rbac

package
v0.0.0-...-1d80bfb Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 25, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsAllowResourceAccess

func IsAllowResourceAccess(rbac Interface, user, resource, verb, namespace string) (bool, error)

IsAllowResourceAccess give a decision by auth attributes

func RuleAllows

func RuleAllows(requestAttributes authorizer.Attributes, rule *rbacv1.PolicyRule) bool

func User2UserInfo

func User2UserInfo(u string) user.Info

todo: need a better way

Types

type Authorizer

type Authorizer interface {
	Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)
}

Authorizer makes an authorization decision based on information gained by making zero or more calls to methods of the Attributes interface. It returns nil when an action is authorized, otherwise it returns an error.

type DefaultResolver

type DefaultResolver struct {
	// resources get or list from cache
	// sync by informer
	cache.Cache
}

DefaultResolver resolve rules of rbac

func NewDefaultResolver

func NewDefaultResolver(cluster string) *DefaultResolver

func (*DefaultResolver) Authorize

func (r *DefaultResolver) Authorize(ctx context.Context, requestAttributes authorizer.Attributes) (authorizer.Decision, string, error)

func (*DefaultResolver) GetClusterRole

func (r *DefaultResolver) GetClusterRole(name string) (rbacv1.ClusterRole, error)

func (*DefaultResolver) GetRole

func (r *DefaultResolver) GetRole(namespace, name string) (rbacv1.Role, error)

func (*DefaultResolver) GetRoleReferenceRules

func (r *DefaultResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, bindingNamespace string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules attempts to resolve the RoleBinding or ClusterRoleBinding.

func (*DefaultResolver) GetUser

func (r *DefaultResolver) GetUser(name string) (userv1.User, error)

func (*DefaultResolver) ListClusterRoleBindings

func (r *DefaultResolver) ListClusterRoleBindings() ([]rbacv1.ClusterRoleBinding, error)

func (*DefaultResolver) ListRoleBindings

func (r *DefaultResolver) ListRoleBindings(namespace string) ([]rbacv1.RoleBinding, error)

func (*DefaultResolver) ListUser

func (r *DefaultResolver) ListUser() ([]userv1.User, error)

func (*DefaultResolver) RolesFor

func (r *DefaultResolver) RolesFor(user user.Info, namespace string) ([]*rbacv1.Role, []*rbacv1.ClusterRole, error)

func (*DefaultResolver) User2UserRole

func (r *DefaultResolver) User2UserRole(user user.Info) []string

func (*DefaultResolver) UsersFor

func (r *DefaultResolver) UsersFor(role rbacv1.RoleRef, namespace string) ([]*userv1.User, error)

func (*DefaultResolver) VisitRolesFor

func (r *DefaultResolver) VisitRolesFor(user user.Info, namespace string, visitor visitor)

func (*DefaultResolver) VisitRulesFor

func (r *DefaultResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

func (*DefaultResolver) VisitUsersFor

func (r *DefaultResolver) VisitUsersFor(role rbacv1.RoleRef, namespace string, visitor visitor)

type Interface

type Interface interface {
	RoleExtractor
	RoleResolver
	Authorizer
}

Interface aggregate rbac extractor and resolver

type RoleExtractor

type RoleExtractor interface {
	GetUser(name string) (userv1.User, error)
	ListUser() ([]userv1.User, error)

	GetRole(namespace, name string) (rbacv1.Role, error)
	ListRoleBindings(namespace string) ([]rbacv1.RoleBinding, error)

	GetClusterRole(name string) (rbacv1.ClusterRole, error)
	ListClusterRoleBindings() ([]rbacv1.ClusterRoleBinding, error)
}

type RoleResolver

type RoleResolver interface {
	// RolesFor get all of roles and cluster roles bind to user, with non empty
	// namespace will match both Role and ClusterRole, otherwise only clusterRole
	// will be matched.
	RolesFor(user user.Info, namespace string) ([]*rbacv1.Role, []*rbacv1.ClusterRole, error)

	// UsersFor get all of users bind to role reference, if Role with namespace,
	// will match RoleBindings and ClusterRoleBindings, otherwise only Cluster
	// will be matched.
	UsersFor(role rbacv1.RoleRef, namespace string) ([]*userv1.User, error)

	// VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace,
	// and each error encountered resolving those rules. Rule may be nil if err is non-nil.
	// If visitor() returns false, visiting is short-circuited.
	VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)
}

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL