Documentation ¶
Index ¶
- Constants
- Variables
- func BuildNamespaceName(service, resource string) string
- func FQPermissionNameFromNamespace(namespace, verb string) string
- func IsPlatformPermission(name string) bool
- func IsPlatformRelation(name string) bool
- func IsSystemNamespace(namespace string) bool
- func IsValidPermissionName(name string) bool
- func JoinNamespaceAndResourceID(namespace, id string) string
- func ParseNamespaceAliasIfRequired(n string) string
- func PermissionKeyFromNamespaceAndName(namespace, name string) string
- func PermissionNamespaceAndNameFromKey(key string) (string, string)
- func SplitNamespaceAndResourceID(namespace string) (string, string, error)
- func SplitNamespaceResource(ns string) (string, string)
- type ResourcePermission
- type RoleDefinition
- type ServiceDefinition
Constants ¶
// Namespaces of the predefined entities. Every predefined namespace lives
// under DefaultNamespace and is written as "<service>/<resource>".
const (
	// DefaultNamespace is the default namespace for predefined entities.
	DefaultNamespace = "app"

	// PlatformID is the global id of the platform object.
	PlatformID = "platform"

	PlatformNamespace     = "app/platform"
	OrganizationNamespace = "app/organization"
	ProjectNamespace      = "app/project"
	GroupNamespace        = "app/group"
	RoleBindingNamespace  = "app/rolebinding"
	RoleNamespace         = "app/role"
	InvitationNamespace   = "app/invitation"
)

// Relation names used in the authz schema. A relation links an object to a
// subject (e.g. an organization to its members); permissions are computed
// from them.
const (
	PlatformRelationName     = "platform"
	AdminRelationName        = "admin"
	OrganizationRelationName = "org"
	UserRelationName         = "user"
	ProjectRelationName      = "project"
	GroupRelationName        = "group"
	MemberRelationName       = "member"
	OwnerRelationName        = "owner"
	RoleRelationName         = "role"
	RoleGrantRelationName    = "granted"
	RoleBearerRelationName   = "bearer"
)

// Permission verbs. These are the unqualified names that are combined with a
// namespace to form a fully-qualified permission (see
// FQPermissionNameFromNamespace and PermissionKeyFromNamespaceAndName).
const (
	ListPermission              = "list"
	GetPermission               = "get"
	CreatePermission            = "create"
	UpdatePermission            = "update"
	DeletePermission            = "delete"
	RoleManagePermission        = "rolemanage"
	PolicyManagePermission      = "policymanage"
	ProjectListPermission       = "projectlist"
	GroupListPermission         = "grouplist"
	ProjectCreatePermission     = "projectcreate"
	GroupCreatePermission       = "groupcreate"
	ResourceListPermission      = "resourcelist"
	InvitationListPermission    = "invitationlist"
	InvitationCreatePermission  = "invitationcreate"
	AcceptPermission            = "accept"
	ServiceUserManagePermission = "serviceusermanage"
	ManagePermission            = "manage"
	BillingViewPermission       = "billingview"
	BillingManagePermission     = "billingmanage"
)

// Platform-level permissions. These apply to the single platform object
// rather than to a tenant resource, so a grant here is effectively global
// (see IsPlatformPermission).
const (
	// PlatformSudoPermission is the platform superuser permission.
	PlatformSudoPermission = "superuser"
	// PlatformCheckPermission allows performing authorization checks.
	PlatformCheckPermission = "check"
)

// MembershipPermission is a synthetic permission: it is not declared in the
// schema as a verb on a resource but derived from membership relations.
const MembershipPermission = "membership"

// Principal namespaces: the kinds of subject a relation can point at.
// Note that GroupPrincipal shares its value with GroupNamespace, i.e. a
// group is both a resource and a principal.
const (
	UserPrincipal        = "app/user"
	ServiceUserPrincipal = "app/serviceuser"
	GroupPrincipal       = "app/group"
	SuperUserPrincipal   = "app/superuser"
)

// Names of the predefined roles (see PredefinedRoles for their permissions
// and scopes).
const (
	RoleOrganizationViewer  = "app_organization_viewer"
	RoleOrganizationManager = "app_organization_manager"
	RoleOrganizationOwner   = "app_organization_owner"
	RoleProjectOwner        = "app_project_owner"
	RoleProjectManager      = "app_project_manager"
	RoleProjectViewer       = "app_project_viewer"
	GroupOwnerRole          = "app_group_owner"
	GroupMemberRole         = "app_group_member"
)
The SpiceDB-readable form of this schema is stored in predefined_schema.txt.
Variables ¶
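var (
	// ErrMigration reports an error in migrating the authz schema.
	ErrMigration = errors.New("error in migrating authz schema")
	// ErrBadNamespace reports a namespaced id that is not in the
	// "namespace:uuid" form expected by SplitNamespaceAndResourceID.
	// The message previously read "format should namespace:uuid" (missing verb).
	ErrBadNamespace = errors.New("bad namespace, format should be namespace:uuid")
)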
// BaseSchemaZed holds the base authorization schema as zed (SpiceDB schema
// language) text.
// NOTE(review): the declaration has no initializer here; presumably it is
// filled by an embed directive in the source file — confirm, since an empty
// schema would silently define no relations or permissions.
var BaseSchemaZed string
// PlatformOrgID is the nil UUID. By its name it identifies the platform-level
// organization; confirm how callers use it before relying on that reading.
var PlatformOrgID = uuid.Nil
// PredefinedRoles are the roles seeded for the predefined app/* namespaces.
// Each entry grants a set of permissions (named in the underscore form
// "<service>_<resource>_<verb>") and may be bound within the listed Scopes.
//
// NOTE(review): "Organization Viewer" and "Organization Group Viewer" both use
// Name: RoleOrganizationViewer with the same permissions. If role names are
// expected to be unique (MergeServiceDefinitions is documented to deduplicate
// roles), one of the two entries is shadowed — confirm whether the second
// entry was meant to carry its own name.
var PredefinedRoles = []RoleDefinition{
	{
		Title: "Organization Owner",
		Name:  RoleOrganizationOwner,
		Permissions: []string{
			"app_organization_administer",
		},
		Scopes: []string{OrganizationNamespace},
	},
	{
		Title: "Organization Manager",
		Name:  RoleOrganizationManager,
		Permissions: []string{
			"app_organization_update",
			"app_organization_get",
			"app_organization_projectcreate",
			"app_organization_projectlist",
			"app_organization_groupcreate",
			"app_organization_grouplist",
			"app_organization_serviceusermanage",
			"app_project_get",
			"app_project_update",
		},
		Scopes: []string{OrganizationNamespace},
	},
	{
		// Grants the permissions that control who else gets access
		// (invitations, roles, policies); worth treating as privileged
		// when auditing bindings.
		Title: "Organization Access Manager",
		Name:  "app_organization_accessmanager",
		Permissions: []string{
			"app_organization_invitationcreate",
			"app_organization_invitationlist",
			"app_organization_rolemanage",
			"app_organization_policymanage",
		},
		Scopes: []string{OrganizationNamespace},
	},
	{
		Title: "Organization Viewer",
		Name:  RoleOrganizationViewer,
		Permissions: []string{
			"app_organization_get",
		},
		Scopes: []string{OrganizationNamespace},
	},
	{
		// NOTE(review): duplicates the Name and permissions of
		// "Organization Viewer" above — see the doc comment on PredefinedRoles.
		Title: "Organization Group Viewer",
		Name:  RoleOrganizationViewer,
		Permissions: []string{
			"app_organization_get",
		},
		Scopes: []string{OrganizationNamespace},
	},
	{
		Title: "Project Owner",
		Name:  RoleProjectOwner,
		Permissions: []string{
			"app_project_administer",
		},
		Scopes: []string{ProjectNamespace},
	},
	{
		// NOTE(review): this role is scoped to ProjectNamespace but grants
		// app_organization_* permissions; confirm that a project-scoped
		// binding is intended to reach the parent organization.
		Title: "Project Manager",
		Name:  RoleProjectManager,
		Permissions: []string{
			"app_project_update",
			"app_project_get",
			"app_project_resourcelist",
			"app_organization_projectcreate",
			"app_organization_projectlist",
			"app_organization_grouplist",
		},
		Scopes: []string{ProjectNamespace},
	},
	{
		Title: "Project Viewer",
		Name:  RoleProjectViewer,
		Permissions: []string{
			"app_project_get",
		},
		Scopes: []string{ProjectNamespace},
	},
	{
		Title: "Group Owner",
		Name:  GroupOwnerRole,
		Permissions: []string{
			"app_group_administer",
		},
		Scopes: []string{GroupNamespace},
	},
	{
		Title: "Group Member",
		Name:  GroupMemberRole,
		Permissions: []string{
			"app_group_get",
		},
		Scopes: []string{GroupNamespace},
	},
	{
		Title: "Billing Manager",
		Name:  "app_billing_manager",
		Permissions: []string{
			"app_organization_billingview",
			"app_organization_billingmanage",
		},
		Scopes: []string{OrganizationNamespace},
	},
}
Functions ¶
func BuildNamespaceName ¶
func IsPlatformPermission ¶ added in v0.8.0
func IsPlatformRelation ¶ added in v0.8.0
func IsSystemNamespace ¶
func IsValidPermissionName ¶ added in v0.7.2
IsValidPermissionName reports whether the provided name is a valid permission name.
func SplitNamespaceAndResourceID ¶
SplitNamespaceAndResourceID splits ns/something:uuid into ns/something and uuid
func SplitNamespaceResource ¶
Types ¶
type ResourcePermission ¶
// ResourcePermission is a single permission on a namespace; roles are built
// from these.
//
// NOTE(review): unlike RoleDefinition, the fields carry no yaml tags even
// though ServiceDefinition lists this type under yaml:"permissions" — confirm
// the key casing the yaml decoder expects.
type ResourcePermission struct {
	// Name is the simple, unqualified name of the permission (the verb part
	// of Key, e.g. "list").
	Name string
	// Namespace is an object over which authz rules will be applied
	Namespace string
	// Description is a human-readable description of the permission.
	Description string
	// Key is a unique identifier composed of namespace and name
	// for example: "app.platform.list" which is composed as service.resource.verb
	// here app.platform is namespace and list is name of the permission
	// NOTE(review): the example uses a dotted namespace while the namespace
	// constants use "app/platform" — confirm which separator Key carries.
	Key string
}
ResourcePermission is the unit from which roles are created. Whenever an action is performed, the subject's access permissions are checked against the permissions the action requires.
func (ResourcePermission) GetName ¶
func (r ResourcePermission) GetName() string
func (ResourcePermission) GetNamespace ¶
func (r ResourcePermission) GetNamespace() string
func (ResourcePermission) Slug ¶
func (r ResourcePermission) Slug() string
type RoleDefinition ¶
// RoleDefinition is a set of permissions which can be assigned to a user or
// group.
type RoleDefinition struct {
	// Title is the human-readable display name of the role.
	Title string `yaml:"title"`
	// Name is the role identifier (for the predefined roles, one of the
	// Role* constants).
	Name string `yaml:"name"`
	// Description is a human-readable description of the role.
	Description string `yaml:"description"`
	// Scopes lists the namespaces in which the role may be bound;
	// PredefinedRoles fills it with the *Namespace constants.
	Scopes []string `yaml:"scopes"`
	// Permissions lists the permissions the role grants, in the underscore
	// form used by PredefinedRoles (e.g. "app_organization_get").
	Permissions []string `yaml:"permissions"`
}
RoleDefinition is a set of permissions which can be assigned to a user or group.
type ServiceDefinition ¶
// ServiceDefinition is the user-provided definition of a service: the roles
// it introduces and the permissions those roles may reference. Several
// definitions can be combined with MergeServiceDefinitions.
type ServiceDefinition struct {
	// Roles are the roles declared by the service.
	Roles []RoleDefinition `yaml:"roles"`
	// Permissions are the permissions declared by the service.
	Permissions []ResourcePermission `yaml:"permissions"`
}
ServiceDefinition is provided by the user for a service.
func MergeServiceDefinitions ¶
func MergeServiceDefinitions(definitions ...ServiceDefinition) *ServiceDefinition
MergeServiceDefinitions merges multiple service definitions into one and deduplicates roles and permissions.