policy

package
v1.3.24 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 6, 2024 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (

	// Well known identity name which acts as bootstrap/fallback admin.
	PolicyAdmin = "portalops"
)
View Source 
var Scopes = []Scope{
	PortalScope,
	OrganizationScope,
	ProjectScope,
	ExperimentScope,
	UserScope,
	RealizationScope,
	MaterializationScope,
	FacilityScope,
	PoolScope,
	XDCScope,
	AnyScope,
}

Functions

func AcceptRealization 

func AcceptRealization(caller *identity.IdentityTraits, pid, eid, rid string) error

func ActivateOrganization added in v1.1.22 

func ActivateOrganization(user *identity.IdentityTraits, organization string) error

ActivateOrganization policy

func ActivateUser 

func ActivateUser(caller *identity.IdentityTraits, username string) error

func AddOrganizationProject added in v1.1.22 

func AddOrganizationProject(user *identity.IdentityTraits, organization string) error

AddOrganizationProject policy

func AttachXDC 

func AttachXDC(caller *identity.IdentityTraits, xdc, xdc_proj, real_proj string) error

func Authorize 

func Authorize(requestor *identity.IdentityTraits, policy []RoleBinding, object Object) error

Authorize determines whether the `requestor` is allowed to act on an `object` given the `policy` that governs that object. `policy` is a set of role bindings. If the `requestor` has any of the role bindings in the `policy` set, the request will be approved.

func AuthorizeAny added in v1.1.22 

func AuthorizeAny(policy []RoleBinding, scope Scope) error

AuthorizeAny handles the case where the user may not be a portal user, yet we still want the object to control access to itself. In this case, we map the user to Any::Any and apply the object authorization.

func AuthorizeCreate 

func AuthorizeCreate(requestor *identity.IdentityTraits, policy []RoleBinding, scope Scope) error

AuthorizeCreate handles the case of creating an object where we cannot get the user roles from the object as it doesn't exist yet.

func CreateExperiment 

func CreateExperiment(caller *identity.IdentityTraits, pid, eid string) error

CreateExperiment ...

func CreateFacility 

func CreateFacility(caller *identity.IdentityTraits) error

func CreateOrganization added in v1.1.22 

func CreateOrganization(user *identity.IdentityTraits, organization string, mode portal.AccessMode) error

CreateOrganization policy

func CreatePool 

func CreatePool(caller *identity.IdentityTraits) error

func CreateProject 

func CreateProject(user *identity.IdentityTraits, project string) error

CreateProject policy

func CreateRealization 

func CreateRealization(caller *identity.IdentityTraits, pid, eid, rid string) error

func DeactivateOrganization added in v1.1.22 

func DeactivateOrganization(user *identity.IdentityTraits, organization string) error

DeactivateOrganization policy

func DeactivateUser 

func DeactivateUser(caller *identity.IdentityTraits, username string) error

func DeleteExperiment 

func DeleteExperiment(caller *identity.IdentityTraits, pid, eid string) error

DeleteExperiment ...

func DeleteFacility 

func DeleteFacility(caller *identity.IdentityTraits, facility string) error

func DeleteOrganization added in v1.1.22 

func DeleteOrganization(user *identity.IdentityTraits, organization string) error

DeleteOrganization policy

func DeletePool 

func DeletePool(caller *identity.IdentityTraits, pool string) error

func DeleteProject 

func DeleteProject(user *identity.IdentityTraits, project string) error

DeleteProject policy

func DeleteRealization 

func DeleteRealization(caller *identity.IdentityTraits, pid, eid, rid string) error

func DeleteUser 

func DeleteUser(caller *identity.IdentityTraits, user string) error

func Dematerialize 

func Dematerialize(caller *identity.IdentityTraits, pid, eid, rid string) error

func DestroyXDC 

func DestroyXDC(caller *identity.IdentityTraits, pid, xdc string) error

func DetachXDC 

func DetachXDC(caller *identity.IdentityTraits, pid, xdc string) error

func InitUser 

func InitUser(caller *identity.IdentityTraits, username string) error

func Materialize 

func Materialize(caller *identity.IdentityTraits, pid, eid, rid string) error

func PolicyFile 

func PolicyFile() string

func ReadExperiment 

func ReadExperiment(caller *identity.IdentityTraits, pid, eid string) error

ReadExperiment ...

func ReadFacility 

func ReadFacility(caller *identity.IdentityTraits, facility string) error

func ReadIdentities 

func ReadIdentities(caller *identity.IdentityTraits) error

func ReadMaterialization 

func ReadMaterialization(caller *identity.IdentityTraits, pid, eid, rid string) error

func ReadMaterializations 

func ReadMaterializations(caller *identity.IdentityTraits, pid, eid string) error

func ReadOrganization added in v1.1.22 

func ReadOrganization(user *identity.IdentityTraits, organization string) error

ReadOrganization policy

Note this method can be called by non-users, so we must handle that case. In that case, we treat the user an an AnyRole in the Organization scope.

func ReadPolicy 

func ReadPolicy(caller *identity.IdentityTraits) error

Policy about policy itself

func ReadPool 

func ReadPool(caller *identity.IdentityTraits, pool string) error

func ReadPools 

func ReadPools(caller *identity.IdentityTraits) error

func ReadPortal added in v1.1.39 

func ReadPortal(caller *identity.IdentityTraits) error

func ReadProject 

func ReadProject(user *identity.IdentityTraits, project string) error

ReadProject policy

func ReadRealization 

func ReadRealization(caller *identity.IdentityTraits, pid, eid, rid string) error

func ReadRealizations 

func ReadRealizations(caller *identity.IdentityTraits, pid, eid string) error

func ReadUser 

func ReadUser(caller *identity.IdentityTraits, user string) error

func ReadUsers 

func ReadUsers(caller *identity.IdentityTraits) error

ReadUsers is an Identity level action

func ReadXdcs 

func ReadXdcs(caller *identity.IdentityTraits, pid string) error

func RegisterUser 

func RegisterUser(caller *identity.IdentityTraits, username string) error

func RejectRealization 

func RejectRealization(caller *identity.IdentityTraits, pid, eid, rid string) error

func Satisfies 

func Satisfies(provided, required RoleBinding) bool

func SetPolicyPath 

func SetPolicyPath(p string)

func SpawnXDC 

func SpawnXDC(caller *identity.IdentityTraits, rq *portal.CreateXDCRequest) error

func SudoAsUser added in v1.3.10 

func SudoAsUser(caller *identity.IdentityTraits, username string) error

func UnregisterUser 

func UnregisterUser(caller *identity.IdentityTraits, username string) error

func UpdateExperiment 

func UpdateExperiment(caller *identity.IdentityTraits, pid, eid string) error

UpdateExperiment ...

func UpdateFacility 

func UpdateFacility(caller *identity.IdentityTraits, facility string) error

func UpdateIdentity added in v1.3.20 

func UpdateIdentity(caller *identity.IdentityTraits, username string) error

func UpdateOrganization added in v1.1.22 

func UpdateOrganization(user *identity.IdentityTraits, organization string) error

UpdateOrganization policy

func UpdatePoolFacility added in v1.0.4 

func UpdatePoolFacility(caller *identity.IdentityTraits, pool, facility string) error

func UpdatePoolOrganization added in v1.1.22 

func UpdatePoolOrganization(caller *identity.IdentityTraits, pool, organization string) error

func UpdatePoolProject added in v1.0.4 

func UpdatePoolProject(caller *identity.IdentityTraits, pool, project string) error

func UpdatePortal added in v1.1.39 

func UpdatePortal(caller *identity.IdentityTraits) error

func UpdateProject 

func UpdateProject(user *identity.IdentityTraits, project string) error

UpdateProject policy

func UpdateUser 

func UpdateUser(caller *identity.IdentityTraits, user string) error

func ValidateBinding 

func ValidateBinding(b RoleBinding) error

func ValidateCrudOperationPolicy 

func ValidateCrudOperationPolicy(c CrudOperationPolicy) error

func ValidateMode 

func ValidateMode(m Mode) error

func ValidatePolicy 

func ValidatePolicy(p Policy) error

func ValidateRoleBindings 

func ValidateRoleBindings(bs []RoleBinding) error

func WriteOrganizationStoragePolicy added in v1.1.28 

func WriteOrganizationStoragePolicy(usernames []string, organization string) error

WriteOrganizationStoragePolicy policy - given a list of usernames, can the list as a whole write to local organization storage?

Types

type CarrOperationPolicy 

type CarrOperationPolicy struct {
	Create  []RoleBinding
	Accept  []RoleBinding
	Reject  []RoleBinding
	Release []RoleBinding
}

type CreateDestroyOperationPolicy 

type CreateDestroyOperationPolicy struct {
	Create  []RoleBinding
	Destroy []RoleBinding
}

type CrudMap 

type CrudMap map[Mode]CrudOperationPolicy

type CrudOp 

type CrudOp func(CrudOperationPolicy) []RoleBinding

type CrudOperationPolicy 

type CrudOperationPolicy struct {
	Create []RoleBinding
	Read   []RoleBinding
	Update []RoleBinding
	Delete []RoleBinding
}

type CrudcdOperationPolicy 

type CrudcdOperationPolicy struct {
	Create       []RoleBinding
	Read         []RoleBinding
	Update       []RoleBinding
	Delete       []RoleBinding
	Commission   []RoleBinding
	Decommission []RoleBinding
}

type ExperimentObject 

type ExperimentObject struct {
	*portal.Experiment
}

ExperimentObject interface implementation --------------------------------

func (ExperimentObject) UserRoles 

func (o ExperimentObject) UserRoles(u *portal.User) ([]RoleBinding, error)

UserRoles given an existing Experiment

type FacilityObject 

type FacilityObject struct {
	*portal.Facility
}

func (FacilityObject) UserRoles 

func (o FacilityObject) UserRoles(u *portal.User) ([]RoleBinding, error)

type IdentityObject 

type IdentityObject struct {
	Identity *identity.IdentityTraits
	// contains filtered or unexported fields
}

func (IdentityObject) UserRoles 

func (o IdentityObject) UserRoles(u *portal.User) ([]RoleBinding, error)

type IdentityOperationPolicy 

type IdentityOperationPolicy struct {
	Read        []RoleBinding
	Register    []RoleBinding
	Unregister  []RoleBinding
	UpdateState []RoleBinding
	Init        []RoleBinding
	Sudo        []RoleBinding
}

type MaterializationObject 

type MaterializationObject struct {
	Pid, Eid, Rid string
}

MaterializationObject ...

func (MaterializationObject) UserRoles 

func (o MaterializationObject) UserRoles(u *portal.User) ([]RoleBinding, error)

UserRoles ...

type Mode 

type Mode int
const (
	Public Mode = iota
	Protected
	Private
)

func (Mode) MarshalYAML 

func (m Mode) MarshalYAML() (interface{}, error)

func (*Mode) UnmarshalYAML 

func (m *Mode) UnmarshalYAML(unmarshal func(interface{}) error) error

type Object 

type Object interface {
	UserRoles(*portal.User) ([]RoleBinding, error)
}

type OrganizationObject added in v1.1.22 

type OrganizationObject struct {
	*portal.Organization
}

OrganizationObject ...

func (OrganizationObject) UserRoles added in v1.1.22 

func (o OrganizationObject) UserRoles(u *portal.User) ([]RoleBinding, error)

UserRoles for organizations

type OrganizationOperationPolicy added in v1.1.22 

type OrganizationOperationPolicy struct {
	CrudOperationPolicy `yaml:",inline"`
	AddProject          []RoleBinding
	UpdateState         []RoleBinding
	WriteStorage        []RoleBinding
}

type Policy 

type Policy struct {
	Project         map[Mode]CrudOperationPolicy
	Experiment      map[Mode]CrudOperationPolicy
	User            map[Mode]CrudOperationPolicy
	Organization    map[Mode]OrganizationOperationPolicy
	Xdc             map[Mode]XdcOperationPolicy
	Realization     map[Mode]CarrOperationPolicy
	Materialization map[Mode]CreateDestroyOperationPolicy
	Facility        map[Mode]CrudcdOperationPolicy
	Pool            map[Mode]PoolOperationPolicy
	Identity        IdentityOperationPolicy
	Portal          PortalOperationPolicy
}

func GetPolicy 

func GetPolicy() Policy

type PoolObject 

type PoolObject struct {
	Pool *portal.Pool

	// If given, evaluate user wrt these fields.
	UpdateFacility     string
	UpdateProject      string
	UpdateOrganization string
}

func (PoolObject) UserRoles 

func (o PoolObject) UserRoles(u *portal.User) ([]RoleBinding, error)

type PoolOperationPolicy added in v1.0.4 

type PoolOperationPolicy struct {
	Create             []RoleBinding
	Read               []RoleBinding
	UpdateProject      []RoleBinding
	UpdateOrganization []RoleBinding
	UpdateFacility     []RoleBinding
	Delete             []RoleBinding
}

type PortalObject added in v1.1.39 

type PortalObject struct {
	Identity *identity.IdentityTraits
}

ProjectObject ...

func (PortalObject) UserRoles added in v1.1.39 

func (p PortalObject) UserRoles(u *portal.User) ([]RoleBinding, error)

UserRoles for projects

type PortalOperationPolicy added in v1.1.39 

type PortalOperationPolicy struct {
	Read   []RoleBinding
	Update []RoleBinding
}

type ProjectObject 

type ProjectObject struct {
	Project *portal.Project
}

ProjectObject ...

func (ProjectObject) UserRoles 

func (p ProjectObject) UserRoles(u *portal.User) ([]RoleBinding, error)

UserRoles for projects

type RealizationObject 

type RealizationObject struct {
	*portal.Realization
}

RealizationObject ...

func (RealizationObject) UserRoles 

func (o RealizationObject) UserRoles(u *portal.User) ([]RoleBinding, error)

UserRoles ...

type Role 

type Role struct {
	Name     RoleKind
	Includes []Role
}

type RoleBinding 

type RoleBinding struct {
	Scope Scope
	Role  RoleKind
}

func CrudCreate 

func CrudCreate(x CrudOperationPolicy) []RoleBinding

func CrudDelete 

func CrudDelete(x CrudOperationPolicy) []RoleBinding

func CrudRead 

func CrudRead(x CrudOperationPolicy) []RoleBinding

func CrudUpdate 

func CrudUpdate(x CrudOperationPolicy) []RoleBinding

func ProjectAndExperimentRoles 

func ProjectAndExperimentRoles(u *portal.User, pid string, eid string) ([]RoleBinding, error)

XXX ProjectAndExperimentRoles given the context of the project and experiment, return the roles for the given user

func (RoleBinding) MarshalYAML 

func (m RoleBinding) MarshalYAML() (interface{}, error)

func (*RoleBinding) UnmarshalYAML 

func (m *RoleBinding) UnmarshalYAML(unmarshal func(interface{}) error) error

type RoleKind 

type RoleKind string
const (
	CreatorRole    RoleKind = "Creator"
	MaintainerRole RoleKind = "Maintainer"
	MemberRole     RoleKind = "Member"
	AnyRole        RoleKind = "Any"
)

type Scope 

type Scope string
const (
	PortalScope          Scope = "Portal"
	OrganizationScope    Scope = "Organization"
	ProjectScope         Scope = "Project"
	ExperimentScope      Scope = "Experiment"
	UserScope            Scope = "User"
	RealizationScope     Scope = "Realization"
	MaterializationScope Scope = "Materialization"
	FacilityScope        Scope = "Facility"
	PoolScope            Scope = "Pool"
	XDCScope             Scope = "Xdc"
	AnyScope             Scope = "Any"
)

type UserObject 

type UserObject struct {
	*portal.User
}

func (UserObject) UserRoles 

func (o UserObject) UserRoles(requestor *portal.User) ([]RoleBinding, error)

type UserPolicy 

type UserPolicy struct {
	Activate []RoleBinding
	Init     []RoleBinding
	CrudMap  `yaml:",inline"`
}

type XDCObject 

type XDCObject struct {
	*portal.XDCStorage
}

func (XDCObject) UserRoles 

func (x XDCObject) UserRoles(u *portal.User) ([]RoleBinding, error)

UserRoles for XDCs

type XdcOperationPolicy added in v1.1.22 

type XdcOperationPolicy struct {
	Spawn   []RoleBinding
	Destroy []RoleBinding
	Attach  []RoleBinding
	Detach  []RoleBinding
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.