Documentation
Constants

const (
	// DriverTLS is the default TLS authorization driver. It is not compatible with OIDC authentication.
	DriverTLS string = "tls"

	// DriverOpenFGA provides fine-grained authorization. It is compatible with any authentication method.
	DriverOpenFGA string = "openfga"
)
Variables
var ErrUnknownDriver = fmt.Errorf("Unknown driver")
ErrUnknownDriver is the "Unknown driver" error.
Functions

func WithConfig

WithConfig can be passed into LoadAuthorizer to pass in driver-specific configuration.
Types

type Authorizer

type Authorizer interface {
	Driver() string
	StopService(ctx context.Context) error
	CheckPermission(ctx context.Context, r *http.Request, object Object, entitlement Entitlement) error
}
Authorizer is the primary external API for this package.
type Entitlement

type Entitlement string

Entitlement is a type representation of a permission as it applies to a particular ObjectType.

const (
	// Entitlements that apply to all resources.
	EntitlementCanCreate Entitlement = "can_create"
	EntitlementCanDelete Entitlement = "can_delete"
	EntitlementCanEdit   Entitlement = "can_edit"
	EntitlementCanView   Entitlement = "can_view"
)
type FGA
type FGA struct {
// contains filtered or unexported fields
}
FGA represents an OpenFGA authorizer.
func (*FGA) CheckPermission
func (f *FGA) CheckPermission(ctx context.Context, r *http.Request, object Object, entitlement Entitlement) error
CheckPermission returns an error if the user does not have the given Entitlement on the given Object.
type Object
type Object string
Object is a string alias that represents an authorization object. These are formatted strings that uniquely identify an API resource, and can be constructed/deconstructed reliably. An Object is always of the form <ObjectType>:<identifier> where the identifier is a "/" delimited path containing elements that uniquely identify a resource. If the resource is defined at the project level, the first element of this path is always the project. Some example objects would be:
- `instance:default/c1`: Instance object in project "default" and name "c1".
- `storage_pool:local`: Storage pool object with name "local".
- `storage_volume:default/local/custom/vol1`: Storage volume object in project "default", storage pool "local", type "custom", and name "vol1".
func NewObject
func NewObject(objectType ObjectType, identifierElements ...string) (Object, error)
NewObject returns an Object of the given type. The passed-in arguments must be in the correct order (as found in the URL for the resource). This function returns an error if an invalid object type is given, or if the wrong number of identifier arguments is passed in.
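As an added illustration (not the package's own code), a standalone builder and parser for the <ObjectType>:<identifier> format described above. The per-type element counts are assumptions chosen to match the example objects listed; the delimiter check shows why a resource name containing "/" or ":" must be rejected before it is embedded in an Object.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ObjectType and Object mirror the auth package's string types (illustrative copy, not the package's code).
type ObjectType string
type Object string

// expectedElements is the assumed number of "/" delimited identifier elements per type
// (project-scoped types carry the project as their first element).
var expectedElements = map[ObjectType]int{
	"user": 1, "server": 1, "instance": 2, "storage_pool": 1, "storage_volume": 4,
}

var ErrUnknownObjectType = errors.New("unknown object type")

// BuildObject assembles <ObjectType>:<identifier>, rejecting unknown types, wrong element
// counts, and elements containing a delimiter (such a name could shift path elements and alias another object).
func BuildObject(objectType ObjectType, elements ...string) (Object, error) {
	want, ok := expectedElements[objectType]
	if !ok {
		return "", ErrUnknownObjectType
	}
	if len(elements) != want {
		return "", fmt.Errorf("%s: want %d identifier elements, got %d", objectType, want, len(elements))
	}
	for _, e := range elements {
		if e == "" || strings.ContainsAny(e, "/:") {
			return "", fmt.Errorf("invalid identifier element %q", e)
		}
	}
	return Object(string(objectType) + ":" + strings.Join(elements, "/")), nil
}

// ParseObject splits an Object back into type and elements, re-running the same validation
// so a malformed string is rejected rather than loosely matched.
func ParseObject(o Object) (ObjectType, []string, error) {
	typ, id, found := strings.Cut(string(o), ":")
	if !found {
		return "", nil, fmt.Errorf("malformed object %q", o)
	}
	elements := strings.Split(id, "/")
	if _, err := BuildObject(ObjectType(typ), elements...); err != nil {
		return "", nil, err
	}
	return ObjectType(typ), elements, nil
}
```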
type ObjectType

type ObjectType string

ObjectType is a type of resource within the migration manager.

const (
	// ObjectTypeUser represents a user.
	ObjectTypeUser ObjectType = "user"

	// ObjectTypeServer represents a server.
	ObjectTypeServer ObjectType = "server"
)
type Opts
type Opts struct {
// contains filtered or unexported fields
}
Opts is used as part of the LoadAuthorizer function so that only the relevant configuration fields are passed into a particular driver.
type PermissionChecker
PermissionChecker is a type alias for a function that returns whether a user has required permissions on an object. It is returned by Authorizer.GetPermissionChecker.
type RequestDetails
RequestDetails is a type representing an authorization request.
type TLS
type TLS struct {
// contains filtered or unexported fields
}
TLS represents a TLS authorizer.
func (*TLS) CheckPermission
func (t *TLS) CheckPermission(ctx context.Context, r *http.Request, object Object, entitlement Entitlement) error
CheckPermission returns an error if the user does not have the given Entitlement on the given Object.
func (*TLS) StopService
StopService is a no-op.