Documentation ¶
Overview ¶
Package authorize with definitions for group based authorization.
Index ¶
- Constants
- type Authorizer
- func (ah *Authorizer) IsPublisher(deviceID string, thingID string) bool
- func (ah *Authorizer) Start() error
- func (ah *Authorizer) Stop()
- func (ah *Authorizer) VerifyAuthorization(userID string, certOU string, thingID string, authType string) bool
- func (ah *Authorizer) VerifyRolePermission(role string, authType string) bool
- type IAclStore
- type VerifyAuthorization
Constants ¶
const (
	// GroupRoleNone indicates that the client has no particular role. It can not do anything until
	// the role is upgraded to viewer or better.
	// Subscribe permissions: none
	// Publish permissions: none
	GroupRoleNone = "none"

	// GroupRoleViewer lets a client subscribe to Thing TD and Thing Events
	// Subscribe permissions: TD, Events
	// Publish permissions: none
	GroupRoleViewer = "viewer"

	// GroupRoleOperator lets a client subscribe to Thing TD, events and publish actions
	// Subscribe permissions: TD, Events
	// Publish permissions: Actions
	GroupRoleOperator = "operator"

	// GroupRoleManager lets a client subscribe to Thing TD, events, publish actions and update configuration
	// Subscribe permissions: TD, Events
	// Publish permissions: Actions, Configuration
	GroupRoleManager = "manager"

	// GroupRoleThing indicates the client is an IoT device that can publish and subscribe
	// to Thing topics.
	// Things should only publish events and updates for Things they published the TD for.
	// Publish permissions: TD, Events
	// Subscribe permissions: Actions, Configuration
	GroupRoleThing = "thing"
)
Group roles set permissions for accessing Things that are members of the same group
const (
	// AuthRead to read a TD
	AuthRead = "read"
	// AuthEmitAction to authorize emitting an action
	AuthEmitAction = "emitAction"
	// AuthPubEvent to authorize publishing of events
	AuthPubEvent = "pubEvent"
	// AuthPubPropValue to authorize publishing of property values
	AuthPubPropValue = "pubPropValues"
	// AuthPubTD to authorize publishing of a TD document
	AuthPubTD = "pubTD"
	// AuthWriteProperty to authorize writing a property value
	AuthWriteProperty = "writeProperty"
)
Authorization of actions
const AclGroupAll = "all"
AclGroupAll defines the 'all' resources group
const AllGroupName = "all"
AllGroupName is the name of the group that includes all things (no need to add things separately) Users that are a member of the all group will have access to all things based on their role.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Authorizer ¶
type Authorizer struct {
// contains filtered or unexported fields
}
Authorizer handles client authorization for access to Things.
Authorization uses access control lists with group membership and roles to determine if a client is authorized to receive or post a message. This applies to all users of the message bus, regardless of how they are authenticated.
func NewAuthorizer ¶
func NewAuthorizer(aclStore IAclStore) *Authorizer
NewAuthorizer creates a new instance of the authorization handler for managing authorization.
aclStore provides the functions to read and write authorization rules
func (*Authorizer) IsPublisher ¶
func (ah *Authorizer) IsPublisher(deviceID string, thingID string) bool
IsPublisher checks if the deviceID is the publisher of the thingID. This requires that the thingID is formatted as "urn:zone:publisherID:sensorID...". Returns true if the deviceID is the publisher of the thingID, false if not.
func (*Authorizer) Start ¶
func (ah *Authorizer) Start() error
Start the authorizer. This opens the ACL store for reading
func (*Authorizer) Stop ¶
func (ah *Authorizer) Stop()
Stop the authorizer and close the ACL store.
func (*Authorizer) VerifyAuthorization ¶
func (ah *Authorizer) VerifyAuthorization(
	userID string, certOU string, thingID string, authType string) bool
VerifyAuthorization tests if the client has access to the Thing for the given operation. The thingID is implicitly included in the 'all' group. Members of the 'all' group can access all things based on their role in that group.

userID is the login name or device ID of the client seeking permission
certOU is the OU of the client seeking permission, only if the client authenticated with a client certificate; "" to ignore. certsetup.OUPlugin for plugins
thingID is the ID of the Thing to access
authType is one of: AuthEmitAction|AuthPubEvent|AuthWriteProperty|AuthPubPropValue|AuthRead

Returns true if authorized, false if access is denied.
func (*Authorizer) VerifyRolePermission ¶
func (ah *Authorizer) VerifyRolePermission(role string, authType string) bool
VerifyRolePermission determines if the consumer role allows the read/write operation.

The viewer role has read access to properties
The operator role has access to invoke actions
The manager role has access to actions and read/write access to properties
The thing role has full read/write access to its own thing

authType describes the authorization to perform: one of the Auth* constants (AuthEmitAction, AuthPubEvent, AuthWriteProperty, AuthPubPropValue, AuthRead)

Returns true if permission is granted, false if denied.
type IAclStore ¶
type IAclStore interface {
	// GetGroups returns a list of groups a thing or user is a member of
	GetGroups(clientID string) []string

	// GetRole returns the highest role a client has in a list of groups.
	// Intended to get client permissions in case of overlapping groups.
	// Returns the role
	GetRole(clientID string, groupIDs []string) string

	// Close the store
	Close()

	// Open the store
	Open() error

	// SetRole writes the role for the client in a group
	SetRole(clientID string, groupID string, role string) error

	// Remove client from a group
	Remove(clientID string, groupID string) error
}
IAclStore defines the interface of a group based ACL store
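Worked example, added here and not the package's own code: a self-contained Go program that implements the behaviour this page documents end to end, so the role table, the "all" group, the highest-role rule for overlapping groups and the publisher check can be exercised together. MemAclStore is a hypothetical in-memory IAclStore written for the example; the total ordering of roles in roleRank (with "thing" ranked above "manager"), the way a device and the Thing it publishes are both made group members with the thing role, and the sample client and thing IDs are all assumptions. certOU is accepted for signature parity only, because the page does not say how the OU affects the decision.

```go
package main

import (
	"fmt"
	"strings"
)

// Role, authorization-type and group names as documented on this page.
const (
	GroupRoleNone, GroupRoleViewer, GroupRoleOperator, GroupRoleManager, GroupRoleThing = "none", "viewer", "operator", "manager", "thing"
	AuthRead, AuthEmitAction, AuthPubEvent, AuthPubPropValue, AuthPubTD, AuthWriteProperty = "read", "emitAction", "pubEvent", "pubPropValues", "pubTD", "writeProperty"
	AllGroupName = "all"
)

// IAclStore is the store interface documented on this page.
type IAclStore interface {
	GetGroups(clientID string) []string
	GetRole(clientID string, groupIDs []string) string
	Close()
	Open() error
	SetRole(clientID string, groupID string, role string) error
	Remove(clientID string, groupID string) error
}

// roleRank is an assumed total order for picking the "highest role" across overlapping groups.
var roleRank = map[string]int{GroupRoleNone: 0, GroupRoleViewer: 1, GroupRoleOperator: 2, GroupRoleManager: 3, GroupRoleThing: 4}

// rolePerms is the documented permission table; GroupRoleNone and unknown roles have no entry and are denied everything.
var rolePerms = map[string]map[string]bool{
	GroupRoleViewer:   {AuthRead: true},
	GroupRoleOperator: {AuthRead: true, AuthEmitAction: true},
	GroupRoleManager:  {AuthRead: true, AuthEmitAction: true, AuthWriteProperty: true},
	GroupRoleThing:    {AuthRead: true, AuthPubTD: true, AuthPubEvent: true, AuthPubPropValue: true},
}

// MemAclStore is a hypothetical, unsynchronized in-memory IAclStore (clientID -> groupID -> role).
type MemAclStore struct{ roles map[string]map[string]string }

func NewMemAclStore() *MemAclStore { return &MemAclStore{roles: map[string]map[string]string{}} }
func (s *MemAclStore) Open() error { return nil }
func (s *MemAclStore) Close()      {}
func (s *MemAclStore) Remove(clientID, groupID string) error {
	delete(s.roles[clientID], groupID) // deleting from a nil inner map is a no-op
	return nil
}
func (s *MemAclStore) SetRole(clientID, groupID, role string) error {
	if _, ok := roleRank[role]; !ok {
		return fmt.Errorf("unknown role %q", role) // never persist a misspelled role
	}
	if s.roles[clientID] == nil {
		s.roles[clientID] = map[string]string{}
	}
	s.roles[clientID][groupID] = role
	return nil
}
func (s *MemAclStore) GetGroups(clientID string) (groups []string) {
	for g := range s.roles[clientID] {
		groups = append(groups, g)
	}
	return groups
}

// GetRole returns the highest role the client holds in any of groupIDs, GroupRoleNone if it holds none.
func (s *MemAclStore) GetRole(clientID string, groupIDs []string) string {
	best := GroupRoleNone
	for _, g := range groupIDs {
		if r, ok := s.roles[clientID][g]; ok && roleRank[r] > roleRank[best] {
			best = r
		}
	}
	return best
}

// VerifyRolePermission reports whether the role's documented permissions include authType (deny by default).
func VerifyRolePermission(role, authType string) bool { return rolePerms[role][authType] }

// IsPublisher parses the documented "urn:zone:publisherID:sensorID..." thing ID format.
func IsPublisher(deviceID, thingID string) bool {
	parts := strings.Split(thingID, ":")
	return deviceID != "" && len(parts) >= 4 && parts[0] == "urn" && parts[2] == deviceID
}

type Authorizer struct{ store IAclStore }

func NewAuthorizer(store IAclStore) *Authorizer { return &Authorizer{store: store} }
func (ah *Authorizer) Start() error              { return ah.store.Open() }
func (ah *Authorizer) Stop()                     { ah.store.Close() }

// VerifyAuthorization grants access when the client's highest role in the Thing's groups (plus the implicit "all"
// group) permits authType; publish operations are further reserved for the Thing's publisher. certOU is unused here.
func (ah *Authorizer) VerifyAuthorization(userID, certOU, thingID, authType string) bool {
	publish := authType == AuthPubTD || authType == AuthPubEvent || authType == AuthPubPropValue
	if publish && !IsPublisher(userID, thingID) {
		return false
	}
	// GetRole only counts groups the client is actually a member of, so this is the group intersection
	groups := append(ah.store.GetGroups(thingID), AllGroupName)
	return VerifyRolePermission(ah.store.GetRole(userID, groups), authType)
}

func main() {
	store, thing := NewMemAclStore(), "urn:zone1:dev1:temp" // constructed sample IDs, not from the page
	ah := NewAuthorizer(store)
	_ = store.SetRole("alice", "zone1", GroupRoleViewer)
	_ = store.SetRole(thing, "zone1", GroupRoleThing)
	fmt.Println(ah.VerifyAuthorization("alice", "", thing, AuthRead), ah.VerifyAuthorization("alice", "", thing, AuthEmitAction))
}
```

Two design points worth noting: rolePerms is deny-by-default, so a client whose role is "none" or whose role string is unknown gets nothing, and SetRole refuses to persist a role it does not know, so a typo in an ACL entry fails loudly at write time instead of silently granting or withholding access later.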
type VerifyAuthorization ¶
VerifyAuthorization defines the function to authorize access to a Thing. Intended for use by all Hub services that need authorization.
userID is the ID of the authenticated user as used in the group/rule list
certOU is the user's organization when using client certificates
thingID is the ID of the Thing the user is trying to access
authType is the message type when writing, eg td.MessagetypeTD, ...; use MessagetypeNone for reading