinding rbacv1.ClusterRoleBinding) ([]Tuple, error)

	// ConvertRoleToTuples produces the Tuples for the given namespaced Role.
	// NOTE(review): the previous comment here was a verbatim copy of the
	// ClusterRole description. The per-rule resource and non-resource fan-out is
	// presumably the same, but Roles have no aggregation labels, so the label
	// tuples do not apply — confirm against the implementation.
	// TODO: Finish this documentation for all methods
	ConvertRoleToTuples(ctx context.Context, role rbacv1.Role) ([]Tuple, error)

	// ConvertRoleBindingToTuples produces the Tuples for the given namespaced RoleBinding.
	ConvertRoleBindingToTuples(ctx context.Context, rolebinding rbacv1.RoleBinding) ([]Tuple, error)
}

TODO: With or without pointers?

type Tuple

// Tuple is an alias (not a distinct type) for zanzibar.Tuple, so the two are
// interchangeable without conversion; this is why GenericConverter's
// ConvertClusterRoleToTuples may return []zanzibar.Tuple while
// RBACTupleConverter declares []Tuple.
type Tuple = zanzibar.Tuple

Tuple is used so often in this package that we define a shorthand for it.
