Documentation
Overview
Package rpcacl implements a gRPC interceptor that checks per-RPC ACLs.
It makes decisions purely based on the name of the called RPC method. It doesn't check request messages at all.
This interceptor is useful as the very first coarse ACL check that just verifies the caller is known to the service. For simple services, that may be the only check. But most services will most likely need to make additional checks in the request handler (or another service-specific interceptor) that use data from the request message to make service-specific decisions.
Constants
const (
    // Authenticated represents all authenticated (non-anonymous) callers.
    Authenticated = "!AUTHENTICATED"
    // All represents any caller at all, including anonymous.
    All = "!ALL"
)
Variables
This section is empty.
Functions
func Interceptor
func Interceptor(mapping Map) grpcutil.UnifiedServerInterceptor
Interceptor returns a server interceptor that checks per-RPC ACLs.
The mapping maps each RPC method to the set of callers authorized to call it. It should cover every service and method exposed by the gRPC server; calls to undeclared services or methods are denied with a PermissionDenied error.
This interceptor implements "static" authorization rules that do not change during the lifetime of a server process. If you need to adjust ACLs dynamically, implement your own interceptor.
It panics if any mapping entry is malformed.
Types
type Map
Map maps RPC methods to callers that are allowed to call them.
Each key is either "/<service>/<method>" to indicate a single method, or "/<service>/*" to indicate all methods in a service.
Values are LUCI group names of authorized callers, or one of the following special strings:
- rpcacl.Authenticated: any authenticated caller is authorized.
- rpcacl.All: any caller at all is authorized (any authenticated caller and anonymous unauthenticated callers).
Both rpcacl.All and rpcacl.Authenticated imply the method is publicly accessible (since it is not hard at all to get an authentication token representing *some* account).
Note that group names will be publicly exposed in the PermissionDenied response messages. Do not use secret code names in group names.
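To make the Interceptor and Map rules above concrete, here is an added, self-contained Go model of the lookup (not the rpcacl package's own code): it resolves a full method name against a Map-shaped map, honours the two special values, denies undeclared or malformed methods, and shows how a group name surfaces in the denial reason. The anonymous identity string, the group-membership map, and the rule that an exact method key wins over the service wildcard are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// The two special values documented above, plus the assumed LUCI identity
// string for anonymous (unauthenticated) callers.
const (
	authenticated = "!AUTHENTICATED"
	all           = "!ALL"
	anonymous     = "anonymous:anonymous"
)

// decide resolves "/<service>/<method>" against the ACL map for a caller with
// the given identity and group memberships (groups is a constructed stand-in
// for a real lookup). Assumption: an exact method key wins over "/<service>/*".
func decide(acl map[string]string, fullMethod, identity string, groups map[string]bool) (bool, string) {
	parts := strings.Split(fullMethod, "/")
	if len(parts) != 3 || parts[0] != "" || parts[1] == "" || parts[2] == "" {
		return false, "malformed method name"
	}
	who, ok := acl[fullMethod]
	if !ok {
		who, ok = acl["/"+parts[1]+"/*"]
	}
	if !ok {
		return false, "undeclared method" // missing entries deny, never allow
	}
	switch who {
	case all:
		return true, "open to all callers"
	case authenticated:
		if identity == anonymous {
			return false, "anonymous callers are not allowed"
		}
		return true, "authenticated caller"
	default:
		if !groups[who] {
			return false, "not a member of " + who // group name is exposed
		}
		return true, "member of " + who
	}
}

func main() {
	acl := map[string]string{"/luci.Admin/*": "admins", "/luci.Admin/Status": all}
	fmt.Println(decide(acl, "/luci.Admin/Reboot", anonymous, nil))
}
```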