Documentation

Index
- Constants
- Variables
- func WithConfig(c map[string]any) func(*Opts)
- func WithProjectsGetFunc(f func(ctx context.Context) (map[int64]string, error)) func(*Opts)
- type Authorizer
- type Entitlement
- type Object
- func NewObject(objectType ObjectType, projectName string, identifierElements ...string) (Object, error)
- func ObjectCertificate(fingerprint string) Object
- func ObjectFromRequest(r *http.Request, objectType ObjectType, muxVars ...string) (Object, error)
- func ObjectFromString(objectstr string) (Object, error)
- func ObjectImage(projectName string, imageFingerprint string) Object
- func ObjectImageAlias(projectName string, aliasName string) Object
- func ObjectInstance(projectName string, instanceName string) Object
- func ObjectNetwork(projectName string, networkName string) Object
- func ObjectNetworkACL(projectName string, networkACLName string) Object
- func ObjectNetworkZone(projectName string, networkZoneName string) Object
- func ObjectProfile(projectName string, profileName string) Object
- func ObjectProject(projectName string) Object
- func ObjectServer() Object
- func ObjectStorageBucket(projectName string, poolName string, bucketName string) Object
- func ObjectStoragePool(storagePoolName string) Object
- func ObjectStorageVolume(projectName string, poolName string, volumeType string, volumeName string) Object
- func ObjectUser(userName string) Object
- type ObjectType
- type Opts
- type Permission
- type PermissionChecker
Constants

```go
const (
	// DriverTLS is the default TLS authorization driver. It is not compatible with OIDC or Candid authentication.
	DriverTLS string = "tls"
)
```
Variables

```go
var ErrUnknownDriver = fmt.Errorf("Unknown driver")
```

ErrUnknownDriver is the "Unknown driver" error.
Functions

func WithConfig (added in v0.2.0)

WithConfig can be passed into LoadAuthorizer to pass in driver-specific configuration.
Types

type Authorizer

```go
type Authorizer interface {
	Driver() string
	StopService(ctx context.Context) error
	CheckPermission(ctx context.Context, r *http.Request, object Object, entitlement Entitlement) error
	GetPermissionChecker(ctx context.Context, r *http.Request, entitlement Entitlement, objectType ObjectType) (PermissionChecker, error)
	AddProject(ctx context.Context, projectID int64, projectName string) error
	DeleteProject(ctx context.Context, projectID int64, projectName string) error
	RenameProject(ctx context.Context, projectID int64, oldName string, newName string) error
	AddCertificate(ctx context.Context, fingerprint string) error
	DeleteCertificate(ctx context.Context, fingerprint string) error
	AddStoragePool(ctx context.Context, storagePoolName string) error
	DeleteStoragePool(ctx context.Context, storagePoolName string) error
	AddImage(ctx context.Context, projectName string, fingerprint string) error
	DeleteImage(ctx context.Context, projectName string, fingerprint string) error
	AddImageAlias(ctx context.Context, projectName string, imageAliasName string) error
	DeleteImageAlias(ctx context.Context, projectName string, imageAliasName string) error
	RenameImageAlias(ctx context.Context, projectName string, oldAliasName string, newAliasName string) error
	AddInstance(ctx context.Context, projectName string, instanceName string) error
	DeleteInstance(ctx context.Context, projectName string, instanceName string) error
	RenameInstance(ctx context.Context, projectName string, oldInstanceName string, newInstanceName string) error
	AddNetwork(ctx context.Context, projectName string, networkName string) error
	DeleteNetwork(ctx context.Context, projectName string, networkName string) error
	RenameNetwork(ctx context.Context, projectName string, oldNetworkName string, newNetworkName string) error
	AddNetworkZone(ctx context.Context, projectName string, networkZoneName string) error
	DeleteNetworkZone(ctx context.Context, projectName string, networkZoneName string) error
	AddNetworkACL(ctx context.Context, projectName string, networkACLName string) error
	DeleteNetworkACL(ctx context.Context, projectName string, networkACLName string) error
	RenameNetworkACL(ctx context.Context, projectName string, oldNetworkACLName string, newNetworkACLName string) error
	AddProfile(ctx context.Context, projectName string, profileName string) error
	DeleteProfile(ctx context.Context, projectName string, profileName string) error
	RenameProfile(ctx context.Context, projectName string, oldProfileName string, newProfileName string) error
	AddStoragePoolVolume(ctx context.Context, projectName string, storagePoolName string, storageVolumeType string, storageVolumeName string) error
	DeleteStoragePoolVolume(ctx context.Context, projectName string, storagePoolName string, storageVolumeType string, storageVolumeName string) error
	RenameStoragePoolVolume(ctx context.Context, projectName string, storagePoolName string, storageVolumeType string, oldStorageVolumeName string, newStorageVolumeName string) error
	AddStorageBucket(ctx context.Context, projectName string, storagePoolName string, storageBucketName string) error
	DeleteStorageBucket(ctx context.Context, projectName string, storagePoolName string, storageBucketName string) error
}
```

Authorizer is the primary external API for this package.
func LoadAuthorizer

```go
func LoadAuthorizer(ctx context.Context, driver string, logger logger.Logger, certificateCache *certificate.Cache, options ...func(opts *Opts)) (Authorizer, error)
```

LoadAuthorizer instantiates, configures, and initialises an Authorizer.
type Entitlement (added in v0.2.0)

```go
type Entitlement string
```

Entitlement is a type representation of a permission as it applies to a particular ObjectType.

```go
const (
	// Entitlements that apply to all resources.
	EntitlementCanEdit Entitlement = "can_edit"
	EntitlementCanView Entitlement = "can_view"

	// Server entitlements.
	EntitlementCanCreateStoragePools               Entitlement = "can_create_storage_pools"
	EntitlementCanCreateProjects                   Entitlement = "can_create_projects"
	EntitlementCanViewResources                    Entitlement = "can_view_resources"
	EntitlementCanCreateCertificates               Entitlement = "can_create_certificates"
	EntitlementCanViewMetrics                      Entitlement = "can_view_metrics"
	EntitlementCanOverrideClusterTargetRestriction Entitlement = "can_override_cluster_target_restriction"
	EntitlementCanViewPrivilegedEvents             Entitlement = "can_view_privileged_events"

	// Project entitlements.
	EntitlementCanCreateImages         Entitlement = "can_create_images"
	EntitlementCanCreateImageAliases   Entitlement = "can_create_image_aliases"
	EntitlementCanCreateInstances      Entitlement = "can_create_instances"
	EntitlementCanCreateNetworks       Entitlement = "can_create_networks"
	EntitlementCanCreateNetworkACLs    Entitlement = "can_create_network_acls"
	EntitlementCanCreateNetworkZones   Entitlement = "can_create_network_zones"
	EntitlementCanCreateProfiles       Entitlement = "can_create_profiles"
	EntitlementCanCreateStorageVolumes Entitlement = "can_create_storage_volumes"
	EntitlementCanCreateStorageBuckets Entitlement = "can_create_storage_buckets"
	EntitlementCanViewOperations       Entitlement = "can_view_operations"
	EntitlementCanViewEvents           Entitlement = "can_view_events"

	// Instance entitlements.
	EntitlementCanUpdateState   Entitlement = "can_update_state"
	EntitlementCanConnectSFTP   Entitlement = "can_connect_sftp"
	EntitlementCanAccessFiles   Entitlement = "can_access_files"
	EntitlementCanAccessConsole Entitlement = "can_access_console"
	EntitlementCanExec          Entitlement = "can_exec"

	// Instance and storage volume entitlements.
	EntitlementCanManageSnapshots Entitlement = "can_manage_snapshots"
	EntitlementCanManageBackups   Entitlement = "can_manage_backups"
)
```
type Object (added in v0.2.0)

```go
type Object string
```

Object is a string alias that represents an authorization object. These are formatted strings that uniquely identify an API resource, and can be constructed/deconstructed reliably. An Object is always of the form `<ObjectType>:<identifier>` where the identifier is a "/" delimited path containing elements that uniquely identify a resource. If the resource is defined at the project level, the first element of this path is always the project. Some example objects would be:
- `instance:default/c1`: Instance object in project "default" and name "c1".
- `storage_pool:local`: Storage pool object with name "local".
- `storage_volume:default/local/custom/vol1`: Storage volume object in project "default", storage pool "local", type "custom", and name "vol1".
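As an added illustration of the `<ObjectType>:<identifier>` format described above (this is not the lxd/auth package's own code), the parser below validates the element count of each object type against the constructor signatures listed on this page, and its inverse refuses elements that would not round-trip. The "server:" spelling for the element-less server object is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Element counts per object type, read off the constructor signatures on this page
// (ObjectInstance takes project and name: 2; ObjectServer takes none: 0). Added illustration, not lxd/auth code.
var objectElementCount = map[string]int{
	"user": 1, "server": 0, "certificate": 1, "storage_pool": 1, "project": 1,
	"image": 2, "image_alias": 2, "instance": 2, "network": 2, "network_acl": 2,
	"network_zone": 2, "profile": 2, "storage_bucket": 3, "storage_volume": 4,
}

// ParseObject splits "<type>:<a>/<b>/..." and rejects unknown types, wrong element counts and
// empty elements, so a malformed string never matches a real resource. Assumes "server:" for the server.
func ParseObject(s string) (objectType string, elements []string, err error) {
	objectType, ident, ok := strings.Cut(s, ":")
	if !ok {
		return "", nil, fmt.Errorf("object %q is not of the form <type>:<identifier>", s)
	}
	want, known := objectElementCount[objectType]
	if !known {
		return "", nil, fmt.Errorf("unknown object type %q", objectType)
	}
	if ident != "" {
		elements = strings.Split(ident, "/")
	}
	if len(elements) != want {
		return "", nil, fmt.Errorf("%s object needs %d identifier elements, got %d", objectType, want, len(elements))
	}
	for _, e := range elements {
		if e == "" {
			return "", nil, fmt.Errorf("object %q has an empty identifier element", s)
		}
	}
	return objectType, elements, nil
}

// FormatObject is the inverse. Building the string and parsing it back catches elements that
// contain "/" (they would split into extra elements), so the result always round-trips.
func FormatObject(objectType string, elements ...string) (string, error) {
	s := objectType + ":" + strings.Join(elements, "/")
	if _, parsed, err := ParseObject(s); err != nil || len(parsed) != len(elements) {
		return "", fmt.Errorf("cannot build a canonical %s object from %q", objectType, elements)
	}
	return s, nil
}
```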
func NewObject (added in v0.2.0)

```go
func NewObject(objectType ObjectType, projectName string, identifierElements ...string) (Object, error)
```

NewObject returns an Object of the given type. The passed in arguments must be in the correct order (as found in the URL for the resource). This function will error if an invalid object type is given, or if the correct number of arguments is not passed in.
func ObjectCertificate (added in v0.2.0)

func ObjectFromRequest (added in v0.2.0)

ObjectFromRequest returns an object created from the request by evaluating the given mux vars. Mux vars must be provided in the order that they are found in the endpoint path. If the object requires a project name, this is taken from the `project` query parameter unless the URL begins with `/1.0/projects`.
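The project-selection rule just described, as an added example that is not the lxd/auth implementation. It assumes the router's mux vars arrive as a plain name-to-value map, that a request without a `project` query parameter falls back to the project named "default", and that a missing or slash-containing path variable must fail closed rather than produce an object naming some other resource.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Object types whose identifier begins with a project name, per the constructors on this page.
var projectScoped = map[string]bool{
	"project": true, "image": true, "image_alias": true, "instance": true, "network": true,
	"network_acl": true, "network_zone": true, "profile": true, "storage_bucket": true, "storage_volume": true,
}

// ObjectForRequest applies the rule described for ObjectFromRequest: for a project-scoped type
// the project comes from the "project" query parameter (assumed to default to "default"), unless
// the URL begins with /1.0/projects, where the project is the resource named in the path itself.
// pathVars stands in for the router's mux vars (assumption: a plain name->value map).
// Added illustration, not the lxd/auth implementation.
func ObjectForRequest(r *http.Request, objectType string, pathVars map[string]string, varNames ...string) (string, error) {
	var elements []string
	if projectScoped[objectType] && !strings.HasPrefix(r.URL.Path, "/1.0/projects") {
		project := r.URL.Query().Get("project")
		if project == "" {
			project = "default"
		}
		elements = append(elements, project)
	}
	for _, name := range varNames {
		v, ok := pathVars[name]
		if !ok || v == "" || strings.Contains(v, "/") {
			// A missing or unsafe path variable must fail closed rather than yield an object
			// that refers to a different resource.
			return "", fmt.Errorf("path variable %q is missing or invalid", name)
		}
		elements = append(elements, v)
	}
	return objectType + ":" + strings.Join(elements, "/"), nil
}
```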
func ObjectFromString (added in v0.2.0)

ObjectFromString parses a string into an Object. It returns an error if the string is not valid.
func ObjectImage (added in v0.2.0)

func ObjectImageAlias (added in v0.2.0)

func ObjectInstance (added in v0.2.0)

func ObjectNetwork (added in v0.2.0)

func ObjectNetworkACL (added in v0.2.0)

func ObjectNetworkZone (added in v0.2.0)

func ObjectProfile (added in v0.2.0)

func ObjectProject (added in v0.2.0)

func ObjectServer (added in v0.2.0)

```go
func ObjectServer() Object
```
func ObjectStorageBucket (added in v0.2.0)

func ObjectStoragePool (added in v0.2.0)

func ObjectStorageVolume (added in v0.2.0)

func ObjectUser (added in v0.2.0)

func (Object) Elements (added in v0.2.0)

Elements returns the elements that uniquely identify the authorization Object.
func (Object) Type (added in v0.2.0)

```go
func (o Object) Type() ObjectType
```

Type returns the ObjectType of the Object.
type ObjectType (added in v0.2.0)

```go
type ObjectType string
```

ObjectType is a type of resource within LXD.

```go
const (
	ObjectTypeUser          ObjectType = "user"
	ObjectTypeServer        ObjectType = "server"
	ObjectTypeCertificate   ObjectType = "certificate"
	ObjectTypeStoragePool   ObjectType = "storage_pool"
	ObjectTypeProject       ObjectType = "project"
	ObjectTypeImage         ObjectType = "image"
	ObjectTypeImageAlias    ObjectType = "image_alias"
	ObjectTypeInstance      ObjectType = "instance"
	ObjectTypeNetwork       ObjectType = "network"
	ObjectTypeNetworkACL    ObjectType = "network_acl"
	ObjectTypeNetworkZone   ObjectType = "network_zone"
	ObjectTypeProfile       ObjectType = "profile"
	ObjectTypeStorageBucket ObjectType = "storage_bucket"
	ObjectTypeStorageVolume ObjectType = "storage_volume"
)
```
type Opts (added in v0.2.0)

```go
type Opts struct {
	// contains filtered or unexported fields
}
```

Opts is used as part of the LoadAuthorizer function so that only the relevant configuration fields are passed into a particular driver.
type Permission (added in v0.2.0)

```go
type Permission string
```

Permission is a type representation of general permission levels in LXD. It is used with the TLS and RBAC drivers.

```go
const (
	PermissionAdmin                Permission = "admin"
	PermissionView                 Permission = "view"
	PermissionManageProjects       Permission = "manage-projects"
	PermissionManageInstances      Permission = "manage-containers"
	PermissionManageImages         Permission = "manage-images"
	PermissionManageNetworks       Permission = "manage-networks"
	PermissionManageProfiles       Permission = "manage-profiles"
	PermissionManageStorageVolumes Permission = "manage-storage-volumes"
	PermissionOperateInstances     Permission = "operate-containers"
)
```
type PermissionChecker (added in v0.2.0)

PermissionChecker is a type alias for a function that returns whether a user has the required permissions on an object. It is returned by Authorizer.GetPermissionChecker.