Documentation ¶
Index ¶
- Constants
- Variables
- func BuildNamespaceName(service, resource string) string
- func FQPermissionNameFromNamespace(namespace, verb string) string
- func IsSystemNamespace(namespace string) bool
- func IsValidPermissionName(name string) bool
- func JoinNamespaceAndResourceID(namespace, id string) string
- func ParseNamespaceAliasIfRequired(n string) string
- func PermissionKeyFromNamespaceAndName(namespace, name string) string
- func PermissionNamespaceAndNameFromKey(key string) (string, string)
- func SplitNamespaceAndResourceID(namespace string) (string, string, error)
- func SplitNamespaceResource(ns string) (string, string)
- type ResourcePermission
- type RoleDefinition
- type ServiceDefinition
Constants ¶
View Source
const ( // DefaultNamespace is the default namespace for predefined entities DefaultNamespace = "app" // Global IDs PlatformID = "platform" // namespace PlatformNamespace = "app/platform" OrganizationNamespace = "app/organization" ProjectNamespace = "app/project" GroupNamespace = "app/group" RoleBindingNamespace = "app/rolebinding" RoleNamespace = "app/role" InvitationNamespace = "app/invitation" // relations PlatformRelationName = "platform" AdminRelationName = "admin" OrganizationRelationName = "org" UserRelationName = "user" ProjectRelationName = "project" GroupRelationName = "group" MemberRelationName = "member" OwnerRelationName = "owner" RoleRelationName = "role" RoleGrantRelationName = "granted" RoleBearerRelationName = "bearer" // permissions ListPermission = "list" GetPermission = "get" CreatePermission = "create" UpdatePermission = "update" DeletePermission = "delete" SudoPermission = "superuser" RoleManagePermission = "rolemanage" PolicyManagePermission = "policymanage" ProjectListPermission = "projectlist" GroupListPermission = "grouplist" ProjectCreatePermission = "projectcreate" GroupCreatePermission = "groupcreate" ResourceListPermission = "resourcelist" InvitationListPermission = "invitationlist" InvitationCreatePermission = "invitationcreate" AcceptPermission = "accept" ServiceUserManagePermission = "serviceusermanage" ManagePermission = "manage" // synthetic permission MembershipPermission = "membership" // principals UserPrincipal = "app/user" ServiceUserPrincipal = "app/serviceuser" GroupPrincipal = "app/group" SuperUserPrincipal = "app/superuser" // Roles RoleProjectOwner = "app_project_owner" GroupOwnerRole = "app_group_owner" GroupMemberRole = "app_group_member" )
SpiceDB readable format is stored in predefined_schema.txt
Variables ¶
View Source
var ( ErrMigration = errors.New("error in migrating authz schema") ErrBadNamespace = errors.New("bad namespace, format should namespace:uuid") )
View Source
var BaseSchemaZed string
View Source
var (
PlatformOrgID = uuid.Nil
)
View Source
var PredefinedRoles = []RoleDefinition{ { Title: "Organization Owner", Name: "app_organization_owner", Permissions: []string{ "app_organization_administer", }, Scopes: []string{OrganizationNamespace}, }, { Title: "Organization Manager", Name: "app_organization_manager", Permissions: []string{ "app_organization_update", "app_organization_get", "app_organization_projectcreate", "app_organization_projectlist", "app_organization_groupcreate", "app_organization_grouplist", "app_organization_serviceusermanage", }, Scopes: []string{OrganizationNamespace}, }, { Title: "Organization Access Manager", Name: "app_organization_accessmanager", Permissions: []string{ "app_organization_invitationcreate", "app_organization_invitationlist", "app_organization_rolemanage", "app_organization_policymanage", }, Scopes: []string{OrganizationNamespace}, }, { Title: "Organization Viewer", Name: "app_organization_viewer", Permissions: []string{ "app_organization_get", }, Scopes: []string{OrganizationNamespace}, }, { Title: "Project Owner", Name: RoleProjectOwner, Permissions: []string{ "app_project_administer", }, Scopes: []string{ProjectNamespace}, }, { Title: "Project Manager", Name: "app_project_manager", Permissions: []string{ "app_project_update", "app_project_get", "app_project_resourcelist", "app_organization_projectcreate", "app_organization_projectlist", "app_organization_grouplist", }, Scopes: []string{ProjectNamespace}, }, { Title: "Project Viewer", Name: "app_project_viewer", Permissions: []string{ "app_project_get", }, Scopes: []string{ProjectNamespace}, }, { Title: "Group Owner", Name: GroupOwnerRole, Permissions: []string{ "app_group_administer", }, Scopes: []string{GroupNamespace}, }, { Title: "Group Member", Name: GroupMemberRole, Permissions: []string{ "app_group_get", }, Scopes: []string{GroupNamespace}, }, }
Functions ¶
func BuildNamespaceName ¶
func IsSystemNamespace ¶
func IsValidPermissionName ¶ added in v0.7.2
IsValidPermissionName checks if the provided name is a valid permission name
func SplitNamespaceAndResourceID ¶
SplitNamespaceAndResourceID splits ns/something:uuid into ns/something and uuid
func SplitNamespaceResource ¶
Types ¶
type ResourcePermission ¶
type ResourcePermission struct { // simple name Name string // Namespace is an object over which authz rules will be applied Namespace string Description string // Key is a unique identifier composed of namespace and name // for example: "app.platform.list" which is composed as service.resource.verb // here app.platform is namespace and list is name of the permission Key string }
ResourcePermission with which roles will be created. Whenever an action is performed subject access permissions are checked with subject required permissions
func (ResourcePermission) GetName ¶
func (r ResourcePermission) GetName() string
func (ResourcePermission) GetNamespace ¶
func (r ResourcePermission) GetNamespace() string
func (ResourcePermission) Slug ¶
func (r ResourcePermission) Slug() string
type RoleDefinition ¶
type RoleDefinition struct { Title string `yaml:"title"` Name string `yaml:"name"` Description string `yaml:"description"` Scopes []string `yaml:"scopes"` Permissions []string `yaml:"permissions"` }
RoleDefinition are a set of permissions which can be assigned to a user or group
type ServiceDefinition ¶
type ServiceDefinition struct { Roles []RoleDefinition `yaml:"roles"` Permissions []ResourcePermission `yaml:"permissions"` }
ServiceDefinition is provided by user for a service
func MergeServiceDefinitions ¶
func MergeServiceDefinitions(definitions ...ServiceDefinition) *ServiceDefinition
MergeServiceDefinitions merges multiple service definitions into one and deduplicate roles and permissions
Click to show internal directories.
Click to hide internal directories.