scope

package
v3.7.1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 15, 2018 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source
const (
	UserIndicator        = "user:"
	ClusterRoleIndicator = "role:"
)
View Source
const (
	UserInfo        = UserIndicator + "info"
	UserAccessCheck = UserIndicator + "check-access"

	// UserListScopedProjects gives explicit permission to see the projects that this token can see.
	UserListScopedProjects = UserIndicator + "list-scoped-projects"

	// UserListAllProjects gives explicit permission to see the projects a user can see.  This is often used to prime secondary ACL systems
	// unrelated to openshift and to display projects for selection in a secondary UI.
	UserListAllProjects = UserIndicator + "list-projects"

	// UserFull includes all permissions of the user
	UserFull = UserIndicator + "full"
)

Variables

View Source
var ScopeEvaluators = []ScopeEvaluator{
	userEvaluator{},
	clusterRoleEvaluator{},
}

ScopeEvaluators map prefixes to a function that handles that prefix

Functions

func DefaultSupportedScopes

func DefaultSupportedScopes() []string

func DefaultSupportedScopesMap

func DefaultSupportedScopesMap() map[string]string

func NewAuthorizer

func NewAuthorizer(delegate authorizer.Authorizer, clusterRoleGetter rbaclisters.ClusterRoleLister, forbiddenMessageMaker defaultauthorizer.ForbiddenMessageMaker) authorizer.Authorizer

func ParseClusterRoleScope

func ParseClusterRoleScope(scope string) (string, string, bool, error)

func ScopesToRules

func ScopesToRules(scopes []string, namespace string, clusterRoleGetter rbaclisters.ClusterRoleLister) ([]rbac.PolicyRule, error)

ScopesToRules takes the scopes and return the rules back. We ALWAYS add the discovery rules and it is possible to get some rules and and an error since errors aren't fatal to evaluation

func ScopesToVisibleNamespaces

func ScopesToVisibleNamespaces(scopes []string, clusterRoleGetter rbaclisters.ClusterRoleLister) (sets.String, error)

ScopesToVisibleNamespaces returns a list of namespaces that the provided scopes have "get" access to. This exists only to support efficiently list/watch of projects (ACLed namespaces)

func ValidateClusterRoleScopeRestrictions

func ValidateClusterRoleScopeRestrictions(scope string, restriction oauthapi.ClusterRoleScopeRestriction) error

func ValidateLiteralScopeRestrictions

func ValidateLiteralScopeRestrictions(scope string, literals []string) error

func ValidateScopeRestrictions

func ValidateScopeRestrictions(client *oauthapi.OAuthClient, scopes ...string) error

Types

type ScopeEvaluator

type ScopeEvaluator interface {
	// Handles returns true if this evaluator can evaluate this scope
	Handles(scope string) bool
	// Validate returns an error if the scope is malformed
	Validate(scope string) error
	// Describe returns a description, warning (typically used to warn about escalation dangers), or an error if the scope is malformed
	Describe(scope string) (description string, warning string, err error)
	// ResolveRules returns the policy rules that this scope allows
	ResolveRules(scope, namespace string, clusterRoleGetter rbaclisters.ClusterRoleLister) ([]rbac.PolicyRule, error)
	ResolveGettableNamespaces(scope string, clusterRoleGetter rbaclisters.ClusterRoleLister) ([]string, error)
}

ScopeEvaluator takes a scope and returns the rules that express it

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL