iam

module v0.50.0
Published: Aug 8, 2023 License: MIT

README

IAM Go

An opinionated Open Source implementation of the google.iam.v1.IAMPolicy service API, using Cloud Spanner for storage.

Usage

1) Install
$ go get go.einride.tech/iam
2) Include the IAMPolicy mixin in your gRPC service

See google.iam.v1.IAMPolicy.

package your.pkg;

import "google/iam/v1/iam_policy.proto";
import "google/iam/v1/policy.proto";

service YourService {
  /* ... */

  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy);
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy);
  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse);
}
3) Embed the IAMServer implementation in your server

See iamspanner.IAMServer.

// Server implements your gRPC API.
type Server struct {
	*iamspanner.IAMServer
	// ...
}

// Server now also implements the iam.IAMPolicyServer mixin.
var _ iam.IAMPolicyServer = &Server{}
4) Include the IAM policy bindings table in your Spanner SQL schema

See schema.sql.

5) Annotate your gRPC methods

Annotations for RPC method authorization are described in annotations.proto. A before expression is evaluated against the request before the method runs, an after expression against the response the method returns. In the first example below, a single-resource method checks the caller's permission against the entity named in the request:

package your.pkg;

import "einride/iam/v1/annotations.proto";
import "google/api/resource.proto";

service YourService {
  rpc YourMethod(YourMethodRequest) returns (YourMethodResponse) {
    option (einride.iam.v1.method_authorization) = {
      permission: "namespace.entity.method"
      before: {
        expression: "test(caller, request.entity)" // iamcel expression
        description: "The caller must have method permission against the entity"
      }
    };
  }
}

message YourMethodRequest {
  string entity = 1 [
    (google.api.resource_reference) = {
      type: "example.com/Entity"
    }
  ];
}

message YourMethodResponse {} // fields omitted
A method whose response refers to several resource types declares one permission per resource type and checks the response after the call. Because an after check runs once the method has produced its response, it can withhold that response but cannot undo side effects the method already had; mutating methods therefore also need a before check.

package your.pkg;

import "einride/iam/v1/annotations.proto";

service YourService {
  rpc YourMethod(YourMethodRequest) returns (YourMethodResponse) {
    option (einride.iam.v1.method_authorization) = {
      resource_permissions {
        resource_permission {
          resource: {
            type: "example.com/Entity1"
          }
          permission: "namespace.entity1.method"
        }
        resource_permission {
          resource: {
            type: "example.com/Entity2"
          }
          permission: "namespace.entity2.method"
        }
      }
      after: {
        expression: "test_all(caller, response.entities)" // iamcel expression
        description: "The caller must have method permission against all entities"
      }
    };
  }
}

message YourMethodRequest {} // fields omitted

message YourMethodResponse {
  // Elements in this list are either Entity1 or Entity2 references
  repeated string entities = 1;
}

Expressions in the method_authorization annotation use cel-go with the iamcel extensions. iamcel provides the following CEL functions:

test(caller Caller, resource string) bool

Tests the caller's permission against resource.

test_all(caller Caller, resources []string) bool

Tests the caller's permission against all resources: the check passes only if the caller has the permission against every resource in the list.

test_any(caller Caller, resources []string) bool

Tests the caller's permission against any resource: the check passes if the caller has the permission against at least one resource in the list. Use it deliberately; an after check written with test_any lets a response list through that may still contain resources the caller is not authorized for.

ancestor(resource string, pattern string) string

Resolves an ancestor of resource using pattern. ancestor("foo/1/bar/2", "foo/{foo}") yields "foo/1", so a check can be written against a parent resource, e.g. test(caller, ancestor(request.entity, "foo/{foo}")).
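The checks the two annotation examples express, and the four iamcel functions listed above, as an added example in Go that is not the project's own code and does not use its API: a toy Authorizer over a constructed in-memory policy implements test, test_all, test_any and ancestor, then runs the before check, the after check over a response list, and a check against a parent resource. Caller, Binding, Authorizer, NewExampleAuthorizer and the sample resource names and roles are assumptions made for the example; the library's Spanner storage, member resolution and role registry are not modelled, and the behaviour of ancestor() on a non-matching pattern is assumed, not taken from the README.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Caller is what an expression's `caller` resolves to: the IAM member strings
// (e.g. "user:alice@example.com") that represent the calling identity.
type Caller struct{ Members []string }

// Binding grants one role to a set of members on one resource.
type Binding struct {
	Role    string
	Members []string
}

// Authorizer evaluates one annotation's `permission` against an in-memory policy
// (resource name -> bindings) and role registry (role -> permissions). Both are
// constructed for this example; the library itself keeps policy in Spanner.
type Authorizer struct {
	Permission string
	Roles      map[string][]string
	Policy     map[string][]Binding
}

// Test mirrors test(caller, resource): some member of caller holds a role carrying
// a.Permission on exactly this resource (parents are checked explicitly via Ancestor).
func (a Authorizer) Test(c Caller, resource string) bool {
	for _, b := range a.Policy[resource] {
		if !slices.Contains(a.Roles[b.Role], a.Permission) {
			continue
		}
		for _, m := range c.Members {
			if slices.Contains(b.Members, m) {
				return true
			}
		}
	}
	return false
}

// TestAll mirrors test_all: every resource must pass. An empty list passes
// vacuously, so an after check alone does not prove a response is non-empty.
func (a Authorizer) TestAll(c Caller, resources []string) bool {
	for _, r := range resources {
		if !a.Test(c, r) {
			return false
		}
	}
	return true
}

// TestAny mirrors test_any: one passing resource is enough.
func (a Authorizer) TestAny(c Caller, resources []string) bool {
	return slices.ContainsFunc(resources, func(r string) bool { return a.Test(c, r) })
}

// Ancestor mirrors ancestor(resource, pattern): leading segments of resource are
// matched against pattern ("{name}" matches any one segment, a literal must match
// exactly) and the matched prefix is returned. Assumption: "" on a mismatch or a
// pattern longer than the resource; the README does not show that case.
func Ancestor(resource, pattern string) string {
	rs, ps := strings.Split(resource, "/"), strings.Split(pattern, "/")
	if len(ps) > len(rs) {
		return ""
	}
	for i, p := range ps {
		if strings.HasPrefix(p, "{") && strings.HasSuffix(p, "}") {
			continue
		}
		if p != rs[i] {
			return ""
		}
	}
	return strings.Join(rs[:len(ps)], "/")
}

// NewExampleAuthorizer returns constructed sample data: alice may call the method
// on one entity under projects/p1; bob is an admin bound at projects/p2 itself.
func NewExampleAuthorizer() Authorizer {
	return Authorizer{
		Permission: "namespace.entity.method",
		Roles: map[string][]string{
			"roles/entity.viewer": {"namespace.entity.method"},
			"roles/entity.admin":  {"namespace.entity.method", "namespace.entity.delete"},
		},
		Policy: map[string][]Binding{
			"projects/p1/entities/1": {{Role: "roles/entity.viewer", Members: []string{"user:alice@example.com"}}},
			"projects/p2":            {{Role: "roles/entity.admin", Members: []string{"user:bob@example.com"}}},
		},
	}
}

func main() {
	a := NewExampleAuthorizer()
	alice := Caller{Members: []string{"user:alice@example.com"}}
	entities := []string{"projects/p1/entities/1", "projects/p2/entities/7"}
	fmt.Println("before, test(caller, request.entity):", a.Test(alice, entities[0]))
	fmt.Println("after, test_all:", a.TestAll(alice, entities), "test_any:", a.TestAny(alice, entities))
	bob := Caller{Members: []string{"user:bob@example.com"}}
	fmt.Println("bob via ancestor():", a.Test(bob, Ancestor(entities[1], "projects/{project}")))
}
```

Two things the example makes concrete. test_all fails as soon as one entity in the response is outside the caller's grants while test_any passes on the first authorized one, so an after check over a list should use test_all unless partial visibility is intended. And in this model a binding placed on projects/p2 does not satisfy a check on projects/p2/entities/7 by itself; the expression has to name the parent explicitly, test(caller, ancestor(request.entity, "projects/{project}")), which is the job ancestor() does.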

6) Generate authorization middleware

Coming soon.

Directories

Path            Synopsis
cmd
  iamctl        Module
iamauthz        Package iamauthz provides primitives for performing IAM request authorization.
iamcel          Package iamcel provides primitives for using CEL expressions for access management.
iamexample      Package iamexample provides a reference implementation of a gRPC service that uses IAM for access management.
  iamexampledata  Package iamexampledata provides predefined example data for the IAM example service.
iamfirebase     Package iamfirebase provides Firebase-specific IAM primitives.
iamgoogle       Package iamgoogle provides Google-specific IAM primitives.
iammember       Package iammember provides primitives for IAM member identifiers.
iammixin        Package iammixin provides utilities for registering gRPC servers with IAM mixins.
iampermission   Package iampermission provides primitives for working with IAM permissions.
iampolicy       Package iampolicy provides primitives for working with IAM policies.
iamregistry     Package iamregistry provides data structures for resolving IAM roles and permissions.
iamresource     Package iamresource provides primitives for working with IAM resources.
iamrole         Package iamrole provides primitives and operations on IAM roles.
iamspanner      Package iamspanner provides a Spanner-based storage implementation of the IAMPolicy service.
iamtest         Package iamtest provides primitives for unit testing IAM implementations.
proto
