auth

package
v0.0.0-...-d3d374b Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 15, 2018 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Overview

Package auth provides mechanisms for enforcing authorization to Project resources in OpenShift

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewUserProjectWatcher

func NewUserProjectWatcher(user user.Info, visibleNamespaces sets.String, projectCache *projectcache.ProjectCache, authCache WatchableCache, includeAllExistingProjects bool) *userProjectWatcher

Types

type AuthorizationCache

type AuthorizationCache struct {
	// contains filtered or unexported fields
}

AuthorizationCache maintains a cache on the set of namespaces a user or group can access.

func NewAuthorizationCache

func NewAuthorizationCache(reviewer Reviewer, namespaceInterface kclient.NamespaceInterface,
	clusterPolicyLister client.SyncedClusterPoliciesListerInterface, clusterPolicyBindingLister client.SyncedClusterPolicyBindingsListerInterface,
	policyNamespacer client.SyncedPoliciesListerNamespacer, policyBindingNamespacer client.SyncedPolicyBindingsListerNamespacer,
) *AuthorizationCache

NewAuthorizationCache creates a new AuthorizationCache

func (*AuthorizationCache) AddWatcher

func (ac *AuthorizationCache) AddWatcher(watcher CacheWatcher)

func (*AuthorizationCache) GetClusterPolicyLister

func (ac *AuthorizationCache) GetClusterPolicyLister() client.SyncedClusterPoliciesListerInterface

func (*AuthorizationCache) List

func (ac *AuthorizationCache) List(userInfo user.Info) (*kapi.NamespaceList, error)

List returns the set of namespace names the user has access to view

func (*AuthorizationCache) ReadyForAccess

func (ac *AuthorizationCache) ReadyForAccess() bool

func (*AuthorizationCache) RemoveWatcher

func (ac *AuthorizationCache) RemoveWatcher(watcher CacheWatcher)

func (*AuthorizationCache) Run

func (ac *AuthorizationCache) Run(period time.Duration)

Run begins watching and synchronizing the cache

type CacheWatcher

type CacheWatcher interface {
	// GroupMembershipChanged is called serially for all changes for all watchers.  This method MUST NOT BLOCK.
	// The serial nature makes reasoning about the code easy, but if you block in this method you will doom all watchers.
	GroupMembershipChanged(namespaceName string, users, groups sets.String)
}

type LastSyncResourceVersioner

type LastSyncResourceVersioner interface {
	LastSyncResourceVersion() string
}

LastSyncResourceVersioner is any object that can divulge a LastSyncResourceVersion

type Lister

type Lister interface {
	// List returns the list of Namespace items that the user can access
	List(user user.Info) (*kapi.NamespaceList, error)
}

Lister enforces ability to enumerate a resource based on policy

type Review

type Review interface {
	Users() []string
	Groups() []string
	EvaluationError() string
}

Review is a list of users and groups that can access a resource

type Reviewer

type Reviewer interface {
	Review(name string) (Review, error)
}

Reviewer performs access reviews for a project by name

func NewAuthorizerReviewer

func NewAuthorizerReviewer(policyChecker authorizer.Authorizer) Reviewer

func NewReviewer

func NewReviewer(resourceAccessReviewsNamespacer client.LocalResourceAccessReviewsNamespacer) Reviewer

NewReviewer knows how to make access control reviews for a resource by name

type WatchableCache

type WatchableCache interface {
	// RemoveWatcher removes a watcher
	RemoveWatcher(CacheWatcher)
	// List returns the set of namespace names the user has access to view
	List(userInfo user.Info) (*kapi.NamespaceList, error)
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL