Documentation ¶
Overview ¶
Package authz is adopted from Talos.
Index ¶
- Variables
- func ContextWithRoles(ctx context.Context, roles role.Set) context.Context
- func GetRoles(ctx context.Context) role.Set
- func HasRole(ctx context.Context, r role.Role) bool
- func SetMetadata(md metadata.MD, roles role.Set)
- type Authorizer
- type Injector
- type InjectorMode
- type SideroLinkPeerCheckFunc
Constants ¶
This section is empty.
Variables ¶
var ErrNotAuthorized = status.Error(codes.PermissionDenied, "not authorized")
ErrNotAuthorized should be returned to the client when they are not authorized.
Functions ¶
func ContextWithRoles ¶
func ContextWithRoles(ctx context.Context, roles role.Set) context.Context
ContextWithRoles returns a derived context with the roles set.
func GetRoles ¶
func GetRoles(ctx context.Context) role.Set
GetRoles returns the roles stored in the context by the Injector interceptor. It may be used for additional checks in the API method handler.
Types ¶
type Authorizer ¶
type Authorizer struct {
	// Maps full gRPC method names to roles. The user should have at least one of them.
	Rules map[string]role.Set
	// Defines roles for gRPC methods not present in Rules.
	FallbackRoles role.Set
	// Logger.
	Logger func(format string, v ...interface{})
}
Authorizer checks that the user is authorized (has a valid role) to call the intercepted gRPC method. User roles should be set by the Injector interceptor.
func (*Authorizer) StreamInterceptor ¶
func (a *Authorizer) StreamInterceptor() grpc.StreamServerInterceptor
StreamInterceptor returns grpc StreamServerInterceptor.
func (*Authorizer) UnaryInterceptor ¶
func (a *Authorizer) UnaryInterceptor() grpc.UnaryServerInterceptor
UnaryInterceptor returns grpc UnaryServerInterceptor.
type Injector ¶
type Injector struct {
	// Mode.
	Mode InjectorMode
	// SideroLinkPeerCheckFunc checks if the peer is a SideroLink peer.
	// When not specified, it defaults to isSideroLinkPeer.
	SideroLinkPeerCheckFunc SideroLinkPeerCheckFunc
	// Logger.
	Logger func(format string, v ...interface{})
}
Injector sets the roles in the context.
func (*Injector) StreamInterceptor ¶
func (i *Injector) StreamInterceptor() grpc.StreamServerInterceptor
StreamInterceptor returns grpc StreamServerInterceptor.
func (*Injector) UnaryInterceptor ¶
func (i *Injector) UnaryInterceptor() grpc.UnaryServerInterceptor
UnaryInterceptor returns grpc UnaryServerInterceptor.
type InjectorMode ¶
type InjectorMode int
InjectorMode specifies how roles are extracted.
const (
	// Disabled is used when RBAC is disabled in the machine configuration. All roles are assumed.
	Disabled InjectorMode = iota
	// ReadOnly is used to inject only the Reader role.
	ReadOnly
	// ReadOnlyWithAdminOnSiderolink is used to inject the Admin role if the peer is a SideroLink peer.
	// Otherwise, the Reader role is injected.
	ReadOnlyWithAdminOnSiderolink
	// MetadataOnly is used internally. Checks only metadata.
	MetadataOnly
	// Enabled is used when RBAC is enabled in the machine configuration. Roles are extracted normally.
	Enabled
)