Constants
    const (
        // EffectAllow describes a rule that adds permissions
        EffectAllow = Effect("allow")
        // EffectDeny describes a rule that removes permissions
        EffectDeny = Effect("deny")
    )
Variables
    var (
        // ErrAccessDenied is returned by policy enforcement when no rule allows the request
        ErrAccessDenied = fmt.Errorf("access denied")
        // DefaultAccessControlPolicyFilename is the file name for the policy;
        // the expected file format is yaml
        DefaultAccessControlPolicyFilename = "access_control_policy.yaml"
    )
Functions

func ResourceStrFromRef
ResourceStrFromRef takes a dsref.Ref and returns a string that can be parsed as a resource
Types

type Action
    type Action []string
Action is a description of the action the Subject is attempting to take on the Resource
func MustParseAction
MustParseAction parses a string into an Action. It panics if the string cannot be parsed correctly
func ParseAction
ParseAction parses a string into an Action
func (Action) Contains

Contains determines whether the given action is described by the rule's Action. It returns true if the action matches, with `*` treated as a glob pattern
func (Action) MarshalJSON
MarshalJSON marshals the Action into a string separated by ":"
func (*Action) UnmarshalJSON
UnmarshalJSON unmarshals the given slice of bytes into an Action
type Policy

    type Policy []Rule
Policy is a set of rules
Example

    const examplePolicy = `
    [
      {
        "title": "pull any dataset",
        "effect": "allow",
        "subject": "*",
        "resources": [
          "dataset:*"
        ],
        "actions": [
          "remote:pull"
        ]
      },
      {
        "title": "push and delete user-owned datasets",
        "effect": "allow",
        "subject": "*",
        "resources": [
          "dataset:_subject:*"
        ],
        "actions": [
          "remote:push",
          "remote:remove"
        ]
      }
    ]
    `

    p := &Policy{}
    if err := json.Unmarshal([]byte(examplePolicy), p); err != nil {
        panic(err)
    }

    bob := &profile.Profile{
        ID:       profile.IDB58DecodeOrEmpty("QmZePf5LeXow3RW5U1AgEiNbW46YnRGhZ7HPvm1UmPFPwt"),
        Peername: "bob",
    }

    if err := p.Enforce(bob, "dataset:someone_else:world_bank_population", "remote:pull"); err == nil {
        fmt.Println("bob can pull someone_else/world_bank_population")
    }

    if err := p.Enforce(bob, "dataset:bob:bobs_dataset", "remote:remove"); err == nil {
        fmt.Println("bob can remote-delete his own dataset")
    }

    if err := p.Enforce(bob, "dataset:someone_else:dataset", "remote:remove"); err == ErrAccessDenied {
        fmt.Println("bob can't remote-delete someone else's dataset")
    }

Output:

    bob can pull someone_else/world_bank_population
    bob can remote-delete his own dataset
    bob can't remote-delete someone else's dataset
type Resource

    type Resource []string
Resource is a stateful thing in qri
func MustParseResource
MustParseResource wraps ParseResource, panics on error. Useful for tests
func ParseResource
ParseResource constructs a resource from a string
func (Resource) Contains

Contains determines whether the subject is referenced in the resource. It returns true if the rule's resource contains the `matchAll` symbol, and also returns true if the rule's resource contains the `matchSubject` symbol and the subjectUsername appears in the given resource (this allows rules that say, "only allow subjects to perform this action if the resource matches the subject's name")
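The `*` glob matching described for Action.Contains and the `matchSubject` substitution described for Resource.Contains, worked through together in a small stand-alone evaluator. This is an added example, not the qri package's code: `patternMatches`, `simpleRule`, `allowed`, the constructed `exampleRules` policy and the deny-overrides ordering are assumptions of the example (the `_subject` spelling of the marker is taken from the example policy above).

```go
package main

import "strings"

// Constructed illustration of the matching documented above, not qri's own code: "*"
// matches any segment (a trailing "*" matches the rest) and "_subject" is the username.
const matchAll, matchSubject = "*", "_subject"

// patternMatches compares colon-separated rule and request strings segment by segment.
func patternMatches(rule, req, subject string) bool {
	rs, qs := strings.Split(rule, ":"), strings.Split(req, ":")
	for i, r := range rs {
		switch {
		case i >= len(qs):
			return false // rule has more segments than the request
		case r == matchAll && i == len(rs)-1:
			return true // trailing "*" absorbs the rest of the request
		case r != matchAll && r != qs[i] && !(r == matchSubject && qs[i] == subject):
			return false
		}
	}
	return len(rs) == len(qs)
}

// simpleRule reduces Rule to one resource and one action; Allow false means "deny".
type simpleRule struct {
	Subject, Resource, Action string
	Allow                     bool
}
// exampleRules is a constructed policy: anyone may pull, owners may do anything to
// their own datasets, except remotely removing one named audit_log.
var exampleRules = []simpleRule{
	{"*", "dataset:*", "remote:pull", true},
	{"*", "dataset:_subject:*", "remote:*", true},
	{"*", "dataset:_subject:audit_log", "remote:remove", false},
}
// allowed reports whether some allow rule matches and no deny rule does;
// deny-overrides is this example's assumption, not something the page states.
func allowed(rules []simpleRule, subject, resource, action string) bool {
	granted := false
	for _, r := range rules {
		if patternMatches(r.Subject, subject, subject) && patternMatches(r.Resource, resource, subject) && patternMatches(r.Action, action, subject) {
			if !r.Allow {
				return false // a matching deny rule wins
			}
			granted = true
		}
	}
	return granted
}
```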
func (Resource) MarshalJSON
MarshalJSON marshals the resource into a string separated by ":"
func (*Resource) UnmarshalJSON
UnmarshalJSON unmarshals a slice of bytes into a Resource
type Rule

    type Rule struct {
        Title     string    // human-legible title for the rule, informative only
        Subject   string    // User this rule is about
        Resources Resources // Thing being accessed. eg: a dataset
        Actions   Actions   // Thing user can do
        Effect    Effect    // "allow" or "deny"
    }
Rule is a permissions statement. It determines who (subject) can/can't (effect) do something (actions) to things (resources)
func (*Rule) UnmarshalJSON
UnmarshalJSON unmarshals the slice of bytes into a Rule