Constants ¶
// Objects that an RBAC policy rule can name.
const (
	// ObjectAll is the wildcard object. It has the same value as MatchAll,
	// so a rule written against it presumably covers every object kind;
	// treat such rules as broad grants when auditing a policy.
	ObjectAll      = "*"
	ObjectPipeline = "pipeline"
	ObjectISBSvc   = "isbsvc"
	ObjectEvents   = "events"
)

// Resources that an RBAC policy rule can name.
const (
	// ResourceAll is the wildcard resource (same value as MatchAll).
	ResourceAll       = "*"
	ResourceNamespace = "namespace"
)

// MatchAll is a wildcard to match all patterns.
const MatchAll = "*"

// Property keys of the RBAC configuration.
const (
	RbacPropertyScopes = "policy.scopes"
	// RbacPropertyDefaultPolicy is the key of the default policy. The
	// package documentation for (*CasbinObject).Authorize says a user with
	// no policies of their own is allocated a default policy, so the value
	// configured under this key decides what such users may do; keep it
	// least-privilege.
	RbacPropertyDefaultPolicy = "policy.default"
)

// Auth scopes supported.
const (
	ScopeGroup   = "groups"
	ScopeEmail   = "email"
	ScopeDefault = "default"
)
Variables ¶
// RouteMap associates a "METHOD:path" key with the RouteInfo for that route:
// the RBAC object the route acts on and a boolean saying whether the route
// requires authorization.
//
// NOTE(review): the lookup code is not shown here. Confirm that a request
// whose key is absent from this map is denied (fail closed) rather than
// treated as a route that needs no authorization.
var RouteMap = map[string]*RouteInfo{
	// Routes registered with false: no authorization check is required.
	// Presumably authentication still applies to them; confirm in the
	// middleware. Note that the namespace list and the cluster summary are
	// in this group, so every caller who reaches these routes can read them.
	"GET:/api/v1/sysinfo":         newRouteInfo(ObjectPipeline, false),
	"GET:/api/v1/authinfo":        newRouteInfo(ObjectEvents, false),
	"GET:/api/v1/namespaces":      newRouteInfo(ObjectEvents, false),
	"GET:/api/v1/cluster-summary": newRouteInfo(ObjectPipeline, false),

	// Pipelines: collection and single-pipeline operations.
	"GET:/api/v1/namespaces/:namespace/pipelines":                      newRouteInfo(ObjectPipeline, true),
	"POST:/api/v1/namespaces/:namespace/pipelines":                     newRouteInfo(ObjectPipeline, true),
	"GET:/api/v1/namespaces/:namespace/pipelines/:pipeline":            newRouteInfo(ObjectPipeline, true),
	"PUT:/api/v1/namespaces/:namespace/pipelines/:pipeline":            newRouteInfo(ObjectPipeline, true),
	"PATCH:/api/v1/namespaces/:namespace/pipelines/:pipeline":          newRouteInfo(ObjectPipeline, true),
	"DELETE:/api/v1/namespaces/:namespace/pipelines/:pipeline":         newRouteInfo(ObjectPipeline, true),
	"GET:/api/v1/namespaces/:namespace/pipelines/:pipeline/health":     newRouteInfo(ObjectPipeline, true),
	"GET:/api/v1/namespaces/:namespace/pipelines/:pipeline/isbs":       newRouteInfo(ObjectPipeline, true),
	"GET:/api/v1/namespaces/:namespace/pipelines/:pipeline/watermarks": newRouteInfo(ObjectPipeline, true),

	// Vertices of a pipeline.
	"PUT:/api/v1/namespaces/:namespace/pipelines/:pipeline/vertices/:vertex":      newRouteInfo(ObjectPipeline, true),
	"GET:/api/v1/namespaces/:namespace/pipelines/:pipeline/vertices/metrics":      newRouteInfo(ObjectPipeline, true),
	"GET:/api/v1/namespaces/:namespace/pipelines/:pipeline/vertices/:vertex/pods": newRouteInfo(ObjectPipeline, true),

	// Inter-step buffer services.
	"GET:/api/v1/namespaces/:namespace/isb-services":                 newRouteInfo(ObjectISBSvc, true),
	"POST:/api/v1/namespaces/:namespace/isb-services":                newRouteInfo(ObjectISBSvc, true),
	"GET:/api/v1/namespaces/:namespace/isb-services/:isb-service":    newRouteInfo(ObjectISBSvc, true),
	"PUT:/api/v1/namespaces/:namespace/isb-services/:isb-service":    newRouteInfo(ObjectISBSvc, true),
	"DELETE:/api/v1/namespaces/:namespace/isb-services/:isb-service": newRouteInfo(ObjectISBSvc, true),

	// Pod metrics and pod logs. Both are authorized as the pipeline object
	// and their paths carry only :namespace, not :pipeline. Logs can hold
	// sensitive data, so policies that grant pipeline access in a namespace
	// should be written with that in mind.
	"GET:/api/v1/metrics/namespaces/:namespace/pods":   newRouteInfo(ObjectPipeline, true),
	"GET:/api/v1/namespaces/:namespace/pods/:pod/logs": newRouteInfo(ObjectPipeline, true),

	// Namespace events.
	"GET:/api/v1/namespaces/:namespace/events": newRouteInfo(ObjectEvents, true),
}
RouteMap is a map of routes to their corresponding RouteInfo objects. Each RouteInfo stores the object corresponding to the route and a boolean indicating whether the route requires authorization.
Functions ¶
func GetRouteMapKey ¶
GetRouteMapKey returns the key for the RouteMap. The key is a combination of the HTTP method and the path. The format is "method:path". For example, "GET:/api/v1/namespaces", "POST:/api/v1/namespaces". This key is used to get the RouteInfo object from the RouteMap.
Types ¶
type Authorizer ¶
// Authorizer is the interface for the authorization decision: given the
// request context and the user information, it answers whether the user may
// access the requested resource.
type Authorizer interface {
	// Authorize checks if a user is authorized to access the resource.
	// Authorize trusts that the user is already authenticated and directly uses the groups to authorize the user.
	// Please don't use gin to get the user information again.
	// Authorize returns true if the user is authorized, otherwise false.
	//
	// Because no authentication happens here, the decision is only as
	// trustworthy as userInfo: callers must pass the value produced by the
	// authentication step, never one rebuilt from request data.
	// NOTE(review): confirm that implementations return false when userInfo
	// is nil or carries no groups, so a missing identity is denied.
	Authorize(c *gin.Context, userInfo *authn.UserInfo) bool
}
type CasbinObject ¶
// CasbinObject is the type returned by NewCasbinObject; it has an Authorize
// method. Its fields are unexported and not shown in this documentation.
// NOTE(review): the name suggests it wraps a Casbin enforcer; confirm
// against the source.
type CasbinObject struct {
	// contains filtered or unexported fields
}
func NewCasbinObject ¶
func NewCasbinObject() (*CasbinObject, error)
func (*CasbinObject) Authorize ¶
Authorize checks if a user is authorized to access the resource. It returns true if the user is authorized, otherwise false. It also returns the policy count of the user. The policy count is used to check whether any policies are defined for the given user; if there are none, a default policy is allocated for the user.