schema

Constants

// DefaultNamespace is the default namespace for predefined entities. The
// namespace and principal constants below are spelled relative to it.
const DefaultNamespace = "app"

// PlatformID is the global identifier of the platform object.
const PlatformID = "platform"

// Namespaces of the predefined object types.
const (
	PlatformNamespace     = DefaultNamespace + "/platform"
	OrganizationNamespace = DefaultNamespace + "/organization"
	ProjectNamespace      = DefaultNamespace + "/project"
	GroupNamespace        = DefaultNamespace + "/group"
	RoleBindingNamespace  = DefaultNamespace + "/rolebinding"
	RoleNamespace         = DefaultNamespace + "/role"
	InvitationNamespace   = DefaultNamespace + "/invitation"
)

// Relation names used between objects in the schema.
const (
	PlatformRelationName     = "platform"
	AdminRelationName        = "admin"
	OrganizationRelationName = "org"
	UserRelationName         = "user"
	ProjectRelationName      = "project"
	GroupRelationName        = "group"
	MemberRelationName       = "member"
	OwnerRelationName        = "owner"
	RoleRelationName         = "role"
	RoleGrantRelationName    = "granted"
	RoleBearerRelationName   = "bearer"
)

// Permission verbs that may be defined on a namespace.
const (
	ListPermission              = "list"
	GetPermission               = "get"
	CreatePermission            = "create"
	UpdatePermission            = "update"
	DeletePermission            = "delete"
	RoleManagePermission        = "rolemanage"
	PolicyManagePermission      = "policymanage"
	ProjectListPermission       = "projectlist"
	GroupListPermission         = "grouplist"
	ProjectCreatePermission     = "projectcreate"
	GroupCreatePermission       = "groupcreate"
	ResourceListPermission      = "resourcelist"
	InvitationListPermission    = "invitationlist"
	InvitationCreatePermission  = "invitationcreate"
	AcceptPermission            = "accept"
	ServiceUserManagePermission = "serviceusermanage"
	ManagePermission            = "manage"
	BillingViewPermission       = "billingview"
	BillingManagePermission     = "billingmanage"
)

// Platform-level permissions.
const (
	PlatformSudoPermission  = "superuser"
	PlatformCheckPermission = "check"
)

// MembershipPermission is a synthetic permission.
const MembershipPermission = "membership"

// Principal (subject) types.
const (
	UserPrincipal        = DefaultNamespace + "/user"
	ServiceUserPrincipal = DefaultNamespace + "/serviceuser"
	GroupPrincipal       = DefaultNamespace + "/group"
	SuperUserPrincipal   = DefaultNamespace + "/superuser"
)

// Names of the predefined organization roles.
const (
	RoleOrganizationViewer  = "app_organization_viewer"
	RoleOrganizationManager = "app_organization_manager"
	RoleOrganizationOwner   = "app_organization_owner"
)

// Names of the predefined project roles.
const (
	RoleProjectOwner   = "app_project_owner"
	RoleProjectManager = "app_project_manager"
	RoleProjectViewer  = "app_project_viewer"
)

// Names of the predefined group roles.
const (
	GroupOwnerRole  = "app_group_owner"
	GroupMemberRole = "app_group_member"
)

The SpiceDB-readable format of the schema is stored in predefined_schema.txt.

Variables

// ErrMigration signals an error while migrating the authz schema.
var ErrMigration = errors.New("error in migrating authz schema")

// ErrBadNamespace signals a malformed namespace string; the expected
// layout is "namespace:uuid".
var ErrBadNamespace = errors.New("bad namespace, format should namespace:uuid")
// BaseSchemaZed holds the base authorization schema as zed text.
// NOTE(review): presumably populated from predefined_schema.txt via a
// go:embed directive that is not visible here — confirm against the source.
var BaseSchemaZed string
// PlatformOrgID is the organization ID used for the platform; it is fixed
// to the nil UUID rather than a generated value.
var PlatformOrgID = uuid.Nil
// PredefinedRoles are the built-in role definitions shipped with the schema.
// Each entry carries a display Title, the role Name, the permission keys the
// role grants, and the namespaces (Scopes) the role applies to.
//
// NOTE(review): "Organization Viewer" and "Organization Group Viewer" both
// use Name RoleOrganizationViewer with identical permissions; anything that
// looks roles up by Name cannot tell them apart — confirm the second entry
// is intended.
var PredefinedRoles = []RoleDefinition{

	{
		Title: "Organization Owner",
		Name:  RoleOrganizationOwner,
		Permissions: []string{
			"app_organization_administer",
		},
		Scopes: []string{OrganizationNamespace},
	},
	{
		Title: "Organization Manager",
		Name:  RoleOrganizationManager,
		// Organization-scoped, but also carries project get/update keys.
		Permissions: []string{
			"app_organization_update",
			"app_organization_get",
			"app_organization_projectcreate",
			"app_organization_projectlist",
			"app_organization_groupcreate",
			"app_organization_grouplist",
			"app_organization_serviceusermanage",
			"app_project_get",
			"app_project_update",
		},
		Scopes: []string{OrganizationNamespace},
	},
	{
		Title: "Organization Access Manager",
		// Name is a string literal; no exported constant for it appears in
		// this package's constant block, unlike the other roles.
		Name: "app_organization_accessmanager",
		Permissions: []string{
			"app_organization_invitationcreate",
			"app_organization_invitationlist",
			"app_organization_rolemanage",
			"app_organization_policymanage",
		},
		Scopes: []string{OrganizationNamespace},
	},
	{
		Title: "Organization Viewer",
		Name:  RoleOrganizationViewer,
		Permissions: []string{
			"app_organization_get",
		},
		Scopes: []string{OrganizationNamespace},
	},
	{
		// NOTE(review): duplicates the Name and permissions of the
		// "Organization Viewer" entry above — see the doc comment on the var.
		Title: "Organization Group Viewer",
		Name:  RoleOrganizationViewer,
		Permissions: []string{
			"app_organization_get",
		},
		Scopes: []string{OrganizationNamespace},
	},

	{
		Title: "Project Owner",
		Name:  RoleProjectOwner,
		Permissions: []string{
			"app_project_administer",
		},
		Scopes: []string{ProjectNamespace},
	},
	{
		Title: "Project Manager",
		Name:  RoleProjectManager,
		// NOTE(review): scoped to ProjectNamespace yet lists three
		// organization-namespace keys (projectcreate, projectlist,
		// grouplist); confirm this cross-namespace grant is intended.
		Permissions: []string{
			"app_project_update",
			"app_project_get",
			"app_project_resourcelist",
			"app_organization_projectcreate",
			"app_organization_projectlist",
			"app_organization_grouplist",
		},
		Scopes: []string{ProjectNamespace},
	},
	{
		Title: "Project Viewer",
		Name:  RoleProjectViewer,
		Permissions: []string{
			"app_project_get",
		},
		Scopes: []string{ProjectNamespace},
	},

	{
		Title: "Group Owner",
		Name:  GroupOwnerRole,
		Permissions: []string{
			"app_group_administer",
		},
		Scopes: []string{GroupNamespace},
	},
	{
		Title: "Group Member",
		Name:  GroupMemberRole,
		Permissions: []string{
			"app_group_get",
		},
		Scopes: []string{GroupNamespace},
	},

	{
		Title: "Billing Manager",
		// Name is a string literal; no exported constant for it appears in
		// this package's constant block.
		Name: "app_billing_manager",
		Permissions: []string{
			"app_organization_billingview",
			"app_organization_billingmanage",
		},
		Scopes: []string{OrganizationNamespace},
	},
}

Functions

func BuildNamespaceName

func BuildNamespaceName(service, resource string) string

func FQPermissionNameFromNamespace

func FQPermissionNameFromNamespace(namespace, verb string) string

func IsPlatformPermission added in v0.8.0

func IsPlatformPermission(name string) bool

func IsPlatformRelation added in v0.8.0

func IsPlatformRelation(name string) bool

func IsSystemNamespace

func IsSystemNamespace(namespace string) bool

func IsValidPermissionName added in v0.7.2

func IsValidPermissionName(name string) bool

IsValidPermissionName checks if the provided name is a valid permission name

func JoinNamespaceAndResourceID

func JoinNamespaceAndResourceID(namespace, id string) string

func ParseNamespaceAliasIfRequired

func ParseNamespaceAliasIfRequired(n string) string

func PermissionKeyFromNamespaceAndName

func PermissionKeyFromNamespaceAndName(namespace, name string) string

func PermissionNamespaceAndNameFromKey

func PermissionNamespaceAndNameFromKey(key string) (string, string)

func SplitNamespaceAndResourceID

func SplitNamespaceAndResourceID(namespace string) (string, string, error)

SplitNamespaceAndResourceID splits ns/something:uuid into ns/something and uuid

func SplitNamespaceResource

func SplitNamespaceResource(ns string) (string, string)

Types

type ResourcePermission

// ResourcePermission is a permission defined on a namespace. Roles are built
// from these; when an action is performed, the permissions a subject holds
// are checked against the permissions the action requires.
type ResourcePermission struct {
	// Name is the simple, unqualified permission name (the verb, e.g. "list").
	Name string

	// Namespace is an object type over which authz rules will be applied
	// (compare the namespace constants in this package, e.g. PlatformNamespace).
	// Description is free-form text describing the permission.
	Namespace   string
	Description string

	// Key is a unique identifier composed of namespace and name,
	// for example "app.platform.list", which is composed as service.resource.verb:
	// here app.platform is the namespace and list is the name of the permission.
	Key string
}

ResourcePermission is a permission from which roles are created. Whenever an action is performed, the permissions the subject holds are checked against the permissions the action requires.

func (ResourcePermission) GetName

func (r ResourcePermission) GetName() string

func (ResourcePermission) GetNamespace

func (r ResourcePermission) GetNamespace() string

func (ResourcePermission) Slug

func (r ResourcePermission) Slug() string

type RoleDefinition

// RoleDefinition is a named set of permissions that can be assigned to a
// user or group. The yaml tags allow definitions to be loaded from YAML.
type RoleDefinition struct {
	// Title is the human-readable display name of the role.
	Title       string   `yaml:"title"`
	// Name is the role identifier (e.g. RoleOrganizationOwner).
	Name        string   `yaml:"name"`
	// Description is free-form text describing the role.
	Description string   `yaml:"description"`
	// Scopes are the namespaces the role applies to (e.g. OrganizationNamespace).
	Scopes      []string `yaml:"scopes"`
	// Permissions are the permission keys granted by the role
	// (e.g. "app_organization_get" in PredefinedRoles).
	Permissions []string `yaml:"permissions"`
}

RoleDefinition is a set of permissions that can be assigned to a user or group.

type ServiceDefinition

// ServiceDefinition is provided by the user for a service: the roles it
// defines and the resource permissions it contributes. The yaml tags allow
// definitions to be loaded from YAML.
type ServiceDefinition struct {
	// Roles are the role definitions contributed by the service.
	Roles       []RoleDefinition     `yaml:"roles"`
	// Permissions are the resource permissions contributed by the service.
	Permissions []ResourcePermission `yaml:"permissions"`
}

ServiceDefinition is provided by the user for a service.

func MergeServiceDefinitions

func MergeServiceDefinitions(definitions ...ServiceDefinition) *ServiceDefinition

MergeServiceDefinitions merges multiple service definitions into one and deduplicates roles and permissions.
