rbac



Constants

// Role names used by the rbac test helpers. They are typed as Role so the
// Verify* helpers can branch on which role the user under test holds.
const (
	Admin        Role = "admin"
	BaseUser     Role = "user-base"
	StandardUser Role = "user"
	ReadOnly     Role = "read-only"

	ClusterOwner  Role = "cluster-owner"
	ClusterMember Role = "cluster-member"
	ProjectOwner  Role = "project-owner"
	ProjectMember Role = "project-member"
	CreateNS      Role = "create-ns"

	// Custom role templates exercised by the tests.
	CustomManageProjectMember Role = "projectroletemplatebindings-manage"
	CrtbView                  Role = "clusterroletemplatebindings-view"
	ProjectsCreate            Role = "projects-create"
	ProjectsView              Role = "projects-view"
	ManageWorkloads           Role = "workloads-manage"
)

// Plain string constants shared by the helpers.
const (
	ActiveStatus = "active"

	// ForbiddenError is the HTTP 403 status text. NOTE(review): presumably
	// matched against error strings returned for denied calls — a substring
	// match on status text is brittle across client versions; confirm usage.
	ForbiddenError = "403 Forbidden"

	DefaultNamespace = "fleet-default"
	LocalCluster     = "local"
	UserKind         = "User"

	// ImageName carries no tag, so it resolves to the registry default tag;
	// pin a tag if reproducible test runs are required.
	ImageName = "nginx"

	// management.cattle.io API group, resources and verb referenced by the
	// rbac tests.
	ManageUsersVerb       = "manage-users"
	ManagementAPIGroup    = "management.cattle.io"
	UsersResource         = "users"
	UserAttributeResource = "userattribute"
	GroupsResource        = "groups"
	GroupMembersResource  = "groupmembers"
)
// ConfigurationFileKey is the key under which the rbac test input is looked
// up in the test configuration file.
const ConfigurationFileKey = "rbacInput"

Variables

This section is empty.

Functions

func AddUserWithRoleToCluster

func AddUserWithRoleToCluster(client *rancher.Client, globalRole, role string, cluster *management.Cluster, project *v3.Project) (*management.User, *rancher.Client, error)

AddUserWithRoleToCluster creates a user based on the global role and then adds the user to the cluster with the provided permissions.

func CreateClusterRoleTemplateBinding

func CreateClusterRoleTemplateBinding(client *rancher.Client, clusterID string, user *management.User, roleTemplateID string) (*v3.ClusterRoleTemplateBinding, error)

CreateClusterRoleTemplateBinding creates a cluster role template binding for the user with the provided role template using wrangler context

func CreateProjectRoleTemplateBinding

func CreateProjectRoleTemplateBinding(client *rancher.Client, user *management.User, project *v3.Project, roleTemplateID string) (*v3.ProjectRoleTemplateBinding, error)

CreateProjectRoleTemplateBinding creates a project role template binding for the user with the provided role template using wrangler context

func CreateRoleTemplate

func CreateRoleTemplate(client *rancher.Client, context string, rules []rbacv1.PolicyRule, inheritedRoles []*v3.RoleTemplate, external bool, externalRules []rbacv1.PolicyRule) (*v3.RoleTemplate, error)

CreateRoleTemplate creates a cluster or project role template with the provided rules using wrangler context

func GetBindings

func GetBindings(rancherClient *rancher.Client, userID string) (map[string]interface{}, error)

GetBindings is a helper function to fetch bindings for a user

func GetClusterRoleRules

func GetClusterRoleRules(client *rancher.Client, clusterID string, clusterRoleName string) ([]rbacv1.PolicyRule, error)

GetClusterRoleRules is a helper function to fetch rules for a cluster role

func GetGlobalRoleBindingByName

func GetGlobalRoleBindingByName(client *rancher.Client, globalRoleBindingName string) (*v3.GlobalRoleBinding, error)

GetGlobalRoleBindingByName is a helper function to fetch global role binding by name

func GetGlobalRoleBindingByUserAndRole

func GetGlobalRoleBindingByUserAndRole(client *rancher.Client, userID, globalRoleName string) (*v3.GlobalRoleBinding, error)

GetGlobalRoleBindingByUserAndRole is a helper function to fetch global role binding for a user associated with a specific global role

func GetGlobalRoleByName

func GetGlobalRoleByName(client *rancher.Client, globalRoleName string) (*v3.GlobalRole, error)

GetGlobalRoleByName is a helper function to fetch global role by name

func GetRoleBindings

func GetRoleBindings(rancherClient *rancher.Client, clusterID string, userID string) ([]rbacv1.RoleBinding, error)

GetRoleBindings is a helper function to fetch rolebindings for a user

func GetRoleTemplateByName

func GetRoleTemplateByName(client *rancher.Client, roleTemplateName string) (*v3.RoleTemplate, error)

GetRoleTemplateByName is a helper function to fetch role template by name using wrangler context

func SetupUser

func SetupUser(client *rancher.Client, globalRoles ...string) (user *management.User, userClient *rancher.Client, err error)

SetupUser is a helper to create a user with the specified global role(s) and a client for that user.

func VerifyClusterRoleTemplateBindingForUser

func VerifyClusterRoleTemplateBindingForUser(client *rancher.Client, username string, expectedCount int) ([]v3.ClusterRoleTemplateBinding, error)

VerifyClusterRoleTemplateBindingForUser is a helper function to verify the number of cluster role template bindings for a user

func VerifyGlobalRoleBindingsForUser

func VerifyGlobalRoleBindingsForUser(t *testing.T, user *management.User, adminClient *rancher.Client)

VerifyGlobalRoleBindingsForUser validates that a global role binding is created for a user when the user is created

func VerifyProjectRoleTemplateBindingForUser

func VerifyProjectRoleTemplateBindingForUser(client *rancher.Client, username string, expectedCount int) ([]v3.ProjectRoleTemplateBinding, error)

VerifyProjectRoleTemplateBindingForUser is a helper function to verify the number of project role template bindings for a user

func VerifyRoleBindingsForUser

func VerifyRoleBindingsForUser(t *testing.T, user *management.User, adminClient *rancher.Client, clusterID string, role Role, expectedCount int)

VerifyRoleBindingsForUser validates that the corresponding role bindings are created for the user

func VerifyRoleRules

func VerifyRoleRules(expected, actual map[string][]string) error

VerifyRoleRules checks if the expected role rules match the actual rules.

func VerifyUserCanAddClusterRoles

func VerifyUserCanAddClusterRoles(t *testing.T, client, memberClient *rancher.Client, cluster *management.Cluster, role Role)

VerifyUserCanAddClusterRoles validates that a user with the required cluster permissions is able, or not able, to add other users to the cluster

func VerifyUserCanAddProjectRoles

func VerifyUserCanAddProjectRoles(t *testing.T, client *rancher.Client, project *v3.Project, additionalUser *management.User, projectRole, clusterID string, role Role)

VerifyUserCanAddProjectRoles validates that a user with the required cluster permissions is able, or not able, to add other users to a project on the downstream cluster

func VerifyUserCanCreateNamespace

func VerifyUserCanCreateNamespace(t *testing.T, client, standardClient *rancher.Client, project *v3.Project, clusterID string, role Role)

VerifyUserCanCreateNamespace validates that a user with the required cluster permissions is able, or not able, to create namespaces in a project they do not own

func VerifyUserCanCreateProjects

func VerifyUserCanCreateProjects(t *testing.T, client, standardClient *rancher.Client, clusterID string, role Role)

VerifyUserCanCreateProjects validates that a user with the required cluster permissions is able, or not able, to create projects in the downstream cluster

func VerifyUserCanDeleteNamespace

func VerifyUserCanDeleteNamespace(t *testing.T, client, standardClient *rancher.Client, project *v3.Project, clusterID string, role Role)

VerifyUserCanDeleteNamespace validates that a user with the required cluster permissions is able, or not able, to delete namespaces in a project they do not own

func VerifyUserCanDeleteProject

func VerifyUserCanDeleteProject(t *testing.T, client *rancher.Client, project *v3.Project, role Role)

VerifyUserCanDeleteProject validates that a user with the required cluster/project permissions is able, or not able, to delete projects in the downstream cluster

func VerifyUserCanGetProject

func VerifyUserCanGetProject(t *testing.T, client, standardClient *rancher.Client, clusterID, adminProjectName string, role Role)

VerifyUserCanGetProject validates that a user with the required cluster permissions is able, or not able, to get the specific project in the downstream cluster

func VerifyUserCanListCluster

func VerifyUserCanListCluster(t *testing.T, client, standardClient *rancher.Client, clusterID string, role Role)

VerifyUserCanListCluster validates that a user with the required global permissions is able, or not able, to list the clusters in the Rancher server

func VerifyUserCanListNamespace

func VerifyUserCanListNamespace(t *testing.T, client, standardClient *rancher.Client, project *v3.Project, clusterID string, role Role)

VerifyUserCanListNamespace validates that a user with the required cluster permissions is able, or not able, to list namespaces in a project they do not own

func VerifyUserCanListProject

func VerifyUserCanListProject(t *testing.T, client, standardClient *rancher.Client, clusterID, adminProjectName string, role Role)

VerifyUserCanListProject validates that a user with the required cluster permissions is able, or not able, to list projects in the downstream cluster

func VerifyUserCanRemoveClusterRoles

func VerifyUserCanRemoveClusterRoles(t *testing.T, client *rancher.Client, user *management.User)

VerifyUserCanRemoveClusterRoles validates that a user with the required cluster/project permissions is able, or not able, to remove cluster roles in the downstream cluster

func WaitForCrtbStatus

func WaitForCrtbStatus(client *rancher.Client, crtbNamespace, crtbName string) error

WaitForCrtbStatus waits for the CRTB to reach the Completed status or checks for its existence if status field is not supported (older Rancher versions)

func WaitForPrtbExistence

func WaitForPrtbExistence(client *rancher.Client, project *v3.Project, prtbObj *v3.ProjectRoleTemplateBinding, user *management.User) (*v3.ProjectRoleTemplateBinding, error)

WaitForPrtbExistence waits for the PRTB to exist with the correct user and project

Types

type Config

// Config is the rbac test input. NOTE(review): presumably decoded from the
// test configuration under ConfigurationFileKey ("rbacInput") — confirm
// against the loader.
type Config struct {
	// Role is the role under test; expected to be one of the Role constants.
	Role     Role   `json:"role" yaml:"role"`
	// Username identifies the test user.
	Username string `json:"username" yaml:"username"`
	// Password is the test user's credential, held in plain text in the
	// config source. Keep it out of logs and committed config files.
	Password string `json:"password" yaml:"password"`
}

type Role

// Role is a Rancher role identifier (global, cluster or project scoped); the
// recognised values are the Role constants declared in this package.
type Role string

func (Role) String

func (r Role) String() string
