authz

package
v1.8.0-alpha.1
Published: Jul 22, 2024 License: MPL-2.0 Imports: 14 Imported by: 0

Documentation

Overview

Package authz is adopted from Talos.

Index

Constants

This section is empty.

Variables

var ErrNotAuthorized = status.Error(codes.PermissionDenied, "not authorized")

ErrNotAuthorized should be returned to the client when they are not authorized.

Functions

func ContextWithRoles

func ContextWithRoles(ctx context.Context, roles role.Set) context.Context

ContextWithRoles returns a derived context with the given roles set.

func GetRoles

func GetRoles(ctx context.Context) role.Set

GetRoles returns roles stored in the context by the Injector interceptor. May be used for additional checks in the API method handler.

func HasRole

func HasRole(ctx context.Context, r role.Role) bool

HasRole returns true if the context includes the given role.

func SetMetadata

func SetMetadata(md metadata.MD, roles role.Set)

SetMetadata sets the given roles in gRPC metadata.

Types

type Authorizer

type Authorizer struct {
	// Maps full gRPC method names to roles. The user should have at least one of them.
	Rules map[string]role.Set

	// Defines roles for gRPC methods not present in Rules.
	FallbackRoles role.Set

	// Logger.
	Logger func(format string, v ...interface{})
}

Authorizer checks that the user is authorized (has a valid role) to call the intercepted gRPC method. User roles should be set by the Injector interceptor.

func (*Authorizer) StreamInterceptor

func (a *Authorizer) StreamInterceptor() grpc.StreamServerInterceptor

StreamInterceptor returns a grpc.StreamServerInterceptor.

func (*Authorizer) UnaryInterceptor

func (a *Authorizer) UnaryInterceptor() grpc.UnaryServerInterceptor

UnaryInterceptor returns a grpc.UnaryServerInterceptor.

type Injector

type Injector struct {
	// Mode.
	Mode InjectorMode

	// SideroLinkPeerCheckFunc checks if the peer is a SideroLink peer.
	// When not specified, it defaults to isSideroLinkPeer.
	SideroLinkPeerCheckFunc SideroLinkPeerCheckFunc

	// Logger.
	Logger func(format string, v ...interface{})
}

Injector sets roles in the context.

func (*Injector) StreamInterceptor

func (i *Injector) StreamInterceptor() grpc.StreamServerInterceptor

StreamInterceptor returns a grpc.StreamServerInterceptor.

func (*Injector) UnaryInterceptor

func (i *Injector) UnaryInterceptor() grpc.UnaryServerInterceptor

UnaryInterceptor returns a grpc.UnaryServerInterceptor.

type InjectorMode

type InjectorMode int

InjectorMode specifies how roles are extracted.

const (
	// Disabled is used when RBAC is disabled in the machine configuration. All roles are assumed.
	Disabled InjectorMode = iota

	// ReadOnly is used to inject only the Reader role.
	ReadOnly

	// ReadOnlyWithAdminOnSiderolink is used to inject the Admin role if the peer is a SideroLink peer.
	// Otherwise, the Reader role is injected.
	ReadOnlyWithAdminOnSiderolink

	// MetadataOnly is used internally. Checks only metadata.
	MetadataOnly

	// Enabled is used when RBAC is enabled in the machine configuration. Roles are extracted normally.
	Enabled
)

type SideroLinkPeerCheckFunc

type SideroLinkPeerCheckFunc func(ctx context.Context) (netip.Addr, bool)

SideroLinkPeerCheckFunc checks if the peer is a SideroLink peer.
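The Authorizer rule (Rules, then FallbackRoles) and the InjectorMode semantics documented above, as an added Go example that is not this package's code. Set, the role names and the method names in it are constructed stand-ins for role.Set and real gRPC method names; the real interceptors carry the roles in the request context and return a gRPC status error.

```go
package main
import "errors"

// Set stands in for role.Set, which this page uses but does not define; the
// role names are constructed for this demo.
type Set map[string]struct{}

const Admin, Reader = "admin", "reader"
var ErrNotAuthorized = errors.New("not authorized") // stand-in for the gRPC status error
type InjectorMode int

const (
	Disabled InjectorMode = iota
	ReadOnly
	ReadOnlyWithAdminOnSiderolink
	MetadataOnly
	Enabled
)

// InjectRoles models the roles the Injector attaches per mode; extracted is what it
// read for the caller (MetadataOnly, Enabled), sideroLinkPeer the SideroLinkPeerCheckFunc result.
func InjectRoles(mode InjectorMode, extracted Set, sideroLinkPeer bool) Set {
	switch mode {
	case Disabled: // RBAC off in the machine config: every role is assumed
		return Set{Admin: {}, Reader: {}}
	case ReadOnlyWithAdminOnSiderolink:
		if sideroLinkPeer {
			return Set{Admin: {}}
		}
		fallthrough
	case ReadOnly:
		return Set{Reader: {}}
	}
	return extracted
}

// Authorize applies the Authorizer rule: at least one caller role must be in
// Rules[fullMethod], or in FallbackRoles when the method has no rule.
func Authorize(roles Set, rules map[string]Set, fallback Set, fullMethod string) error {
	required, ok := rules[fullMethod]
	if !ok {
		required = fallback
	}
	for r := range roles {
		if _, ok := required[r]; ok {
			return nil
		}
	}
	return ErrNotAuthorized
}
```

A method with no entry in Rules and an empty FallbackRoles is denied for every caller, which is the safe default when wiring up new RPCs.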
