schema

Constants

// DefaultNamespace is the namespace prefix under which every predefined
// entity of this package lives.
const DefaultNamespace = "app"

// PlatformID is the object ID of the single, global platform entity.
const PlatformID = "platform"

// Namespaces of the predefined entities. Each one is DefaultNamespace
// followed by the entity kind, for example "app/organization".
const (
	PlatformNamespace     = DefaultNamespace + "/platform"
	OrganizationNamespace = DefaultNamespace + "/organization"
	ProjectNamespace      = DefaultNamespace + "/project"
	GroupNamespace        = DefaultNamespace + "/group"
	RoleBindingNamespace  = DefaultNamespace + "/rolebinding"
	RoleNamespace         = DefaultNamespace + "/role"
	InvitationNamespace   = DefaultNamespace + "/invitation"
)

// Relation names that link objects in the authz schema.
const (
	PlatformRelationName     = "platform"
	AdminRelationName        = "admin"
	OrganizationRelationName = "org"
	UserRelationName         = "user"
	ProjectRelationName      = "project"
	GroupRelationName        = "group"
	MemberRelationName       = "member"
	OwnerRelationName        = "owner"
	RoleRelationName         = "role"
	RoleGrantRelationName    = "granted"
	RoleBearerRelationName   = "bearer"
)

// Permission verbs checked against a subject before an action is allowed.
const (
	ListPermission              = "list"
	GetPermission               = "get"
	CreatePermission            = "create"
	UpdatePermission            = "update"
	DeletePermission            = "delete"
	SudoPermission              = "superuser"
	RoleManagePermission        = "rolemanage"
	PolicyManagePermission      = "policymanage"
	ProjectListPermission       = "projectlist"
	GroupListPermission         = "grouplist"
	ProjectCreatePermission     = "projectcreate"
	GroupCreatePermission       = "groupcreate"
	ResourceListPermission      = "resourcelist"
	InvitationListPermission    = "invitationlist"
	InvitationCreatePermission  = "invitationcreate"
	AcceptPermission            = "accept"
	ServiceUserManagePermission = "serviceusermanage"
	ManagePermission            = "manage"
)

// MembershipPermission is a synthetic permission: it is not one of the
// verbs above but is kept alongside them.
const MembershipPermission = "membership"

// Principals are the subject types that can hold permissions. Note that
// GroupPrincipal is the same string as GroupNamespace: a group is both a
// resource that is managed and a subject that can be granted access.
const (
	UserPrincipal        = DefaultNamespace + "/user"
	ServiceUserPrincipal = DefaultNamespace + "/serviceuser"
	GroupPrincipal       = DefaultNamespace + "/group"
	SuperUserPrincipal   = DefaultNamespace + "/superuser"
)

The SpiceDB-readable form of this schema is stored in predefined_schema.txt.

Variables

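var (
	// ErrMigration signals a failure while migrating the authz schema.
	ErrMigration = errors.New("error in migrating authz schema")

	// ErrBadNamespace signals a namespaced identifier that is not in the
	// expected "namespace:uuid" form. The message previously read
	// "format should namespace:uuid" (missing verb); compare with errors.Is
	// rather than matching the text.
	ErrBadNamespace = errors.New("bad namespace, format should be namespace:uuid")
)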
// BaseSchemaZed holds the base authorization schema as text, presumably in
// SpiceDB's Zed format given its name and the predefined_schema.txt note.
// NOTE(review): nothing on this page assigns it; it is likely filled by a
// go:embed directive or during init — confirm against the source file.
var BaseSchemaZed string
// PlatformOrgID is the organization ID reserved for the platform itself.
// It is the nil (all-zero) UUID rather than a generated value.
var PlatformOrgID = uuid.Nil
// PredefinedRoles are the roles that ship with this package for the
// predefined organization, project and group entities. Each entry names the
// role and lists the permission keys it grants; Description is left empty.
//
// NOTE(review): app_project_manager also carries two organization-scoped
// keys (app_organization_projectcreate, app_organization_projectlist);
// presumably these are evaluated against the parent organization when the
// role is bound on a project — confirm in the Zed schema before widening it.
var PredefinedRoles = []RoleDefinition{
	// organization roles: owner > manager > viewer
	{Name: "app_organization_owner", Permissions: []string{"app_organization_administer"}},
	{Name: "app_organization_manager", Permissions: []string{"app_organization_update", "app_organization_get"}},
	{Name: "app_organization_viewer", Permissions: []string{"app_organization_get"}},

	// project roles: owner > manager > viewer
	{Name: "app_project_owner", Permissions: []string{"app_project_administer"}},
	{Name: "app_project_manager", Permissions: []string{
		"app_project_update",
		"app_project_get",
		"app_organization_projectcreate",
		"app_organization_projectlist",
	}},
	{Name: "app_project_viewer", Permissions: []string{"app_project_get"}},

	// group roles: only an owner role is predefined
	{Name: "app_group_owner", Permissions: []string{"app_group_administer"}},
}

Functions

func BuildNamespaceName

func BuildNamespaceName(service, resource string) string

func FQPermissionNameFromNamespace

func FQPermissionNameFromNamespace(namespace, verb string) string

func IsSystemNamespace

func IsSystemNamespace(namespace string) bool

func JoinNamespaceAndResourceID

func JoinNamespaceAndResourceID(namespace, id string) string

func ParseNamespaceAliasIfRequired

func ParseNamespaceAliasIfRequired(n string) string

func PermissionKeyFromNamespaceAndName

func PermissionKeyFromNamespaceAndName(namespace, name string) string

func PermissionNamespaceAndNameFromKey

func PermissionNamespaceAndNameFromKey(key string) (string, string)

func SplitNamespaceAndResourceID

func SplitNamespaceAndResourceID(namespace string) (string, string, error)

func SplitNamespaceResource

func SplitNamespaceResource(ns string) (string, string)

Types

type ResourcePermission

// ResourcePermission describes one permission on a namespaced resource.
// Roles are built from these, and an action is allowed only when the
// subject holds the permission it requires.
//
// NOTE(review): unlike RoleDefinition, the fields carry no yaml tags even
// though ServiceDefinition embeds this type under a yaml-tagged field, so
// decoding relies on the decoder's default field naming — confirm.
type ResourcePermission struct {
	// Name is the simple, namespace-less name of the permission, for
	// example "list"; it is the verb part of Key.
	Name string

	// Namespace is an object over which authz rules will be applied,
	// for example "app.platform"; it is the service.resource part of Key.
	Namespace   string
	Description string

	// Key is a unique identifier composed of namespace and name
	// for example: "app.platform.list" which is composed as service.resource.verb
	// here app.platform is namespace and list is name of the permission
	Key string
}

ResourcePermission is a permission from which roles are created. Whenever an action is performed, the subject's granted permissions are checked against the permissions the action requires.

func (ResourcePermission) GetName

func (r ResourcePermission) GetName() string

func (ResourcePermission) GetNamespace

func (r ResourcePermission) GetNamespace() string

func (ResourcePermission) Slug

func (r ResourcePermission) Slug() string

type RoleDefinition

// RoleDefinition is a named set of permissions that can be assigned to a
// user or group. It is decoded from YAML using the tags below.
type RoleDefinition struct {
	// Name identifies the role, for example "app_organization_owner".
	Name        string   `yaml:"name"`
	// Description is free text; the roles in PredefinedRoles leave it empty.
	Description string   `yaml:"description"`
	// Permissions lists the permission keys the role grants, for example
	// "app_organization_get".
	Permissions []string `yaml:"permissions"`
}

RoleDefinition is a named set of permissions that can be assigned to a user or group.

type ServiceDefinition

// ServiceDefinition is the set of roles and permissions a user supplies for
// one service; several of them can be combined with MergeServiceDefinitions.
type ServiceDefinition struct {
	// Roles are the roles the service declares.
	Roles       []RoleDefinition     `yaml:"roles"`
	// Permissions are the resource permissions the service declares.
	Permissions []ResourcePermission `yaml:"permissions"`
}

ServiceDefinition is supplied by the user for a service.

func MergeServiceDefinitions

func MergeServiceDefinitions(definitions ...ServiceDefinition) *ServiceDefinition

MergeServiceDefinitions merges multiple service definitions into one and deduplicates roles and permissions.
