authz

package

v1.5.1 Latest Latest Go to latest Published: Aug 22, 2023 License: MPL-2.0 Imports: 11 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/siderolabs/talos

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
func ContextWithRoles(ctx context.Context, roles role.Set) context.Context
func GetRoles(ctx context.Context) role.Set
func SetMetadata(md metadata.MD, roles role.Set)
type Authorizer
- func (a *Authorizer) StreamInterceptor() grpc.StreamServerInterceptor
- func (a *Authorizer) UnaryInterceptor() grpc.UnaryServerInterceptor
type Injector
- func (i *Injector) StreamInterceptor() grpc.StreamServerInterceptor
- func (i *Injector) UnaryInterceptor() grpc.UnaryServerInterceptor
type InjectorMode

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrNotAuthorized = status.Error(codes.PermissionDenied, "not authorized")

ErrNotAuthorized should be returned to the client when they are not authorized.

Functions ¶

func ContextWithRoles ¶

func ContextWithRoles(ctx context.Context, roles role.Set) context.Context

ContextWithRoles returns derived context with roles set.

func GetRoles ¶

func GetRoles(ctx context.Context) role.Set

GetRoles returns roles stored in the context by the Injector interceptor. May be used for additional checks in the API method handler.

func SetMetadata ¶

func SetMetadata(md metadata.MD, roles role.Set)

SetMetadata sets given roles in gRPC metadata.

Types ¶

type Authorizer ¶

type Authorizer struct {
	// Maps full gRPC method names to roles. The user should have at least one of them.
	Rules map[string]role.Set

	// Defines roles for gRPC methods not present in Rules.
	FallbackRoles role.Set

	// Logger.
	Logger func(format string, v ...interface{})
}

Authorizer checks that the user is authorized (has a valid role) to call intercepted gRPC method. User roles should be set the Injector interceptor.

func (*Authorizer) StreamInterceptor ¶

func (a *Authorizer) StreamInterceptor() grpc.StreamServerInterceptor

StreamInterceptor returns grpc StreamServerInterceptor.

func (*Authorizer) UnaryInterceptor ¶

func (a *Authorizer) UnaryInterceptor() grpc.UnaryServerInterceptor

UnaryInterceptor returns grpc UnaryServerInterceptor.

type Injector ¶

type Injector struct {
	// Mode.
	Mode InjectorMode

	// Logger.
	Logger func(format string, v ...interface{})
}

Injector sets roles to the context.

func (*Injector) StreamInterceptor ¶

func (i *Injector) StreamInterceptor() grpc.StreamServerInterceptor

StreamInterceptor returns grpc StreamServerInterceptor.

func (*Injector) UnaryInterceptor ¶

func (i *Injector) UnaryInterceptor() grpc.UnaryServerInterceptor

UnaryInterceptor returns grpc UnaryServerInterceptor.

type InjectorMode ¶

type InjectorMode int

InjectorMode specifies how roles are extracted.

const (
	// Disabled is used when RBAC is disabled in the machine configuration. All roles are assumed.
	Disabled InjectorMode = iota

	// ReadOnly is used to inject only Reader role.
	ReadOnly

	// MetadataOnly is used internally. Checks only metadata.
	MetadataOnly

	// Enabled is used when RBAC is enabled in the machine configuration. Roles are extracted normally.
	Enabled
)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL