Documentation

Overview
Package engine provides a CEL-based authorization engine for gRPC.
Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types
type AuthorizationArgs

```go
type AuthorizationArgs struct {
	// contains filtered or unexported fields
}
```

AuthorizationArgs is the input of the CEL-based authorization engine.
type AuthorizationDecision

```go
type AuthorizationDecision struct {
	// contains filtered or unexported fields
}
```

AuthorizationDecision is the output of the CEL-based authorization engine. If the decision is allow or deny, policyNames either contains the names of all the policies in the engine that matched and permitted the action, or is empty because the decision was reached after all conditions evaluated to false. If the decision is unknown, policyNames contains the list of policies that evaluated to unknown.
type AuthorizationEngine

```go
type AuthorizationEngine struct {
	// contains filtered or unexported fields
}
```

AuthorizationEngine is the struct for the CEL-based authorization engine.

func NewAuthorizationEngine

```go
func NewAuthorizationEngine(allow, deny *pb.RBAC) (*AuthorizationEngine, error)
```

NewAuthorizationEngine builds a CEL evaluation engine from at most one allow and one deny Envoy RBAC.
func (*AuthorizationEngine) Evaluate

```go
func (authorizationEngine *AuthorizationEngine) Evaluate(args *AuthorizationArgs) (AuthorizationDecision, error)
```

Evaluate is the core function that evaluates whether an RPC is authorized.

ALLOW policy. If one of the RBAC conditions evaluates to true, the CEL-based authorization engine returns allow. If all of the RBAC conditions evaluate to false, it returns deny. Otherwise (some conditions are false and some are unknown), it returns undecided.

DENY policy. If one of the RBAC conditions evaluates to true, the CEL-based authorization engine returns deny. If all of the RBAC conditions evaluate to false, it returns allow. Otherwise (some conditions are false and some are unknown), it returns undecided.

DENY policy + ALLOW policy. Evaluation proceeds in the following order: if one of the expressions in the DENY policy is true, the authorization engine returns deny. If one of the expressions in the DENY policy is unknown, it returns undecided. Only when all the expressions in the DENY policy are false does it return the evaluation of the ALLOW policy.
type Decision

```go
type Decision int32
```

Decision represents the different authorization decisions a CEL-based authorization engine can return.

```go
const (
	// DecisionAllow indicates allowing the RPC to go through.
	DecisionAllow Decision = iota
	// DecisionDeny indicates denying the RPC from going through.
	DecisionDeny
	// DecisionUnknown indicates that there is insufficient information to
	// determine whether or not an RPC call is authorized.
	DecisionUnknown
)
```
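The three-valued evaluation order described under Evaluate, as an added stand-alone model that is not the grpc package's own code: since AuthorizationArgs and the Envoy RBAC inputs are unexported here, each RBAC condition's CEL result is replaced by a hypothetical Cond value (true, false, or unknown), and the functions below apply the documented ALLOW, DENY and DENY + ALLOW rules to those results.

```go
package main

import "fmt"

// Decision mirrors the engine's three outcomes; Cond is one RBAC condition's
// result: true, false, or unknown (e.g. the attribute it needs is missing).
type Decision int32
type Cond string

const (
	DecisionAllow Decision = iota
	DecisionDeny
	DecisionUnknown
)
const CondFalse, CondTrue, CondUnknown Cond = "false", "true", "unknown"

// evaluatePolicy is the rule both policy kinds share: any true condition
// yields onTrue, all false yields onAllFalse, a false/unknown mix is undecided.
func evaluatePolicy(conds []Cond, onTrue, onAllFalse Decision) Decision {
	anyUnknown := false
	for _, c := range conds {
		switch c {
		case CondTrue:
			return onTrue
		case CondUnknown:
			anyUnknown = true
		}
	}
	if anyUnknown {
		return DecisionUnknown
	}
	return onAllFalse
}

// ALLOW policy: any true -> allow, all false -> deny.
func EvaluateAllow(c []Cond) Decision { return evaluatePolicy(c, DecisionAllow, DecisionDeny) }
// DENY policy: any true -> deny, all false -> allow.
func EvaluateDeny(c []Cond) Decision { return evaluatePolicy(c, DecisionDeny, DecisionAllow) }

// Evaluate applies the documented DENY + ALLOW order: a true DENY condition
// denies, an unknown one is undecided, and only all-false DENY defers to ALLOW.
func Evaluate(deny, allow []Cond) Decision {
	if d := EvaluateDeny(deny); d != DecisionAllow {
		return d
	}
	return EvaluateAllow(allow)
}

func main() { // constructed sample: an unknown DENY condition leaves the RPC undecided
	fmt.Println(Evaluate([]Cond{CondFalse, CondUnknown}, []Cond{CondTrue})) // 2
}
```

Note that an unknown DENY condition wins over a matching ALLOW policy, so a missing request attribute makes the decision undecided rather than allowed.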