rbac

Documentation

Index

• func AddRoleForUser(user, role string) bool
• func Enforce(sub, obj, act string) bool
• func GetUserRoles(user string) []string
• func Init(model model.Model, kapi etcd.KeysAPI, loadPolicy func(model.Model) error) error
• func NewEtcdWatcher(kapi etcd.KeysAPI) persist.Watcher
• type EtcdAdapter
  • func NewEtcdAdapter(kapi etcd.KeysAPI) (*EtcdAdapter, error)
  • func (a *EtcdAdapter) AddPolicy(sec string, ptype string, rule []string) error
  • func (a *EtcdAdapter) LoadPolicy(model model.Model) error
  • func (a *EtcdAdapter) RemoveFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) error
  • func (a *EtcdAdapter) RemovePolicy(sec string, ptype string, rule []string) error
  • func (a *EtcdAdapter) SavePolicy(model model.Model) error
• type EtcdWatcher
  • func (w *EtcdWatcher) SetUpdateCallback(callback func(string)) error
  • func (w *EtcdWatcher) Update() error
• type Permission
  • func GetPermissionsForUser(user string) []Permission

Functions

func AddRoleForUser

func AddRoleForUser(user, role string) bool

func Enforce

func Enforce(sub, obj, act string) bool

Enforce decides whether a "subject" can access an "object" with the operation "action"

func GetUserRoles

func GetUserRoles(user string) []string

func Init

func Init(model model.Model, kapi etcd.KeysAPI, loadPolicy func(model.Model) error) error

Init loads the model from the configuration file then the policies. 3 policies are applied, in that order : - the policy uploaded in etcd and shared by all analyzers - a policy bundled into the binary - a policy specified in the configuration file

func NewEtcdWatcher

func NewEtcdWatcher(kapi etcd.KeysAPI) persist.Watcher

NewEtcdWatcher returns new etcd change watcher

Types

type EtcdAdapter

type EtcdAdapter struct {
	// contains filtered or unexported fields
}

EtcdAdapter represents the etcd adapter for policy persistence, can load policy from etcd or save policy to etcd.

func NewEtcdAdapter

func NewEtcdAdapter(kapi etcd.KeysAPI) (*EtcdAdapter, error)

NewEtcdAdapter is the constructor for EtcdAdapter.

func (*EtcdAdapter) AddPolicy

func (a *EtcdAdapter) AddPolicy(sec string, ptype string, rule []string) error

AddPolicy adds a policy rule to the storage.

func (*EtcdAdapter) LoadPolicy

func (a *EtcdAdapter) LoadPolicy(model model.Model) error

LoadPolicy loads policy from etcd.

func (*EtcdAdapter) RemoveFilteredPolicy

func (a *EtcdAdapter) RemoveFilteredPolicy(sec string, ptype string, fieldIndex int, fieldValues ...string) error

RemoveFilteredPolicy removes policy rules that match the filter from the storage.

func (*EtcdAdapter) RemovePolicy

func (a *EtcdAdapter) RemovePolicy(sec string, ptype string, rule []string) error

RemovePolicy removes a policy rule from the storage.

func (*EtcdAdapter) SavePolicy

func (a *EtcdAdapter) SavePolicy(model model.Model) error

SavePolicy saves policy to etcd.

type EtcdWatcher

type EtcdWatcher struct {
	// contains filtered or unexported fields
}

func (*EtcdWatcher) SetUpdateCallback

func (w *EtcdWatcher) SetUpdateCallback(callback func(string)) error

SetUpdateCallback sets the callback function that the watcher will call when the policy in DB has been changed by other instances. A classic callback is Enforcer.LoadPolicy().

func (*EtcdWatcher) Update

func (w *EtcdWatcher) Update() error

Update calls the update callback of other instances to synchronize their policy. It is usually called after changing the policy in DB, like Enforcer.SavePolicy(), Enforcer.AddPolicy(), Enforcer.RemovePolicy(), etc.

type Permission

type Permission struct {
	Object  string
	Action  string
	Allowed bool
}

Permission defines a permission

func GetPermissionsForUser

func GetPermissionsForUser(user string) []Permission

GetPermissionsForUser returns all the allow and deny permissions for a user