resolvers

package

v0.5.0-rc10 Latest Latest Go to latest Published: Jun 28, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/rancher/webhook

Documentation ¶

Overview ¶

Package resolvers resolves what rules different users and roleTemplates our bound to

Index ¶

func GetGroupKey(groupName, namespace string) string
func GetUserKey(userName, namespace string) string
type AggregateRuleResolver
- func NewAggregateRuleResolver(resolvers ...validation.AuthorizationRuleResolver) *AggregateRuleResolver
type CRTBRuleResolver
- func NewCRTBRuleResolver(crtbCache v3.ClusterRoleTemplateBindingCache, ...) *CRTBRuleResolver
type GRBRuleResolver
type GRBRuleResolvers
- func NewGRBRuleResolvers(grbCache v3.GlobalRoleBindingCache, grResolver *auth.GlobalRoleResolver) *GRBRuleResolvers
type PRTBRuleResolver
- func NewPRTBRuleResolver(prtbCache v3.ProjectRoleTemplateBindingCache, ...) *PRTBRuleResolver

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func GetGroupKey ¶ added in v0.2.9

func GetGroupKey(groupName, namespace string) string

GetGroupKey creates a indexer key based on the groupName, and namespace of an object.

func GetUserKey ¶ added in v0.2.9

func GetUserKey(userName, namespace string) string

GetUserKey creates a indexer key based on the userName, and namespace of an object.

Types ¶

type AggregateRuleResolver ¶

type AggregateRuleResolver struct {
	// contains filtered or unexported fields
}

AggregateRuleResolver conforms to the rbac/validation.AuthorizationRuleResolver interface and is used to aggregate multiple other AuthorizationRuleResolver into one resolver.

func NewAggregateRuleResolver ¶

func NewAggregateRuleResolver(resolvers ...validation.AuthorizationRuleResolver) *AggregateRuleResolver

NewAggregateRuleResolver creates a new AggregateRuleResolver that will combine the outputs of all resolvers provided.

func (*AggregateRuleResolver) GetRoleReferenceRules ¶

func (a *AggregateRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules calls GetRoleReferenceRules on each resolver and returns all returned rules and errors.

func (*AggregateRuleResolver) RulesFor ¶

func (a *AggregateRuleResolver) RulesFor(user user.Info, namespace string) (rules []rbacv1.PolicyRule, retError error)

RulesFor returns the list of rules that apply to a given user in a given namespace and error for all Resolvers. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.

func (*AggregateRuleResolver) VisitRulesFor ¶

func (a *AggregateRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes VisitRulesFor() on each resolver. If visitor() returns false, visiting is short-circuited for that resolver.

type CRTBRuleResolver ¶

type CRTBRuleResolver struct {
	ClusterRoleTemplateBindings v3.ClusterRoleTemplateBindingCache
	RoleTemplateResolver        *auth.RoleTemplateResolver
}

CRTBRuleResolver implements the rbacv1.AuthorizationRuleResolver interface.

func NewCRTBRuleResolver ¶

func NewCRTBRuleResolver(crtbCache v3.ClusterRoleTemplateBindingCache, roleTemplateResolver *auth.RoleTemplateResolver) *CRTBRuleResolver

NewCRTBRuleResolver returns a new resolver for resolving rules given through ClusterRoleTemplateBindings. This function can only be called once for each unique instance of crtbCache.

func (*CRTBRuleResolver) GetRoleReferenceRules ¶

func (c *CRTBRuleResolver) GetRoleReferenceRules(rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules is used to find which roles are granted by a rolebinding/clusterrolebinding. Since we don't use these primitives to refer to role templates return empty list.

func (*CRTBRuleResolver) RulesFor ¶

func (c *CRTBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.

func (*CRTBRuleResolver) VisitRulesFor ¶

func (c *CRTBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. If visitor() returns false, visiting is short-circuited.

type GRBRuleResolver ¶ added in v0.5.0

type GRBRuleResolver struct {
	// contains filtered or unexported fields
}

GRBRuleResolver implements the rbacv1.AuthorizationRuleResolver interface. Provides rule resolution for the permissions a GRB gives that apply in a given cluster (or all clusters).

func (*GRBRuleResolver) GetRoleReferenceRules ¶ added in v0.5.0

func (g *GRBRuleResolver) GetRoleReferenceRules(rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules is used to find which rules are granted by a rolebinding/clusterRoleBinding. Since we don't use these primitives to refer to the globalRoles, this function returns an empty slice.

func (*GRBRuleResolver) RulesFor ¶ added in v0.5.0

func (g *GRBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

RulesFor returns the list of Cluster rules that apply in a given namespace (usually either the namespace of a specific cluster or "" for all clusters). If an error is returned, the slice of PolicyRules may not be complete, but contains all retrievable rules.

func (*GRBRuleResolver) VisitRulesFor ¶ added in v0.5.0

func (g *GRBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. If visitor() returns false, visiting is short-circuited. This will return different rules for the "local" namespace.

type GRBRuleResolvers ¶ added in v0.5.0

type GRBRuleResolvers struct {
	// ICRResolver resolves rules for GlobalRole rules defined in InheritedClusterRoles.
	ICRResolver *GRBRuleResolver
	// FWRulesResolver resolves rules for GlobalRole rules defined in InheritedFleetWorkspacePermissions.ResourceRules.
	FWRulesResolver *GRBRuleResolver
	// FWVerbsResolver resolves rules for GlobalRole rules defined in InheritedFleetWorkspacePermissions.WorkspaceVerbs.
	FWVerbsResolver *GRBRuleResolver
}

GRBRuleResolvers contains three rule resolvers for: InheritedClusterRules, FleetWorkspaceRules, FleetWorkspaceVerbs. InheritedClusterRules grants permissions to all cluster except local. FleetWorkspaceRules grants permissions to all fleetworkspaces except local. FleetWorkspaceVerbs grants permissions to fleetworkspaces cluster-wide resource except local. To ensure that rules are resolved without interference, we require separate resolvers for each of them.

func NewGRBRuleResolvers ¶ added in v0.5.0

func NewGRBRuleResolvers(grbCache v3.GlobalRoleBindingCache, grResolver *auth.GlobalRoleResolver) *GRBRuleResolvers

NewGRBRuleResolvers returns resolvers for resolving rules given through GlobalRoleBindings which apply to cluster(s). This function can only be called once for each unique instance of grbCache.

type PRTBRuleResolver ¶

type PRTBRuleResolver struct {
	ProjectRoleTemplateBindings v3.ProjectRoleTemplateBindingCache
	RoleTemplateResolver        *auth.RoleTemplateResolver
}

PRTBRuleResolver implements the validation.AuthorizationRuleResolver interface.

func NewPRTBRuleResolver ¶

func NewPRTBRuleResolver(prtbCache v3.ProjectRoleTemplateBindingCache, roleTemplateResolver *auth.RoleTemplateResolver) *PRTBRuleResolver

NewPRTBRuleResolver will create a new PRTBRuleResolver. This function can only be called once for each unique instance of prtbCache.

func (*PRTBRuleResolver) GetRoleReferenceRules ¶

func (p *PRTBRuleResolver) GetRoleReferenceRules(rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules is used to find which roles are granted by a rolebinding/clusterrolebinding. Since we don't use these primitives to refer to role templates return empty list.

func (*PRTBRuleResolver) RulesFor ¶

func (p *PRTBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.

func (*PRTBRuleResolver) VisitRulesFor ¶

func (p *PRTBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. If visitor() returns false, visiting is short-circuited.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL