policy

package

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (

	// PolicyAdmin is the well known identity name which acts as the
	// bootstrap/fallback admin.
	//
	// NOTE(review): this is an exported, mutable package variable holding a
	// fixed username. Any identity that can be registered or renamed to this
	// name would inherit the fallback-admin treatment, so the registration
	// path should reserve it — confirm against RegisterUser/InitUser, which
	// are not shown here.
	PolicyAdmin = "portalops"
)

Functions

func AcceptRealization

func AcceptRealization(caller *identity.IdentityTraits, pid, eid, rid string) error

func ActivateOrganization added in v1.1.22

func ActivateOrganization(user *identity.IdentityTraits, organization string) error

ActivateOrganization policy

func ActivateUser

func ActivateUser(caller *identity.IdentityTraits, username string) error

func AddOrganizationProject added in v1.1.22

func AddOrganizationProject(user *identity.IdentityTraits, organization string) error

AddOrganizationProject policy

func AttachXDC

func AttachXDC(caller *identity.IdentityTraits, pid, xdc string) error

func Authorize

func Authorize(requestor *identity.IdentityTraits, policy []RoleBinding, object Object) error

Authorize determines whether `requestor` is allowed to act on `object` under the `policy` that governs that object. `policy` is the set of role bindings permitted for one operation; the requestor's own bindings come from the object (Object.UserRoles), which is why a not-yet-existing object needs AuthorizeCreate instead. Matching is disjunctive: holding any one of the bindings in `policy` is sufficient for approval; otherwise an error is returned.

func AuthorizeAny added in v1.1.22

func AuthorizeAny(policy []RoleBinding, scope Scope) error

AuthorizeAny handles the case where the caller may not be a portal user, yet we still want the object to control access to itself. The caller is mapped to the Any::Any binding (AnyScope/AnyRole) and the object's policy is applied, so the request succeeds only if `policy` contains a binding that Any::Any satisfies. Policy authors should note the converse: granting Any::Any on an operation in the policy file makes that operation reachable by callers with no portal identity.

func AuthorizeCreate

func AuthorizeCreate(requestor *identity.IdentityTraits, policy []RoleBinding, scope Scope) error

AuthorizeCreate handles the case of creating an object where we cannot get the user roles from the object as it doesn't exist yet.

func CreateExperiment

func CreateExperiment(caller *identity.IdentityTraits, pid, eid string) error

CreateExperiment policy: whether `caller` may create experiment `eid` in project `pid`.

func CreateFacility

func CreateFacility(caller *identity.IdentityTraits) error

func CreateOrganization added in v1.1.22

func CreateOrganization(user *identity.IdentityTraits, organization string, mode portal.AccessMode) error

CreateOrganization policy

func CreatePool

func CreatePool(caller *identity.IdentityTraits) error

func CreateProject

func CreateProject(user *identity.IdentityTraits, project string) error

CreateProject policy

func CreateRealization

func CreateRealization(caller *identity.IdentityTraits, pid, eid, rid string) error

func DeactivateOrganization added in v1.1.22

func DeactivateOrganization(user *identity.IdentityTraits, organization string) error

DeactivateOrganization policy

func DeactivateUser

func DeactivateUser(caller *identity.IdentityTraits, username string) error

func DeleteExperiment

func DeleteExperiment(caller *identity.IdentityTraits, pid, eid string) error

DeleteExperiment policy: whether `caller` may delete experiment `eid` in project `pid`.

func DeleteFacility

func DeleteFacility(caller *identity.IdentityTraits, facility string) error

func DeleteOrganization added in v1.1.22

func DeleteOrganization(user *identity.IdentityTraits, organization string) error

DeleteOrganization policy

func DeletePool

func DeletePool(caller *identity.IdentityTraits, pool string) error

func DeleteProject

func DeleteProject(user *identity.IdentityTraits, project string) error

DeleteProject policy

func DeleteRealization

func DeleteRealization(caller *identity.IdentityTraits, pid, eid, rid string) error

func DeleteUser

func DeleteUser(caller *identity.IdentityTraits, user string) error

func Dematerialize

func Dematerialize(caller *identity.IdentityTraits, pid, eid, rid string) error

func DestroyXDC

func DestroyXDC(caller *identity.IdentityTraits, pid, xdc string) error

func DetachXDC

func DetachXDC(caller *identity.IdentityTraits, pid, xdc string) error

func InitUser

func InitUser(caller *identity.IdentityTraits, username string) error

func Materialize

func Materialize(caller *identity.IdentityTraits, pid, eid, rid string) error

func PolicyFile

func PolicyFile() string

func ReadExperiment

func ReadExperiment(caller *identity.IdentityTraits, pid, eid string) error

ReadExperiment policy: whether `caller` may read experiment `eid` in project `pid`.

func ReadFacility

func ReadFacility(caller *identity.IdentityTraits, facility string) error

func ReadIdentities

func ReadIdentities(caller *identity.IdentityTraits) error

func ReadMaterialization

func ReadMaterialization(caller *identity.IdentityTraits, pid, eid, rid string) error

func ReadMaterializations

func ReadMaterializations(caller *identity.IdentityTraits, pid, eid string) error

func ReadOrganization added in v1.1.22

func ReadOrganization(user *identity.IdentityTraits, organization string) error

ReadOrganization policy

Note this method can be called by non-users, so we must handle that case. In that case, we treat the caller as holding AnyRole in the Organization scope.

func ReadPolicy

func ReadPolicy(caller *identity.IdentityTraits) error

Policy about policy itself

func ReadPool

func ReadPool(caller *identity.IdentityTraits, pool string) error

func ReadPools

func ReadPools(caller *identity.IdentityTraits) error

func ReadProject

func ReadProject(user *identity.IdentityTraits, project string) error

ReadProject policy

func ReadRealization

func ReadRealization(caller *identity.IdentityTraits, pid, eid, rid string) error

func ReadRealizations

func ReadRealizations(caller *identity.IdentityTraits, pid, eid string) error

func ReadUser

func ReadUser(caller *identity.IdentityTraits, user string) error

func ReadUsers

func ReadUsers(caller *identity.IdentityTraits) error

ReadUsers is an Identity level action

func ReadXdcs

func ReadXdcs(caller *identity.IdentityTraits, pid string) error

func RegisterUser

func RegisterUser(caller *identity.IdentityTraits, username string) error

func RejectRealization

func RejectRealization(caller *identity.IdentityTraits, pid, eid, rid string) error

func Satisfies

func Satisfies(provided, required RoleBinding) bool

func SetPolicyPath

func SetPolicyPath(p string)

func SpawnXDC

func SpawnXDC(caller *identity.IdentityTraits, rq *portal.CreateXDCRequest) error

func UnregisterUser

func UnregisterUser(caller *identity.IdentityTraits, username string) error

func UpdateExperiment

func UpdateExperiment(caller *identity.IdentityTraits, pid, eid string) error

UpdateExperiment policy: whether `caller` may update experiment `eid` in project `pid`.

func UpdateFacility

func UpdateFacility(caller *identity.IdentityTraits, facility string) error

func UpdateOrganization added in v1.1.22

func UpdateOrganization(user *identity.IdentityTraits, organization string) error

UpdateOrganization policy

func UpdatePoolFacility added in v1.0.4

func UpdatePoolFacility(caller *identity.IdentityTraits, pool, facility string) error

func UpdatePoolOrganization added in v1.1.22

func UpdatePoolOrganization(caller *identity.IdentityTraits, pool, organization string) error

func UpdatePoolProject added in v1.0.4

func UpdatePoolProject(caller *identity.IdentityTraits, pool, project string) error

func UpdateProject

func UpdateProject(user *identity.IdentityTraits, project string) error

UpdateProject policy

func UpdateUser

func UpdateUser(caller *identity.IdentityTraits, user string) error

func ValidateBinding

func ValidateBinding(b RoleBinding) error

func ValidateCrudOperationPolicy

func ValidateCrudOperationPolicy(c CrudOperationPolicy) error

func ValidateMode

func ValidateMode(m Mode) error

func ValidatePolicy

func ValidatePolicy(p Policy) error

func ValidateRoleBindings

func ValidateRoleBindings(bs []RoleBinding) error

Types

type CarrOperationPolicy

// CarrOperationPolicy lists, per operation, the role bindings that permit a
// realization lifecycle action: Create, Accept, Reject and Release. It is the
// value type of Policy.Realization, keyed by Mode.
type CarrOperationPolicy struct {
	Create  []RoleBinding
	Accept  []RoleBinding
	Reject  []RoleBinding
	Release []RoleBinding
}

type CreateDestroyOperationPolicy

// CreateDestroyOperationPolicy lists the role bindings permitted to Create
// and to Destroy an object that has only those two operations. It is the
// value type of Policy.Materialization, keyed by Mode.
type CreateDestroyOperationPolicy struct {
	Create  []RoleBinding
	Destroy []RoleBinding
}

type CrudMap

type CrudMap map[Mode]CrudOperationPolicy

type CrudOp

type CrudOp func(CrudOperationPolicy) []RoleBinding

type CrudOperationPolicy

// CrudOperationPolicy lists, per CRUD operation, the role bindings that
// permit it. It is the value type of Policy.Project, Policy.Experiment and
// Policy.User (keyed by Mode) and is embedded inline in
// OrganizationOperationPolicy.
type CrudOperationPolicy struct {
	Create []RoleBinding
	Read   []RoleBinding
	Update []RoleBinding
	Delete []RoleBinding
}

type CrudcdOperationPolicy

// CrudcdOperationPolicy extends the CRUD operations with Commission and
// Decommission. It is the value type of Policy.Facility, keyed by Mode.
type CrudcdOperationPolicy struct {
	Create       []RoleBinding
	Read         []RoleBinding
	Update       []RoleBinding
	Delete       []RoleBinding
	Commission   []RoleBinding
	Decommission []RoleBinding
}

type ExperimentObject

// ExperimentObject adapts a portal.Experiment to the Object interface so it
// can be passed to Authorize; its UserRoles method supplies the requestor's
// bindings for the experiment.
type ExperimentObject struct {
	*portal.Experiment
}

ExperimentObject interface implementation --------------------------------

func (ExperimentObject) UserRoles

func (o ExperimentObject) UserRoles(u *portal.User) ([]RoleBinding, error)

UserRoles given an existing Experiment

type FacilityObject

// FacilityObject adapts a portal.Facility to the Object interface for use
// with Authorize.
type FacilityObject struct {
	*portal.Facility
}

func (FacilityObject) UserRoles

func (o FacilityObject) UserRoles(u *portal.User) ([]RoleBinding, error)

type IdentityObject

// IdentityObject adapts an identity (the traits of the account being acted
// on) to the Object interface for identity-level policy checks such as
// ReadIdentities, RegisterUser and UnregisterUser.
type IdentityObject struct {
	// Identity is the account the operation targets.
	Identity *identity.IdentityTraits
	// contains filtered or unexported fields
}

func (IdentityObject) UserRoles

func (o IdentityObject) UserRoles(u *portal.User) ([]RoleBinding, error)

type IdentityOperationPolicy

// IdentityOperationPolicy lists the role bindings permitted for each
// identity-level operation. Unlike the other resource policies it is not
// keyed by Mode (see Policy.Identity).
type IdentityOperationPolicy struct {
	Read        []RoleBinding
	Register    []RoleBinding
	Unregister  []RoleBinding
	UpdateState []RoleBinding
	Init        []RoleBinding
}

type MaterializationObject

// MaterializationObject identifies a materialization for authorization by the
// same Pid/Eid/Rid triple the *Materialization policy functions take. It has
// no backing portal record; UserRoles resolves the roles from the identifiers.
type MaterializationObject struct {
	Pid, Eid, Rid string
}

MaterializationObject identifies a materialization by the project, experiment and realization identifiers (Pid, Eid, Rid) that the Materialize/Dematerialize/ReadMaterialization policy functions take.

func (MaterializationObject) UserRoles

func (o MaterializationObject) UserRoles(u *portal.User) ([]RoleBinding, error)

UserRoles returns the role bindings `u` holds with respect to this materialization.

type Mode

// Mode selects which per-mode entry of a Policy map applies to an object.
// It round-trips through YAML via MarshalYAML/UnmarshalYAML.
//
// NOTE(review): Public is iota, i.e. the zero value of Mode. An object whose
// mode is never set therefore resolves to the Public policy entry; callers
// that create objects should set the mode explicitly rather than rely on the
// default.
type Mode int
const (
	Public Mode = iota
	Protected
	Private
)

func (Mode) MarshalYAML

func (m Mode) MarshalYAML() (interface{}, error)

func (*Mode) UnmarshalYAML

func (m *Mode) UnmarshalYAML(unmarshal func(interface{}) error) error

type Object

// Object is anything Authorize can protect. UserRoles returns the role
// bindings the given user holds with respect to this particular object; the
// result is compared against the operation's policy bindings.
type Object interface {
	UserRoles(*portal.User) ([]RoleBinding, error)
}

type OrganizationObject added in v1.1.22

// OrganizationObject adapts a portal.Organization to the Object interface for
// use with Authorize.
type OrganizationObject struct {
	*portal.Organization
}

OrganizationObject wraps a portal.Organization so it can be used as an Object in Authorize.

func (OrganizationObject) UserRoles added in v1.1.22

func (o OrganizationObject) UserRoles(u *portal.User) ([]RoleBinding, error)

UserRoles for organizations

type OrganizationOperationPolicy added in v1.1.22

// OrganizationOperationPolicy is the CRUD policy for organizations plus two
// organization-specific operations: AddProject (see AddOrganizationProject)
// and UpdateState (presumably what ActivateOrganization and
// DeactivateOrganization consult — confirm). It is the value type of
// Policy.Organization, keyed by Mode.
type OrganizationOperationPolicy struct {
	CrudOperationPolicy `yaml:",inline"`
	AddProject          []RoleBinding
	UpdateState         []RoleBinding
}

type Policy

// Policy is the complete access-control policy (see GetPolicy and
// PolicyFile/SetPolicyPath). Each resource kind maps a Mode to the role
// bindings permitted for each of its operations; Identity alone is not keyed
// by Mode.
//
// NOTE(review): User is a map[Mode]CrudOperationPolicy here, while the
// separate UserPolicy type (Activate/Init plus an inline CrudMap) is not
// referenced by this struct — confirm which shape the YAML loader actually
// populates for user policy.
type Policy struct {
	Project         map[Mode]CrudOperationPolicy
	Experiment      map[Mode]CrudOperationPolicy
	User            map[Mode]CrudOperationPolicy
	Organization    map[Mode]OrganizationOperationPolicy
	Xdc             map[Mode]XdcOperationPolicy
	Realization     map[Mode]CarrOperationPolicy
	Materialization map[Mode]CreateDestroyOperationPolicy
	Facility        map[Mode]CrudcdOperationPolicy
	Pool            map[Mode]PoolOperationPolicy
	Identity        IdentityOperationPolicy
}

func GetPolicy

func GetPolicy() Policy

type PoolObject

// PoolObject adapts a portal.Pool to the Object interface. The optional
// Update* fields name the facility, project or organization a pool update
// targets, so UserRoles can take the requestor's standing in that target into
// account as well (see UpdatePoolFacility/UpdatePoolProject/
// UpdatePoolOrganization).
type PoolObject struct {
	Pool *portal.Pool

	// If given, evaluate user wrt these fields (the target of the update).
	UpdateFacility     string
	UpdateProject      string
	UpdateOrganization string
}

func (PoolObject) UserRoles

func (o PoolObject) UserRoles(u *portal.User) ([]RoleBinding, error)

type PoolOperationPolicy added in v1.0.4

// PoolOperationPolicy lists the role bindings permitted for each pool
// operation. Updates are split by what is being changed (project,
// organization or facility membership). It is the value type of Policy.Pool,
// keyed by Mode.
type PoolOperationPolicy struct {
	Create             []RoleBinding
	Read               []RoleBinding
	UpdateProject      []RoleBinding
	UpdateOrganization []RoleBinding
	UpdateFacility     []RoleBinding
	Delete             []RoleBinding
}

type ProjectObject

// ProjectObject adapts a portal.Project to the Object interface for use with
// Authorize.
type ProjectObject struct {
	Project *portal.Project
}

ProjectObject wraps a portal.Project so it can be used as an Object in Authorize.

func (ProjectObject) UserRoles

func (p ProjectObject) UserRoles(u *portal.User) ([]RoleBinding, error)

UserRoles for projects

type RealizationObject

// RealizationObject adapts a portal.Realization to the Object interface for
// use with Authorize.
type RealizationObject struct {
	*portal.Realization
}

RealizationObject wraps a portal.Realization so it can be used as an Object in Authorize.

func (RealizationObject) UserRoles

func (o RealizationObject) UserRoles(u *portal.User) ([]RoleBinding, error)

UserRoles returns the role bindings `u` holds with respect to this realization.

type Role

// Role is a named role together with the roles it includes.
//
// NOTE(review): Includes presumably expresses a hierarchy (holding Name
// implies holding each included role), which would make role comparison in
// Satisfies more than a plain equality check — confirm against the
// implementation, which is not shown here.
type Role struct {
	Name     RoleKind
	Includes []Role
}

type RoleBinding

// RoleBinding pairs a Role with the Scope it is held in (e.g. Maintainer in
// Project). Policy operations are expressed as lists of bindings, and
// Object.UserRoles returns the bindings a user holds. Bindings round-trip
// through YAML via MarshalYAML/UnmarshalYAML and are checked by
// ValidateBinding.
type RoleBinding struct {
	Scope Scope
	Role  RoleKind
}

func CrudCreate

func CrudCreate(x CrudOperationPolicy) []RoleBinding

func CrudDelete

func CrudDelete(x CrudOperationPolicy) []RoleBinding

func CrudRead

func CrudRead(x CrudOperationPolicy) []RoleBinding

func CrudUpdate

func CrudUpdate(x CrudOperationPolicy) []RoleBinding

func ProjectAndExperimentRoles

func ProjectAndExperimentRoles(u *portal.User, pid string, eid string) ([]RoleBinding, error)

XXX: ProjectAndExperimentRoles returns the role bindings that user `u` holds in the context of project `pid` and experiment `eid`.

func (RoleBinding) MarshalYAML

func (m RoleBinding) MarshalYAML() (interface{}, error)

func (*RoleBinding) UnmarshalYAML

func (m *RoleBinding) UnmarshalYAML(unmarshal func(interface{}) error) error

type RoleKind

// RoleKind names a role a user can hold within a Scope.
//
// AnyRole is the wildcard role: together with AnyScope it forms the Any::Any
// binding that AuthorizeAny assigns to callers without a portal identity. A
// policy entry that lists AnyRole should therefore be understood as
// reachable by such callers.
type RoleKind string
const (
	CreatorRole    RoleKind = "Creator"
	MaintainerRole RoleKind = "Maintainer"
	MemberRole     RoleKind = "Member"
	AnyRole        RoleKind = "Any"
)

type Scope

// Scope is the resource level at which a role is held. PortalScope is the
// broadest; the remaining named scopes correspond to the resource kinds in
// Policy.
//
// AnyScope is the wildcard scope used, with AnyRole, for callers that are not
// portal users (see AuthorizeAny and ReadOrganization).
type Scope string
const (
	PortalScope          Scope = "Portal"
	OrganizationScope    Scope = "Organization"
	ProjectScope         Scope = "Project"
	ExperimentScope      Scope = "Experiment"
	UserScope            Scope = "User"
	RealizationScope     Scope = "Realization"
	MaterializationScope Scope = "Materialization"
	FacilityScope        Scope = "Facility"
	PoolScope            Scope = "Pool"
	XDCScope             Scope = "Xdc"
	AnyScope             Scope = "Any"
)

type UserObject

// UserObject adapts a portal.User (the account being acted on) to the Object
// interface. Note that UserRoles takes the requestor, i.e. the user making
// the request, not the wrapped user.
type UserObject struct {
	*portal.User
}

func (UserObject) UserRoles

func (o UserObject) UserRoles(requestor *portal.User) ([]RoleBinding, error)

type UserPolicy

// UserPolicy is a user-policy shape with Activate and Init operations on top
// of an inline per-Mode CRUD map.
//
// NOTE(review): Policy.User is declared as map[Mode]CrudOperationPolicy, not
// as UserPolicy, so as shown here this type is not wired into Policy and the
// Activate/Init bindings it declares would not be consulted by GetPolicy —
// confirm whether it is loaded elsewhere or is dead.
type UserPolicy struct {
	Activate []RoleBinding
	Init     []RoleBinding
	CrudMap  `yaml:",inline"`
}

type XDCObject

// XDCObject adapts a portal.XDCStorage record to the Object interface for use
// with Authorize.
type XDCObject struct {
	*portal.XDCStorage
}

func (XDCObject) UserRoles

func (x XDCObject) UserRoles(u *portal.User) ([]RoleBinding, error)

UserRoles for XDCs

type XdcOperationPolicy added in v1.1.22

// XdcOperationPolicy lists the role bindings permitted for each XDC
// operation (matching SpawnXDC, DestroyXDC, AttachXDC and DetachXDC). It is
// the value type of Policy.Xdc, keyed by Mode.
type XdcOperationPolicy struct {
	Spawn   []RoleBinding
	Destroy []RoleBinding
	Attach  []RoleBinding
	Detach  []RoleBinding
}
