resolvers

package
v0.4.0-rc5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 8, 2023 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package resolvers resolves what rules different users and roleTemplates our bound to

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetGroupKey added in v0.2.9

func GetGroupKey(groupName, namespace string) string

GetGroupKey creates a indexer key based on the groupName, and namespace of an object.

func GetUserKey added in v0.2.9

func GetUserKey(userName, namespace string) string

GetUserKey creates a indexer key based on the userName, and namespace of an object.

Types

type AggregateRuleResolver

type AggregateRuleResolver struct {
	// contains filtered or unexported fields
}

AggregateRuleResolver conforms to the rbac/validation.AuthorizationRuleResolver interface and is used to aggregate multiple other AuthorizationRuleResolver into one resolver.

func NewAggregateRuleResolver

func NewAggregateRuleResolver(resolvers ...validation.AuthorizationRuleResolver) *AggregateRuleResolver

NewAggregateRuleResolver creates a new AggregateRuleResolver that will combine the outputs of all resolvers provided.

func (*AggregateRuleResolver) GetRoleReferenceRules

func (a *AggregateRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules calls GetRoleReferenceRules on each resolver and returns all returned rules and errors.

func (*AggregateRuleResolver) RulesFor

func (a *AggregateRuleResolver) RulesFor(user user.Info, namespace string) (rules []rbacv1.PolicyRule, retError error)

RulesFor returns the list of rules that apply to a given user in a given namespace and error for all Resolvers. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.

func (*AggregateRuleResolver) VisitRulesFor

func (a *AggregateRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes VisitRulesFor() on each resolver. If visitor() returns false, visiting is short-circuited for that resolver.

type CRTBRuleResolver

type CRTBRuleResolver struct {
	ClusterRoleTemplateBindings v3.ClusterRoleTemplateBindingCache
	RoleTemplateResolver        *auth.RoleTemplateResolver
}

CRTBRuleResolver implements the rbacv1.AuthorizationRuleResolver interface.

func NewCRTBRuleResolver

func NewCRTBRuleResolver(crtbCache v3.ClusterRoleTemplateBindingCache, roleTemplateResolver *auth.RoleTemplateResolver) *CRTBRuleResolver

NewCRTBRuleResolver returns a new resolver for resolving rules given through ClusterRoleTemplateBindings. This function can only be called once for each unique instance of crtbCache.

func (*CRTBRuleResolver) GetRoleReferenceRules

func (c *CRTBRuleResolver) GetRoleReferenceRules(rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules is used to find which roles are granted by a rolebinding/clusterrolebinding. Since we don't use these primitives to refer to role templates return empty list.

func (*CRTBRuleResolver) RulesFor

func (c *CRTBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.

func (*CRTBRuleResolver) VisitRulesFor

func (c *CRTBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. If visitor() returns false, visiting is short-circuited.

type GRBClusterRuleResolver added in v0.4.0

type GRBClusterRuleResolver struct {
	GlobalRoleBindings v3.GlobalRoleBindingCache
	GlobalRoleResolver *auth.GlobalRoleResolver
}

GRBClusterRuleResolver implements the rbacv1.AuthorizationRuleResolver interface. Provides rule resolution for the permissions a GRB gives that apply in a given cluster (or all clusters).

func NewGRBClusterRuleResolver added in v0.4.0

func NewGRBClusterRuleResolver(grbCache v3.GlobalRoleBindingCache, grResolver *auth.GlobalRoleResolver) *GRBClusterRuleResolver

New NewGRBClusterRuleResolver returns a new resolver for resolving rules given through GlobalRoleBindings which apply to cluster(s). This function can only be called once for each unique instance of grbCache.

func (*GRBClusterRuleResolver) GetRoleReferenceRules added in v0.4.0

func (g *GRBClusterRuleResolver) GetRoleReferenceRules(rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules is used to find which rules are granted by a rolebinding/clusterRoleBinding. Since we don't use these primitives to refer to the globalRoles, this function returns an empty slice.

func (*GRBClusterRuleResolver) RulesFor added in v0.4.0

func (g *GRBClusterRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

RulesFor returns the list of Cluster rules that apply in a given namespace (usually either the namespace of a specific cluster or "" for all clusters). If an error is returned, the slice of PolicyRules may not be complete, but contains all retrievable rules.

func (*GRBClusterRuleResolver) VisitRulesFor added in v0.4.0

func (g *GRBClusterRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. If visitor() returns false, visiting is short-circuited. This will return different rules for the "local" namespace.

type PRTBRuleResolver

type PRTBRuleResolver struct {
	ProjectRoleTemplateBindings v3.ProjectRoleTemplateBindingCache
	RoleTemplateResolver        *auth.RoleTemplateResolver
}

PRTBRuleResolver implements the validation.AuthorizationRuleResolver interface.

func NewPRTBRuleResolver

func NewPRTBRuleResolver(prtbCache v3.ProjectRoleTemplateBindingCache, roleTemplateResolver *auth.RoleTemplateResolver) *PRTBRuleResolver

NewPRTBRuleResolver will create a new PRTBRuleResolver. This function can only be called once for each unique instance of prtbCache.

func (*PRTBRuleResolver) GetRoleReferenceRules

func (p *PRTBRuleResolver) GetRoleReferenceRules(rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules is used to find which roles are granted by a rolebinding/clusterrolebinding. Since we don't use these primitives to refer to role templates return empty list.

func (*PRTBRuleResolver) RulesFor

func (p *PRTBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.

func (*PRTBRuleResolver) VisitRulesFor

func (p *PRTBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. If visitor() returns false, visiting is short-circuited.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL