Documentation
Overview
Package policy provides methods for parsing RBAC policies to determine if a user has access to a given resource.
TODO: more details about policy trees + "MostRestrictiveParent" + "LeastRestrictiveSibling"
Caveats:
- one policy document must match the entire action
- list/create are not resource-specific actions, so granting list/create permissions for a scope means that a user can list all resources or create a new resource in that scope.
Constants
This section is empty.
Variables
var AdminPolicy = []*types.PolicyDocument{
	{
		Scope: types.ProjectScope,
		Verbs: types.ReadWriteVerbGroup(),
	},
}
var DeveloperPolicy = []*types.PolicyDocument{
	{
		Scope: types.ProjectScope,
		Verbs: types.ReadWriteVerbGroup(),
		Children: map[types.PermissionScope]*types.PolicyDocument{
			types.SettingsScope: {
				Scope: types.SettingsScope,
				Verbs: types.ReadVerbGroup(),
			},
		},
	},
}
var ViewerPolicy = []*types.PolicyDocument{
	{
		Scope: types.ProjectScope,
		Verbs: types.ReadVerbGroup(),
		Children: map[types.PermissionScope]*types.PolicyDocument{
			types.SettingsScope: {
				Scope: types.SettingsScope,
				Verbs: []types.APIVerb{},
			},
		},
	},
}
Functions
func HasScopeAccess
func HasScopeAccess(
	policy []*types.PolicyDocument,
	reqScopes map[types.PermissionScope]*types.RequestAction,
) bool
HasScopeAccess checks that a user can perform an action (`verb`) against a specific resource (`resource+scope`) according to a `policy`.
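A simplified, self-contained model of this check, added here as an illustration and not the package's own code. The `Doc`, `Scope` and `Verb` types, the verb-group contents, and the rule that a child entry replaces its parent's verbs are assumptions, since the page shows neither the `types` package nor the evaluation logic.

```go
package main

import "fmt"

// Hypothetical stand-ins for the types package, which this page does not show.
type Scope string
type Verb string

type Doc struct {
	Scope    Scope
	Verbs    []Verb
	Children map[Scope]*Doc
}

// Assumed contents of ReadVerbGroup() and ReadWriteVerbGroup().
var read = []Verb{"get", "list"}
var readWrite = []Verb{"get", "list", "create", "update", "delete"}

// verbsFor returns the verbs d grants at scope s. Assumption: a child entry
// replaces the parent's verbs for that scope; with no entry, s inherits them.
func verbsFor(d *Doc, s Scope) []Verb {
	if c, ok := d.Children[s]; ok {
		return c.Verbs
	}
	return d.Verbs
}

// Allows reports whether a single document grants every requested scope/verb
// pair. An empty request is denied (fail closed).
func Allows(policy []*Doc, req map[Scope]Verb) bool {
	for _, d := range policy {
		matched := len(req) > 0
		for s, want := range req {
			granted := false
			for _, v := range verbsFor(d, s) {
				granted = granted || v == want
			}
			matched = matched && granted
		}
		if matched {
			return true
		}
	}
	return false
}

func main() {
	admin := []*Doc{{Scope: "project", Verbs: readWrite}}
	fmt.Println(Allows(admin, map[Scope]Verb{"settings": "update"})) // inherited from project
}
```

Under this model an empty `Verbs` list on a child scope, as in `ViewerPolicy`, denies that scope outright, and two documents that each grant half of a request do not combine to grant it.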
Types
type BasicPolicyDocumentLoader
type BasicPolicyDocumentLoader struct {
	// contains filtered or unexported fields
}
BasicPolicyDocumentLoader loads policy documents simply depending on the
func NewBasicPolicyDocumentLoader
func NewBasicPolicyDocumentLoader(projRepo repository.ProjectRepository) *BasicPolicyDocumentLoader
func (*BasicPolicyDocumentLoader) LoadPolicyDocuments
func (b *BasicPolicyDocumentLoader) LoadPolicyDocuments(
	userID, projectID uint,
) ([]*types.PolicyDocument, apierrors.RequestError)
type PolicyDocumentLoader
type PolicyDocumentLoader interface {
	LoadPolicyDocuments(userID, projectID uint) ([]*types.PolicyDocument, apierrors.RequestError)
}