Documentation ¶
Index ¶
- Constants
- Variables
- func MatchIPStrings(prefstr string, ipstr string) bool
- type IBaseIdentity
- type IRbacIdentity
- type IRbacIdentity2
- type SPolicy
- type SPolicyMatch
- type SPolicyResult
- type SRbacPolicy
- func (policy *SRbacPolicy) Decode(policyJson jsonutils.JSONObject) error
- func (policy *SRbacPolicy) Encode() jsonutils.JSONObject
- func (policy *SRbacPolicy) IsSystemWidePolicy() bool
- func (policy *SRbacPolicy) Match(userCred IRbacIdentity2) (bool, int)
- func (policy *SRbacPolicy) MatchDomain(domainId string) bool
- func (policy *SRbacPolicy) MatchProject(projectName string) bool
- func (policy *SRbacPolicy) MatchRoles(roleNames []string) bool
- type SRbacRule
- type TPolicy
- type TPolicyGroup
- type TPolicyMatches
- type TPolicySet
- type TRbacResult
Constants ¶
// Action name constants. Each is the literal string that names one action.
const (
	ActionList    = "list"
	ActionGet     = "get"
	ActionUpdate  = "update"
	ActionCreate  = "create"
	ActionDelete  = "delete"
	ActionPerform = "perform"
	ActionPatch   = "patch"
)
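// Rule results and sentinel strings.
//
// The declarations are laid out one per line so that each trailing
// "// deprecated" comment applies only to its own constant; in the collapsed
// single-line form the first comment hides every declaration after it.
const (
	// WILD_MATCH is the wildcard string "*".
	WILD_MATCH = "*"

	// Allow and Deny are the two results that are not marked deprecated.
	Allow = TRbacResult("allow")
	Deny  = TRbacResult("deny")

	// NOTE(review): how IsAllow, IsDeny and Strictness treat the four
	// deprecated results below is not visible on this page. Confirm that a
	// stored policy still carrying one of them is evaluated as intended.
	AdminAllow = TRbacResult("admin") // deprecated
	OwnerAllow = TRbacResult("owner") // deprecated
	UserAllow  = TRbacResult("user")  // deprecated
	GuestAllow = TRbacResult("guest") // deprecated

	// GUEST_TOKEN is the literal "guest_token".
	// NOTE(review): presumably a placeholder for unauthenticated callers —
	// verify that it can never be accepted as a real credential.
	GUEST_TOKEN = "guest_token"
)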
// Reserved key names for the three tag sections.
// NOTE(review): presumably the keys under which DomainTags, ProjectTags and
// ObjectTags are stored in an encoded policy — confirm against Encode/Decode.
const (
	DomainTagsKey  = "__domain_tags__"
	ProjectTagsKey = "__project_tags__"
	ObjectTagsKey  = "__object_tags__"
)
const (
	// FAKE_TOKEN is the literal "fake_token".
	// NOTE(review): its use is not shown on this page; confirm that no
	// authentication path treats this value as a valid token.
	FAKE_TOKEN = "fake_token"
)
const (
	// IP_PREFIX_SEP is the separator ",".
	// NOTE(review): presumably the delimiter between prefixes in the prefstr
	// argument of MatchIPStrings — confirm against its implementation.
	IP_PREFIX_SEP = ","
)
Variables ¶
var (
	// AllActions lists the action names list, get, update, create, delete
	// and perform.
	// NOTE(review): ActionPatch is declared in this package but is not part
	// of this list. Confirm whether code that iterates AllActions to expand
	// or compare policies is meant to leave "patch" out.
	AllActions = []string{
		ActionList,
		ActionGet,
		ActionUpdate,
		ActionCreate,
		ActionDelete,
		ActionPerform,
	}
	// AllSortedActions is AllActions passed through
	// stringutils2.NewSortedStrings.
	AllSortedActions = stringutils2.NewSortedStrings(AllActions)
)
// Sentinel errors exported by the package. Which functions return each one
// is not shown on this page.
var (
	// ErrEmptyPolicy carries the message "empty policy".
	ErrEmptyPolicy = errors.New("empty policy")
	// ErrUnsuportRuleData carries the message "unsupport rule data". The
	// identifier's spelling is part of the exported API.
	ErrUnsuportRuleData = errors.New("unsupport rule data")
	// ErrConflict carries the message "conflict?".
	ErrConflict = errors.New("conflict?")
	// ErrInvalidRules carries the message "invalid rules".
	ErrInvalidRules = errors.New("invalid rules")
)
// Ready-made results that set only Result and leave every tag list at its
// zero value.
// NOTE(review): whether an empty tag list means "no tag restriction" or
// "matches nothing" is decided elsewhere; confirm before returning
// PolicyAllow from a path that should stay tag-scoped.
var (
	PolicyDeny = SPolicyResult{
		Result: Deny,
	}
	PolicyAllow = SPolicyResult{
		Result: Allow,
	}
)
var (
	// ShowMatchRuleDebug is a package-level flag, false by default.
	// NOTE(review): presumably switches on debug output while rules are
	// matched. What is logged is not visible here; check that the output
	// holds no identity or token data before enabling it in production.
	ShowMatchRuleDebug = false
)
Functions ¶
func MatchIPStrings ¶
Types ¶
type IBaseIdentity ¶
type IRbacIdentity ¶
// IRbacIdentity describes a caller by project ID and role IDs, on top of
// whatever IBaseIdentity requires (its method set is not shown on this page).
type IRbacIdentity interface {
	// GetProjectId returns the caller's project ID.
	GetProjectId() string
	// GetRoleIds returns the caller's role IDs.
	GetRoleIds() []string

	IBaseIdentity
}
func NewRbacIdentity ¶
func NewRbacIdentity(projectId string, roleIds []string, ip string) IRbacIdentity
type IRbacIdentity2 ¶
// IRbacIdentity2 describes a caller by project domain ID, project name and
// roles, on top of whatever IBaseIdentity requires (its method set is not
// shown on this page). SRbacPolicy.Match takes this interface.
type IRbacIdentity2 interface {
	// GetProjectDomainId returns the domain ID of the caller's project.
	GetProjectDomainId() string
	// GetProjectName returns the caller's project name.
	GetProjectName() string
	// GetRoles returns the caller's roles.
	// NOTE(review): presumably role names, since MatchRoles takes roleNames —
	// confirm.
	GetRoles() []string

	IBaseIdentity
}
type SPolicy ¶
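// SPolicy bundles a rule list with the tag sets that scope it.
//
// The fields are laid out one per line so that each comment documents only
// the field below it; in the collapsed single-line form the first comment
// hides the rest of the struct.
type SPolicy struct {
	// policy rules
	Rules TPolicy

	// tags for domains
	DomainTags tagutils.TTagSetList
	// tags for projects
	ProjectTags tagutils.TTagSetList
	// tags for resources
	ObjectTags tagutils.TTagSetList
}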
func DecodePolicy ¶
func DecodePolicy(policyJson jsonutils.JSONObject) (*SPolicy, error)
func DecodePolicyData ¶
func DecodePolicyData(domainTags, projectTags, objectTags tagutils.TTagSetList, input jsonutils.JSONObject) (*SPolicy, error)
func (SPolicy) Contains ¶
policy1 contains policy2 means:
- any action allowed in policy2 is also allowed in policy1
- the policy tags of policy1 contain the policy tags of policy2
func (SPolicy) Encode ¶
func (policy SPolicy) Encode() jsonutils.JSONObject
func (SPolicy) GetMatchRule ¶
type SPolicyMatch ¶
// SPolicyMatch pairs one rule with three tag lists.
// NOTE(review): presumably the tag lists are copied from the SPolicy that
// contributed the rule — confirm against GetMatchRule.
type SPolicyMatch struct {
	Rule        SRbacRule
	DomainTags  tagutils.TTagSetList
	ProjectTags tagutils.TTagSetList
	ObjectTags  tagutils.TTagSetList
}
type SPolicyResult ¶
// SPolicyResult is an allow/deny result together with domain, project and
// object tag lists.
// NOTE(review): how the tag lists constrain the result is not visible on
// this page; callers that check only Result may ignore a tag restriction —
// confirm.
type SPolicyResult struct {
	Result      TRbacResult
	DomainTags  tagutils.TTagSetList
	ProjectTags tagutils.TTagSetList
	ObjectTags  tagutils.TTagSetList
}
func (SPolicyResult) IsEmpty ¶
func (result SPolicyResult) IsEmpty() bool
func (SPolicyResult) Json ¶
func (result SPolicyResult) Json() jsonutils.JSONObject
func (SPolicyResult) Merge ¶
func (r1 SPolicyResult) Merge(r2 SPolicyResult) SPolicyResult
func (SPolicyResult) String ¶
func (result SPolicyResult) String() string
type SRbacPolicy ¶
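// SRbacPolicy is a policy together with the conditions under which it
// applies (domain, projects, roles, source IP prefixes) and its scope.
//
// The fields are laid out one per line so that each comment documents only
// its own field; in the collapsed single-line form the first comment hides
// the rest of the struct.
type SRbacPolicy struct {
	// condition, when the policy takes effects
	// Deprecated
	Condition string

	DomainId string

	IsPublic bool

	PublicScope rbacscope.TRbacScope

	Projects []string
	Roles    []string
	// NOTE(review): the element type is an IPv4 prefix; how a caller with an
	// IPv6 address is matched is not visible here — confirm.
	Ips []netutils.IPV4Prefix
	// NOTE(review): the zero value is false; confirm that a policy built or
	// decoded without this field does not end up applying to
	// unauthenticated callers by accident.
	Auth bool // whether needs authentication

	// scope, the scope of the policy, system/domain/project
	Scope rbacscope.TRbacScope
	// Deprecated
	// is_admin=true means scope=system, is_admin=false means scope=project
	IsAdmin bool

	Rules TPolicy
}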
func (*SRbacPolicy) Decode ¶
func (policy *SRbacPolicy) Decode(policyJson jsonutils.JSONObject) error
Deprecated
func (*SRbacPolicy) Encode ¶
func (policy *SRbacPolicy) Encode() jsonutils.JSONObject
func (*SRbacPolicy) IsSystemWidePolicy ¶
func (policy *SRbacPolicy) IsSystemWidePolicy() bool
func (*SRbacPolicy) Match ¶
func (policy *SRbacPolicy) Match(userCred IRbacIdentity2) (bool, int)
Match checks whether the policy matches a userCred. It returns two values: a bool (isMatched) and an int (match weight). The higher the weight, the more exact the match; the more exact match wins.
func (*SRbacPolicy) MatchDomain ¶
func (policy *SRbacPolicy) MatchDomain(domainId string) bool
func (*SRbacPolicy) MatchProject ¶
func (policy *SRbacPolicy) MatchProject(projectName string) bool
func (*SRbacPolicy) MatchRoles ¶
func (policy *SRbacPolicy) MatchRoles(roleNames []string) bool
type SRbacRule ¶
// SRbacRule is a single rule: a service/resource/action triple, optional
// extra strings, and the result assigned to it.
type SRbacRule struct {
	Service  string
	Resource string
	Action   string
	Extra    []string
	Result   TRbacResult
}
type TPolicy ¶
// TPolicy is a list of rules.
type TPolicy []SRbacRule
func DecodeRawPolicyData ¶
func DecodeRawPolicyData(input jsonutils.JSONObject) (TPolicy, error)
func (TPolicy) Contains ¶
Contains of TPolicy
TPolicy p1 contains p2 means any action allowed by p2 is also allowed by p1 and any action denied by p1 is also denied by p2
func (TPolicy) EncodeRawData ¶
func (policy TPolicy) EncodeRawData() jsonutils.JSONObject
type TPolicyGroup ¶
// TPolicyGroup maps a scope to the policy set held for that scope.
type TPolicyGroup map[rbacscope.TRbacScope]TPolicySet
func DecodePolicyGroup ¶
func DecodePolicyGroup(json jsonutils.JSONObject) (TPolicyGroup, error)
func (TPolicyGroup) Encode ¶
func (sets TPolicyGroup) Encode() jsonutils.JSONObject
func (TPolicyGroup) HighestScope ¶
func (sets TPolicyGroup) HighestScope() rbacscope.TRbacScope
type TPolicyMatches ¶
// TPolicyMatches is a list of rule matches; GetResult reduces it to a single
// SPolicyResult.
type TPolicyMatches []SPolicyMatch
func (TPolicyMatches) GetResult ¶
func (matches TPolicyMatches) GetResult() SPolicyResult
type TPolicySet ¶
// TPolicySet is a list of policies.
type TPolicySet []SPolicy
func DecodePolicySet ¶
func DecodePolicySet(jsonObj jsonutils.JSONObject) (TPolicySet, error)
func (TPolicySet) Contains ¶
func (policies1 TPolicySet) Contains(policies2 TPolicySet) bool
Contains of TPolicySet
TPolicySet ps1 contains ps2 means any member of ps2 is contained by one of the members of ps1
func (TPolicySet) Encode ¶
func (policies TPolicySet) Encode() jsonutils.JSONObject
func (TPolicySet) GetMatchRules ¶
func (policies TPolicySet) GetMatchRules(service string, resource string, action string, extra ...string) []SPolicyMatch
type TRbacResult ¶
// TRbacResult is the string-typed result of a rule; the package declares
// Allow, Deny and four deprecated values of this type.
type TRbacResult string
func (TRbacResult) IsAllow ¶
func (r TRbacResult) IsAllow() bool
func (TRbacResult) IsDeny ¶
func (r TRbacResult) IsDeny() bool
func (TRbacResult) LooserThan ¶
func (r1 TRbacResult) LooserThan(r2 TRbacResult) bool
func (TRbacResult) StricterThan ¶
func (r1 TRbacResult) StricterThan(r2 TRbacResult) bool
func (TRbacResult) Strictness ¶
func (r TRbacResult) Strictness() int