Index ¶
- Constants
- Variables
- func ArnMatch(src, dst string) bool
- func GetActionsForPolicyType(typ string) ([]string, error)
- func GetActionsForPolicyTypeOrDie(typ string) []string
- func GetUser(ctx context.Context) (*model.User, error)
- func MakeStatementForPolicyType(typ string, resources []string) (model.Statements, error)
- func MakeStatementForPolicyTypeOrDie(typ string, resources []string) model.Statements
- func ObserveDuration(operation string, duration time.Duration, success bool)
- func VerifyToken(secret []byte, tokenString string) (*jwt.StandardClaims, error)
- func WithUser(ctx context.Context, user *model.User) context.Context
- type APIAuthService
- func (a *APIAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
- func (a *APIAuthService) AddUserToGroup(ctx context.Context, username, groupID string) error
- func (a *APIAuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupID string) error
- func (a *APIAuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error
- func (a *APIAuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
- func (a *APIAuthService) Cache() Cache
- func (a *APIAuthService) CheckHealth(ctx context.Context, logger logging.Logger, timeout time.Duration) error
- func (a *APIAuthService) ClaimTokenIDOnce(ctx context.Context, tokenID string, expiresAt int64) error
- func (a *APIAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
- func (a *APIAuthService) CreateGroup(ctx context.Context, group *model.Group) (*model.Group, error)
- func (a *APIAuthService) CreateUser(ctx context.Context, user *model.User) (string, error)
- func (a *APIAuthService) CreateUserExternalPrincipal(ctx context.Context, userID, principalID string) error
- func (a *APIAuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error
- func (a *APIAuthService) DeleteGroup(ctx context.Context, groupID string) error
- func (a *APIAuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error
- func (a *APIAuthService) DeleteUser(ctx context.Context, username string) error
- func (a *APIAuthService) DeleteUserExternalPrincipal(ctx context.Context, userID, principalID string) error
- func (a *APIAuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupID string) error
- func (a *APIAuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
- func (a *APIAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
- func (a *APIAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
- func (a *APIAuthService) GetExternalPrincipal(ctx context.Context, principalID string) (*model.ExternalPrincipal, error)
- func (a *APIAuthService) GetGroup(ctx context.Context, groupID string) (*model.Group, error)
- func (a *APIAuthService) GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)
- func (a *APIAuthService) GetUser(ctx context.Context, username string) (*model.User, error)
- func (a *APIAuthService) GetUserByEmail(ctx context.Context, email string) (*model.User, error)
- func (a *APIAuthService) GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error)
- func (a *APIAuthService) GetUserByID(ctx context.Context, userID string) (*model.User, error)
- func (a *APIAuthService) InviteUser(ctx context.Context, email string) error
- func (a *APIAuthService) IsExternalPrincipalsEnabled(_ context.Context) bool
- func (a *APIAuthService) ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (a *APIAuthService) ListGroupPolicies(ctx context.Context, groupID string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (a *APIAuthService) ListGroupUsers(ctx context.Context, groupID string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (a *APIAuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (a *APIAuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (a *APIAuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
- func (a *APIAuthService) ListUserExternalPrincipals(ctx context.Context, userID string, params *model.PaginationParams) ([]*model.ExternalPrincipal, *model.Paginator, error)
- func (a *APIAuthService) ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (a *APIAuthService) ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (a *APIAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (a *APIAuthService) RemoveUserFromGroup(ctx context.Context, username, groupID string) error
- func (a *APIAuthService) SecretStore() crypt.SecretStore
- func (a *APIAuthService) UpdateUserFriendlyName(ctx context.Context, userID string, friendlyName string) error
- func (a *APIAuthService) WritePolicy(ctx context.Context, policy *model.Policy, update bool) error
- type Arn
- type Authenticator
- type AuthorizationRequest
- type AuthorizationResponse
- type Authorizer
- type BasicAuthService
- func (s *BasicAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
- func (s *BasicAuthService) AddUserToGroup(_ context.Context, _, _ string) error
- func (s *BasicAuthService) AttachPolicyToGroup(_ context.Context, _, _ string) error
- func (s *BasicAuthService) AttachPolicyToUser(_ context.Context, _, _ string) error
- func (s *BasicAuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
- func (s *BasicAuthService) Cache() Cache
- func (s *BasicAuthService) ClaimTokenIDOnce(_ context.Context, _ string, _ int64) error
- func (s *BasicAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
- func (s *BasicAuthService) CreateGroup(_ context.Context, _ *model.Group) (*model.Group, error)
- func (s *BasicAuthService) CreateUser(ctx context.Context, user *model.User) (string, error)
- func (s *BasicAuthService) CreateUserExternalPrincipal(_ context.Context, _, _ string) error
- func (s *BasicAuthService) DeleteCredentials(_ context.Context, _, _ string) error
- func (s *BasicAuthService) DeleteGroup(_ context.Context, _ string) error
- func (s *BasicAuthService) DeletePolicy(_ context.Context, _ string) error
- func (s *BasicAuthService) DeleteUser(ctx context.Context, username string) error
- func (s *BasicAuthService) DeleteUserExternalPrincipal(_ context.Context, _, _ string) error
- func (s *BasicAuthService) DetachPolicyFromGroup(_ context.Context, _, _ string) error
- func (s *BasicAuthService) DetachPolicyFromUser(_ context.Context, _, _ string) error
- func (s *BasicAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
- func (s *BasicAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
- func (s *BasicAuthService) GetExternalPrincipal(_ context.Context, _ string) (*model.ExternalPrincipal, error)
- func (s *BasicAuthService) GetGroup(_ context.Context, _ string) (*model.Group, error)
- func (s *BasicAuthService) GetPolicy(_ context.Context, _ string) (*model.Policy, error)
- func (s *BasicAuthService) GetUser(ctx context.Context, username string) (*model.User, error)
- func (s *BasicAuthService) GetUserByEmail(_ context.Context, _ string) (*model.User, error)
- func (s *BasicAuthService) GetUserByExternalID(_ context.Context, _ string) (*model.User, error)
- func (s *BasicAuthService) GetUserByID(_ context.Context, _ string) (*model.User, error)
- func (s *BasicAuthService) IsExternalPrincipalsEnabled(_ context.Context) bool
- func (s *BasicAuthService) ListEffectivePolicies(_ context.Context, _ string, _ *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *BasicAuthService) ListGroupPolicies(context.Context, string, *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *BasicAuthService) ListGroupUsers(_ context.Context, _ string, _ *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (s *BasicAuthService) ListGroups(_ context.Context, _ *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (s *BasicAuthService) ListPolicies(_ context.Context, _ *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *BasicAuthService) ListUserCredentials(_ context.Context, _ string, _ *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
- func (s *BasicAuthService) ListUserExternalPrincipals(_ context.Context, _ string, _ *model.PaginationParams) ([]*model.ExternalPrincipal, *model.Paginator, error)
- func (s *BasicAuthService) ListUserGroups(_ context.Context, _ string, _ *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
- func (s *BasicAuthService) ListUserPolicies(_ context.Context, _ string, _ *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
- func (s *BasicAuthService) ListUsers(ctx context.Context, _ *model.PaginationParams) ([]*model.User, *model.Paginator, error)
- func (s *BasicAuthService) Migrate(ctx context.Context) (string, error)
- func (s *BasicAuthService) RemoveUserFromGroup(_ context.Context, _, _ string) error
- func (s *BasicAuthService) SecretStore() crypt.SecretStore
- func (s *BasicAuthService) UpdateUserFriendlyName(_ context.Context, _ string, _ string) error
- func (s *BasicAuthService) WritePolicy(_ context.Context, _ *model.Policy, _ bool) error
- type BuiltinAuthenticator
- type Cache
- type ChainAuthenticator
- type CheckResult
- type CommPrefs
- type CredentialSetFn
- type Credentialler
- type CredentialsCreator
- type DummyCache
- type EmailInviter
- type ExternalPrincipalsService
- type GatewayService
- type KVMetadataManager
- func (m *KVMetadataManager) GetCommPrefs(ctx context.Context) (CommPrefs, error)
- func (m *KVMetadataManager) GetMetadata(ctx context.Context) (map[string]string, error)
- func (m *KVMetadataManager) GetSetupState(ctx context.Context) (SetupStateName, error)
- func (m *KVMetadataManager) IsCommPrefsSet(ctx context.Context) (bool, error)
- func (m *KVMetadataManager) IsInitialized(ctx context.Context) (bool, error)
- func (m *KVMetadataManager) UpdateCommPrefs(ctx context.Context, commPrefs *CommPrefs) (string, error)
- func (m *KVMetadataManager) UpdateSetupTimestamp(ctx context.Context, ts time.Time) error
- type LRUCache
- type MetadataManager
- type MissingPermissions
- type Service
- type ServiceAndInviter
- type SetupStateName
- type UserKey
- type UserPoliciesSetFn
- type UserSetFn
- Bugs
Constants ¶
const (
	// BasicPartitionKey names the partition that holds basic-auth records
	// (presumably a kv.Store partition, since NewBasicAuthService takes a kv.Store — confirm).
	BasicPartitionKey = "basicAuth"
	// SuperAdminKey is the key under which the single super-admin user is kept — TODO confirm.
	SuperAdminKey = "superAdmin"
	// MaxUsers and MaxCredentialsPerUser bound the basic-auth service to one user
	// holding one credential; the "not implemented" group/policy methods on
	// BasicAuthService follow from this limit.
	MaxUsers = 1
	MaxCredentialsPerUser = 1
)
const (
	// Key names of the installation metadata written and read through
	// MetadataManager (see KVMetadataManager.GetMetadata / UpdateCommPrefs).
	InstallationIDKeyName  = "installation_id"
	SetupTimestampKeyName  = "setup_timestamp"
	CommPrefsSetKeyName    = "comm_prefs_set"
	EmailKeyName           = "encoded_user_email" // the stored e-mail is encoded; encoding not visible here — confirm
	FeatureUpdatesKeyName  = "feature_updates"
	SecurityUpdatesKeyName = "security_updates"
	// Instrumentation values; presumably recorded alongside the metadata — confirm usage.
	InstrumentationSamplesRepo = "SamplesRepo"
	InstrumentationQuickstart  = "Quickstart"
	InstrumentationRun         = "Run"
)
const (
	// UserNotAllowed is the reason string reported when a user is not allowed.
	UserNotAllowed = "not allowed"
	// InvalidUserID is the empty user ID; it must never be accepted as a real identity.
	InvalidUserID = ""
	// MaxPage presumably caps the page size of list operations — confirm against callers.
	MaxPage = 1000

	// CheckAllow: permission allowed.
	// Note that iota counts every spec in this block, so CheckAllow == 3, not 0.
	// The zero value of CheckResult therefore matches none of the three results,
	// and an uninitialized CheckResult is never mistaken for an allow; callers
	// must still compare against the named constants, never against 0.
	CheckAllow CheckResult = iota
	// CheckNeutral: permission neither allowed nor denied.
	CheckNeutral
	// CheckDeny: permission explicitly denied.
	CheckDeny
)
Variables ¶
// Sentinel errors returned by the auth service. Match them with errors.Is
// rather than ==, so that wrapped errors still compare correctly.
var (
	ErrNotFound                = kv.ErrNotFound // aliases the KV store's not-found error
	ErrAlreadyExists           = errors.New("already exists")
	ErrNonUnique               = errors.New("more than one user found")
	ErrInvalidArn              = errors.New("invalid ARN")
	ErrInsufficientPermissions = errors.New("insufficient permissions")
	ErrInvalidAccessKeyID      = errors.New("invalid access key ID")
	ErrInvalidSecretAccessKey  = errors.New("invalid secret access key")
	ErrUnexpectedStatusCode    = errors.New("unexpected status code")
	ErrUnexpectedSigningMethod = errors.New("unexpected signing method") // presumably from VerifyToken when a token's alg is not the expected one — confirm
	ErrInvalidToken            = errors.New("invalid token")
	ErrInvalidRequest          = errors.New("invalid request")
	ErrUserNotFound            = errors.New("user not found")
	ErrInvalidResponse         = errors.New("invalid response")
	ErrNotImplemented          = errors.New("not implemented")
	ErrMigrationNotPossible    = errors.New("auth migration not possible")
)
var DockeEnvExists = "/.dockerenv"
DockeEnvExists is exported for testing purposes.
var (
	// ErrStatementNotFound is presumably returned by MakeStatementForPolicyType
	// and GetActionsForPolicyType when typ names no known policy type — confirm.
	ErrStatementNotFound = errors.New("statement not found")
)
Functions ¶
func GetActionsForPolicyType ¶ added in v0.98.0
GetActionsForPolicyType returns the actions for policy type typ.
func GetActionsForPolicyTypeOrDie ¶ added in v0.98.0
func MakeStatementForPolicyType ¶ added in v0.98.0
func MakeStatementForPolicyType(typ string, resources []string) (model.Statements, error)
MakeStatementForPolicyType returns statements for policy type typ, limited to resources.
func MakeStatementForPolicyTypeOrDie ¶ added in v0.98.0
func MakeStatementForPolicyTypeOrDie(typ string, resources []string) model.Statements
func ObserveDuration ¶ added in v1.28.0
func VerifyToken ¶ added in v0.64.0
func VerifyToken(secret []byte, tokenString string) (*jwt.StandardClaims, error)
Types ¶
type APIAuthService ¶ added in v0.63.0
type APIAuthService struct {
// contains filtered or unexported fields
}
func NewAPIAuthService ¶ added in v0.63.0
func NewAPIAuthService(apiEndpoint, token string, externalPrincipalseEnabled bool, secretStore crypt.SecretStore, cacheConf params.ServiceCache, logger logging.Logger) (*APIAuthService, error)
func NewAPIAuthServiceWithClient ¶ added in v0.70.0
func NewAPIAuthServiceWithClient(client ClientWithResponsesInterface, externalPrincipalseEnabled bool, secretStore crypt.SecretStore, cacheConf params.ServiceCache, logger logging.Logger) (*APIAuthService, error)
func (*APIAuthService) AddCredentials ¶ added in v0.63.0
func (a *APIAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
func (*APIAuthService) AddUserToGroup ¶ added in v0.63.0
func (a *APIAuthService) AddUserToGroup(ctx context.Context, username, groupID string) error
func (*APIAuthService) AttachPolicyToGroup ¶ added in v0.63.0
func (a *APIAuthService) AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupID string) error
func (*APIAuthService) AttachPolicyToUser ¶ added in v0.63.0
func (a *APIAuthService) AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error
func (*APIAuthService) Authorize ¶ added in v0.63.0
func (a *APIAuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
func (*APIAuthService) Cache ¶ added in v0.68.0
func (a *APIAuthService) Cache() Cache
func (*APIAuthService) CheckHealth ¶ added in v1.1.0
func (*APIAuthService) ClaimTokenIDOnce ¶ added in v0.64.0
func (*APIAuthService) CreateCredentials ¶ added in v0.63.0
func (a *APIAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
func (*APIAuthService) CreateGroup ¶ added in v0.63.0
func (*APIAuthService) CreateUser ¶ added in v0.63.0
func (*APIAuthService) CreateUserExternalPrincipal ¶ added in v1.14.0
func (a *APIAuthService) CreateUserExternalPrincipal(ctx context.Context, userID, principalID string) error
func (*APIAuthService) DeleteCredentials ¶ added in v0.63.0
func (a *APIAuthService) DeleteCredentials(ctx context.Context, username, accessKeyID string) error
func (*APIAuthService) DeleteGroup ¶ added in v0.63.0
func (a *APIAuthService) DeleteGroup(ctx context.Context, groupID string) error
func (*APIAuthService) DeletePolicy ¶ added in v0.63.0
func (a *APIAuthService) DeletePolicy(ctx context.Context, policyDisplayName string) error
func (*APIAuthService) DeleteUser ¶ added in v0.63.0
func (a *APIAuthService) DeleteUser(ctx context.Context, username string) error
func (*APIAuthService) DeleteUserExternalPrincipal ¶ added in v1.14.0
func (a *APIAuthService) DeleteUserExternalPrincipal(ctx context.Context, userID, principalID string) error
func (*APIAuthService) DetachPolicyFromGroup ¶ added in v0.63.0
func (a *APIAuthService) DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupID string) error
func (*APIAuthService) DetachPolicyFromUser ¶ added in v0.63.0
func (a *APIAuthService) DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
func (*APIAuthService) GetCredentials ¶ added in v0.63.0
func (a *APIAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
func (*APIAuthService) GetCredentialsForUser ¶ added in v0.63.0
func (a *APIAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
func (*APIAuthService) GetExternalPrincipal ¶ added in v1.14.1
func (a *APIAuthService) GetExternalPrincipal(ctx context.Context, principalID string) (*model.ExternalPrincipal, error)
func (*APIAuthService) GetUserByEmail ¶ added in v0.63.0
func (*APIAuthService) GetUserByExternalID ¶ added in v0.69.0
func (*APIAuthService) GetUserByID ¶ added in v0.63.0
func (*APIAuthService) InviteUser ¶ added in v0.69.0
func (a *APIAuthService) InviteUser(ctx context.Context, email string) error
func (*APIAuthService) IsExternalPrincipalsEnabled ¶ added in v1.14.0
func (a *APIAuthService) IsExternalPrincipalsEnabled(_ context.Context) bool
func (*APIAuthService) ListEffectivePolicies ¶ added in v0.63.0
func (*APIAuthService) ListGroupPolicies ¶ added in v0.63.0
func (*APIAuthService) ListGroupUsers ¶ added in v0.63.0
func (*APIAuthService) ListGroups ¶ added in v0.63.0
func (a *APIAuthService) ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
func (*APIAuthService) ListPolicies ¶ added in v0.63.0
func (a *APIAuthService) ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
func (*APIAuthService) ListUserCredentials ¶ added in v0.63.0
func (a *APIAuthService) ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
func (*APIAuthService) ListUserExternalPrincipals ¶ added in v1.14.0
func (a *APIAuthService) ListUserExternalPrincipals(ctx context.Context, userID string, params *model.PaginationParams) ([]*model.ExternalPrincipal, *model.Paginator, error)
func (*APIAuthService) ListUserGroups ¶ added in v0.63.0
func (*APIAuthService) ListUserPolicies ¶ added in v0.63.0
func (*APIAuthService) ListUsers ¶ added in v0.63.0
func (a *APIAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
func (*APIAuthService) RemoveUserFromGroup ¶ added in v0.63.0
func (a *APIAuthService) RemoveUserFromGroup(ctx context.Context, username, groupID string) error
func (*APIAuthService) SecretStore ¶ added in v0.63.0
func (a *APIAuthService) SecretStore() crypt.SecretStore
func (*APIAuthService) UpdateUserFriendlyName ¶ added in v1.16.0
func (*APIAuthService) WritePolicy ¶ added in v0.63.0
type Arn ¶
type Authenticator ¶ added in v0.53.0
type Authenticator interface {
	// AuthenticateUser authenticates a user matching username and
	// password and returns their ID.
	// NOTE(review): the password arrives in plaintext; implementations should
	// not include it in logs or in returned errors.
	AuthenticateUser(ctx context.Context, username, password string) (string, error)
}
Authenticator authenticates users returning an identifier for the user. (Currently it handles only username+password single-step authentication. This interface will need to change significantly in order to support challenge-response protocols.)
type AuthorizationRequest ¶
// AuthorizationRequest is the input to Authorizer.Authorize.
type AuthorizationRequest struct {
	// Username identifies the principal whose policies are evaluated.
	Username string
	// RequiredPermissions is the set of permissions the request must satisfy
	// (a permissions.Node; presumably a tree combining several actions — confirm).
	RequiredPermissions permissions.Node
}
type AuthorizationResponse ¶
type Authorizer ¶ added in v0.69.0
type Authorizer interface {
	// Authorize checks 'req', which carries the user and the required permissions.
	// A non-nil error means the check itself could not be performed.
	// With a nil error, AuthorizationResponse reports whether the request is
	// allowed and, when it is not, carries an Error with the reason, such as
	// ErrInsufficientPermissions. Callers must therefore inspect both the
	// returned error and the response; a nil error on its own is not an allow.
	Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
}
type BasicAuthService ¶ added in v1.32.0
type BasicAuthService struct {
// contains filtered or unexported fields
}
func NewBasicAuthService ¶ added in v1.32.0
func NewBasicAuthService(store kv.Store, secretStore crypt.SecretStore, cacheConf params.ServiceCache, logger logging.Logger) *BasicAuthService
func (*BasicAuthService) AddCredentials ¶ added in v1.32.0
func (s *BasicAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
func (*BasicAuthService) AddUserToGroup ¶ added in v1.32.0
func (s *BasicAuthService) AddUserToGroup(_ context.Context, _, _ string) error
func (*BasicAuthService) AttachPolicyToGroup ¶ added in v1.32.0
func (s *BasicAuthService) AttachPolicyToGroup(_ context.Context, _, _ string) error
func (*BasicAuthService) AttachPolicyToUser ¶ added in v1.32.0
func (s *BasicAuthService) AttachPolicyToUser(_ context.Context, _, _ string) error
func (*BasicAuthService) Authorize ¶ added in v1.32.0
func (s *BasicAuthService) Authorize(ctx context.Context, req *AuthorizationRequest) (*AuthorizationResponse, error)
func (*BasicAuthService) Cache ¶ added in v1.32.0
func (s *BasicAuthService) Cache() Cache
func (*BasicAuthService) ClaimTokenIDOnce ¶ added in v1.32.0
func (*BasicAuthService) CreateCredentials ¶ added in v1.32.0
func (s *BasicAuthService) CreateCredentials(ctx context.Context, username string) (*model.Credential, error)
func (*BasicAuthService) CreateGroup ¶ added in v1.32.0
func (*BasicAuthService) CreateUser ¶ added in v1.32.0
func (*BasicAuthService) CreateUserExternalPrincipal ¶ added in v1.32.0
func (s *BasicAuthService) CreateUserExternalPrincipal(_ context.Context, _, _ string) error
func (*BasicAuthService) DeleteCredentials ¶ added in v1.32.0
func (s *BasicAuthService) DeleteCredentials(_ context.Context, _, _ string) error
func (*BasicAuthService) DeleteGroup ¶ added in v1.32.0
func (s *BasicAuthService) DeleteGroup(_ context.Context, _ string) error
func (*BasicAuthService) DeletePolicy ¶ added in v1.32.0
func (s *BasicAuthService) DeletePolicy(_ context.Context, _ string) error
func (*BasicAuthService) DeleteUser ¶ added in v1.32.0
func (s *BasicAuthService) DeleteUser(ctx context.Context, username string) error
func (*BasicAuthService) DeleteUserExternalPrincipal ¶ added in v1.32.0
func (s *BasicAuthService) DeleteUserExternalPrincipal(_ context.Context, _, _ string) error
func (*BasicAuthService) DetachPolicyFromGroup ¶ added in v1.32.0
func (s *BasicAuthService) DetachPolicyFromGroup(_ context.Context, _, _ string) error
func (*BasicAuthService) DetachPolicyFromUser ¶ added in v1.32.0
func (s *BasicAuthService) DetachPolicyFromUser(_ context.Context, _, _ string) error
func (*BasicAuthService) GetCredentials ¶ added in v1.32.0
func (s *BasicAuthService) GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
func (*BasicAuthService) GetCredentialsForUser ¶ added in v1.32.0
func (s *BasicAuthService) GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
func (*BasicAuthService) GetExternalPrincipal ¶ added in v1.32.0
func (s *BasicAuthService) GetExternalPrincipal(_ context.Context, _ string) (*model.ExternalPrincipal, error)
func (*BasicAuthService) GetUserByEmail ¶ added in v1.32.0
func (*BasicAuthService) GetUserByExternalID ¶ added in v1.32.0
func (*BasicAuthService) GetUserByID ¶ added in v1.32.0
func (*BasicAuthService) IsExternalPrincipalsEnabled ¶ added in v1.32.0
func (s *BasicAuthService) IsExternalPrincipalsEnabled(_ context.Context) bool
func (*BasicAuthService) ListEffectivePolicies ¶ added in v1.32.0
func (*BasicAuthService) ListGroupPolicies ¶ added in v1.32.0
func (*BasicAuthService) ListGroupUsers ¶ added in v1.32.0
func (*BasicAuthService) ListGroups ¶ added in v1.32.0
func (s *BasicAuthService) ListGroups(_ context.Context, _ *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
func (*BasicAuthService) ListPolicies ¶ added in v1.32.0
func (s *BasicAuthService) ListPolicies(_ context.Context, _ *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
func (*BasicAuthService) ListUserCredentials ¶ added in v1.32.0
func (s *BasicAuthService) ListUserCredentials(_ context.Context, _ string, _ *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)
func (*BasicAuthService) ListUserExternalPrincipals ¶ added in v1.32.0
func (s *BasicAuthService) ListUserExternalPrincipals(_ context.Context, _ string, _ *model.PaginationParams) ([]*model.ExternalPrincipal, *model.Paginator, error)
func (*BasicAuthService) ListUserGroups ¶ added in v1.32.0
func (*BasicAuthService) ListUserPolicies ¶ added in v1.32.0
func (*BasicAuthService) ListUsers ¶ added in v1.32.0
func (s *BasicAuthService) ListUsers(ctx context.Context, _ *model.PaginationParams) ([]*model.User, *model.Paginator, error)
func (*BasicAuthService) Migrate ¶ added in v1.33.0
func (s *BasicAuthService) Migrate(ctx context.Context) (string, error)
Migrate tries to migrate an existing lakeFS server to basic auth.
func (*BasicAuthService) RemoveUserFromGroup ¶ added in v1.32.0
func (s *BasicAuthService) RemoveUserFromGroup(_ context.Context, _, _ string) error
func (*BasicAuthService) SecretStore ¶ added in v1.32.0
func (s *BasicAuthService) SecretStore() crypt.SecretStore
func (*BasicAuthService) UpdateUserFriendlyName ¶ added in v1.32.0
func (*BasicAuthService) WritePolicy ¶ added in v1.32.0
type BuiltinAuthenticator ¶ added in v0.53.0
type BuiltinAuthenticator struct {
// contains filtered or unexported fields
}
BuiltinAuthenticator authenticates users by their access key IDs and passwords stored in the auth service.
func NewBuiltinAuthenticator ¶ added in v0.53.0
func NewBuiltinAuthenticator(service Service) *BuiltinAuthenticator
func (*BuiltinAuthenticator) AuthenticateUser ¶ added in v0.53.0
func (*BuiltinAuthenticator) String ¶ added in v0.62.0
func (ba *BuiltinAuthenticator) String() string
type Cache ¶
// Cache fronts the auth service's lookups of credentials, users and user
// policies. Each getter takes a setFn that presumably produces the value on a
// miss (DummyCache and LRUCache implement it) — confirm.
type Cache interface {
	// GetCredential returns the credential for accessKeyID.
	GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
	// GetUser returns the user identified by key.
	GetUser(key UserKey, setFn UserSetFn) (*model.User, error)
	// GetUserPolicies returns the policies attached to userID.
	// NOTE(review): once cached, a credential or policy set presumably stays
	// effective until its entry expires, so the latency of a revocation is bounded
	// by the cache configuration (params.ServiceCache) — confirm.
	GetUserPolicies(userID string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
}
type ChainAuthenticator ¶ added in v0.53.0
type ChainAuthenticator []Authenticator
ChainAuthenticator authenticates users by trying each Authenticator in order, returning the last error in case all fail.
func (ChainAuthenticator) AuthenticateUser ¶ added in v0.53.0
type CheckResult ¶ added in v0.53.1
type CheckResult int
CheckResult is the outcome of a permission check; an authorization is accepted only if the final result is CheckAllow.
func CheckPermissions ¶ added in v1.32.0
func CheckPermissions(ctx context.Context, node permissions.Node, username string, policies []*model.Policy, permAudit *MissingPermissions) CheckResult
type CredentialSetFn ¶
// CredentialSetFn produces a credential for Cache.GetCredential, presumably
// invoked when the cache holds no entry for the access key ID — confirm.
type CredentialSetFn func() (*model.Credential, error)
type Credentialler ¶ added in v0.53.0
type Credentialler interface {
GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
}
Credentialler fetches S3-style credentials for access keys.
type CredentialsCreator ¶ added in v0.69.0
type DummyCache ¶
type DummyCache struct{}
DummyCache is a Cache implementation that does not cache.
func (*DummyCache) GetCredential ¶
func (d *DummyCache) GetCredential(_ string, setFn CredentialSetFn) (*model.Credential, error)
func (*DummyCache) GetUserPolicies ¶
func (d *DummyCache) GetUserPolicies(_ string, setFn UserPoliciesSetFn) ([]*model.Policy, error)
type EmailInviter ¶ added in v0.111.0
type ExternalPrincipalsService ¶ added in v1.14.0
type ExternalPrincipalsService interface {
	// IsExternalPrincipalsEnabled reports whether external principals are enabled for this service.
	IsExternalPrincipalsEnabled(ctx context.Context) bool
	// CreateUserExternalPrincipal binds principalID to the user identified by userID.
	// NOTE(review): a bound principal can presumably act as that user, so this and
	// DeleteUserExternalPrincipal should only be reachable through administrative
	// authorization — confirm at the call sites.
	CreateUserExternalPrincipal(ctx context.Context, userID, principalID string) error
	// DeleteUserExternalPrincipal removes the binding between userID and principalID.
	DeleteUserExternalPrincipal(ctx context.Context, userID, principalID string) error
	// GetExternalPrincipal looks up a principal by its ID.
	GetExternalPrincipal(ctx context.Context, principalID string) (*model.ExternalPrincipal, error)
	// ListUserExternalPrincipals pages through the principals bound to userID.
	ListUserExternalPrincipals(ctx context.Context, userID string, params *model.PaginationParams) ([]*model.ExternalPrincipal, *model.Paginator, error)
}
ExternalPrincipalsService is an interface for managing external principals (e.g. IAM users, groups, etc.). It is part of the AuthService API and is used as an administrative API to that service.
type GatewayService ¶ added in v0.65.0
type KVMetadataManager ¶ added in v0.69.0
type KVMetadataManager struct {
// contains filtered or unexported fields
}
func NewKVMetadataManager ¶ added in v0.69.0
func NewKVMetadataManager(version, fixedInstallationID, kvType string, store kv.Store) *KVMetadataManager
func (*KVMetadataManager) GetCommPrefs ¶ added in v0.87.0
func (m *KVMetadataManager) GetCommPrefs(ctx context.Context) (CommPrefs, error)
func (*KVMetadataManager) GetMetadata ¶ added in v0.102.0
func (*KVMetadataManager) GetSetupState ¶ added in v0.87.0
func (m *KVMetadataManager) GetSetupState(ctx context.Context) (SetupStateName, error)
func (*KVMetadataManager) IsCommPrefsSet ¶ added in v0.105.0
func (m *KVMetadataManager) IsCommPrefsSet(ctx context.Context) (bool, error)
func (*KVMetadataManager) IsInitialized ¶ added in v0.69.0
func (m *KVMetadataManager) IsInitialized(ctx context.Context) (bool, error)
func (*KVMetadataManager) UpdateCommPrefs ¶ added in v0.87.0
func (m *KVMetadataManager) UpdateCommPrefs(ctx context.Context, commPrefs *CommPrefs) (string, error)
UpdateCommPrefs updates the comm prefs metadata. When commPrefs is nil, we assume setup is done and the user did not provide any comm prefs; the data can be provided later, as the web UI verifies whether the comm prefs are set.
func (*KVMetadataManager) UpdateSetupTimestamp ¶ added in v0.69.0
type LRUCache ¶
type LRUCache struct {
// contains filtered or unexported fields
}
func (*LRUCache) GetCredential ¶
func (c *LRUCache) GetCredential(accessKeyID string, setFn CredentialSetFn) (*model.Credential, error)
func (*LRUCache) GetUserPolicies ¶
type MetadataManager ¶
// MetadataManager tracks installation-level setup state and communication
// preferences; KVMetadataManager is the kv.Store-backed implementation.
type MetadataManager interface {
	// IsInitialized presumably reports whether initial setup has completed — confirm.
	IsInitialized(ctx context.Context) (bool, error)
	// GetSetupState returns the current SetupStateName.
	GetSetupState(ctx context.Context) (SetupStateName, error)
	// UpdateCommPrefs stores commPrefs; a nil value records that setup finished
	// without preferences being supplied (see KVMetadataManager.UpdateCommPrefs).
	UpdateCommPrefs(ctx context.Context, commPrefs *CommPrefs) (string, error)
	// IsCommPrefsSet reports whether communication preferences have been recorded.
	IsCommPrefsSet(ctx context.Context) (bool, error)
	// UpdateSetupTimestamp records the time at which setup took place.
	UpdateSetupTimestamp(context.Context, time.Time) error
	// GetMetadata returns the stored metadata as key/value pairs (see the *KeyName constants).
	GetMetadata(context.Context) (map[string]string, error)
}
type MissingPermissions ¶ added in v1.43.0
// MissingPermissions collects the actions a permission check could not grant.
// It is passed to CheckPermissions as permAudit, presumably to be filled in
// during the check; String renders it for reporting.
type MissingPermissions struct {
	// Denied is a list of actions the user was denied for the attempt.
	Denied []string
	// Unauthorized presumably lists the actions for which no policy granted
	// access, as opposed to an explicit deny — confirm against CheckPermissions.
	Unauthorized []string
}
func (*MissingPermissions) String ¶ added in v1.43.0
func (n *MissingPermissions) String() string
type Service ¶
// Service is the full administrative and authorization surface of the auth
// subsystem; APIAuthService and BasicAuthService implement it. It embeds
// ExternalPrincipalsService, CredentialsCreator and Authorizer.
type Service interface {
	SecretStore() crypt.SecretStore
	Cache() Cache

	// users
	CreateUser(ctx context.Context, user *model.User) (string, error)
	DeleteUser(ctx context.Context, username string) error
	GetUserByID(ctx context.Context, userID string) (*model.User, error)
	GetUser(ctx context.Context, username string) (*model.User, error)
	GetUserByExternalID(ctx context.Context, externalID string) (*model.User, error)
	GetUserByEmail(ctx context.Context, email string) (*model.User, error)
	ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)
	UpdateUserFriendlyName(ctx context.Context, userID string, friendlyName string) error
	ExternalPrincipalsService

	// groups
	CreateGroup(ctx context.Context, group *model.Group) (*model.Group, error)
	DeleteGroup(ctx context.Context, groupID string) error
	GetGroup(ctx context.Context, groupID string) (*model.Group, error)
	ListGroups(ctx context.Context, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)

	// group<->user memberships
	AddUserToGroup(ctx context.Context, username, groupID string) error
	RemoveUserFromGroup(ctx context.Context, username, groupID string) error
	ListUserGroups(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Group, *model.Paginator, error)
	ListGroupUsers(ctx context.Context, groupID string, params *model.PaginationParams) ([]*model.User, *model.Paginator, error)

	// policies
	// WritePolicy creates the policy, or replaces it when update is true — confirm semantics of update.
	WritePolicy(ctx context.Context, policy *model.Policy, update bool) error
	GetPolicy(ctx context.Context, policyDisplayName string) (*model.Policy, error)
	DeletePolicy(ctx context.Context, policyDisplayName string) error
	ListPolicies(ctx context.Context, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// credentials
	CredentialsCreator
	// AddCredentials registers a caller-supplied key pair; the secret passes
	// through in plaintext here and should not be logged by implementations.
	AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error)
	DeleteCredentials(ctx context.Context, username, accessKeyID string) error
	GetCredentialsForUser(ctx context.Context, username, accessKeyID string) (*model.Credential, error)
	GetCredentials(ctx context.Context, accessKeyID string) (*model.Credential, error)
	ListUserCredentials(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Credential, *model.Paginator, error)

	// policy<->user attachments
	AttachPolicyToUser(ctx context.Context, policyDisplayName, username string) error
	DetachPolicyFromUser(ctx context.Context, policyDisplayName, username string) error
	ListUserPolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)
	// ListEffectivePolicies presumably includes policies inherited through group
	// membership, unlike ListUserPolicies — confirm.
	ListEffectivePolicies(ctx context.Context, username string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	// policy<->group attachments
	AttachPolicyToGroup(ctx context.Context, policyDisplayName, groupID string) error
	DetachPolicyFromGroup(ctx context.Context, policyDisplayName, groupID string) error
	ListGroupPolicies(ctx context.Context, groupID string, params *model.PaginationParams) ([]*model.Policy, *model.Paginator, error)

	Authorizer
	// ClaimTokenIDOnce records tokenID so that a second claim of the same ID
	// fails; presumably the replay guard for single-use tokens, with expiresAt
	// bounding how long the claim must be remembered — confirm.
	ClaimTokenIDOnce(ctx context.Context, tokenID string, expiresAt int64) error
}
type ServiceAndInviter ¶ added in v1.28.0
// ServiceAndInviter is a Service that also satisfies EmailInviter.
type ServiceAndInviter interface {
	Service
	EmailInviter
}
type SetupStateName ¶ added in v0.87.0
type SetupStateName string
// Values returned by MetadataManager.GetSetupState.
const (
	SetupStateInitialized    SetupStateName = "initialized"
	SetupStateNotInitialized SetupStateName = "not_initialized"
)
type UserPoliciesSetFn ¶
Notes ¶
Bugs ¶
This parser does not handle resource types. Handling resource types is
subtle: they may be separated from resource IDs by a colon OR by a slash. For an example of a resource type, see ECS [1] (which uses only slash separators). That colons are an acceptable separator is shown in [2], so a workaround for this limitation is to use a slash. [1] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources [2] https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arns-syntax