resolvers

package
v0.6.1-rc.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 22, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package resolvers resolves what rules different users and roleTemplates our bound to

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetGroupKey added in v0.2.9

func GetGroupKey(groupName, namespace string) string

GetGroupKey creates a indexer key based on the groupName, and namespace of an object.

func GetUserKey added in v0.2.9

func GetUserKey(userName, namespace string) string

GetUserKey creates a indexer key based on the userName, and namespace of an object.

Types

type AggregateRuleResolver

type AggregateRuleResolver struct {
	// contains filtered or unexported fields
}

AggregateRuleResolver conforms to the rbac/validation.AuthorizationRuleResolver interface and is used to aggregate multiple other AuthorizationRuleResolver into one resolver.

func NewAggregateRuleResolver

func NewAggregateRuleResolver(resolvers ...validation.AuthorizationRuleResolver) *AggregateRuleResolver

NewAggregateRuleResolver creates a new AggregateRuleResolver that will combine the outputs of all resolvers provided.

func (*AggregateRuleResolver) GetRoleReferenceRules

func (a *AggregateRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules calls GetRoleReferenceRules on each resolver and returns all returned rules and errors.

func (*AggregateRuleResolver) RulesFor

func (a *AggregateRuleResolver) RulesFor(user user.Info, namespace string) (rules []rbacv1.PolicyRule, retError error)

RulesFor returns the list of rules that apply to a given user in a given namespace and error for all Resolvers. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.

func (*AggregateRuleResolver) VisitRulesFor

func (a *AggregateRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes VisitRulesFor() on each resolver. If visitor() returns false, visiting is short-circuited for that resolver.

type CRTBRuleResolver

type CRTBRuleResolver struct {
	ClusterRoleTemplateBindings v3.ClusterRoleTemplateBindingCache
	RoleTemplateResolver        *auth.RoleTemplateResolver
}

CRTBRuleResolver implements the rbacv1.AuthorizationRuleResolver interface.

func NewCRTBRuleResolver

func NewCRTBRuleResolver(crtbCache v3.ClusterRoleTemplateBindingCache, roleTemplateResolver *auth.RoleTemplateResolver) *CRTBRuleResolver

NewCRTBRuleResolver returns a new resolver for resolving rules given through ClusterRoleTemplateBindings. This function can only be called once for each unique instance of crtbCache.

func (*CRTBRuleResolver) GetRoleReferenceRules

func (c *CRTBRuleResolver) GetRoleReferenceRules(rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules is used to find which roles are granted by a rolebinding/clusterrolebinding. Since we don't use these primitives to refer to role templates return empty list.

func (*CRTBRuleResolver) RulesFor

func (c *CRTBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.

func (*CRTBRuleResolver) VisitRulesFor

func (c *CRTBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. If visitor() returns false, visiting is short-circuited.

type GRBRuleResolver added in v0.5.0

type GRBRuleResolver struct {
	// contains filtered or unexported fields
}

GRBRuleResolver implements the rbacv1.AuthorizationRuleResolver interface. Provides rule resolution for the permissions a GRB gives that apply in a given cluster (or all clusters).

func (*GRBRuleResolver) GetRoleReferenceRules added in v0.5.0

func (g *GRBRuleResolver) GetRoleReferenceRules(rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules is used to find which rules are granted by a rolebinding/clusterRoleBinding. Since we don't use these primitives to refer to the globalRoles, this function returns an empty slice.

func (*GRBRuleResolver) RulesFor added in v0.5.0

func (g *GRBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

RulesFor returns the list of Cluster rules that apply in a given namespace (usually either the namespace of a specific cluster or "" for all clusters). If an error is returned, the slice of PolicyRules may not be complete, but contains all retrievable rules.

func (*GRBRuleResolver) VisitRulesFor added in v0.5.0

func (g *GRBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. If visitor() returns false, visiting is short-circuited. This will return different rules for the "local" namespace.

type GRBRuleResolvers added in v0.5.0

type GRBRuleResolvers struct {
	// ICRResolver resolves rules for GlobalRole rules defined in InheritedClusterRoles.
	ICRResolver *GRBRuleResolver
	// FWRulesResolver resolves rules for GlobalRole rules defined in InheritedFleetWorkspacePermissions.ResourceRules.
	FWRulesResolver *GRBRuleResolver
	// FWVerbsResolver resolves rules for GlobalRole rules defined in InheritedFleetWorkspacePermissions.WorkspaceVerbs.
	FWVerbsResolver *GRBRuleResolver
}

GRBRuleResolvers contains three rule resolvers for: InheritedClusterRules, FleetWorkspaceRules, FleetWorkspaceVerbs. InheritedClusterRules grants permissions to all cluster except local. FleetWorkspaceRules grants permissions to all fleetworkspaces except local. FleetWorkspaceVerbs grants permissions to fleetworkspaces cluster-wide resource except local. To ensure that rules are resolved without interference, we require separate resolvers for each of them.

func NewGRBRuleResolvers added in v0.5.0

func NewGRBRuleResolvers(grbCache v3.GlobalRoleBindingCache, grResolver *auth.GlobalRoleResolver) *GRBRuleResolvers

NewGRBRuleResolvers returns resolvers for resolving rules given through GlobalRoleBindings which apply to cluster(s). This function can only be called once for each unique instance of grbCache.

type PRTBRuleResolver

type PRTBRuleResolver struct {
	ProjectRoleTemplateBindings v3.ProjectRoleTemplateBindingCache
	RoleTemplateResolver        *auth.RoleTemplateResolver
}

PRTBRuleResolver implements the validation.AuthorizationRuleResolver interface.

func NewPRTBRuleResolver

func NewPRTBRuleResolver(prtbCache v3.ProjectRoleTemplateBindingCache, roleTemplateResolver *auth.RoleTemplateResolver) *PRTBRuleResolver

NewPRTBRuleResolver will create a new PRTBRuleResolver. This function can only be called once for each unique instance of prtbCache.

func (*PRTBRuleResolver) GetRoleReferenceRules

func (p *PRTBRuleResolver) GetRoleReferenceRules(rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules is used to find which roles are granted by a rolebinding/clusterrolebinding. Since we don't use these primitives to refer to role templates return empty list.

func (*PRTBRuleResolver) RulesFor

func (p *PRTBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations can be made on the basis of those rules that are found.

func (*PRTBRuleResolver) VisitRulesFor

func (p *PRTBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. If visitor() returns false, visiting is short-circuited.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL