accesscontrol

package
v11.1.4-modfix
Warning

This package is not in the latest version of its module.
Published: Aug 20, 2024 License: AGPL-3.0 Imports: 12 Imported by: 0

Documentation

Variables
var (
	ErrAuthorizationBase = errutil.Forbidden("alerting.unauthorized")
)

Functions

func NewAuthorizationErrorGeneric

func NewAuthorizationErrorGeneric(action string) error

func NewAuthorizationErrorWithPermissions

func NewAuthorizationErrorWithPermissions(action string, eval accesscontrol.Evaluator) error

Types

type Namespaced

type Namespaced interface {
	GetNamespaceUID() string
}

type RuleService

type RuleService struct {
	// contains filtered or unexported fields
}

func NewRuleService

func NewRuleService(ac accesscontrol.AccessControl) *RuleService

func (*RuleService) AuthorizeAccessInFolder

func (r *RuleService) AuthorizeAccessInFolder(ctx context.Context, user identity.Requester, rule Namespaced) error

AuthorizeAccessInFolder checks that the identity.Requester has permissions to read alert rules in the given folder, which requires the following permissions:
- ("folders:read") read the folder
- ("alert.rules:read") read alert rules in the folder

Returns error if at least one permission is missing or if something went wrong during the permission evaluation.

func (*RuleService) AuthorizeAccessToRuleGroup

func (r *RuleService) AuthorizeAccessToRuleGroup(ctx context.Context, user identity.Requester, rules models.RulesGroup) error

AuthorizeAccessToRuleGroup checks that the identity.Requester has permissions to all rules, which means that it has permissions to:
- ("folders:read") read folders which contain the rules
- ("alert.rules:read") read alert rules in the folders

Returns error if at least one permission is missing or if something went wrong during the permission evaluation.

func (*RuleService) AuthorizeDatasourceAccessForRule

func (r *RuleService) AuthorizeDatasourceAccessForRule(ctx context.Context, user identity.Requester, rule *models.AlertRule) error

AuthorizeDatasourceAccessForRule checks that user has access to all data sources declared by the rule

func (*RuleService) AuthorizeDatasourceAccessForRuleGroup

func (r *RuleService) AuthorizeDatasourceAccessForRuleGroup(ctx context.Context, user identity.Requester, rules models.RulesGroup) error

AuthorizeDatasourceAccessForRuleGroup checks that user has access to all data sources declared by the rules in the group

func (*RuleService) AuthorizeRuleChanges

func (r *RuleService) AuthorizeRuleChanges(ctx context.Context, user identity.Requester, change *store.GroupDelta) error

AuthorizeRuleChanges analyzes changes in the rule group, and checks whether the changes are authorized. NOTE: if there are rules for deletion, and the user does not have access to data sources that a rule uses, the rule is removed from the list. If the user is not authorized to perform the changes the function returns ErrAuthorization with a description of what action is not authorized.

func (RuleService) HasAccess

func (r RuleService) HasAccess(ctx context.Context, user identity.Requester, evaluator accesscontrol.Evaluator) (bool, error)

HasAccess returns true if the identity.Requester has all permissions specified by the evaluator. Returns error if access control backend could not evaluate permissions

func (*RuleService) HasAccessInFolder

func (r *RuleService) HasAccessInFolder(ctx context.Context, user identity.Requester, rule Namespaced) (bool, error)

HasAccessInFolder checks that the identity.Requester has permissions to read alert rules in the given folder, which requires the following permissions:
- ("folders:read") read the folder
- ("alert.rules:read") read alert rules in the folder

Returns false if the requester does not have enough permissions, and error if something went wrong during the permission evaluation.

func (RuleService) HasAccessOrError

func (r RuleService) HasAccessOrError(ctx context.Context, user identity.Requester, evaluator accesscontrol.Evaluator, action func() string) error

HasAccessOrError returns nil if the identity.Requester has enough permissions to pass the accesscontrol.Evaluator. Otherwise, returns an authorization error that contains the action that was performed.

func (*RuleService) HasAccessToRuleGroup

func (r *RuleService) HasAccessToRuleGroup(ctx context.Context, user identity.Requester, rules models.RulesGroup) (bool, error)

HasAccessToRuleGroup checks that the identity.Requester has permissions to all rules, which means that it has permissions to:
- ("folders:read") read folders which contain the rules
- ("alert.rules:read") read alert rules in the folders

Returns false if the requester does not have enough permissions, and error if something went wrong during the permission evaluation.
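A simplified model of the contract shared by HasAccessInFolder, HasAccessToRuleGroup and the Authorize* wrappers, added here as an example; it is not the package's own code. The perms type and the lowercase function names are hypothetical, and only the two action names and the "alerting.unauthorized" identifier come from this page.

```go
package main

import (
	"errors"
	"fmt"
)

var errBackend = errors.New("access control backend unavailable")
var errUnauthorized = errors.New("alerting.unauthorized")

// perms is a hypothetical backend: folder UID -> granted actions; down simulates a failed evaluation.
type perms struct {
	grants map[string]map[string]bool
	down   bool
}

// hasAccessInFolder: (false, nil) is a denial; a non-nil error means the
// decision could not be made. Both documented actions are required.
func (p perms) hasAccessInFolder(folder string) (bool, error) {
	if p.down {
		return false, errBackend
	}
	g := p.grants[folder]
	return g["folders:read"] && g["alert.rules:read"], nil
}

// hasAccessToRuleGroup requires access in the folder of every rule.
func (p perms) hasAccessToRuleGroup(folders []string) (bool, error) {
	for _, f := range folders {
		if ok, err := p.hasAccessInFolder(f); err != nil || !ok {
			return false, err
		}
	}
	return true, nil
}

// authorizeRuleGroup is the Authorize* shape: any non-nil return denies.
func (p perms) authorizeRuleGroup(folders []string) error {
	ok, err := p.hasAccessToRuleGroup(folders)
	if err == nil && !ok {
		err = fmt.Errorf("%w: read rule group", errUnauthorized)
	}
	return err
}

func main() {
	p := perms{grants: map[string]map[string]bool{ // constructed sample data
		"f1": {"folders:read": true, "alert.rules:read": true}, "f2": {"folders:read": true}}}
	fmt.Println(p.authorizeRuleGroup([]string{"f1"}), p.authorizeRuleGroup([]string{"f1", "f2"}))
}
```

Callers of the boolean variants must check the error before the bool: an evaluation failure returns false with a non-nil error, and treating that as an ordinary denial hides backend outages from logs and alerts.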

type RuleUIDToNamespaceStore

type RuleUIDToNamespaceStore interface {
	GetNamespacesByRuleUID(ctx context.Context, orgID int64, uids ...string) (map[string]string, error)
}

type SilenceService

type SilenceService struct {
	// contains filtered or unexported fields
}

func (SilenceService) AuthorizeCreateSilence

func (s SilenceService) AuthorizeCreateSilence(ctx context.Context, user identity.Requester, silence *models.Silence) error

AuthorizeCreateSilence checks if user has access to create a silence. Returns ErrAuthorizationBase if user is not authorized

func (SilenceService) AuthorizeReadSilence

func (s SilenceService) AuthorizeReadSilence(ctx context.Context, user identity.Requester, silence *models.Silence) error

AuthorizeReadSilence checks if user has access to read a silence.

func (SilenceService) AuthorizeUpdateSilence

func (s SilenceService) AuthorizeUpdateSilence(ctx context.Context, user identity.Requester, silence *models.Silence) error

AuthorizeUpdateSilence checks if user has access to update/expire a silence. Returns ErrAuthorizationBase if user is not authorized.

func (SilenceService) FilterByAccess

func (s SilenceService) FilterByAccess(ctx context.Context, user identity.Requester, silences ...*models.Silence) ([]*models.Silence, error)

FilterByAccess filters the given list of silences based on the access control permissions of the user. A global silence (one that is not attached to a particular rule) is considered available to all users. Silences that are attached to a rule are checked against authorization. This method is preferred when many silences need to be checked.

func (SilenceService) HasAccess

func (r SilenceService) HasAccess(ctx context.Context, user identity.Requester, evaluator accesscontrol.Evaluator) (bool, error)

HasAccess returns true if the identity.Requester has all permissions specified by the evaluator. Returns error if access control backend could not evaluate permissions

func (SilenceService) HasAccessOrError

func (r SilenceService) HasAccessOrError(ctx context.Context, user identity.Requester, evaluator accesscontrol.Evaluator, action func() string) error

HasAccessOrError returns nil if the identity.Requester has enough permissions to pass the accesscontrol.Evaluator. Otherwise, returns an authorization error that contains the action that was performed.

func (SilenceService) SilenceAccess

func (s SilenceService) SilenceAccess(ctx context.Context, user identity.Requester, silences []*models.Silence) (map[*models.Silence]models.SilencePermissionSet, error)

SilenceAccess returns the permission sets for a slice of silences. The permission set includes read, write, and create, which correspond to the given user being able to read, write, and create each given silence, respectively.
