authorization

package


Constants

// Action verbs used in policies, each encoded as a single letter.
const (
	CREATE = "C" // create a new resource
	READ   = "R" // retrieve a resource
	UPDATE = "U" // update an existing resource
	DELETE = "D" // delete a resource
)

// Role-scope qualifiers. NOTE(review): their exact semantics are not visible
// here; presumably ALL applies to any role and MATCH restricts to matching
// roles, and VerbWithScope is where they are combined with a verb — confirm
// against the policy code.
const (
	ROLE_SCOPE_ALL   = "ALL"
	ROLE_SCOPE_MATCH = "MATCH"
)
// Resource domains. A domain is the {domain} half of an action name such as
// "read_roles", and it is expected to be the first element of a resource path
// (see WildcardPath).
const (
	BackupsDomain     = "backups"
	ClusterDomain     = "cluster"
	CollectionsDomain = "collections"
	DataDomain        = "data"
	NodesDomain       = "nodes"
	RolesDomain       = "roles"
	SchemaDomain      = "schema"
	TenantsDomain     = "tenants"
	UsersDomain       = "users"
)

Variables

// All is the wildcard value ("*"). The All* permissions below set every field
// to it, which presumably leaves that field unrestricted — confirm against the
// policy matcher.
var (
	All = String("*")

	AllBackups     = &models.PermissionBackups{Collection: All}
	AllCollections = &models.PermissionCollections{Collection: All}
	AllData        = &models.PermissionData{Collection: All, Tenant: All, Object: All}
	AllNodes       = &models.PermissionNodes{Verbosity: String(verbosity.OutputVerbose), Collection: All}
	AllRoles       = &models.PermissionRoles{Role: All, Scope: String(models.PermissionRolesScopeAll)}
	AllTenants     = &models.PermissionTenants{Collection: All, Tenant: All}
	AllUsers       = &models.PermissionUsers{Users: All}
)

// ComponentName names this component.
var ComponentName = "RBAC"

// Action names. Every action is spelled {verb}_{domain}, verb being one of
// create, read, update, delete and domain one of roles, users, cluster,
// collections, data (see the *Domain constants). When adding an action, also
// add it to availableWeaviateActions so the built-in roles receive it.
//
// NOTE(review): AssignAndRevokeUsers and ManageBackups use verbs
// ("assign_and_revoke", "manage") outside that list — confirm how they are
// matched. These are vars and so can be reassigned at runtime; const would be
// safer for authorization identifiers if no code takes their address — confirm.
var (
	// roles
	CreateRoles = "create_roles"
	ReadRoles   = "read_roles"
	UpdateRoles = "update_roles"
	DeleteRoles = "delete_roles"

	// cluster and nodes (read actions only)
	ReadCluster = "read_cluster"
	ReadNodes   = "read_nodes"

	// users
	ReadUsers            = "read_users"
	AssignAndRevokeUsers = "assign_and_revoke_users"

	// backups
	ManageBackups = "manage_backups"

	// collections
	CreateCollections = "create_collections"
	ReadCollections   = "read_collections"
	UpdateCollections = "update_collections"
	DeleteCollections = "delete_collections"

	// data
	CreateData = "create_data"
	ReadData   = "read_data"
	UpdateData = "update_data"
	DeleteData = "delete_data"

	// tenants
	CreateTenants = "create_tenants"
	ReadTenants   = "read_tenants"
	UpdateTenants = "update_tenants"
	DeleteTenants = "delete_tenants"
)
// Names of the built-in roles.
var (
	Viewer = "viewer"
	Admin  = "admin"
	Root   = "root"
)

// BuiltInRoles lists every built-in role name.
var BuiltInRoles = []string{Viewer, Admin, Root}

// BuiltInPermissions maps each built-in role to its permission set:
//   - Viewer can view everything (roles, users, schema, data).
//   - Admin and Root both receive adminPermissions(); any difference between
//     the two is not encoded here.
//
// NOTE(review): an "editor" role (create/read/update everything) is described
// in comments but no Editor role is declared in this block — confirm whether
// it exists elsewhere.
var BuiltInPermissions = map[string][]*models.Permission{
	Viewer: viewerPermissions(),
	Admin:  adminPermissions(),
	Root:   adminPermissions(),
}

Functions

func Backups added in v1.28.0

func Backups(classes ...string) []string

Example outputs:

  • "backups/*" if the backend is an empty string
  • "backups/{backend}" for the provided backend

func Cluster added in v1.28.0

func Cluster() string

Cluster returns a string representing the cluster authorization scope. The returned string is "cluster/*", which can be used to specify that the authorization applies to all resources within the cluster.

func Collections added in v1.28.0

func Collections(classes ...string) []string

func CollectionsData added in v1.28.0

func CollectionsData(classes ...string) []string

func CollectionsMetadata added in v1.28.0

func CollectionsMetadata(classes ...string) []string

CollectionsMetadata generates a list of resource strings for the given classes. If no classes are provided, it returns a default resource string "collections/*". Each class is formatted as "collection/{class}".

Parameters:

classes - a variadic parameter representing the class names.

Returns:

A slice of strings representing the resource paths.

func Nodes added in v1.28.0

func Nodes(verbosity string, classes ...string) []string

func Objects added in v1.27.0

func Objects(class, shard string, id strfmt.UUID) string

Objects generates a string representing a path to objects within a collection and shard. The path format varies based on the provided class, shard, and id parameters.

Parameters:

  • class: the class of the collection (string)
  • shard: the shard identifier (string)
  • id: the unique identifier of the object (strfmt.UUID)

Returns:

  • A string representing the path to the objects, with wildcards (*) used for any empty parameters.

Example outputs:

  • "collections/*/shards/*/objects/*" if all parameters are empty
  • "collections/*/shards/*/objects/{id}" if only id is provided
  • "collections/{class}/shards/{shard}/objects/{id}" if all parameters are provided

func Roles added in v1.28.0

func Roles(roles ...string) []string

Roles generates a list of role resource strings based on the provided role names. If no role names are provided, it returns a default role resource string "roles/*".

Parameters:

roles - A variadic parameter representing the role names.

Returns:

A slice of strings where each string is a formatted role resource string.

func ShardsData added in v1.28.0

func ShardsData(class string, shards ...string) []string

func ShardsMetadata added in v1.28.0

func ShardsMetadata(class string, shards ...string) []string

ShardsMetadata generates a list of shard resource strings for a given class and shards. If the class is an empty string, it defaults to "*". If no shards are provided, it returns a single resource string with a wildcard for shards. If shards are provided, it returns a list of resource strings for each shard.

Parameters:

  • class: The class name for the resource. If empty, defaults to "*".
  • shards: A variadic list of shard names. If empty, '#' is used in its place to mark the check as collection-only.

Returns:

A slice of strings representing the resource paths for the given class and shards.

func String added in v1.28.0

func String(s string) *string

func Users added in v1.28.0

func Users(users ...string) []string

Users generates a list of user resource strings based on the provided user names. If no user names are provided, it returns a default user resource string "users/*".

Parameters:

users - A variadic parameter representing the user names.

Returns:

A slice of strings where each string is a formatted user resource string.

func VerbWithScope added in v1.28.5

func VerbWithScope(verb, scope string) string

func WildcardPath added in v1.28.5

func WildcardPath(resource string) string

WildcardPath returns the appropriate wildcard path based on the domain and original resource path. The domain is expected to be the first part of the resource path.

Types

type Authorizer

// Authorizer decides whether a principal may perform verb on the given
// resources. The concrete mechanism (RBAC, admin list, ...) is hidden behind it.
type Authorizer interface {
	// Authorize returns nil when the decision is yes and a non-nil error
	// when it is no.
	Authorize(principal *models.Principal, verb string, resources ...string) error

	// AuthorizeSilent is Authorize without an audit log entry. Because the
	// decision leaves no trace, NOTE(review): confirm it is not used on
	// user-facing request paths where an audit record is expected.
	AuthorizeSilent(principal *models.Principal, verb string, resources ...string) error

	// FilterAuthorizedResources is a best-effort check across resources: it
	// returns the subset the principal is allowed to access, or an empty
	// slice when none are allowed.
	FilterAuthorizedResources(principal *models.Principal, verb string, resources ...string) ([]string, error)
}

Authorizer always makes a yes/no decision on a specific resource. Which authorization technique is used in the background (e.g. RBAC, adminlist, ...) is hidden behind this interface.

type Controller added in v1.28.0

// Controller manages roles, their policies and the role assignments of users.
// Where the data is stored is not visible here. Every method reports failure
// through its error result.
//
// NOTE(review): AddRolesForUser takes roles as a []string while
// RevokeRolesForUser takes them variadically, and UpsertRolesPermissions uses
// []Policy while RemovePermissions uses []*Policy — consider aligning these
// signatures.
type Controller interface {
	// Role definitions.
	UpsertRolesPermissions(roles map[string][]Policy) error
	GetRoles(names ...string) (map[string][]Policy, error)
	DeleteRoles(roles ...string) error

	// Policies of a single role.
	RemovePermissions(role string, permissions []*Policy) error
	HasPermission(role string, permission *Policy) (bool, error)

	// Role assignments.
	AddRolesForUser(user string, roles []string) error
	RevokeRolesForUser(user string, roles ...string) error
	GetRolesForUser(user string) (map[string][]Policy, error)
	GetUsersForRole(role string) ([]string, error)
}

type DummyAuthorizer

// DummyAuthorizer is the fail-open Authorizer used when no specific authorizer
// is configured: every decision is allowed, so running with it is equivalent
// to running without authorization at all.
type DummyAuthorizer struct{}

DummyAuthorizer is a pluggable Authorizer which can be used if no specific authorizer is configured. It will allow every auth decision, i.e. it is effectively the same as "no authorization at all".

func (*DummyAuthorizer) Authorize

func (d *DummyAuthorizer) Authorize(principal *models.Principal, verb string, resources ...string) error

Authorize on the DummyAuthorizer will allow any subject access to any resource.

func (*DummyAuthorizer) AuthorizeSilent added in v1.28.5

func (d *DummyAuthorizer) AuthorizeSilent(principal *models.Principal, verb string, resources ...string) error

func (*DummyAuthorizer) FilterAuthorizedResources added in v1.28.5

func (d *DummyAuthorizer) FilterAuthorizedResources(principal *models.Principal, verb string, resources ...string) ([]string, error)

type Policy added in v1.28.0

// Policy is a single authorization rule: Verb may be applied to Resource
// within Domain. NOTE(review): the expected field formats are not shown here;
// presumably Domain is one of the *Domain constants and Resource a path such
// as those built by Roles, Users or Collections — confirm against the policy
// parser before relying on this.
type Policy struct {
	Resource string // resource path the rule applies to
	Verb     string // action verb
	Domain   string // resource domain
}
