Documentation
Index
- Variables
- func ContextWithRoles(ctx context.Context, roles role.Set) context.Context
- func GetRoles(ctx context.Context) role.Set
- func HasRole(ctx context.Context, r role.Role) bool
- func SetMetadata(md metadata.MD, roles role.Set)
- type Authorizer
- type Injector
- type InjectorMode
- type SideroLinkPeerCheckFunc
Constants
This section is empty.
Variables
var ErrNotAuthorized = status.Error(codes.PermissionDenied, "not authorized")
ErrNotAuthorized is the gRPC PermissionDenied status returned to the client when it is not authorized to call the method.
Functions
func ContextWithRoles
func ContextWithRoles(ctx context.Context, roles role.Set) context.Context
ContextWithRoles returns a derived context with the given roles set.
func GetRoles
func GetRoles(ctx context.Context) role.Set
GetRoles returns the roles stored in the context by the Injector interceptor. It may be used for additional checks inside the API method handler.
Types
type Authorizer
type Authorizer struct {
// Maps full gRPC method names to roles. The user should have at least one of them.
Rules map[string]role.Set
// Defines roles for gRPC methods not present in Rules.
FallbackRoles role.Set
// Logger.
Logger func(format string, v ...any)
}
Authorizer checks that the user is authorized to call the intercepted gRPC method, that is, holds at least one of the roles required for it. The user's roles must already have been set in the context by the Injector interceptor, so Authorizer has to run after Injector in the interceptor chain.
func (*Authorizer) StreamInterceptor
func (a *Authorizer) StreamInterceptor() grpc.StreamServerInterceptor
StreamInterceptor returns a grpc.StreamServerInterceptor that performs the check for streaming methods.
func (*Authorizer) UnaryInterceptor
func (a *Authorizer) UnaryInterceptor() grpc.UnaryServerInterceptor
UnaryInterceptor returns a grpc.UnaryServerInterceptor that performs the check for unary methods.
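The decision both interceptors make is a rule lookup keyed by the full gRPC method name, with FallbackRoles for unlisted methods and "at least one matching role" as the test. The following is an added example, not the package's own code: it re-implements that decision in plain Go so it runs offline. Role, Set, the method names in the rule table, the Check helper and the errors.New stand-in for the PermissionDenied status are all assumptions made for the example; the real package uses role.Set from Talos machinery and the gRPC status package.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Role and Set stand in for Talos's role.Role/role.Set (assumption; the real
// machinery package is not imported so this file runs offline).
type Role string

const (
	Admin  Role = "os:admin"
	Reader Role = "os:reader"
)

type Set map[Role]bool

// IncludesAny reports whether s holds at least one role from required. An empty
// required set never matches, so an unlisted method with no FallbackRoles is denied.
func (s Set) IncludesAny(required Set) bool {
	for r := range required {
		if s[r] {
			return true
		}
	}
	return false
}

// Context plumbing with the same shape as ContextWithRoles/GetRoles/HasRole.
type rolesKey struct{}

func ContextWithRoles(ctx context.Context, roles Set) context.Context {
	return context.WithValue(ctx, rolesKey{}, roles)
}

func GetRoles(ctx context.Context) Set { s, _ := ctx.Value(rolesKey{}).(Set); return s }

func HasRole(ctx context.Context, r Role) bool { return GetRoles(ctx)[r] }

// ErrNotAuthorized stands in for status.Error(codes.PermissionDenied, "not authorized").
var ErrNotAuthorized = errors.New("not authorized")

type Authorizer struct {
	Rules         map[string]Set
	FallbackRoles Set
	Logger        func(format string, v ...any)
}

// Authorize is the decision both interceptors make: look the full method name
// up in Rules, fall back to FallbackRoles, and require at least one match
// against the roles the Injector left in ctx.
func (a *Authorizer) Authorize(ctx context.Context, fullMethod string) error {
	required, ok := a.Rules[fullMethod]
	if !ok {
		required = a.FallbackRoles
	}
	have := GetRoles(ctx)
	if have.IncludesAny(required) {
		return nil
	}
	if a.Logger != nil {
		a.Logger("%s: roles %v, required one of %v", fullMethod, have, required)
	}
	return ErrNotAuthorized
}

// Illustrative rules (not the project's real table): Version is readable by
// either role, Reboot needs Admin, and anything unlisted needs Admin too.
var auth = &Authorizer{
	Rules: map[string]Set{
		"/machine.MachineService/Version": {Admin: true, Reader: true},
		"/machine.MachineService/Reboot":  {Admin: true},
	},
	FallbackRoles: Set{Admin: true},
	Logger:        func(f string, v ...any) { fmt.Printf(f+"\n", v...) },
}

// Check evaluates one call made with the given roles already injected.
func Check(roles Set, fullMethod string) error {
	return auth.Authorize(ContextWithRoles(context.Background(), roles), fullMethod)
}

func main() {
	fmt.Println(Check(Set{Reader: true}, "/machine.MachineService/Version"))
	fmt.Println(Check(Set{Reader: true}, "/machine.MachineService/Reboot"))
	fmt.Println(Check(Set{Reader: true}, "/machine.MachineService/Logs")) // unlisted: FallbackRoles apply
}
```

Two properties worth keeping when configuring the real Authorizer follow from this shape: a request whose context carries no roles (Injector not in the chain, or placed after Authorizer) is denied, and leaving FallbackRoles empty makes every method not named in Rules fail closed rather than open.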
type Injector
type Injector struct {
// Mode.
Mode InjectorMode
// SideroLinkPeerCheckFunc checks if the peer is a SideroLink peer.
// When not specified, it defaults to isSideroLinkPeer.
SideroLinkPeerCheckFunc SideroLinkPeerCheckFunc
// Logger.
Logger func(format string, v ...any)
}
Injector determines the caller's roles according to Mode and stores them in the request context, where the Authorizer interceptor and the method handlers (via GetRoles) read them.
func (*Injector) StreamInterceptor
func (i *Injector) StreamInterceptor() grpc.StreamServerInterceptor
StreamInterceptor returns a grpc.StreamServerInterceptor that injects roles for streaming methods.
func (*Injector) UnaryInterceptor
func (i *Injector) UnaryInterceptor() grpc.UnaryServerInterceptor
UnaryInterceptor returns a grpc.UnaryServerInterceptor that injects roles for unary methods.
type InjectorMode
type InjectorMode int
InjectorMode specifies how roles are extracted.
const (
	// Disabled is used when RBAC is disabled in the machine configuration. All roles are assumed.
	Disabled InjectorMode = iota
	// ReadOnly is used to inject only the Reader role.
	ReadOnly
	// ReadOnlyWithAdminOnSiderolink is used to inject the Admin role if the peer is a SideroLink peer.
	// Otherwise, the Reader role is injected.
	ReadOnlyWithAdminOnSiderolink
	// MetadataOnly is used internally. Checks only metadata.
	MetadataOnly
	// Enabled is used when RBAC is enabled in the machine configuration. Roles are extracted normally.
	Enabled
)
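The five modes differ only in where the injected role set comes from, and the security-relevant cases are the two that grant Admin: Disabled (everything) and ReadOnlyWithAdminOnSiderolink (only when the peer check says the caller is a SideroLink peer). The following added example, not code from the package, models that switch for each mode. Role, Set, the Peer struct carried in the context, its MetadataRoles and CertRoles fields, and the signature of SideroLinkPeerCheckFunc are all assumptions: the page does not say where "normal" extraction in Enabled mode reads roles from, so the example takes them from a constructed CertRoles field, and metadata roles from a constructed MetadataRoles field.

```go
package main

import (
	"context"
	"fmt"
)

// Role and Set stand in for Talos's role.Role/role.Set (assumption; the real
// machinery package is not imported so this file runs offline).
type Role string

const (
	Admin  Role = "os:admin"
	Reader Role = "os:reader"
)

type Set map[Role]bool

type rolesKey struct{}

func ContextWithRoles(ctx context.Context, roles Set) context.Context {
	return context.WithValue(ctx, rolesKey{}, roles)
}

func GetRoles(ctx context.Context) Set { s, _ := ctx.Value(rolesKey{}).(Set); return s }

type InjectorMode int

const (
	Disabled InjectorMode = iota
	ReadOnly
	ReadOnlyWithAdminOnSiderolink
	MetadataOnly
	Enabled
)

// Peer is a constructed, hypothetical stand-in for what the real interceptor
// reads from the gRPC peer, TLS state and incoming metadata; it travels in ctx.
type Peer struct {
	SideroLink    bool
	MetadataRoles Set // roles carried in request metadata (constructed input)
	CertRoles     Set // what "normal" extraction yields (assumed: the client certificate)
}

type peerKey struct{}

func ContextWithPeer(ctx context.Context, p Peer) context.Context {
	return context.WithValue(ctx, peerKey{}, p)
}

func peerOf(ctx context.Context) Peer { p, _ := ctx.Value(peerKey{}).(Peer); return p }

// SideroLinkPeerCheckFunc's signature is assumed here.
type SideroLinkPeerCheckFunc func(ctx context.Context) bool

type Injector struct {
	Mode                    InjectorMode
	SideroLinkPeerCheckFunc SideroLinkPeerCheckFunc
}

// Inject derives the roles for one call from i.Mode and stores them in ctx,
// which is what both interceptors do before handing off to the handler.
func (i *Injector) Inject(ctx context.Context) context.Context {
	check := i.SideroLinkPeerCheckFunc
	if check == nil { // default, like the page's isSideroLinkPeer
		check = func(ctx context.Context) bool { return peerOf(ctx).SideroLink }
	}
	var roles Set
	switch i.Mode {
	case Disabled: // RBAC off in the machine config: every role is assumed
		roles = Set{Admin: true, Reader: true}
	case ReadOnly:
		roles = Set{Reader: true}
	case ReadOnlyWithAdminOnSiderolink:
		roles = Set{Reader: true}
		if check(ctx) {
			roles = Set{Admin: true}
		}
	case MetadataOnly:
		roles = peerOf(ctx).MetadataRoles
	case Enabled:
		roles = peerOf(ctx).CertRoles
	default: // unknown mode: inject nothing, so an Authorizer denies the call
		roles = Set{}
	}
	return ContextWithRoles(ctx, roles)
}

// RolesFor returns the roles a call from p receives under mode.
func RolesFor(mode InjectorMode, p Peer) Set {
	return GetRoles((&Injector{Mode: mode}).Inject(ContextWithPeer(context.Background(), p)))
}

func main() {
	fmt.Println(RolesFor(ReadOnlyWithAdminOnSiderolink, Peer{SideroLink: true}))
	fmt.Println(RolesFor(ReadOnlyWithAdminOnSiderolink, Peer{}))
	fmt.Println(RolesFor(MetadataOnly, Peer{MetadataRoles: Set{Reader: true}}))
}
```

The practical point is the one the ReadOnlyWithAdminOnSiderolink branch makes explicit: whatever SideroLinkPeerCheckFunc is plugged in decides who gets Admin, so an override of the default check is part of the trust boundary and deserves its own tests.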