Documentation ¶
Constants ¶
This section is empty.
Variables ¶
var NoMatch = errors.New("did not match any rule")
Functions ¶
func StringSetIntersection ¶
func ValidateACL ¶
Types ¶
type ACLEntry ¶
type ACLEntry struct {
	Match   *MatchConditions `yaml:"match"`
	Actions *[]string        `yaml:"actions,flow"`
	Comment *string          `yaml:"comment,omitempty"`
}
func (*ACLEntry) Matches ¶
func (e *ACLEntry) Matches(ai *AuthRequestInfo) bool
type ACLMongoConfig ¶
type ACLMongoConfig struct {
	MongoConfig *mgo_session.Config `yaml:"dial_info,omitempty"`
	Collection  string              `yaml:"collection,omitempty"`
	CacheTTL    time.Duration       `yaml:"cache_ttl,omitempty"`
}
func (*ACLMongoConfig) Validate ¶
func (c *ACLMongoConfig) Validate(configKey string) error
Validate ensures that any custom config options in a Config are set correctly.
type AuthRequestInfo ¶
type AuthRequestInfo struct {
	Account string
	Type    string
	Name    string
	Service string
	IP      net.IP
	Actions []string
	Labels  authn.Labels
}
func (AuthRequestInfo) String ¶
func (ai AuthRequestInfo) String() string
type Authorizer ¶
type Authorizer interface {
	// Authorize performs authorization given the request information.
	// It returns a set of authorized actions (of the set requested), which can be empty/nil.
	// Error should only be reported if request could not be serviced, not if it should be denied.
	// A special NoMatch error is returned if the authorizer could not reach a decision,
	// e.g. none of the rules matched.
	// Implementations must be goroutine-safe.
	Authorize(ai *AuthRequestInfo) ([]string, error)

	// Finalize resources in preparation for shutdown.
	// When this call is made there are guaranteed to be no Authenticate requests in flight
	// and there will be no more calls made to this instance.
	Stop()

	// Human-readable name of the authenticator.
	Name() string
}
Authorizer interface performs authorization of the request. It is invoked after authentication, so it can be assumed that the requestor has presented satisfactory credentials for Account. Principally, it answers the question: is this Account allowed to perform these Actions on this Type.Name subject in the given Service?
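How a caller can honor this contract, as an added example that is not the project's own code: `rule` and `authorizeChain` are hypothetical names, the types are trimmed local stand-ins for the package's, and the sample accounts are constructed. Only NoMatch falls through to the next authorizer; any other error aborts the request, and an empty result is a final deny.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the package's NoMatch, AuthRequestInfo and Authorizer (trimmed).
var NoMatch = errors.New("did not match any rule")

type AuthRequestInfo struct {
	Account string
	Actions []string
}

type Authorizer interface {
	Authorize(ai *AuthRequestInfo) ([]string, error)
}

// rule is a constructed sample authorizer that decides only for one account.
type rule struct {
	account string
	grant   []string
	err     error
}

func (r rule) Authorize(ai *AuthRequestInfo) ([]string, error) {
	if ai.Account != r.account {
		return nil, NoMatch
	}
	return r.grant, r.err
}

// authorizeChain is a hypothetical caller that consults authorizers in order.
func authorizeChain(chain []Authorizer, ai *AuthRequestInfo) ([]string, error) {
	for _, a := range chain {
		switch granted, err := a.Authorize(ai); {
		case err == nil:
			return granted, nil // final decision; an empty set is a deny
		case !errors.Is(err, NoMatch):
			return nil, err // could not be serviced: abort, never fall through
		}
	}
	return nil, nil // NoMatch everywhere: default deny
}

func main() {
	chain := []Authorizer{rule{"guest", nil, nil}, rule{"admin", []string{"pull"}, nil}}
	got, err := authorizeChain(chain, &AuthRequestInfo{"bob", []string{"pull"}})
	fmt.Println(got, err) // bob matches no rule
}
```

Ordering matters in such a chain: the first authorizer that returns without NoMatch decides, so a later, more permissive entry for the same account is never consulted.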
func NewACLAuthorizer ¶
func NewACLAuthorizer(acl ACL) (Authorizer, error)
NewACLAuthorizer creates a new static authorizer with the ACL that has been read from the config file.
func NewACLMongoAuthorizer ¶
func NewACLMongoAuthorizer(c *ACLMongoConfig) (Authorizer, error)
NewACLMongoAuthorizer creates a new ACL MongoDB authorizer
type ExtAuthz ¶
type ExtAuthz struct {
// contains filtered or unexported fields
}
func NewExtAuthzAuthorizer ¶
func NewExtAuthzAuthorizer(cfg *ExtAuthzConfig) *ExtAuthz
type ExtAuthzConfig ¶
func (*ExtAuthzConfig) Validate ¶
func (c *ExtAuthzConfig) Validate() error
type ExtAuthzStatus ¶
type ExtAuthzStatus int
const (
	ExtAuthzAllowed ExtAuthzStatus = 0
	ExtAuthzDenied  ExtAuthzStatus = 1
	ExtAuthzError   ExtAuthzStatus = 2
)
type MatchConditions ¶
type MatchConditions struct {
	Account *string           `yaml:"account,omitempty" json:"account,omitempty"`
	Type    *string           `yaml:"type,omitempty" json:"type,omitempty"`
	Name    *string           `yaml:"name,omitempty" json:"name,omitempty"`
	IP      *string           `yaml:"ip,omitempty" json:"ip,omitempty"`
	Service *string           `yaml:"service,omitempty" json:"service,omitempty"`
	Labels  map[string]string `yaml:"labels,omitempty" json:"labels,omitempty"`
}
func (*MatchConditions) Matches ¶
func (mc *MatchConditions) Matches(ai *AuthRequestInfo) bool
type MongoACL ¶
type MongoACL []MongoACLEntry
type MongoACLEntry ¶