Documentation ¶
Constants ¶
const (
	// Objects for the RBAC policy
	ObjectAll        = "*"
	ObjectPipeline   = "pipeline"
	ObjectMonoVertex = "mono-vertex"
	ObjectISBSvc     = "isbsvc"
	ObjectEvents     = "events"

	// Resources for the RBAC policy
	ResourceAll       = "*"
	ResourceNamespace = "namespace"

	// MatchAll is a wildcard to match all patterns
	MatchAll = "*"

	// RbacProperties contain the different properties for RBAC configuration
	RbacPropertyScopes        = "policy.scopes"
	RbacPropertyDefaultPolicy = "policy.default"

	// Auth scopes supported
	ScopeGroup    = "groups"
	ScopeEmail    = "email"
	ScopeUsername = "username"
	ScopeDefault  = "default"
)
Variables ¶
This section is empty.
Functions ¶
func DefaultOptions ¶ added in v1.1.0
func DefaultOptions() *options
func GetRouteMapKey ¶
GetRouteMapKey returns the key for the AuthRouteMap. The key is a combination of the HTTP method and the path. The format is "method:path". For example, "GET:/api/v1/namespaces", "POST:/api/v1/namespaces". This key is used to get the RouteInfo object from the AuthRouteMap.
Types ¶
type Authorizer ¶
type Authorizer interface {
	// Authorize checks if a user is authorized to access the resource.
	// Authorize trusts that the user is already authenticated and directly uses the groups to authorize the user.
	// Please don't use gin to get the user information again.
	// Authorize returns true if the user is authorized, otherwise false.
	Authorize(c *gin.Context, userInfo *authn.UserInfo) bool
}
type CasbinObject ¶
type CasbinObject struct {
// contains filtered or unexported fields
}
CasbinObject is the struct that implements the Authorizer interface. It contains the Casbin Enforcer, the current scopes, the default policy, the config reader and the route map. The config reader is used to watch for changes in the config file. The Casbin Enforcer is used to enforce the authorization policy. The current scopes are used to determine the user identity token to be used for authorization. policyDefault is the default policy to be used when the requested resource is not present in the policy. userPermCount is a cache to store the count of permissions for a user. If the user has permissions in the policy, we store the count in the cache and return based on the value. authRouteMap is a map of routes to their corresponding RouteInfo objects.
func NewCasbinObject ¶
func NewCasbinObject(ctx context.Context, authRouteMap RouteMap, inputOptions ...Option) (*CasbinObject, error)
NewCasbinObject returns a new CasbinObject. It initializes the Casbin Enforcer with the model and policy. It also initializes the config reader to watch for changes in the config file.
func (*CasbinObject) Authorize ¶
Authorize checks if a user is authorized to access the resource. It returns true if the user is authorized, otherwise false. It also returns the policy count of the user. The policy count is used to check whether any policies are defined for the given user; if there are none, a default policy is allocated for the user.
type Option ¶ added in v1.1.0
type Option func(*options)
Option is the interface to apply options.
func WithPolicyMap ¶ added in v1.1.0
WithPolicyMap sets the policy map path to be used for the RBAC enforcer
func WithPropertyFile ¶ added in v1.1.0
WithPropertyFile sets the property file path to be used for the RBAC enforcer
type RouteInfo ¶
RouteInfo is a struct which contains the route information with the object corresponding to the route and a boolean to indicate whether the route requires authorization.
func NewRouteInfo ¶ added in v1.1.0
NewRouteInfo creates a new RouteInfo object.
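The route map key, RouteInfo and default-policy fallback described above, as an added example that is a simplified model and not this package's code or its Casbin enforcer. All type, field and function names, the route-to-object mapping, the users and the `/livez` route are hypothetical, and failing closed on routes missing from the map is this example's own choice.

```go
package main

import "fmt"

// routeInfo mirrors the documented RouteInfo (field names are hypothetical).
type routeInfo struct {
	object       string
	requireAuthz bool
}

// routeKey builds the documented "method:path" route map key.
func routeKey(method, path string) string { return method + ":" + path }

// Constructed sample data: route-to-object mapping and policies are made up.
var sampleRoutes = map[string]routeInfo{
	"GET:/api/v1/namespaces":  {"pipeline", true},
	"POST:/api/v1/namespaces": {"pipeline", true},
	"GET:/livez":              {"", false},
}

// Subject -> set of "object:METHOD" grants; "*" matches any object.
var samplePolicy = map[string]map[string]bool{
	"alice": {"pipeline:GET": true, "pipeline:POST": true},
	"bob":   {"events:GET": true},
}

// Stand-in for the policy.default setting: read-only on every object.
var sampleDefault = map[string]bool{"*:GET": true}

func allowed(perms map[string]bool, object, method string) bool { return perms[object+":"+method] || perms["*:"+method] }

// authorize is a simplified model of the documented flow, not the Casbin enforcer.
func authorize(user, method, path string) bool {
	info, ok := sampleRoutes[routeKey(method, path)]
	if !ok {
		return false // this example's choice: unmapped routes fail closed
	}
	if !info.requireAuthz {
		return true
	}
	if perms := samplePolicy[user]; len(perms) > 0 {
		return allowed(perms, info.object, method) // user has policies: default not consulted
	}
	return allowed(sampleDefault, info.object, method) // policy count is zero: default applies
}

func main() {
	fmt.Println(authorize("bob", "GET", "/api/v1/namespaces"), authorize("carol", "GET", "/api/v1/namespaces"))
}
```

In this model a subject with one narrow explicit policy ("bob") gets less access than a subject with none ("carol"), because the default policy is consulted only when the policy count is zero.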