auth

package
v0.5.0-rc11
Published: Jul 2, 2024 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Overview

Package auth holds common webhook code used during authentication and authorization checks: resolving the rules a role, role template or global role grants, and confirming that a request does not escalate privileges.

Index

Constants

View Source
const (
	// CreatorIDAnn is an annotation key for the id of the creator.
	CreatorIDAnn = "field.cattle.io/creatorId"
)

Variables

This section is empty.

Functions

func ConfirmNoEscalation added in v0.1.6

func ConfirmNoEscalation(request *admission.Request, rules []rbacv1.PolicyRule, namespace string, ruleResolver validation.AuthorizationRuleResolver) error

ConfirmNoEscalation checks that the user making the request already holds every permission in rules (the rules being granted by the role or binding under admission). The user's own rules are resolved through ruleResolver in the given namespace; if any granted permission is not covered, an error is returned and the webhook should deny the request, since creating a role or binding broader than one's own permissions is a privilege escalation.
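An added example, not the webhook's own code, of the rule-coverage decision behind ConfirmNoEscalation, written without the Kubernetes libraries so it runs stand-alone: PolicyRule is a cut-down stand-in for rbacv1.PolicyRule, the requester's rules are passed in directly instead of being resolved through an AuthorizationRuleResolver, and breakdown, covers and UncoveredGrants are this example's own helpers (Kubernetes' real coverage logic additionally handles NonResourceURLs and subresources). The sample rules are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a cut-down stand-in (an assumption of this example) for
// rbacv1.PolicyRule; NonResourceURLs and subresources are not modelled.
type PolicyRule struct{ Verbs, APIGroups, Resources, ResourceNames []string }

// grant is one (verb, group, resource, name) unit of a granted rule; an empty name means every object.
type grant struct{ verb, group, resource, name string }

func (g grant) String() string {
	s := g.verb + " " + g.resource
	if g.group != "" {
		s += "." + g.group
	}
	return strings.TrimSpace(s + " " + g.name)
}

// breakdown splits rules into grant units so coverage is decided per unit, not per whole rule.
func breakdown(rules []PolicyRule) []grant {
	var out []grant
	for _, r := range rules {
		names := r.ResourceNames
		if len(names) == 0 {
			names = []string{""}
		}
		for _, v := range r.Verbs {
			for _, ag := range r.APIGroups {
				for _, res := range r.Resources {
					for _, n := range names {
						out = append(out, grant{v, ag, res, n})
					}
				}
			}
		}
	}
	return out
}

// matches is RBAC wildcard matching: "*" in the held set matches anything.
func matches(set []string, v string) bool {
	for _, s := range set {
		if s == "*" || s == v {
			return true
		}
	}
	return false
}

// covers reports whether one held rule covers one grant unit. A held rule
// limited to named objects never covers a grant that applies to all names.
func covers(have PolicyRule, g grant) bool {
	if !matches(have.Verbs, g.verb) || !matches(have.APIGroups, g.group) || !matches(have.Resources, g.resource) {
		return false
	}
	return len(have.ResourceNames) == 0 || (g.name != "" && matches(have.ResourceNames, g.name))
}

// UncoveredGrants lists every grant unit that no held rule covers; several
// narrow held rules may together cover one broad granted rule.
func UncoveredGrants(held, granting []PolicyRule) []string {
	var missing []string
	for _, g := range breakdown(granting) {
		ok := false
		for _, h := range held {
			if covers(h, g) {
				ok = true
				break
			}
		}
		if !ok {
			missing = append(missing, g.String())
		}
	}
	return missing
}

// ConfirmNoEscalation is this example's counterpart of the page's function:
// admit only if the requester already holds everything being granted.
func ConfirmNoEscalation(held, granting []PolicyRule) error {
	if missing := UncoveredGrants(held, granting); len(missing) > 0 {
		return fmt.Errorf("escalation denied: requester lacks %s", strings.Join(missing, ", "))
	}
	return nil
}

func main() {
	// Constructed sample: the requester can read and create pods but tries to grant update too.
	held := []PolicyRule{
		{Verbs: []string{"get", "list", "watch"}, APIGroups: []string{""}, Resources: []string{"pods"}},
		{Verbs: []string{"create"}, APIGroups: []string{""}, Resources: []string{"pods"}},
	}
	granting := []PolicyRule{{Verbs: []string{"get", "list", "update"}, APIGroups: []string{""}, Resources: []string{"pods"}}}
	fmt.Println(ConfirmNoEscalation(held, granting)) // escalation denied: requester lacks update pods
}
```

Two details worth keeping in mind when reading the real check: the comparison is per unit, so two narrow held rules (get on pods, list on pods) together cover one broad granted rule (get and list on pods), and it is asymmetric on resource names, since holding a verb on one named object never covers granting it on every object of that resource, while holding it on all objects covers any named grant.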

func RequestUserHasVerb added in v0.4.0

func RequestUserHasVerb(request *admission.Request, gvr schema.GroupVersionResource, sar authorizationv1.SubjectAccessReviewInterface, verb, name, namespace string) (bool, error)

RequestUserHasVerb checks whether the user associated with the request has the given verb on the given gvr for the specified name and namespace, by issuing a SubjectAccessReview through sar. It returns false, not an error, when the user is simply not allowed; an error indicates the review itself failed.

func SetEscalationResponse added in v0.1.6

func SetEscalationResponse(response *admissionv1.AdmissionResponse, err error)

SetEscalationResponse will update the given webhook response based on the provided error from an escalation request. Deprecated: use admission.ResponseFailedEscalation() instead.

func ToExtraString

func ToExtraString(extra map[string]authenticationv1.ExtraValue) map[string][]string

ToExtraString converts a map[string]authenticationv1.ExtraValue (the user's extra attributes as carried in an admission request) to a plain map[string][]string.

Types

type GlobalRoleResolver added in v0.4.0

type GlobalRoleResolver struct {
	// contains filtered or unexported fields
}

GlobalRoleResolver provides utilities to determine which rules a GlobalRole gives in various contexts (globally in the local cluster, on downstream clusters, and on fleet workspaces).

func NewGlobalRoleResolver added in v0.4.0

func NewGlobalRoleResolver(roleTemplateResolver *RoleTemplateResolver, grCache controllerv3.GlobalRoleCache) *GlobalRoleResolver

NewGlobalRoleResolver creates a newly allocated GlobalRoleResolver from the provided RoleTemplateResolver and GlobalRole cache.

func (*GlobalRoleResolver) ClusterRulesFromRole added in v0.4.0

func (g *GlobalRoleResolver) ClusterRulesFromRole(gr *v3.GlobalRole) ([]rbacv1.PolicyRule, error)

ClusterRulesFromRole finds all rules which this gr gives on downstream clusters.

func (*GlobalRoleResolver) FleetWorkspacePermissionsResourceRulesFromRole added in v0.5.0

func (g *GlobalRoleResolver) FleetWorkspacePermissionsResourceRulesFromRole(gr *v3.GlobalRole) []rbacv1.PolicyRule

FleetWorkspacePermissionsResourceRulesFromRole finds the rules this GlobalRole gives on fleet resources in the workspace backing namespace. It assumes the user has permissions in every workspace (including fleet-local), which is not true in general. That is acceptable when the result is used only to evaluate InheritedFleetWorkspacePermissions.ResourceRules; it must not be used as a general evaluation of permissions on the workspace backing namespace.

func (*GlobalRoleResolver) FleetWorkspacePermissionsWorkspaceVerbsFromRole added in v0.5.0

func (g *GlobalRoleResolver) FleetWorkspacePermissionsWorkspaceVerbsFromRole(gr *v3.GlobalRole) []rbacv1.PolicyRule

FleetWorkspacePermissionsWorkspaceVerbsFromRole finds the rules this GlobalRole gives on the cluster-wide fleetworkspace resources. It assumes the user has permissions in every workspace (including fleet-local), which is not true in general. That is acceptable when the result is used only to evaluate InheritedFleetWorkspacePermissions.WorkspaceVerbs; it must not be used as a general evaluation of permissions on the workspace object.

func (*GlobalRoleResolver) GetRoleTemplatesForGlobalRole added in v0.4.0

func (g *GlobalRoleResolver) GetRoleTemplatesForGlobalRole(gr *v3.GlobalRole) ([]*v3.RoleTemplate, error)

GetRoleTemplatesForGlobalRole allows the caller to retrieve the roleTemplates in use by a given GlobalRole. It does not evaluate roleTemplates recursively and only returns the top-level resources.

func (*GlobalRoleResolver) GlobalRoleCache added in v0.4.0

func (g *GlobalRoleResolver) GlobalRoleCache() controllerv3.GlobalRoleCache

GlobalRoleCache allows caller to retrieve the globalRoleCache used by the resolver.

func (*GlobalRoleResolver) GlobalRulesFromRole added in v0.4.0

func (g *GlobalRoleResolver) GlobalRulesFromRole(gr *v3.GlobalRole) []rbacv1.PolicyRule

GlobalRulesFromRole finds all rules of the GlobalRole that apply globally, meaning rules that are valid for escalation checks at the cluster scope in the local cluster.

type RBACRestGetter

type RBACRestGetter struct {
	Roles               wranglerv1.RoleCache
	RoleBindings        wranglerv1.RoleBindingCache
	ClusterRoles        wranglerv1.ClusterRoleCache
	ClusterRoleBindings wranglerv1.ClusterRoleBindingCache
}

RBACRestGetter is used to encapsulate Getters for core RBAC resource types.

func (RBACRestGetter) GetClusterRole

func (r RBACRestGetter) GetClusterRole(name string) (*rbacv1.ClusterRole, error)

GetClusterRole gets the clusterRole with the given name.

func (RBACRestGetter) GetRole

func (r RBACRestGetter) GetRole(namespace, name string) (*rbacv1.Role, error)

GetRole gets role within the given namespace that matches the provided name.

func (RBACRestGetter) ListClusterRoleBindings

func (r RBACRestGetter) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)

ListClusterRoleBindings lists all clusterRoleBindings.

func (RBACRestGetter) ListRoleBindings

func (r RBACRestGetter) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)

ListRoleBindings lists all roleBindings in the given namespace.

type RoleTemplateResolver added in v0.1.6

type RoleTemplateResolver struct {
	// contains filtered or unexported fields
}

RoleTemplateResolver provides an interface to flatten role templates, including the templates they inherit from, into a slice of rules.

func NewRoleTemplateResolver added in v0.1.6

func NewRoleTemplateResolver(roleTemplates v3.RoleTemplateCache, clusterRoles v1.ClusterRoleCache) *RoleTemplateResolver

NewRoleTemplateResolver creates a newly allocated RoleTemplateResolver from the provided caches

func (*RoleTemplateResolver) RoleTemplateCache added in v0.1.6

func (r *RoleTemplateResolver) RoleTemplateCache() v3.RoleTemplateCache

RoleTemplateCache allows caller to retrieve the roleTemplateCache used by the resolver.

func (*RoleTemplateResolver) RulesFromTemplate added in v0.1.6

func (r *RoleTemplateResolver) RulesFromTemplate(roleTemplate *rancherv3.RoleTemplate) ([]rbacv1.PolicyRule, error)

RulesFromTemplate gets all rules from the template and all referenced templates.

func (*RoleTemplateResolver) RulesFromTemplateName added in v0.1.6

func (r *RoleTemplateResolver) RulesFromTemplateName(name string) ([]rbacv1.PolicyRule, error)

RulesFromTemplateName gets the rules for a roleTemplate with a given name. Simple wrapper around RulesFromTemplate.
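An added example, not the project's code, of the flattening that RulesFromTemplate and RulesFromTemplateName perform: PolicyRule, RoleTemplate and Resolver are cut-down stand-ins for the Rancher types and the RoleTemplateCache, SampleTemplates is constructed data, and the cycle detection is a safeguard this example adds (the page does not say how the real resolver treats a template that ends up inheriting from itself). Rules are collected depth-first through RoleTemplateNames.

```go
package main

import "fmt"

// PolicyRule and RoleTemplate are cut-down stand-ins (an assumption of this
// example) for rbacv1.PolicyRule and v3.RoleTemplate.
type PolicyRule struct{ Verbs, APIGroups, Resources []string }

type RoleTemplate struct {
	Name              string
	Rules             []PolicyRule
	RoleTemplateNames []string // templates this one inherits from
}

// Resolver plays the part of RoleTemplateResolver, with a map in place of
// the RoleTemplateCache it would read from.
type Resolver struct{ templates map[string]*RoleTemplate }

func NewResolver(ts []*RoleTemplate) *Resolver {
	m := map[string]*RoleTemplate{}
	for _, t := range ts {
		m[t.Name] = t
	}
	return &Resolver{templates: m}
}

// RulesFromTemplateName flattens a template and every template it inherits,
// depth-first: the template's own rules first, then each parent's. A template
// reached by two paths (diamond inheritance) is included once, and a template
// that inherits from itself, directly or through others, is reported as an
// error instead of recursing forever.
func (r *Resolver) RulesFromTemplateName(name string) ([]PolicyRule, error) {
	const inProgress, done = 1, 2
	state := map[string]int{}
	var rules []PolicyRule
	var walk func(string) error
	walk = func(n string) error {
		switch state[n] {
		case inProgress:
			return fmt.Errorf("roleTemplate %q inherits from itself", n)
		case done:
			return nil
		}
		t, ok := r.templates[n]
		if !ok {
			return fmt.Errorf("roleTemplate %q not found", n)
		}
		state[n] = inProgress
		rules = append(rules, t.Rules...)
		for _, parent := range t.RoleTemplateNames {
			if err := walk(parent); err != nil {
				return err
			}
		}
		state[n] = done
		return nil
	}
	if err := walk(name); err != nil {
		return nil, err
	}
	return rules, nil
}

// SampleTemplates is constructed data: project-member inherits read-only and
// pod-writer, pod-writer also inherits read-only (a diamond), and loop-a and
// loop-b inherit from each other (a cycle).
func SampleTemplates() []*RoleTemplate {
	core := []string{""}
	return []*RoleTemplate{
		{Name: "read-only", Rules: []PolicyRule{{Verbs: []string{"get", "list"}, APIGroups: core, Resources: []string{"pods", "services"}}}},
		{Name: "pod-writer", RoleTemplateNames: []string{"read-only"}, Rules: []PolicyRule{{Verbs: []string{"create", "update"}, APIGroups: core, Resources: []string{"pods"}}}},
		{Name: "project-member", RoleTemplateNames: []string{"read-only", "pod-writer"}, Rules: []PolicyRule{{Verbs: []string{"get"}, APIGroups: core, Resources: []string{"configmaps"}}}},
		{Name: "loop-a", RoleTemplateNames: []string{"loop-b"}},
		{Name: "loop-b", RoleTemplateNames: []string{"loop-a"}},
	}
}

func main() {
	r := NewResolver(SampleTemplates())
	rules, err := r.RulesFromTemplateName("project-member")
	fmt.Println(len(rules), err) // 3 <nil>
	_, err = r.RulesFromTemplateName("loop-a")
	fmt.Println(err) // roleTemplate "loop-a" inherits from itself
}
```

A template that sits on two inheritance paths contributes its rules once, so the flattened slice is the union of what each path grants rather than a multiset with duplicates; a missing parent is an error rather than silently granting nothing, which matters when the flattened rules are what an escalation check is about to compare against.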
