defaultauth

package
Published: Oct 15, 2023 License: Apache-2.0, BSD-2-Clause, BSD-3-Clause, + 3 more Imports: 34 Imported by: 0

Constants

// TokenPattern is the printf layout of a token: a random string, then
// TokenSplit, then the principal in the form uid/<id> or groupid/<id>.
const TokenPattern string = "%s::%s"

// TokenSplit separates the random part of a token from its principal part.
const TokenSplit string = "::"

Variables

var (
	// ErrorNotAllowedAccess signals that the permission check denied the
	// request; its message comes from api.Code2Info(api.NotAllowedAccess).
	// Compare with errors.Is rather than string matching.
	ErrorNotAllowedAccess error = errors.New(api.Code2Info(api.NotAllowedAccess))
	// ErrorInvalidParameter signals an invalid request parameter; its message
	// comes from api.Code2Info(api.InvalidParameter).
	ErrorInvalidParameter error = errors.New(api.Code2Info(api.InvalidParameter))
	// ErrorNotPermission signals that the operator lacks permission for the action.
	ErrorNotPermission = errors.New("no permission")
)
var (
	// MustOwner marks an operation that only a super (admin) account or a
	// main (owner) account may perform.
	MustOwner = true
	// NotOwner marks an operation that any account may perform.
	NotOwner = false
	// WriteOp marks a write operation.
	WriteOp = true
	// ReadOp marks a read operation.
	ReadOp = false
	// NOTE(review): these read as fixed flags but are declared with var, so
	// any code in the process can reassign them at runtime; consts would be
	// safer if nothing actually writes to them.
)
var AuthOption = DefaultAuthConfig()

AuthOption 鉴权的配置信息

// StrategyFilterAttributes is the allow-list of query keys accepted when
// listing auth strategies; a key maps to true when it is permitted.
var StrategyFilterAttributes = map[string]bool{
	"id": true, "name": true, "owner": true, "offset": true, "limit": true,
	"principal_id": true, "principal_type": true, "res_id": true, "res_type": true,
	"default": true, "show_detail": true,
}
// UserFilterAttributes is the allow-list of query keys accepted when
// listing users; a key maps to true when it is permitted.
var UserFilterAttributes = map[string]bool{
	"id": true, "name": true, "owner": true, "source": true,
	"offset": true, "group_id": true, "limit": true, "hide_admin": true,
}
// UserLinkGroupAttributes is the allow-list of query keys accepted when
// querying user-to-group links; a key maps to true when it is permitted.
var UserLinkGroupAttributes = map[string]bool{
	"id": true, "user_id": true, "user_name": true, "group_id": true,
	"name": true, "offset": true, "limit": true,
}

Functions

func IsEmptyOperator

func IsEmptyOperator(t OperatorInfo) bool

IsEmptyOperator 判断传入的 OperatorInfo 是否为空

func IsSubAccount

func IsSubAccount(t OperatorInfo) bool

IsSubAccount 判断当前 token 对应的账户是否为子账户

func TestCheckName added in v1.17.3

func TestCheckName(password *wrappers.StringValue) error

func TestCheckPassword added in v1.17.3

func TestCheckPassword(password *wrappers.StringValue) error

func TestCreateToken added in v1.17.3

func TestCreateToken(uid, gid string) (string, error)

func TestDecryptMessage added in v1.17.3

func TestDecryptMessage(key []byte, message string) (string, error)

func TestParseStrategySearchArgs added in v1.17.3

func TestParseStrategySearchArgs(ctx context.Context, searchFilters map[string]string) map[string]string

Types

type AuthConfig

type AuthConfig struct {
	// ConsoleOpen enables permission checks on console (management) API calls.
	ConsoleOpen bool `json:"consoleOpen" xml:"consoleOpen"`
	// ClientOpen enables permission checks on client API calls.
	ClientOpen bool `json:"clientOpen" xml:"clientOpen"`
	// Salt is the salt used when encrypting passwords and tokens. Keep it
	// confidential; changing it presumably invalidates existing tokens — confirm.
	Salt string `json:"salt" xml:"salt"`
	// Strict enables strict mode: a resource with no auth strategy at all still
	// requires a valid token to be operated on. Off by default, which means such
	// resources are reachable without a token.
	// Deprecated (presumably superseded by ConsoleStrict / ClientStrict — confirm).
	// NOTE(review): unlike the fields above this has no xml tag, so an XML
	// config cannot set it under this name; confirm that is intended.
	Strict bool `json:"strict"`
	// ConsoleStrict is strict mode for the console: a resource with no auth
	// strategy still requires a valid token. Off by default.
	ConsoleStrict bool `json:"consoleStrict"`
	// ClientStrict is strict mode for clients: a resource with no auth
	// strategy still requires a valid token. Off by default.
	ClientStrict bool `json:"clientStrict"`
}

AuthConfig 鉴权配置

func DefaultAuthConfig

func DefaultAuthConfig() *AuthConfig

DefaultAuthConfig 返回一个默认的鉴权配置

func (*AuthConfig) Verify

func (cfg *AuthConfig) Verify() error

Verify 检查配置是否合法

type DefaultAuthChecker added in v1.17.3

// DefaultAuthChecker is the auth checker bundled with Polaris. Its state is
// held in unexported fields, presumably populated by Initialize — confirm.
type DefaultAuthChecker struct {
	// contains filtered or unexported fields
}

DefaultAuthChecker 北极星自带的默认鉴权中心

func (*DefaultAuthChecker) Cache added in v1.17.3

Cache 获取缓存统一管理

func (*DefaultAuthChecker) CheckClientPermission added in v1.17.3

func (d *DefaultAuthChecker) CheckClientPermission(preCtx *model.AcquireContext) (bool, error)

CheckClientPermission 执行检查客户端动作判断是否有权限,并且对 RequestContext 注入操作者数据

func (*DefaultAuthChecker) CheckConsolePermission added in v1.17.3

func (d *DefaultAuthChecker) CheckConsolePermission(preCtx *model.AcquireContext) (bool, error)

CheckConsolePermission 执行检查控制台动作判断是否有权限,并且对 RequestContext 注入操作者数据

func (*DefaultAuthChecker) CheckPermission added in v1.17.3

func (d *DefaultAuthChecker) CheckPermission(authCtx *model.AcquireContext) (bool, error)

CheckPermission 执行检查动作判断是否有权限

step 1. 判断是否开启了鉴权
step 2. 对token进行检查判断
	case 1. 如果 token 被禁用
			a. 读操作,直接放通
			b. 写操作,快速失败
step 3. 拉取token对应的操作者相关信息,注入到请求上下文中
step 4. 进行权限检查

func (*DefaultAuthChecker) DecodeToken added in v1.17.3

func (d *DefaultAuthChecker) DecodeToken(t string) (OperatorInfo, error)

DecodeToken 解析 token 字符串,返回其对应的 OperatorInfo

func (*DefaultAuthChecker) Initialize added in v1.17.3

func (d *DefaultAuthChecker) Initialize(options *auth.Config, s store.Store, cacheMgn *cache.CacheManager) error

Initialize 执行初始化动作

func (*DefaultAuthChecker) IsOpenAuth added in v1.17.3

func (d *DefaultAuthChecker) IsOpenAuth() bool

IsOpenAuth 返回对于控制台/客户端任意其中的一个是否开启了操作鉴权

func (*DefaultAuthChecker) IsOpenClientAuth added in v1.17.3

func (d *DefaultAuthChecker) IsOpenClientAuth() bool

IsOpenClientAuth 针对客户端是否开启了操作鉴权

func (*DefaultAuthChecker) IsOpenConsoleAuth added in v1.17.3

func (d *DefaultAuthChecker) IsOpenConsoleAuth() bool

IsOpenConsoleAuth 针对控制台是否开启了操作鉴权

func (*DefaultAuthChecker) SetCacheMgr added in v1.17.3

func (d *DefaultAuthChecker) SetCacheMgr(mgr *cache.CacheManager)

func (*DefaultAuthChecker) VerifyCredential added in v1.17.3

func (d *DefaultAuthChecker) VerifyCredential(authCtx *model.AcquireContext) error

VerifyCredential 对 token 进行检查验证,并将 verify 过程中解析出的数据注入到 model.AcquireContext 中

step 1. 首先对 token 进行解析,获取相关的数据信息,注入到整个的 AcquireContext 中
step 2. 然后对 token 执行各项验证步骤
step 3. 兜底措施:如果开启了鉴权的非严格模式,则根据错误的类型,判断是否转为匿名用户进行访问

  • 如果是访问权限控制相关模块(用户、用户组、权限策略),不得转为匿名用户

type GroupAuthAbility added in v1.17.3

// GroupAuthAbility exposes the user-group operations of Server; judging by
// NewGroupAuthAbility it is constructed with a DefaultAuthChecker, presumably
// to gate each operation with a permission check — confirm in the method bodies.
type GroupAuthAbility struct {
	// contains filtered or unexported fields
}

func NewGroupAuthAbility added in v1.17.3

func NewGroupAuthAbility(authMgn *DefaultAuthChecker, target *Server) *GroupAuthAbility

func (*GroupAuthAbility) CreateGroup added in v1.17.3

func (svr *GroupAuthAbility) CreateGroup(ctx context.Context, group *apisecurity.UserGroup) *apiservice.Response

CreateGroup creates a group.

func (*GroupAuthAbility) DeleteGroups added in v1.17.3

DeleteGroups deletes groups.

func (*GroupAuthAbility) GetGroup added in v1.17.3

GetGroup 查看用户组

func (*GroupAuthAbility) GetGroupToken added in v1.17.3

func (svr *GroupAuthAbility) GetGroupToken(ctx context.Context, req *apisecurity.UserGroup) *apiservice.Response

GetGroupToken 获取用户组token

func (*GroupAuthAbility) GetGroups added in v1.17.3

func (svr *GroupAuthAbility) GetGroups(ctx context.Context,
	query map[string]string) *apiservice.BatchQueryResponse

GetGroups 查看用户组列表

func (*GroupAuthAbility) ResetGroupToken added in v1.17.3

func (svr *GroupAuthAbility) ResetGroupToken(ctx context.Context, group *apisecurity.UserGroup) *apiservice.Response

ResetGroupToken 重置用户组token

func (*GroupAuthAbility) UpdateGroupToken added in v1.17.3

func (svr *GroupAuthAbility) UpdateGroupToken(ctx context.Context, group *apisecurity.UserGroup) *apiservice.Response

UpdateGroupToken 更新用户组token

func (*GroupAuthAbility) UpdateGroups added in v1.17.3

UpdateGroups updates groups.

type OperatorInfo

type OperatorInfo struct {

	// Origin is the raw token string as received.
	// NOTE(review): this is the credential itself; confirm that String() and
	// any log sites redact it rather than print it.
	Origin string

	// OperatorID is the ID of the user or user group the token is bound to.
	OperatorID string

	// OwnerID is the owner of that user or user group.
	OwnerID string

	// Role is populated only when the token is a user token.
	Role model.UserRoleType

	// IsUserToken reports whether the token belongs to a user rather than a group.
	IsUserToken bool

	// Disable marks a user token that has been disabled.
	Disable bool

	// Anonymous marks an anonymous operator.
	Anonymous bool
}

OperatorInfo 根据 token 解析出来的具体额外信息

func (*OperatorInfo) String

func (t *OperatorInfo) String() string

type Server added in v1.17.3

// Server implements the user, user-group and auth-strategy management
// operations; per NewServer it is backed by a store.Store, a plugin.History,
// a cache.CacheManager and a DefaultAuthChecker.
type Server struct {
	// contains filtered or unexported fields
}

func NewServer added in v1.17.3

func NewServer(storage store.Store,
	history plugin.History,
	cacheMgn *cache.CacheManager,
	authMgn *DefaultAuthChecker) *Server

func (*Server) AfterResourceOperation added in v1.17.3

func (svr *Server) AfterResourceOperation(afterCtx *model.AcquireContext) error

AfterResourceOperation 对于资源的添加、删除操作,需要执行后置逻辑。所有子用户或者用户分组,都默认获得对其所创建的资源的写权限

func (*Server) CreateGroup added in v1.17.3

func (svr *Server) CreateGroup(ctx context.Context, req *apisecurity.UserGroup) *apiservice.Response

CreateGroup create a group

func (*Server) CreateStrategy added in v1.17.3

func (svr *Server) CreateStrategy(ctx context.Context, req *apisecurity.AuthStrategy) *apiservice.Response

CreateStrategy 创建鉴权策略

func (*Server) CreateUser added in v1.17.3

func (svr *Server) CreateUser(ctx context.Context, req *apisecurity.User) *apiservice.Response

CreateUser 创建用户

func (*Server) CreateUsers added in v1.17.3

func (svr *Server) CreateUsers(ctx context.Context, req []*apisecurity.User) *apiservice.BatchWriteResponse

CreateUsers 批量创建用户

func (*Server) DeleteGroup added in v1.17.3

func (svr *Server) DeleteGroup(ctx context.Context, req *apisecurity.UserGroup) *apiservice.Response

DeleteGroup 删除用户组

func (*Server) DeleteGroups added in v1.17.3

func (svr *Server) DeleteGroups(ctx context.Context, reqs []*apisecurity.UserGroup) *apiservice.BatchWriteResponse

DeleteGroups 批量删除用户组

func (*Server) DeleteStrategies added in v1.17.3

func (svr *Server) DeleteStrategies(
	ctx context.Context, reqs []*apisecurity.AuthStrategy) *apiservice.BatchWriteResponse

DeleteStrategies 批量删除鉴权策略

func (*Server) DeleteStrategy added in v1.17.3

func (svr *Server) DeleteStrategy(ctx context.Context, req *apisecurity.AuthStrategy) *apiservice.Response

DeleteStrategy 删除鉴权策略
Case 1. 只有该策略的 owner 账户可以删除策略
Case 2. 默认策略不能被删除,默认策略只能随着账户的删除而被清理

func (*Server) DeleteUser added in v1.17.3

func (svr *Server) DeleteUser(ctx context.Context, req *apisecurity.User) *apiservice.Response

DeleteUser 删除用户
Case 1. 删除主账户:主账户不能自己删除自己
Case 2. 删除主账户:如果主账户下还存在子账户,必须先删除子账户,才能删除主账户
Case 3. 主账户角色下,只能删除自己创建的子账户
Case 4. 超级账户角色下,可以删除任意账户

func (*Server) DeleteUsers added in v1.17.3

func (svr *Server) DeleteUsers(ctx context.Context, reqs []*apisecurity.User) *apiservice.BatchWriteResponse

DeleteUsers 批量删除用户

func (*Server) GetGroup added in v1.17.3

func (svr *Server) GetGroup(ctx context.Context, req *apisecurity.UserGroup) *apiservice.Response

GetGroup 查看对应用户组下的用户信息

func (*Server) GetGroupToken added in v1.17.3

func (svr *Server) GetGroupToken(ctx context.Context, req *apisecurity.UserGroup) *apiservice.Response

GetGroupToken 查看用户组的token

func (*Server) GetGroups added in v1.17.3

func (svr *Server) GetGroups(ctx context.Context, query map[string]string) *apiservice.BatchQueryResponse

GetGroups 查看用户组

func (*Server) GetPrincipalResources added in v1.17.3

func (svr *Server) GetPrincipalResources(ctx context.Context, query map[string]string) *apiservice.Response

GetPrincipalResources 获取某个principal可以获取到的所有资源ID数据信息

func (*Server) GetStrategies added in v1.17.3

func (svr *Server) GetStrategies(ctx context.Context, query map[string]string) *apiservice.BatchQueryResponse

GetStrategies 查询鉴权策略列表 Case 1. 如果是以资源视角来查询鉴权策略,那么就会忽略自动根据账户类型进行数据查看的限制

eg. 比如当前子账户A想要查看资源R的相关的策略,那么不再会自动注入 principal_id 以及 principal_type 的查询条件

Case 2. 如果是以用户视角来查询鉴权策略,如果没有带上 principal_id,那么就会根据账户类型自动注入 principal_id 以

及 principal_type 的查询条件,从而限制该账户的数据查看
eg.
	a. 如果当前是超级管理账户,则按照传入的 query 进行查询即可
	b. 如果当前是主账户,则自动注入 owner 字段,即只能查看策略的 owner 是自己的策略
	c. 如果当前是子账户,则自动注入 principal_id 以及 principal_type 字段,即只能查询与自己有关的策略

func (*Server) GetStrategy added in v1.17.3

func (svr *Server) GetStrategy(ctx context.Context, req *apisecurity.AuthStrategy) *apiservice.Response

GetStrategy 根据策略ID获取详细的鉴权策略
Case 1. 如果当前操作者是该策略 principal 中的一员,则可以查看
Case 2. 如果当前操作者是该策略的 owner,则可以查看
Case 3. 如果当前操作者是 admin 角色,直接查看

func (*Server) GetUserToken added in v1.17.3

func (svr *Server) GetUserToken(ctx context.Context, req *apisecurity.User) *apiservice.Response

GetUserToken 获取用户 token

func (*Server) GetUsers added in v1.17.3

func (svr *Server) GetUsers(ctx context.Context, query map[string]string) *apiservice.BatchQueryResponse

GetUsers 查询用户列表

func (*Server) Login added in v1.17.3

Login 登录动作

func (*Server) RecordHistory added in v1.17.3

func (svr *Server) RecordHistory(entry *model.RecordEntry)

RecordHistory Server对外提供history插件的简单封装

func (*Server) ResetGroupToken added in v1.17.3

func (svr *Server) ResetGroupToken(ctx context.Context, req *apisecurity.UserGroup) *apiservice.Response

ResetGroupToken 刷新用户组的token

func (*Server) ResetUserToken added in v1.17.3

func (svr *Server) ResetUserToken(ctx context.Context, req *apisecurity.User) *apiservice.Response

ResetUserToken 重置用户 token

func (*Server) UpdateGroup added in v1.17.3

func (svr *Server) UpdateGroup(ctx context.Context, req *apisecurity.ModifyUserGroup) *apiservice.Response

UpdateGroup 更新用户组

func (*Server) UpdateGroupToken added in v1.17.3

func (svr *Server) UpdateGroupToken(ctx context.Context, req *apisecurity.UserGroup) *apiservice.Response

UpdateGroupToken 调整用户组 token 的使用状态 (禁用|开启)

func (*Server) UpdateGroups added in v1.17.3

func (svr *Server) UpdateGroups(
	ctx context.Context, groups []*apisecurity.ModifyUserGroup) *apiservice.BatchWriteResponse

UpdateGroups 批量修改用户组

func (*Server) UpdateStrategies added in v1.17.3

func (svr *Server) UpdateStrategies(
	ctx context.Context, reqs []*apisecurity.ModifyAuthStrategy) *apiservice.BatchWriteResponse

UpdateStrategies 批量修改鉴权

func (*Server) UpdateStrategy added in v1.17.3

func (svr *Server) UpdateStrategy(ctx context.Context, req *apisecurity.ModifyAuthStrategy) *apiservice.Response

UpdateStrategy 实现鉴权策略的变更
Case 1. 修改的是默认鉴权策略的话,只能修改资源,不能添加、删除用户 or 用户组
Case 2. 鉴权策略只能被自己的 owner 对应的用户修改
Case 3. 主账户的默认策略不得修改

func (*Server) UpdateUser added in v1.17.3

func (svr *Server) UpdateUser(ctx context.Context, req *apisecurity.User) *apiservice.Response

UpdateUser 更新用户信息,仅能修改 comment 以及账户密码

func (*Server) UpdateUserPassword added in v1.17.3

func (svr *Server) UpdateUserPassword(ctx context.Context, req *apisecurity.ModifyUserPassword) *apiservice.Response

UpdateUserPassword 更新用户密码信息

func (*Server) UpdateUserToken added in v1.17.3

func (svr *Server) UpdateUserToken(ctx context.Context, req *apisecurity.User) *apiservice.Response

UpdateUserToken 更新用户 token

type StrategyAuthAbility added in v1.17.3

// StrategyAuthAbility exposes the auth-strategy operations of Server; per
// NewStrategyAuthAbility it is built with a DefaultAuthChecker, presumably to
// gate each operation with a permission check — confirm in the method bodies.
type StrategyAuthAbility struct {
	// contains filtered or unexported fields
}

func NewStrategyAuthAbility added in v1.17.3

func NewStrategyAuthAbility(authMgn *DefaultAuthChecker, target *Server) *StrategyAuthAbility

func (*StrategyAuthAbility) AfterResourceOperation added in v1.17.3

func (svr *StrategyAuthAbility) AfterResourceOperation(afterCtx *model.AcquireContext) error

AfterResourceOperation is called after a resource operation completes.

func (*StrategyAuthAbility) CreateStrategy added in v1.17.3

func (svr *StrategyAuthAbility) CreateStrategy(
	ctx context.Context, strategy *apisecurity.AuthStrategy) *apiservice.Response

CreateStrategy creates a new strategy.

func (*StrategyAuthAbility) DeleteStrategies added in v1.17.3

DeleteStrategies deletes strategies.

func (*StrategyAuthAbility) GetAuthChecker added in v1.17.3

func (svr *StrategyAuthAbility) GetAuthChecker() auth.AuthChecker

GetAuthChecker 获取鉴权管理器

func (*StrategyAuthAbility) GetPrincipalResources added in v1.17.3

func (svr *StrategyAuthAbility) GetPrincipalResources(ctx context.Context, query map[string]string) *apiservice.Response

GetPrincipalResources get principal resources.

func (*StrategyAuthAbility) GetStrategies added in v1.17.3

func (svr *StrategyAuthAbility) GetStrategies(ctx context.Context,
	query map[string]string) *apiservice.BatchQueryResponse

GetStrategies gets the strategy list.

func (*StrategyAuthAbility) GetStrategy added in v1.17.3

func (svr *StrategyAuthAbility) GetStrategy(
	ctx context.Context, strategy *apisecurity.AuthStrategy) *apiservice.Response

GetStrategy get strategy.

func (*StrategyAuthAbility) Initialize added in v1.17.3

func (svr *StrategyAuthAbility) Initialize(authOpt *auth.Config, storage store.Store,
	cacheMgn *cache.CacheManager) error

Initialize 执行初始化动作

func (*StrategyAuthAbility) Name added in v1.17.3

func (svr *StrategyAuthAbility) Name() string

Name returns the name of this plugin.

func (*StrategyAuthAbility) UpdateStrategies added in v1.17.3

UpdateStrategies updates strategies.

type StrategyDetail2Api

type StrategyDetail2Api func(user *model.StrategyDetail) *apisecurity.AuthStrategy

StrategyDetail2Api converts a *model.StrategyDetail into an *apisecurity.AuthStrategy.

type User2Api

type User2Api func(user *model.User) *apisecurity.User

User2Api converts a *model.User into an *apisecurity.User.

type UserAuthAbility added in v1.17.3

// UserAuthAbility exposes the user operations of Server. It embeds
// *GroupAuthAbility, so the group methods are promoted onto it as well.
type UserAuthAbility struct {
	*GroupAuthAbility
	// contains filtered or unexported fields
}

func NewUserAuthAbility added in v1.17.3

func NewUserAuthAbility(authMgn *DefaultAuthChecker, target *Server) *UserAuthAbility

func (*UserAuthAbility) CreateUsers added in v1.17.3

CreateUsers 创建用户,只能由超级账户 or 主账户调用

case 1. 超级账户调用:创建的是主账户
case 2. 主账户调用:创建的是子账户

func (*UserAuthAbility) DeleteUser added in v1.17.3

func (svr *UserAuthAbility) DeleteUser(ctx context.Context, user *apisecurity.User) *apiservice.Response

DeleteUser 删除用户,只能由超级账户 or 主账户操作

func (*UserAuthAbility) DeleteUsers added in v1.17.3

func (svr *UserAuthAbility) DeleteUsers(
	ctx context.Context, reqs []*apisecurity.User) *apiservice.BatchWriteResponse

DeleteUsers 批量删除用户,只能由超级账户 or 主账户操作

func (*UserAuthAbility) GetUserToken added in v1.17.3

func (svr *UserAuthAbility) GetUserToken(ctx context.Context, user *apisecurity.User) *apiservice.Response

GetUserToken 获取用户token,任意账户均可以操作

func (*UserAuthAbility) GetUsers added in v1.17.3

func (svr *UserAuthAbility) GetUsers(ctx context.Context, filter map[string]string) *apiservice.BatchQueryResponse

GetUsers 获取用户列表,任意账户均可以操作

func (*UserAuthAbility) Initialize added in v1.17.3

func (svr *UserAuthAbility) Initialize(authOpt *auth.Config, storage store.Store,
	cacheMgn *cache.CacheManager) error

Initialize 执行初始化动作

func (*UserAuthAbility) Login added in v1.17.3

Login performs the login action.

func (*UserAuthAbility) Name added in v1.17.3

func (svr *UserAuthAbility) Name() string

Name of the user operator plugin

func (*UserAuthAbility) ResetUserToken added in v1.17.3

func (svr *UserAuthAbility) ResetUserToken(ctx context.Context, user *apisecurity.User) *apiservice.Response

ResetUserToken 重置用户token,允许子账户进行操作

func (*UserAuthAbility) UpdateUser added in v1.17.3

func (svr *UserAuthAbility) UpdateUser(ctx context.Context, user *apisecurity.User) *apiservice.Response

UpdateUser 更新用户,任意账户均可以操作。用户 token 被禁用仅表示不能对北极星资源执行写操作,修改用户信息仍然可以执行

func (*UserAuthAbility) UpdateUserPassword added in v1.17.3

func (svr *UserAuthAbility) UpdateUserPassword(
	ctx context.Context, req *apisecurity.ModifyUserPassword) *apiservice.Response

UpdateUserPassword 更新用户密码信息

func (*UserAuthAbility) UpdateUserToken added in v1.17.3

func (svr *UserAuthAbility) UpdateUserToken(ctx context.Context, user *apisecurity.User) *apiservice.Response

UpdateUserToken 更新用户的 token 状态,只允许超级、主账户进行操作

type UserGroup2Api

type UserGroup2Api func(user *model.UserGroup) *apisecurity.UserGroup

UserGroup2Api converts a *model.UserGroup into an *apisecurity.UserGroup.
