rpcacl

package
v0.0.0-...-f7f712b

This package is not in the latest version of its module.
Published: Jan 9, 2025 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Overview

Package rpcacl implements a gRPC interceptor that checks per-RPC ACLs.

It makes decisions purely based on the name of the called RPC method. It doesn't check request messages at all.

This interceptor is useful as the very first coarse ACL check that only verifies the caller is known to the service. For simple services, that may be the only check. Most services, however, will need additional checks in the request handler (or in another service-specific interceptor) that use data from the request message to make service-specific decisions.

Index

Constants

const (
	// Authenticated represents all authenticated (non-anonymous) callers.
	Authenticated = "!AUTHENTICATED"
	// All represents any caller at all, including anonymous.
	All = "!ALL"
)

Variables

This section is empty.

Functions

func Interceptor

func Interceptor(mapping Map) grpcutil.UnifiedServerInterceptor

Interceptor returns a server interceptor that checks per-RPC ACLs.

The mapping maps each RPC method to the set of callers authorized to call it. It should cover all services and methods exposed by the gRPC server. Access to undeclared services or methods is denied with a PermissionDenied error.

This interceptor implements "static" authorization rules that do not change during the lifetime of a server process. If you need to adjust ACLs dynamically, implement your own interceptor.

Panics if mapping entries are malformed.

Types

type Map

type Map map[string]string

Map maps RPC methods to callers that are allowed to call them.

Each key is either "/<service>/<method>" to indicate a single method, or "/<service>/*" to indicate all methods in a service.

Values are either LUCI group names of the authorized callers, or one of the following special strings:

  • rpcacl.Authenticated: any authenticated caller is authorized.
  • rpcacl.All: any caller at all is authorized (any authenticated caller and anonymous unauthenticated callers).

Both rpcacl.All and rpcacl.Authenticated imply the method is publicly accessible (since it is not hard at all to get an authentication token representing *some* account).

Note that group names will be publicly exposed in the PermissionDenied response messages. Do not use secret code names in group names.
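Because undeclared methods are denied and malformed entries make Interceptor panic, it is worth auditing a Map against the full method names a server actually registers before deploying it. The following is an added example, not code from the rpcacl package; it re-declares the two documented special strings, resolves each exposed method against the Map (assuming an exact "/<service>/<method>" entry takes precedence over the "/<service>/*" wildcard, which the page does not state), and reports malformed keys, methods no entry covers, and methods that are effectively public via rpcacl.All or rpcacl.Authenticated. The service and group names are constructed sample values.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Mirrors the special strings documented for rpcacl.
const (
	Authenticated = "!AUTHENTICATED"
	All           = "!ALL"
)

// Map mirrors rpcacl.Map: "/<service>/<method>" or "/<service>/*" -> group or special string.
type Map map[string]string

// Coverage is the outcome of auditing a Map against the methods a server exposes.
type Coverage struct {
	Malformed []string // keys not shaped like "/<service>/<method>" or "/<service>/*" (Interceptor would panic)
	Uncovered []string // exposed methods matched by no entry (rpcacl would deny them)
	Public    []string // exposed methods reachable by any account (All or Authenticated)
}

// parseKey splits a key into (service, method) and reports whether it is well-formed.
// Assumption: exactly "/<service>/<method>" with both parts non-empty.
func parseKey(key string) (service, method string, ok bool) {
	if !strings.HasPrefix(key, "/") {
		return "", "", false
	}
	parts := strings.Split(key[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// lookup resolves a full method name to its caller spec. An exact entry wins over the
// service wildcard (assumption made for this example).
func lookup(m Map, fullMethod string) (string, bool) {
	if v, ok := m[fullMethod]; ok {
		return v, true
	}
	service, _, ok := parseKey(fullMethod)
	if !ok {
		return "", false
	}
	v, ok := m["/"+service+"/*"]
	return v, ok
}

// Audit checks a Map against the full method names a server exposes.
func Audit(m Map, exposed []string) Coverage {
	var c Coverage
	for k := range m {
		if _, _, ok := parseKey(k); !ok {
			c.Malformed = append(c.Malformed, k)
		}
	}
	for _, fm := range exposed {
		spec, ok := lookup(m, fm)
		if !ok {
			c.Uncovered = append(c.Uncovered, fm)
			continue
		}
		if spec == All || spec == Authenticated {
			c.Public = append(c.Public, fm)
		}
	}
	sort.Strings(c.Malformed)
	sort.Strings(c.Uncovered)
	sort.Strings(c.Public)
	return c
}

// SampleMap is a constructed ACL with one exact entry, two wildcards and one malformed key.
func SampleMap() Map {
	return Map{
		"/example.Builds/GetBuild":  Authenticated,
		"/example.Builds/*":         "project-builds-users",
		"/example.Discovery/*":      All,
		"bad-key":                   "some-group",
	}
}

// SampleExposed is a constructed list of methods a server registers, including one the Map forgot.
func SampleExposed() []string {
	return []string{
		"/example.Builds/GetBuild",
		"/example.Builds/CancelBuild",
		"/example.Discovery/Describe",
		"/example.Admin/Wipe",
	}
}

func main() {
	c := Audit(SampleMap(), SampleExposed())
	fmt.Printf("malformed: %v\nuncovered: %v\npublic:    %v\n", c.Malformed, c.Uncovered, c.Public)
}
```

Running this on the sample data lists "bad-key" as malformed, "/example.Admin/Wipe" as uncovered, and the GetBuild and Describe methods as public; a deployment check can fail on a non-empty Malformed or Uncovered list and require an explicit sign-off for every entry in Public.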
