authz

package
v1.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 15, 2022 License: MPL-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var ErrNotAuthorized = status.Error(codes.PermissionDenied, "not authorized")

ErrNotAuthorized should be returned to the client when they are not authorized.

Functions

func ContextWithRoles

func ContextWithRoles(ctx context.Context, roles role.Set) context.Context

ContextWithRoles returns derived context with roles set.

func GetRoles

func GetRoles(ctx context.Context) role.Set

GetRoles returns roles stored in the context by the Injector interceptor. May be used for additional checks in the API method handler.

func SetMetadata

func SetMetadata(md metadata.MD, roles role.Set)

SetMetadata sets given roles in gRPC metadata.

Types

type Authorizer

type Authorizer struct {
	// Maps full gRPC method names to roles. The user should have at least one of them.
	Rules map[string]role.Set

	// Defines roles for gRPC methods not present in Rules.
	FallbackRoles role.Set

	// Logger.
	Logger func(format string, v ...interface{})
}

Authorizer checks that the user is authorized (has a valid role) to call intercepted gRPC method. User roles should be set the Injector interceptor.

func (*Authorizer) StreamInterceptor

func (a *Authorizer) StreamInterceptor() grpc.StreamServerInterceptor

StreamInterceptor returns grpc StreamServerInterceptor.

func (*Authorizer) UnaryInterceptor

func (a *Authorizer) UnaryInterceptor() grpc.UnaryServerInterceptor

UnaryInterceptor returns grpc UnaryServerInterceptor.

type Injector

type Injector struct {
	// Mode.
	Mode InjectorMode

	// Logger.
	Logger func(format string, v ...interface{})
}

Injector sets roles to the context.

func (*Injector) StreamInterceptor

func (i *Injector) StreamInterceptor() grpc.StreamServerInterceptor

StreamInterceptor returns grpc StreamServerInterceptor.

func (*Injector) UnaryInterceptor

func (i *Injector) UnaryInterceptor() grpc.UnaryServerInterceptor

UnaryInterceptor returns grpc UnaryServerInterceptor.

type InjectorMode

type InjectorMode int

InjectorMode specifies how roles are extracted.

const (
	// Disabled is used when RBAC is disabled in the machine configuration. All roles are assumed.
	Disabled InjectorMode = iota

	// ReadOnly is used to inject only Reader role.
	ReadOnly

	// MetadataOnly is used internally. Checks only metadata.
	MetadataOnly

	// Enabled is used when RBAC is enabled in the machine configuration. Roles are extracted normally.
	Enabled
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL