resolvers

package
v0.3.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 17, 2023 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package resolvers resolves what rules different users and roleTemplates our bound to

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetGroupKey added in v0.2.9

func GetGroupKey(groupName, namespace string) string

GetGroupKey creates a indexer key based on the groupName, and namespace of an object.

func GetUserKey added in v0.2.9

func GetUserKey(userName, namespace string) string

GetUserKey creates a indexer key based on the userName, and namespace of an object.

Types

type AggregateRuleResolver

type AggregateRuleResolver struct {
	// contains filtered or unexported fields
}

AggregateRuleResolver conforms to the rbac/validation.AuthorizationRuleResolver interface and is used to aggregate multiple other AuthorizationRuleResolver into one resolver.

func NewAggregateRuleResolver

func NewAggregateRuleResolver(resolvers ...validation.AuthorizationRuleResolver) *AggregateRuleResolver

NewAggregateRuleResolver creates a new AggregateRuleResolver that will combine the outputs of all resolvers provided.

func (*AggregateRuleResolver) GetRoleReferenceRules

func (a *AggregateRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules calls GetRoleReferenceRules on each resolver and returns all returned rules and errors.

func (*AggregateRuleResolver) RulesFor

func (a *AggregateRuleResolver) RulesFor(user user.Info, namespace string) (rules []rbacv1.PolicyRule, retError error)

RulesFor returns the list of rules that apply to a given user in a given namespace and error for all Resolvers. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.

func (*AggregateRuleResolver) VisitRulesFor

func (a *AggregateRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes VisitRulesFor() on each resolver. If visitor() returns false, visiting is short-circuited for that resolver.

type CRTBRuleResolver

type CRTBRuleResolver struct {
	ClusterRoleTemplateBindings v3.ClusterRoleTemplateBindingCache
	RoleTemplateResolver        *auth.RoleTemplateResolver
}

CRTBRuleResolver implements the rbacv1.AuthorizationRuleResolver interface.

func NewCRTBRuleResolver

func NewCRTBRuleResolver(crtbCache v3.ClusterRoleTemplateBindingCache, roleTemplateResolver *auth.RoleTemplateResolver) *CRTBRuleResolver

NewCRTBRuleResolver returns a new resolver for resolving rules given through ClusterRoleTemplateBindings. This function can only be called once for each unique instance of crtbCache.

func (*CRTBRuleResolver) GetRoleReferenceRules

func (c *CRTBRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules is used to find which roles are granted by a rolebinding/clusterrolebinding. Since we don't use these primitives to refer to role templates return empty list.

func (*CRTBRuleResolver) RulesFor

func (c *CRTBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.

func (*CRTBRuleResolver) VisitRulesFor

func (c *CRTBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. If visitor() returns false, visiting is short-circuited.

type PRTBRuleResolver

type PRTBRuleResolver struct {
	ProjectRoleTemplateBindings v3.ProjectRoleTemplateBindingCache
	RoleTemplateResolver        *auth.RoleTemplateResolver
}

PRTBRuleResolver implements the validation.AuthorizationRuleResolver interface.

func NewPRTBRuleResolver

func NewPRTBRuleResolver(prtbCache v3.ProjectRoleTemplateBindingCache, roleTemplateResolver *auth.RoleTemplateResolver) *PRTBRuleResolver

NewPRTBRuleResolver will create a new PRTBRuleResolver. This function can only be called once for each unique instance of prtbCache.

func (*PRTBRuleResolver) GetRoleReferenceRules

func (p *PRTBRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules is used to find which roles are granted by a rolebinding/clusterrolebinding. Since we don't use these primitives to refer to role templates return empty list.

func (*PRTBRuleResolver) RulesFor

func (p *PRTBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.

func (*PRTBRuleResolver) VisitRulesFor

func (p *PRTBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. If visitor() returns false, visiting is short-circuited.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL