accessmanager

package
v0.0.1 (latest)

This package is not in the latest version of its module.

Published: Mar 9, 2026 License: MIT Imports: 32 Imported by: 0

README

The Access Manager Core

The access manager is implemented in layers, as shown in the following diagram.

(diagram: img.png, not reproduced here)

The AccessManager and PermissionLogic are in this package. The protobuf definitions, including the REST binding for the AccessManager, are defined by the AccessManager service in protobuf/proto/accessmanager.proto. (The generated AccessManager_ServiceDesc below records its source as internal/services/access-manager/accessmanager.proto, so the README path may be out of date.)

Documentation

Overview

Package accessmanager is a reverse proxy: it translates gRPC into RESTful JSON APIs. (This is the package comment emitted by grpc-gateway for the generated REST binding; the hand-written AccessManager and PermissionLogic code described in the README share the package.)

Index

Constants

const (
	AccessManager_Bootstrap_FullMethodName              = "/accessmanager.AccessManager/Bootstrap"
	AccessManager_GetPrincipalCredential_FullMethodName = "/accessmanager.AccessManager/GetPrincipalCredential"
	AccessManager_CreateObject_FullMethodName           = "/accessmanager.AccessManager/CreateObject"
	AccessManager_CreateDirectory_FullMethodName        = "/accessmanager.AccessManager/CreateDirectory"
	AccessManager_DeleteObject_FullMethodName           = "/accessmanager.AccessManager/DeleteObject"
	AccessManager_Annotate_FullMethodName               = "/accessmanager.AccessManager/Annotate"
	AccessManager_DeleteAnnotation_FullMethodName       = "/accessmanager.AccessManager/DeleteAnnotation"
	AccessManager_GetDetails_FullMethodName             = "/accessmanager.AccessManager/GetDetails"
	AccessManager_GetDatasetCredential_FullMethodName   = "/accessmanager.AccessManager/GetDatasetCredential"
	AccessManager_ValidateCredential_FullMethodName     = "/accessmanager.AccessManager/ValidateCredential"
	AccessManager_GetSigningKeys_FullMethodName         = "/accessmanager.AccessManager/GetSigningKeys"
)

Variables

var AccessManager_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "accessmanager.AccessManager",
	HandlerType: (*AccessManagerServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "Bootstrap",
			Handler:    _AccessManager_Bootstrap_Handler,
		},
		{
			MethodName: "GetPrincipalCredential",
			Handler:    _AccessManager_GetPrincipalCredential_Handler,
		},
		{
			MethodName: "CreateObject",
			Handler:    _AccessManager_CreateObject_Handler,
		},
		{
			MethodName: "CreateDirectory",
			Handler:    _AccessManager_CreateDirectory_Handler,
		},
		{
			MethodName: "DeleteObject",
			Handler:    _AccessManager_DeleteObject_Handler,
		},
		{
			MethodName: "Annotate",
			Handler:    _AccessManager_Annotate_Handler,
		},
		{
			MethodName: "DeleteAnnotation",
			Handler:    _AccessManager_DeleteAnnotation_Handler,
		},
		{
			MethodName: "GetDetails",
			Handler:    _AccessManager_GetDetails_Handler,
		},
		{
			MethodName: "GetDatasetCredential",
			Handler:    _AccessManager_GetDatasetCredential_Handler,
		},
		{
			MethodName: "ValidateCredential",
			Handler:    _AccessManager_ValidateCredential_Handler,
		},
		{
			MethodName: "GetSigningKeys",
			Handler:    _AccessManager_GetSigningKeys_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "internal/services/access-manager/accessmanager.proto",
}

AccessManager_ServiceDesc is the grpc.ServiceDesc for AccessManager service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy)

var File_internal_services_access_manager_accessmanager_proto protoreflect.FileDescriptor

var File_internal_services_access_manager_credentials_proto protoreflect.FileDescriptor

Functions

func RegisterAccessManagerHandler

func RegisterAccessManagerHandler(ctx context.Context, mux *runtime.ServeMux, conn *grpc.ClientConn) error

RegisterAccessManagerHandler registers the http handlers for service AccessManager to "mux". The handlers forward requests to the grpc endpoint over "conn".

func RegisterAccessManagerHandlerClient

func RegisterAccessManagerHandlerClient(ctx context.Context, mux *runtime.ServeMux, client AccessManagerClient) error

RegisterAccessManagerHandlerClient registers the http handlers for service AccessManager to "mux". The handlers forward requests to the grpc endpoint over the given implementation of "AccessManagerClient". Note: the gRPC framework executes interceptors within the gRPC handler. If the passed in "AccessManagerClient" doesn't go through the normal gRPC flow (creating a gRPC client etc.) then it will be up to the passed in "AccessManagerClient" to call the correct interceptors. This client ignores the HTTP middlewares.

func RegisterAccessManagerHandlerFromEndpoint

func RegisterAccessManagerHandlerFromEndpoint(ctx context.Context, mux *runtime.ServeMux, endpoint string, opts []grpc.DialOption) (err error)

RegisterAccessManagerHandlerFromEndpoint is same as RegisterAccessManagerHandler but automatically dials to "endpoint" and closes the connection when "ctx" gets done.

func RegisterAccessManagerHandlerServer

func RegisterAccessManagerHandlerServer(ctx context.Context, mux *runtime.ServeMux, server AccessManagerServer) error

RegisterAccessManagerHandlerServer registers the http handlers for service AccessManager to "mux". Unary RPCs call AccessManagerServer directly; streaming RPCs are currently unsupported pending https://github.com/grpc/grpc-go/issues/906. Note that using this registration option will cause many gRPC library features to stop working. Consider using RegisterAccessManagerHandlerFromEndpoint instead. gRPC interceptors will not run for this type of registration, so anything enforced in an interceptor (authentication, authorization, audit logging) is silently bypassed on the REST path; to get equivalent behaviour you must use the "runtime.WithMiddlewares" option in the "runtime.NewServeMux" call.

func RegisterAccessManagerServer

func RegisterAccessManagerServer(s grpc.ServiceRegistrar, srv AccessManagerServer)

Types

type AccessManagerClient

type AccessManagerClient interface {
	Bootstrap(ctx context.Context, in *BoostrapRequest, opts ...grpc.CallOption) (*BootstrapResponse, error)
	// Used by an identity plugin to generate a signed credential for a user or workload. The plugin
	// must have the right to VouchFor the user or workload
	GetPrincipalCredential(ctx context.Context, in *GetPrincipalCredentialRequest, opts ...grpc.CallOption) (*GetPrincipalCredentialResponse, error)
	// Creates an object with the specified name. This object can be data, user, workload, role
	// or key. Subsequent calls can decorate the object with any required annotations like applied
	// roles, permissions or special keys. This object will be marked as a leaf, not a directory.
	CreateObject(ctx context.Context, in *CreateObjectRequest, opts ...grpc.CallOption) (*CreateObjectResponse, error)
	// Creates a directory with the specified name.
	CreateDirectory(ctx context.Context, in *CreateDirectoryRequest, opts ...grpc.CallOption) (*CreateDirectoryResponse, error)
	// Deletes any object at a specified path. This entails the deletion
	// of all of the metadata at that path as well and thus is likely
	// to require quite a number of permissions (UseRole+View on any role in
	// ACEs, Admin+View on the object). Internally, this function dispatches
	// to the specialized delete operation for whatever kind of object is
	// being deleted.
	// If the path is not an object, but is rather a directory, this operation
	// will only proceed if that directory has no children unless the recursive
	// flag is set in the request.
	DeleteObject(ctx context.Context, in *DeleteObjectRequest, opts ...grpc.CallOption) (*DeleteObjectResponse, error)
	// add or update an annotation on an object. If the unique value on the annotation
	// matches an existing annotation, that annotation is replaced. If the unique value
	// is novel, the annotation is added.
	Annotate(ctx context.Context, in *AnnotateRequest, opts ...grpc.CallOption) (*AnnotateResponse, error)
	DeleteAnnotation(ctx context.Context, in *DeleteAnnotationRequest, opts ...grpc.CallOption) (*DeleteAnnotationResponse, error)
	// Details for a particular path are returned with all roles,
	// direct or inherited and all permissions, also direct or
	// inherited.  Note that roles in the details may be redacted if the
	// caller does not have sufficient permission to see them. An error
	// will be returned if the path does not exist or if the caller
	// does not have view permission for the requested path.
	GetDetails(ctx context.Context, in *GetDetailsRequest, opts ...grpc.CallOption) (*GetDetailsResponse, error)
	GetDatasetCredential(ctx context.Context, in *GetDatasetCredentialRequest, opts ...grpc.CallOption) (*GetDatasetCredentialResponse, error)
	// credential validation
	ValidateCredential(ctx context.Context, in *ValidateCredentialRequest, opts ...grpc.CallOption) (*ValidateCredentialResponse, error)
	// get the list of all live signing keys
	GetSigningKeys(ctx context.Context, in *GetSigningKeysRequest, opts ...grpc.CallOption) (*GetSigningKeysResponse, error)
}

AccessManagerClient is the client API for AccessManager service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

type AccessManagerServer

type AccessManagerServer interface {
	Bootstrap(context.Context, *BoostrapRequest) (*BootstrapResponse, error)
	// Used by an identity plugin to generate a signed credential for a user or workload. The plugin
	// must have the right to VouchFor the user or workload
	GetPrincipalCredential(context.Context, *GetPrincipalCredentialRequest) (*GetPrincipalCredentialResponse, error)
	// Creates an object with the specified name. This object can be data, user, workload, role
	// or key. Subsequent calls can decorate the object with any required annotations like applied
	// roles, permissions or special keys. This object will be marked as a leaf, not a directory.
	CreateObject(context.Context, *CreateObjectRequest) (*CreateObjectResponse, error)
	// Creates a directory with the specified name.
	CreateDirectory(context.Context, *CreateDirectoryRequest) (*CreateDirectoryResponse, error)
	// Deletes any object at a specified path. This entails the deletion
	// of all of the metadata at that path as well and thus is likely
	// to require quite a number of permissions (UseRole+View on any role in
	// ACEs, Admin+View on the object). Internally, this function dispatches
	// to the specialized delete operation for whatever kind of object is
	// being deleted.
	// If the path is not an object, but is rather a directory, this operation
	// will only proceed if that directory has no children unless the recursive
	// flag is set in the request.
	DeleteObject(context.Context, *DeleteObjectRequest) (*DeleteObjectResponse, error)
	// add or update an annotation on an object. If the unique value on the annotation
	// matches an existing annotation, that annotation is replaced. If the unique value
	// is novel, the annotation is added.
	Annotate(context.Context, *AnnotateRequest) (*AnnotateResponse, error)
	DeleteAnnotation(context.Context, *DeleteAnnotationRequest) (*DeleteAnnotationResponse, error)
	// Details for a particular path are returned with all roles,
	// direct or inherited and all permissions, also direct or
	// inherited.  Note that roles in the details may be redacted if the
	// caller does not have sufficient permission to see them. An error
	// will be returned if the path does not exist or if the caller
	// does not have view permission for the requested path.
	GetDetails(context.Context, *GetDetailsRequest) (*GetDetailsResponse, error)
	GetDatasetCredential(context.Context, *GetDatasetCredentialRequest) (*GetDatasetCredentialResponse, error)
	// credential validation
	ValidateCredential(context.Context, *ValidateCredentialRequest) (*ValidateCredentialResponse, error)
	// get the list of all live signing keys
	GetSigningKeys(context.Context, *GetSigningKeysRequest) (*GetSigningKeysResponse, error)
	// contains filtered or unexported methods
}

AccessManagerServer is the server API for AccessManager service. All implementations must embed UnimplementedAccessManagerServer for forward compatibility.
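The comments on the interface above describe the behaviour the object tree is supposed to have (leaf objects under directories, annotations replaced when their unique value matches, directories deleted only when empty or when the recursive flag is set). The following in-memory model is an added example, not code from this package, written to make those rules concrete. It assumes the annotation JSON carries the same tag and unique fields that DeleteAnnotationRequest uses, and that DeleteObjectRequest.Version is an optimistic-concurrency check; neither assumption is stated on the page. It does no permission checks, which the page assigns to PermissionLogic.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Annotation is the assumed JSON shape of AnnotateRequest.Annotation; the page only says
// "json form of the annotation", so tag and unique are borrowed from DeleteAnnotationRequest.
type Annotation struct {
	Tag    string `json:"tag"`
	Unique int64  `json:"unique"`
	Value  string `json:"value,omitempty"`
}

type node struct {
	isDir       bool
	version     int64
	annotations map[string]Annotation // keyed by tag and unique (assumption)
}

// Store is an in-memory stand-in for the object tree; it does no permission checks,
// which the page places in PermissionLogic rather than in this layer.
type Store struct{ nodes map[string]*node }

func newNode(isDir bool) *node {
	return &node{isDir: isDir, version: 1, annotations: map[string]Annotation{}}
}

func NewStore() *Store { return &Store{nodes: map[string]*node{"/": newNode(true)}} }

// clean normalises a path; GetDetailsRequest says the am:// prefix is optional.
func clean(p string) string { return "/" + strings.Trim(strings.TrimPrefix(p, "am://"), "/") }

func parent(p string) string {
	if i := strings.LastIndex(p, "/"); i > 0 {
		return p[:i]
	}
	return "/"
}

// create backs CreateDirectory and CreateObject: same tree, different node kind.
// Refusing a duplicate matters: overwriting would silently reset version and annotations.
func (s *Store) create(path string, isDir bool) (int64, error) {
	path = clean(path)
	if _, exists := s.nodes[path]; exists {
		return 0, fmt.Errorf("%s: already exists", path)
	}
	if par, ok := s.nodes[parent(path)]; !ok || !par.isDir {
		return 0, fmt.Errorf("%s: parent missing or not a directory", path)
	}
	s.nodes[path] = newNode(isDir)
	return 1, nil
}

func (s *Store) CreateDirectory(path string) (int64, error) { return s.create(path, true) }
func (s *Store) CreateObject(path string) (int64, error)    { return s.create(path, false) }

// Annotate adds the annotation or, when tag and unique match an existing one, replaces
// it, as the Annotate RPC comment describes; every change bumps the object version.
func (s *Store) Annotate(path, annotationJSON string) (int64, error) {
	n, ok := s.nodes[clean(path)]
	if !ok {
		return 0, fmt.Errorf("%s: no such object", path)
	}
	var a Annotation
	if err := json.Unmarshal([]byte(annotationJSON), &a); err != nil || a.Tag == "" {
		return 0, fmt.Errorf("%s: malformed annotation (%v)", path, err)
	}
	n.annotations[fmt.Sprintf("%s#%d", a.Tag, a.Unique)] = a
	n.version++
	return n.version, nil
}

// Children lists direct children, as GetDetails does when IncludeChildren is set.
func (s *Store) Children(path string) []string {
	path = clean(path)
	var out []string
	for p := range s.nodes {
		if p != "/" && parent(p) == path {
			out = append(out, p)
		}
	}
	return out
}

// DeleteObject follows the DeleteObject comment: a directory with children is removed
// only when recursive is set. Rejecting a stale DeleteObjectRequest.Version is an
// assumption about what that field is for (0 skips the check).
func (s *Store) DeleteObject(path string, version int64, recursive bool) error {
	path = clean(path)
	n, ok := s.nodes[path]
	if !ok || path == "/" {
		return fmt.Errorf("%s: cannot delete", path)
	}
	if version != 0 && version != n.version {
		return fmt.Errorf("%s: version %d is stale, current is %d", path, version, n.version)
	}
	if kids := s.Children(path); n.isDir && len(kids) > 0 && !recursive {
		return fmt.Errorf("%s: %d children and recursive not set", path, len(kids))
	}
	for p := range s.nodes { // deleting while ranging over a map is safe in Go
		if p == path || strings.HasPrefix(p, path+"/") {
			delete(s.nodes, p)
		}
	}
	return nil
}

func main() {
	s := NewStore()
	s.CreateDirectory("am://users")
	s.CreateObject("/users/alice")
	fmt.Println(s.DeleteObject("/users", 0, false)) // refused: directory has a child
	fmt.Println(s.DeleteObject("/users", 0, true), s.Children("/"))
}
```

The version bump on every annotation change is what gives the Version field in DeleteObjectRequest something to compare against: a client that read details, decided to delete, and then raced with another writer gets a stale-version error instead of deleting an object whose annotations it never saw.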

type AnnotateRequest

type AnnotateRequest struct {
	Path       string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
	Annotation string `protobuf:"bytes,2,opt,name=annotation,proto3" json:"annotation,omitempty"` // json form of the annotation itself
	CallerId   string `protobuf:"bytes,3,opt,name=caller_id,json=callerId,proto3" json:"caller_id,omitempty"`
	// contains filtered or unexported fields
}

func (*AnnotateRequest) Descriptor deprecated

func (*AnnotateRequest) Descriptor() ([]byte, []int)

Deprecated: Use AnnotateRequest.ProtoReflect.Descriptor instead.

func (*AnnotateRequest) GetAnnotation

func (x *AnnotateRequest) GetAnnotation() string

func (*AnnotateRequest) GetCallerId

func (x *AnnotateRequest) GetCallerId() string

func (*AnnotateRequest) GetPath

func (x *AnnotateRequest) GetPath() string

func (*AnnotateRequest) ProtoMessage

func (*AnnotateRequest) ProtoMessage()

func (*AnnotateRequest) ProtoReflect

func (x *AnnotateRequest) ProtoReflect() protoreflect.Message

func (*AnnotateRequest) Reset

func (x *AnnotateRequest) Reset()

func (*AnnotateRequest) String

func (x *AnnotateRequest) String() string

type AnnotateResponse

type AnnotateResponse struct {
	Error *Status `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
	// contains filtered or unexported fields
}

func (*AnnotateResponse) Descriptor deprecated

func (*AnnotateResponse) Descriptor() ([]byte, []int)

Deprecated: Use AnnotateResponse.ProtoReflect.Descriptor instead.

func (*AnnotateResponse) GetError

func (x *AnnotateResponse) GetError() *Status

func (*AnnotateResponse) ProtoMessage

func (*AnnotateResponse) ProtoMessage()

func (*AnnotateResponse) ProtoReflect

func (x *AnnotateResponse) ProtoReflect() protoreflect.Message

func (*AnnotateResponse) Reset

func (x *AnnotateResponse) Reset()

func (*AnnotateResponse) String

func (x *AnnotateResponse) String() string

type BoostrapRequest

type BoostrapRequest struct {
	Boot string `protobuf:"bytes,1,opt,name=boot,proto3" json:"boot,omitempty"` // the bootstrap image to load
	Key  string `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`   // the key to use to sign the bootstrap (if not empty)
	// contains filtered or unexported fields
}

func (*BoostrapRequest) Descriptor deprecated

func (*BoostrapRequest) Descriptor() ([]byte, []int)

Deprecated: Use BoostrapRequest.ProtoReflect.Descriptor instead.

func (*BoostrapRequest) GetBoot

func (x *BoostrapRequest) GetBoot() string

func (*BoostrapRequest) GetKey

func (x *BoostrapRequest) GetKey() string

func (*BoostrapRequest) ProtoMessage

func (*BoostrapRequest) ProtoMessage()

func (*BoostrapRequest) ProtoReflect

func (x *BoostrapRequest) ProtoReflect() protoreflect.Message

func (*BoostrapRequest) Reset

func (x *BoostrapRequest) Reset()

func (*BoostrapRequest) String

func (x *BoostrapRequest) String() string

type BootstrapResponse

type BootstrapResponse struct {
	Error *Status `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
	// contains filtered or unexported fields
}

func (*BootstrapResponse) Descriptor deprecated

func (*BootstrapResponse) Descriptor() ([]byte, []int)

Deprecated: Use BootstrapResponse.ProtoReflect.Descriptor instead.

func (*BootstrapResponse) GetError

func (x *BootstrapResponse) GetError() *Status

func (*BootstrapResponse) ProtoMessage

func (*BootstrapResponse) ProtoMessage()

func (*BootstrapResponse) ProtoReflect

func (x *BootstrapResponse) ProtoReflect() protoreflect.Message

func (*BootstrapResponse) Reset

func (x *BootstrapResponse) Reset()

func (*BootstrapResponse) String

func (x *BootstrapResponse) String() string

type ConcreteAccessManager

type ConcreteAccessManager struct {
	UnimplementedAccessManagerServer
	// contains filtered or unexported fields
}

The ConcreteAccessManager is the entry point for the overall Access Manager from either the public gRPC interface or the REST interface.

All that should happen here is to handle the incoming requests and forward them to the underlying PermissionLogic instance. Neither permission nor version checking should be done at this level; both belong in PermissionLogic, so that the gRPC and REST paths cannot diverge in what they enforce.

func NewAccessManager

func NewAccessManager(meta PermissionLogic, appMetrics *metrics.Metrics) *ConcreteAccessManager

func (*ConcreteAccessManager) Annotate

func (p *ConcreteAccessManager) Annotate(ctx context.Context, request *AnnotateRequest) (*AnnotateResponse, error)

func (*ConcreteAccessManager) Bootstrap

func (p *ConcreteAccessManager) Bootstrap(ctx context.Context, request *BoostrapRequest) (*BootstrapResponse, error)

func (*ConcreteAccessManager) CreateObject

func (p *ConcreteAccessManager) CreateObject(ctx context.Context, request *CreateObjectRequest) (*CreateObjectResponse, error)

func (*ConcreteAccessManager) DeleteAnnotation

func (p *ConcreteAccessManager) DeleteAnnotation(ctx context.Context, request *DeleteAnnotationRequest) (*DeleteAnnotationResponse, error)

func (*ConcreteAccessManager) DeleteObject

func (p *ConcreteAccessManager) DeleteObject(ctx context.Context, request *DeleteObjectRequest) (*DeleteObjectResponse, error)

func (*ConcreteAccessManager) GetDatasetCredential

func (p *ConcreteAccessManager) GetDatasetCredential(ctx context.Context, request *GetDatasetCredentialRequest) (*GetDatasetCredentialResponse, error)

func (*ConcreteAccessManager) GetDetails

func (p *ConcreteAccessManager) GetDetails(ctx context.Context, request *GetDetailsRequest) (*GetDetailsResponse, error)

func (*ConcreteAccessManager) GetPrincipalCredential

func (p *ConcreteAccessManager) GetPrincipalCredential(ctx context.Context, request *GetPrincipalCredentialRequest) (*GetPrincipalCredentialResponse, error)

func (*ConcreteAccessManager) GetSigningKeys

func (p *ConcreteAccessManager) GetSigningKeys(ctx context.Context, request *GetSigningKeysRequest) (*GetSigningKeysResponse, error)

func (*ConcreteAccessManager) ValidateCredential

func (p *ConcreteAccessManager) ValidateCredential(ctx context.Context, request *ValidateCredentialRequest) (*ValidateCredentialResponse, error)

type CreateDirectoryRequest

type CreateDirectoryRequest struct {
	Path     string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
	CallerId string `protobuf:"bytes,2,opt,name=caller_id,json=callerId,proto3" json:"caller_id,omitempty"`
	// contains filtered or unexported fields
}

func (*CreateDirectoryRequest) Descriptor deprecated

func (*CreateDirectoryRequest) Descriptor() ([]byte, []int)

Deprecated: Use CreateDirectoryRequest.ProtoReflect.Descriptor instead.

func (*CreateDirectoryRequest) GetCallerId

func (x *CreateDirectoryRequest) GetCallerId() string

func (*CreateDirectoryRequest) GetPath

func (x *CreateDirectoryRequest) GetPath() string

func (*CreateDirectoryRequest) ProtoMessage

func (*CreateDirectoryRequest) ProtoMessage()

func (*CreateDirectoryRequest) ProtoReflect

func (x *CreateDirectoryRequest) ProtoReflect() protoreflect.Message

func (*CreateDirectoryRequest) Reset

func (x *CreateDirectoryRequest) Reset()

func (*CreateDirectoryRequest) String

func (x *CreateDirectoryRequest) String() string

type CreateDirectoryResponse

type CreateDirectoryResponse struct {
	Version int64   `protobuf:"varint,1,opt,name=version,proto3" json:"version,omitempty"`
	Error   *Status `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"`
	// contains filtered or unexported fields
}

func (*CreateDirectoryResponse) Descriptor deprecated

func (*CreateDirectoryResponse) Descriptor() ([]byte, []int)

Deprecated: Use CreateDirectoryResponse.ProtoReflect.Descriptor instead.

func (*CreateDirectoryResponse) GetError

func (x *CreateDirectoryResponse) GetError() *Status

func (*CreateDirectoryResponse) GetVersion

func (x *CreateDirectoryResponse) GetVersion() int64

func (*CreateDirectoryResponse) ProtoMessage

func (*CreateDirectoryResponse) ProtoMessage()

func (*CreateDirectoryResponse) ProtoReflect

func (x *CreateDirectoryResponse) ProtoReflect() protoreflect.Message

func (*CreateDirectoryResponse) Reset

func (x *CreateDirectoryResponse) Reset()

func (*CreateDirectoryResponse) String

func (x *CreateDirectoryResponse) String() string

type CreateObjectRequest

type CreateObjectRequest struct {
	Path        string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
	AsDirectory bool   `protobuf:"varint,2,opt,name=asDirectory,proto3" json:"asDirectory,omitempty"`
	CallerId    string `protobuf:"bytes,3,opt,name=caller_id,json=callerId,proto3" json:"caller_id,omitempty"`
	// contains filtered or unexported fields
}

func (*CreateObjectRequest) Descriptor deprecated

func (*CreateObjectRequest) Descriptor() ([]byte, []int)

Deprecated: Use CreateObjectRequest.ProtoReflect.Descriptor instead.

func (*CreateObjectRequest) GetAsDirectory

func (x *CreateObjectRequest) GetAsDirectory() bool

func (*CreateObjectRequest) GetCallerId

func (x *CreateObjectRequest) GetCallerId() string

func (*CreateObjectRequest) GetPath

func (x *CreateObjectRequest) GetPath() string

func (*CreateObjectRequest) ProtoMessage

func (*CreateObjectRequest) ProtoMessage()

func (*CreateObjectRequest) ProtoReflect

func (x *CreateObjectRequest) ProtoReflect() protoreflect.Message

func (*CreateObjectRequest) Reset

func (x *CreateObjectRequest) Reset()

func (*CreateObjectRequest) String

func (x *CreateObjectRequest) String() string

type CreateObjectResponse

type CreateObjectResponse struct {
	Version int64   `protobuf:"varint,1,opt,name=version,proto3" json:"version,omitempty"`
	Error   *Status `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"`
	// contains filtered or unexported fields
}

func (*CreateObjectResponse) Descriptor deprecated

func (*CreateObjectResponse) Descriptor() ([]byte, []int)

Deprecated: Use CreateObjectResponse.ProtoReflect.Descriptor instead.

func (*CreateObjectResponse) GetError

func (x *CreateObjectResponse) GetError() *Status

func (*CreateObjectResponse) GetVersion

func (x *CreateObjectResponse) GetVersion() int64

func (*CreateObjectResponse) ProtoMessage

func (*CreateObjectResponse) ProtoMessage()

func (*CreateObjectResponse) ProtoReflect

func (x *CreateObjectResponse) ProtoReflect() protoreflect.Message

func (*CreateObjectResponse) Reset

func (x *CreateObjectResponse) Reset()

func (*CreateObjectResponse) String

func (x *CreateObjectResponse) String() string

type DataCredentialProvider

type DataCredentialProvider struct {
	Factory string `protobuf:"bytes,1,opt,name=factory,proto3" json:"factory,omitempty"` // URL of credential factory
	// contains filtered or unexported fields
}

func (*DataCredentialProvider) Descriptor deprecated

func (*DataCredentialProvider) Descriptor() ([]byte, []int)

Deprecated: Use DataCredentialProvider.ProtoReflect.Descriptor instead.

func (*DataCredentialProvider) GetFactory

func (x *DataCredentialProvider) GetFactory() string

func (*DataCredentialProvider) ProtoMessage

func (*DataCredentialProvider) ProtoMessage()

func (*DataCredentialProvider) ProtoReflect

func (x *DataCredentialProvider) ProtoReflect() protoreflect.Message

func (*DataCredentialProvider) Reset

func (x *DataCredentialProvider) Reset()

func (*DataCredentialProvider) String

func (x *DataCredentialProvider) String() string

type DataInfo

type DataInfo struct {
	DelegatedAttributes []string `protobuf:"bytes,1,rep,name=delegatedAttributes,proto3" json:"delegatedAttributes,omitempty"` // if non-empty, these are the attributes to pass through (delegate)
	// contains filtered or unexported fields
}

func (*DataInfo) Descriptor deprecated

func (*DataInfo) Descriptor() ([]byte, []int)

Deprecated: Use DataInfo.ProtoReflect.Descriptor instead.

func (*DataInfo) GetDelegatedAttributes

func (x *DataInfo) GetDelegatedAttributes() []string

func (*DataInfo) ProtoMessage

func (*DataInfo) ProtoMessage()

func (*DataInfo) ProtoReflect

func (x *DataInfo) ProtoReflect() protoreflect.Message

func (*DataInfo) Reset

func (x *DataInfo) Reset()

func (*DataInfo) String

func (x *DataInfo) String() string

type DeleteAnnotationRequest

type DeleteAnnotationRequest struct {
	Path     string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
	Tag      string `protobuf:"bytes,2,opt,name=tag,proto3" json:"tag,omitempty"`
	Unique   int64  `protobuf:"varint,3,opt,name=unique,proto3" json:"unique,omitempty"`
	CallerId string `protobuf:"bytes,4,opt,name=caller_id,json=callerId,proto3" json:"caller_id,omitempty"`
	// contains filtered or unexported fields
}

func (*DeleteAnnotationRequest) Descriptor deprecated

func (*DeleteAnnotationRequest) Descriptor() ([]byte, []int)

Deprecated: Use DeleteAnnotationRequest.ProtoReflect.Descriptor instead.

func (*DeleteAnnotationRequest) GetCallerId

func (x *DeleteAnnotationRequest) GetCallerId() string

func (*DeleteAnnotationRequest) GetPath

func (x *DeleteAnnotationRequest) GetPath() string

func (*DeleteAnnotationRequest) GetTag

func (x *DeleteAnnotationRequest) GetTag() string

func (*DeleteAnnotationRequest) GetUnique

func (x *DeleteAnnotationRequest) GetUnique() int64

func (*DeleteAnnotationRequest) ProtoMessage

func (*DeleteAnnotationRequest) ProtoMessage()

func (*DeleteAnnotationRequest) ProtoReflect

func (x *DeleteAnnotationRequest) ProtoReflect() protoreflect.Message

func (*DeleteAnnotationRequest) Reset

func (x *DeleteAnnotationRequest) Reset()

func (*DeleteAnnotationRequest) String

func (x *DeleteAnnotationRequest) String() string

type DeleteAnnotationResponse

type DeleteAnnotationResponse struct {
	Error *Status `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
	// contains filtered or unexported fields
}

func (*DeleteAnnotationResponse) Descriptor deprecated

func (*DeleteAnnotationResponse) Descriptor() ([]byte, []int)

Deprecated: Use DeleteAnnotationResponse.ProtoReflect.Descriptor instead.

func (*DeleteAnnotationResponse) GetError

func (x *DeleteAnnotationResponse) GetError() *Status

func (*DeleteAnnotationResponse) ProtoMessage

func (*DeleteAnnotationResponse) ProtoMessage()

func (*DeleteAnnotationResponse) ProtoReflect

func (x *DeleteAnnotationResponse) ProtoReflect() protoreflect.Message

func (*DeleteAnnotationResponse) Reset

func (x *DeleteAnnotationResponse) Reset()

func (*DeleteAnnotationResponse) String

func (x *DeleteAnnotationResponse) String() string

type DeleteObjectRequest

type DeleteObjectRequest struct {
	Path      string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
	Version   int64  `protobuf:"varint,2,opt,name=version,proto3" json:"version,omitempty"`
	Recursive bool   `protobuf:"varint,3,opt,name=recursive,proto3" json:"recursive,omitempty"`
	CallerId  string `protobuf:"bytes,4,opt,name=caller_id,json=callerId,proto3" json:"caller_id,omitempty"`
	// contains filtered or unexported fields
}

func (*DeleteObjectRequest) Descriptor deprecated

func (*DeleteObjectRequest) Descriptor() ([]byte, []int)

Deprecated: Use DeleteObjectRequest.ProtoReflect.Descriptor instead.

func (*DeleteObjectRequest) GetCallerId

func (x *DeleteObjectRequest) GetCallerId() string

func (*DeleteObjectRequest) GetPath

func (x *DeleteObjectRequest) GetPath() string

func (*DeleteObjectRequest) GetRecursive

func (x *DeleteObjectRequest) GetRecursive() bool

func (*DeleteObjectRequest) GetVersion

func (x *DeleteObjectRequest) GetVersion() int64

func (*DeleteObjectRequest) ProtoMessage

func (*DeleteObjectRequest) ProtoMessage()

func (*DeleteObjectRequest) ProtoReflect

func (x *DeleteObjectRequest) ProtoReflect() protoreflect.Message

func (*DeleteObjectRequest) Reset

func (x *DeleteObjectRequest) Reset()

func (*DeleteObjectRequest) String

func (x *DeleteObjectRequest) String() string

type DeleteObjectResponse

type DeleteObjectResponse struct {
	Error *Status `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
	// contains filtered or unexported fields
}

func (*DeleteObjectResponse) Descriptor deprecated

func (*DeleteObjectResponse) Descriptor() ([]byte, []int)

Deprecated: Use DeleteObjectResponse.ProtoReflect.Descriptor instead.

func (*DeleteObjectResponse) GetError

func (x *DeleteObjectResponse) GetError() *Status

func (*DeleteObjectResponse) ProtoMessage

func (*DeleteObjectResponse) ProtoMessage()

func (*DeleteObjectResponse) ProtoReflect

func (x *DeleteObjectResponse) ProtoReflect() protoreflect.Message

func (*DeleteObjectResponse) Reset

func (x *DeleteObjectResponse) Reset()

func (*DeleteObjectResponse) String

func (x *DeleteObjectResponse) String() string

type GetDatasetCredentialRequest

type GetDatasetCredentialRequest struct {
	Path       string               `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
	Operations []metadata.Operation `protobuf:"varint,2,rep,packed,name=operations,proto3,enum=metadata.Operation" json:"operations,omitempty"`
	CallerId   string               `protobuf:"bytes,3,opt,name=caller_id,json=callerId,proto3" json:"caller_id,omitempty"`
	// contains filtered or unexported fields
}

func (*GetDatasetCredentialRequest) Descriptor deprecated

func (*GetDatasetCredentialRequest) Descriptor() ([]byte, []int)

Deprecated: Use GetDatasetCredentialRequest.ProtoReflect.Descriptor instead.

func (*GetDatasetCredentialRequest) GetCallerId

func (x *GetDatasetCredentialRequest) GetCallerId() string

func (*GetDatasetCredentialRequest) GetOperations

func (x *GetDatasetCredentialRequest) GetOperations() []metadata.Operation

func (*GetDatasetCredentialRequest) GetPath

func (x *GetDatasetCredentialRequest) GetPath() string

func (*GetDatasetCredentialRequest) ProtoMessage

func (*GetDatasetCredentialRequest) ProtoMessage()

func (*GetDatasetCredentialRequest) ProtoReflect

func (x *GetDatasetCredentialRequest) ProtoReflect() protoreflect.Message

func (*GetDatasetCredentialRequest) Reset

func (x *GetDatasetCredentialRequest) Reset()

func (*GetDatasetCredentialRequest) String

func (x *GetDatasetCredentialRequest) String() string

type GetDatasetCredentialResponse

type GetDatasetCredentialResponse struct {
	Url        string  `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`               // a physical location for the credential in device specific format
	Info       string  `protobuf:"bytes,2,opt,name=info,proto3" json:"info,omitempty"`             // a human readable description of the credential
	Credential string  `protobuf:"bytes,3,opt,name=credential,proto3" json:"credential,omitempty"` // the signed credential itself, also device specific format
	Error      *Status `protobuf:"bytes,4,opt,name=error,proto3" json:"error,omitempty"`           // error status
	// contains filtered or unexported fields
}

func (*GetDatasetCredentialResponse) Descriptor deprecated

func (*GetDatasetCredentialResponse) Descriptor() ([]byte, []int)

Deprecated: Use GetDatasetCredentialResponse.ProtoReflect.Descriptor instead.

func (*GetDatasetCredentialResponse) GetCredential

func (x *GetDatasetCredentialResponse) GetCredential() string

func (*GetDatasetCredentialResponse) GetError

func (x *GetDatasetCredentialResponse) GetError() *Status

func (*GetDatasetCredentialResponse) GetInfo

func (x *GetDatasetCredentialResponse) GetInfo() string

func (*GetDatasetCredentialResponse) GetUrl

func (x *GetDatasetCredentialResponse) GetUrl() string

func (*GetDatasetCredentialResponse) ProtoMessage

func (*GetDatasetCredentialResponse) ProtoMessage()

func (*GetDatasetCredentialResponse) ProtoReflect

func (x *GetDatasetCredentialResponse) ProtoReflect() protoreflect.Message

func (*GetDatasetCredentialResponse) Reset

func (x *GetDatasetCredentialResponse) Reset()

func (*GetDatasetCredentialResponse) String

func (x *GetDatasetCredentialResponse) String() string

type GetDetailsRequest

type GetDetailsRequest struct {
	Path            string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`                                               // the path. May or may not include am:// prefix
	IncludeChildren bool   `protobuf:"varint,2,opt,name=include_children,json=includeChildren,proto3" json:"include_children,omitempty"` // if true, return details on the children as well
	CallerId        string `protobuf:"bytes,3,opt,name=caller_id,json=callerId,proto3" json:"caller_id,omitempty"`                       // who is asking?
	// contains filtered or unexported fields
}

func (*GetDetailsRequest) Descriptor deprecated

func (*GetDetailsRequest) Descriptor() ([]byte, []int)

Deprecated: Use GetDetailsRequest.ProtoReflect.Descriptor instead.

func (*GetDetailsRequest) GetCallerId

func (x *GetDetailsRequest) GetCallerId() string

func (*GetDetailsRequest) GetIncludeChildren

func (x *GetDetailsRequest) GetIncludeChildren() bool

func (*GetDetailsRequest) GetPath

func (x *GetDetailsRequest) GetPath() string

func (*GetDetailsRequest) ProtoMessage

func (*GetDetailsRequest) ProtoMessage()

func (*GetDetailsRequest) ProtoReflect

func (x *GetDetailsRequest) ProtoReflect() protoreflect.Message

func (*GetDetailsRequest) Reset

func (x *GetDetailsRequest) Reset()

func (*GetDetailsRequest) String

func (x *GetDetailsRequest) String() string

type GetDetailsResponse

type GetDetailsResponse struct {
	Details  *NodeDetails `protobuf:"bytes,1,opt,name=details,proto3" json:"details,omitempty"`
	Children []string     `protobuf:"bytes,2,rep,name=children,proto3" json:"children,omitempty"`
	Error    *Status      `protobuf:"bytes,3,opt,name=error,proto3" json:"error,omitempty"`
	// contains filtered or unexported fields
}

func (*GetDetailsResponse) Descriptor deprecated

func (*GetDetailsResponse) Descriptor() ([]byte, []int)

Deprecated: Use GetDetailsResponse.ProtoReflect.Descriptor instead.

func (*GetDetailsResponse) GetChildren

func (x *GetDetailsResponse) GetChildren() []string

func (*GetDetailsResponse) GetDetails

func (x *GetDetailsResponse) GetDetails() *NodeDetails

func (*GetDetailsResponse) GetError

func (x *GetDetailsResponse) GetError() *Status

func (*GetDetailsResponse) ProtoMessage

func (*GetDetailsResponse) ProtoMessage()

func (*GetDetailsResponse) ProtoReflect

func (x *GetDetailsResponse) ProtoReflect() protoreflect.Message

func (*GetDetailsResponse) Reset

func (x *GetDetailsResponse) Reset()

func (*GetDetailsResponse) String

func (x *GetDetailsResponse) String() string

type GetPrincipalCredentialRequest

type GetPrincipalCredentialRequest struct {
	Path     string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
	CallerId string `protobuf:"bytes,2,opt,name=caller_id,json=callerId,proto3" json:"caller_id,omitempty"`
	// contains filtered or unexported fields
}

func (*GetPrincipalCredentialRequest) Descriptor deprecated

func (*GetPrincipalCredentialRequest) Descriptor() ([]byte, []int)

Deprecated: Use GetPrincipalCredentialRequest.ProtoReflect.Descriptor instead.

func (*GetPrincipalCredentialRequest) GetCallerId

func (x *GetPrincipalCredentialRequest) GetCallerId() string

func (*GetPrincipalCredentialRequest) GetPath

func (x *GetPrincipalCredentialRequest) GetPath() string

func (*GetPrincipalCredentialRequest) ProtoMessage

func (*GetPrincipalCredentialRequest) ProtoMessage()

func (*GetPrincipalCredentialRequest) ProtoReflect

func (x *GetPrincipalCredentialRequest) ProtoReflect() protoreflect.Message

func (*GetPrincipalCredentialRequest) Reset

func (x *GetPrincipalCredentialRequest) Reset()

func (*GetPrincipalCredentialRequest) String

func (x *GetPrincipalCredentialRequest) String() string

type GetPrincipalCredentialResponse

type GetPrincipalCredentialResponse struct {
	Credential string  `protobuf:"bytes,1,opt,name=credential,proto3" json:"credential,omitempty"` // the signed credential
	Error      *Status `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"`
	// contains filtered or unexported fields
}

func (*GetPrincipalCredentialResponse) Descriptor deprecated

func (*GetPrincipalCredentialResponse) Descriptor() ([]byte, []int)

Deprecated: Use GetPrincipalCredentialResponse.ProtoReflect.Descriptor instead.

func (*GetPrincipalCredentialResponse) GetCredential

func (x *GetPrincipalCredentialResponse) GetCredential() string

func (*GetPrincipalCredentialResponse) GetError

func (x *GetPrincipalCredentialResponse) GetError() *Status

func (*GetPrincipalCredentialResponse) ProtoMessage

func (*GetPrincipalCredentialResponse) ProtoMessage()

func (*GetPrincipalCredentialResponse) ProtoReflect

func (x *GetPrincipalCredentialResponse) ProtoReflect() protoreflect.Message

func (*GetPrincipalCredentialResponse) Reset

func (x *GetPrincipalCredentialResponse) Reset()

func (*GetPrincipalCredentialResponse) String

func (x *GetPrincipalCredentialResponse) String() string

type GetSigningKeysRequest

type GetSigningKeysRequest struct {
	CallerId string `protobuf:"bytes,1,opt,name=caller_id,json=callerId,proto3" json:"caller_id,omitempty"` // who is asking?
	// contains filtered or unexported fields
}

func (*GetSigningKeysRequest) Descriptor deprecated

func (*GetSigningKeysRequest) Descriptor() ([]byte, []int)

Deprecated: Use GetSigningKeysRequest.ProtoReflect.Descriptor instead.

func (*GetSigningKeysRequest) GetCallerId

func (x *GetSigningKeysRequest) GetCallerId() string

func (*GetSigningKeysRequest) ProtoMessage

func (*GetSigningKeysRequest) ProtoMessage()

func (*GetSigningKeysRequest) ProtoReflect

func (x *GetSigningKeysRequest) ProtoReflect() protoreflect.Message

func (*GetSigningKeysRequest) Reset

func (x *GetSigningKeysRequest) Reset()

func (*GetSigningKeysRequest) String

func (x *GetSigningKeysRequest) String() string

type GetSigningKeysResponse

type GetSigningKeysResponse struct {
	Keys map[int64]string `` // the signing keys indexed by expiration time
	/* 136-byte string literal not displayed */
	Error *Status `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"` // error status
	// contains filtered or unexported fields
}

func (*GetSigningKeysResponse) Descriptor deprecated

func (*GetSigningKeysResponse) Descriptor() ([]byte, []int)

Deprecated: Use GetSigningKeysResponse.ProtoReflect.Descriptor instead.

func (*GetSigningKeysResponse) GetError

func (x *GetSigningKeysResponse) GetError() *Status

func (*GetSigningKeysResponse) GetKeys

func (x *GetSigningKeysResponse) GetKeys() map[int64]string

func (*GetSigningKeysResponse) ProtoMessage

func (*GetSigningKeysResponse) ProtoMessage()

func (*GetSigningKeysResponse) ProtoReflect

func (x *GetSigningKeysResponse) ProtoReflect() protoreflect.Message

func (*GetSigningKeysResponse) Reset

func (x *GetSigningKeysResponse) Reset()

func (*GetSigningKeysResponse) String

func (x *GetSigningKeysResponse) String() string

type NodeDetails

type NodeDetails struct {
	Path           string                     `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
	Roles          []*metadata.AppliedRole    `protobuf:"bytes,2,rep,name=roles,proto3" json:"roles,omitempty"`
	InheritedRoles []*metadata.AppliedRole    `protobuf:"bytes,4,rep,name=inheritedRoles,proto3" json:"inheritedRoles,omitempty"`
	Aces           []*metadata.ACE            `protobuf:"bytes,5,rep,name=aces,proto3" json:"aces,omitempty"`
	InheritedAces  []*metadata.ACE            `protobuf:"bytes,6,rep,name=inheritedAces,proto3" json:"inheritedAces,omitempty"`
	Annotations    []*metadata.UserAnnotation `protobuf:"bytes,7,rep,name=annotations,proto3" json:"annotations,omitempty"`
	IsDirectory    bool                       `protobuf:"varint,8,opt,name=isDirectory,proto3" json:"isDirectory,omitempty"`
	// contains filtered or unexported fields
}

func (*NodeDetails) Descriptor deprecated

func (*NodeDetails) Descriptor() ([]byte, []int)

Deprecated: Use NodeDetails.ProtoReflect.Descriptor instead.

func (*NodeDetails) GetAces

func (x *NodeDetails) GetAces() []*metadata.ACE

func (*NodeDetails) GetAnnotations

func (x *NodeDetails) GetAnnotations() []*metadata.UserAnnotation

func (*NodeDetails) GetInheritedAces

func (x *NodeDetails) GetInheritedAces() []*metadata.ACE

func (*NodeDetails) GetInheritedRoles

func (x *NodeDetails) GetInheritedRoles() []*metadata.AppliedRole

func (*NodeDetails) GetIsDirectory

func (x *NodeDetails) GetIsDirectory() bool

func (*NodeDetails) GetPath

func (x *NodeDetails) GetPath() string

func (*NodeDetails) GetRoles

func (x *NodeDetails) GetRoles() []*metadata.AppliedRole

func (*NodeDetails) ProtoMessage

func (*NodeDetails) ProtoMessage()

func (*NodeDetails) ProtoReflect

func (x *NodeDetails) ProtoReflect() protoreflect.Message

func (*NodeDetails) Reset

func (x *NodeDetails) Reset()

func (*NodeDetails) String

func (x *NodeDetails) String() string

type OperationLog

type OperationLog struct {
	// contains filtered or unexported fields
}

type PermissionLogic

type PermissionLogic interface {
	// GetPrincipalCredential validates that the caller is allowed to vouch for a
	// user or workload and, if so, generates and returns a credential that the
	// user or workload can use to subsequently validate its identity. The
	// caller is typically an identity plugin acting on behalf of a user or workload.
	GetPrincipalCredential(ctx context.Context, principal string, callerId string) (string, error)

	// CreateObject establishes a node in the metadata tree that must be a directory
	// or a leaf. A directory can be the parent of other directories or leaves. A
	// leaf is something like a user, role or dataset and cannot contain other nodes.
	// CreateObject should always be called with a "leaf" or "dir" annotation; an
	// error will be returned otherwise.
	CreateObject(ctx context.Context, path string, callerId string, annotations ...*metadata.Annotation) error

	Annotate(ctx context.Context, path string, annotation *metadata.Annotation, callerId string) error
	GetAnnotations(ctx context.Context, path string, callerID string, filters ...metadata.KeyOption) ([]*metadata.Annotation, error)

	// DeleteObject deletes the specified object which can be a principal, role, user or workload.
	// Note that this will force the deletion of all metadata attached to the object as well.
	// If the object is a directory, then it must be empty or else the recursive flag must be
	// used to force the deletion of all children.
	DeleteObject(ctx context.Context, uri string, recursive bool, callerID string) error

	DeleteAnnotation(ctx context.Context, path string, tag string, unique int64, callerID string) error

	// GetDatasetCredential returns a delegation token or a credential suitable for the datastore
	GetDatasetCredential(ctx context.Context, path string, ops []metadata.Operation, callerID string) (string, string, error)

	// GetACEs returns a list of access control expressions for a URI. The version of the
	// metadata is also returned to allow safe update. The version should be used when
	// calling UpdateAces. This function will return an error if the id is invalid. An
	// error will also be returned if the caller does not have permission for the visible
	// operation.
	GetACEs(ctx context.Context, uri string, callerID string) ([]*metadata.Annotation, error)

	// UpdateACE sets the ACE for a path. ACEs have a globally unique identifier that can
	// be used to determine if the ACEs being passed in to this call refer to ACEs already
	// on the path or not. ACEs that do not already exist on the path but which are given
	// in the argument to UpdateACEs will be added. Those ACEs that already exist on the
	// path, but which are not mentioned in the argument here will be deleted. Those ACEs
	// that exist on the path and which are passed in here will be updated. An error will
	// be returned if the caller id does not exist as a principal. An error will be returned
	// if the version does not match the current version associated with the URI being
	// modified. An error will be returned if the caller does not have permission for the
	// admin operation on the specified object. An error will be returned if caller does
	// not have `UseRole` permission on any roles in ACEs that are deleted, updated or added.
	// An error may be returned if the ACEs refer to any operations that are not
	// applicable to the path.
	UpdateACE(ctx context.Context, uri string, perm *metadata.Annotation, callerID string) (int64, error)

	// GetRoles returns a list of roles for any path starting with `am://user` or
	// `am://workload`. The roles are returned as Annotation structures including a
	// version number to allow safe update of individual applied roles. This function
	// will return an error if the URI is invalid. An error will also be returned if
	// the requester does not have permission for the `View` operation on the path
	// and all prefixes. The roles returned are for the exact path given and do not
	// include any roles inherited from prefixes of the path.
	GetRoles(ctx context.Context, uri string, callerID string) ([]*metadata.Annotation, error)

	// GetAllRoles returns a list of all the children and grandchildren of roles for
	// any path starting with `am://role`. This function will return an error
	// if the path is invalid. An error will also be returned if the requester does
	// not have permission for the `View` operation on the path and all prefixes.
	GetAllRoles(ctx context.Context, path, callerID string) ([]string, error)

	GetDetails(ctx context.Context, path string, includeChildren bool, cred string) (*NodeDetails, []string, error)

	// GetInheritedRoles returns a list of all inherited or direct roles for any path starting
	// with `am://user` or `am://workload`. No version is returned because the roles
	// returned don't come from any single structure that could be updated. This function
	// will return an error if the URI is invalid. An error will also be returned if
	// the requester does not have permission for the `View` operation on the path
	// and all prefixes. The roles returned are for the exact path given and do not include
	// any roles inherited from prefixes of the path.
	GetInheritedRoles(ctx context.Context, uri string, callerID string) ([]*metadata.Annotation, error)

	// UpdateAppliedRole adds roles to or removes roles from a principal. An error will be returned
	// if the caller id does not exist as a principal. An error will be returned if the version
	// does not match the current version of the URI. An error will be returned if the caller
	// does not have permission for the `Admin` and `View` operations on the path or if the caller
	// does not have permission for the Apply operation on any roles being added or removed.
	UpdateAppliedRole(ctx context.Context, appliedRole *metadata.Annotation, uri, callerID string) (int64, error)

	// ValidateRoles determines if the list of given roles are valid and exist in the store
	ValidateRoles(ctx context.Context, roles []string) error

	// Exists returns true if a path refers to a directory or a leaf node
	Exists(ctx context.Context, path string, callerId string) (bool, error)

	// IsFolder returns true if a path exists and refers to a directory (i.e. not a Principal, Role or Data)
	IsFolder(ctx context.Context, uri string, callerID string) (bool, error)

	// GetChildren returns a list of the children of a path that are visible to the caller.
	GetChildren(ctx context.Context, path string, callerID string) ([]string, error)

	// Bootstrap loads the metadata store with a bootstrap file. The bootstrap file must be one of
	// a small number of predefined files. The key (if present) is injected as the ssh public key
	// for the operator user.
	Bootstrap(bootstrap string, key string) error

	// GetSigningKeys returns a list of public keys. Any unexpired credential
	// will have been signed by the private key corresponding to one of these.
	GetSigningKeys(ctx context.Context, id string) (map[int64]string, error)

	// ValidateCredential verifies that a credential has been properly signed and has not
	// expired.
	ValidateCredential(ctx context.Context, credential string, callerId string) (string, error)
}

PermissionLogic implements the core intelligence of the Access Manager including checking permissions, but does not handle any version checking. Data is stored in an underlying metadata store which does version checking and persistence of metadata.
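The reconciliation that the UpdateACE comment above describes (add ids not yet on the path, delete ids absent from the call, update the rest, only after the Admin, version and UseRole checks pass), as an added Go example that is not the project's code: the Store, the ACE shape, the path `am://data/reports` and the callers are assumed, and the real metadata store's version checking is only mimicked in memory.

```go
package main

import (
	"errors"
	"fmt"
)

// ACE is a simplified access control entry (assumed shape, not the project's metadata.ACE).
type ACE struct {
	ID   string // globally unique identifier
	Role string // role granted on the path
}

// Store is a toy in-memory stand-in for metadata.MetaStore (assumed, not the project's own).
type Store struct {
	Versions map[string]int64           // path -> version used for optimistic update checks
	ACEs     map[string]map[string]ACE  // path -> ACE id -> ACE
	Admins   map[string]map[string]bool // path -> callers holding Admin on it
	UseRole  map[string]map[string]bool // caller -> roles the caller may use
}

var ErrVersionMismatch = errors.New("version does not match the current version of the path")
var ErrNoAdmin = errors.New("caller lacks Admin permission on the path")
var ErrUseRole = errors.New("caller lacks UseRole permission")

// UpdateACEs reconciles the ACEs on path with the given set as documented for
// PermissionLogic.UpdateACE: ids not on the path are added, ids absent from the
// call are deleted, ids on both sides are updated. All checks precede mutation.
func (s *Store) UpdateACEs(path string, version int64, aces []ACE, callerID string) (int64, error) {
	current, ok := s.ACEs[path]
	if !ok {
		return 0, fmt.Errorf("unknown path %q", path)
	}
	if !s.Admins[path][callerID] {
		return 0, ErrNoAdmin
	}
	if s.Versions[path] != version {
		return 0, ErrVersionMismatch
	}
	desired := make(map[string]ACE, len(aces))
	var touched []string // roles of every ACE added, updated or deleted
	for _, a := range aces {
		desired[a.ID] = a
		touched = append(touched, a.Role)
	}
	for id, old := range current {
		if nw, keep := desired[id]; !keep || nw.Role != old.Role {
			touched = append(touched, old.Role) // deleted, or its role swapped by an update
		}
	}
	for _, r := range touched {
		if !s.UseRole[callerID][r] {
			return 0, fmt.Errorf("%w: %s", ErrUseRole, r)
		}
	}
	s.ACEs[path] = desired
	s.Versions[path]++
	return s.Versions[path], nil
}

// NewSampleStore returns constructed sample data: one path at version 3 carrying two ACEs.
func NewSampleStore() *Store {
	return &Store{
		Versions: map[string]int64{"am://data/reports": 3},
		ACEs: map[string]map[string]ACE{"am://data/reports": {
			"ace-1": {ID: "ace-1", Role: "am://role/reader"},
			"ace-2": {ID: "ace-2", Role: "am://role/writer"},
		}},
		Admins: map[string]map[string]bool{"am://data/reports": {"alice": true}},
		UseRole: map[string]map[string]bool{
			"alice": {"am://role/reader": true, "am://role/writer": true, "am://role/auditor": true},
		},
	}
}
```

A rejected call (wrong version, missing Admin, or a role the caller may not use) returns before any write, which is the property a caller relying on the returned version for the next update needs.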

func NewPermissionLogic

func NewPermissionLogic(pc metadata.MetaStore) PermissionLogic

type PermissionLogicManager

type PermissionLogicManager struct {
	// contains filtered or unexported fields
}

func (*PermissionLogicManager) Annotate

func (plm *PermissionLogicManager) Annotate(ctx context.Context, path string, annotation *metadata.Annotation, cred string) error

func (*PermissionLogicManager) Bootstrap

func (plm *PermissionLogicManager) Bootstrap(bootstrap string, key string) error

func (*PermissionLogicManager) CreateObject

func (plm *PermissionLogicManager) CreateObject(ctx context.Context, path string, cred string, annotations ...*metadata.Annotation) error

func (*PermissionLogicManager) DeleteAnnotation

func (plm *PermissionLogicManager) DeleteAnnotation(ctx context.Context, path string, tag string, unique int64, cred string) error

func (*PermissionLogicManager) DeleteObject

func (plm *PermissionLogicManager) DeleteObject(
	ctx context.Context,
	path string,
	recursive bool,
	cred string,
) error

func (*PermissionLogicManager) Exists

func (plm *PermissionLogicManager) Exists(ctx context.Context, path string, cred string) (bool, error)

func (*PermissionLogicManager) GetACEs

func (plm *PermissionLogicManager) GetACEs(ctx context.Context, path string, cred string) ([]*metadata.Annotation, error)

func (*PermissionLogicManager) GetAllRoles

func (plm *PermissionLogicManager) GetAllRoles(ctx context.Context, path, cred string) ([]string, error)

func (*PermissionLogicManager) GetAnnotations

func (plm *PermissionLogicManager) GetAnnotations(
	ctx context.Context,
	path string,
	cred string,
	filters ...metadata.KeyOption,
) ([]*metadata.Annotation, error)

func (*PermissionLogicManager) GetChildren

func (plm *PermissionLogicManager) GetChildren(ctx context.Context, path, cred string) ([]string, error)

func (*PermissionLogicManager) GetDatasetCredential

func (plm *PermissionLogicManager) GetDatasetCredential(
	ctx context.Context,
	path string,
	ops []metadata.Operation,
	cred string,
) (string, string, error)

func (*PermissionLogicManager) GetDetails

func (plm *PermissionLogicManager) GetDetails(ctx context.Context, path string, includeChildren bool, cred string) (*NodeDetails, []string, error)

func (*PermissionLogicManager) GetInheritedRoles

func (plm *PermissionLogicManager) GetInheritedRoles(
	ctx context.Context,
	path, cred string,
) ([]*metadata.Annotation, error)

func (*PermissionLogicManager) GetPrincipalCredential

func (plm *PermissionLogicManager) GetPrincipalCredential(ctx context.Context, principal, cred string) (string, error)

GetPrincipalCredential returns a credential for the specified principal based on the authority of the user or workload in the specified credential `cred`. The caller must have `View` and `VouchFor` permission on `principal`, else an error will be returned. This is the mechanism that identity plugins use to get credentials for users or workloads.

func (*PermissionLogicManager) GetRoles

func (plm *PermissionLogicManager) GetRoles(ctx context.Context, path, cred string) ([]*metadata.Annotation, error)

func (*PermissionLogicManager) GetSigningKeys

func (plm *PermissionLogicManager) GetSigningKeys(ctx context.Context, _ string) (map[int64]string, error)

func (*PermissionLogicManager) IsFolder

func (plm *PermissionLogicManager) IsFolder(ctx context.Context, path, cred string) (bool, error)

func (*PermissionLogicManager) UpdateACE

func (plm *PermissionLogicManager) UpdateACE(ctx context.Context, path string, perm *metadata.Annotation, cred string) (int64, error)

func (*PermissionLogicManager) UpdateAppliedRole

func (plm *PermissionLogicManager) UpdateAppliedRole(
	ctx context.Context,
	appliedRole *metadata.Annotation,
	path, cred string,
) (int64, error)

UpdateAppliedRole creates or updates an existing applied role. Updating really just means to change the end time.

func (*PermissionLogicManager) ValidateCredential

func (plm *PermissionLogicManager) ValidateCredential(_ context.Context, credential string, _ string) (string, error)

func (*PermissionLogicManager) ValidateRoles

func (plm *PermissionLogicManager) ValidateRoles(ctx context.Context, roles []string) error

ValidateRoles checks to see if all of the elements of a slice are well-formed roles that exist in the metadata store.

type Status

type Status struct {
	Error   int32  `protobuf:"varint,3,opt,name=error,proto3" json:"error,omitempty"`    // non-zero implies error
	Message string `protobuf:"bytes,4,opt,name=message,proto3" json:"message,omitempty"` // provides some detail about error
	Global  uint64 `protobuf:"varint,5,opt,name=global,proto3" json:"global,omitempty"`  // global transaction number
	// contains filtered or unexported fields
}

func (*Status) Descriptor deprecated

func (*Status) Descriptor() ([]byte, []int)

Deprecated: Use Status.ProtoReflect.Descriptor instead.

func (*Status) GetError

func (x *Status) GetError() int32

func (*Status) GetGlobal

func (x *Status) GetGlobal() uint64

func (*Status) GetMessage

func (x *Status) GetMessage() string

func (*Status) ProtoMessage

func (*Status) ProtoMessage()

func (*Status) ProtoReflect

func (x *Status) ProtoReflect() protoreflect.Message

func (*Status) Reset

func (x *Status) Reset()

func (*Status) String

func (x *Status) String() string

type UnimplementedAccessManagerServer

type UnimplementedAccessManagerServer struct{}

UnimplementedAccessManagerServer must be embedded to have forward compatible implementations.

NOTE: this should be embedded by value instead of pointer to avoid a nil pointer dereference when methods are called.

func (UnimplementedAccessManagerServer) Annotate

func (UnimplementedAccessManagerServer) Bootstrap

func (UnimplementedAccessManagerServer) CreateDirectory

func (UnimplementedAccessManagerServer) CreateObject

func (UnimplementedAccessManagerServer) DeleteAnnotation

func (UnimplementedAccessManagerServer) DeleteObject

func (UnimplementedAccessManagerServer) GetDetails

func (UnimplementedAccessManagerServer) GetSigningKeys

func (UnimplementedAccessManagerServer) ValidateCredential

type UnsafeAccessManagerServer

type UnsafeAccessManagerServer interface {
	// contains filtered or unexported methods
}

UnsafeAccessManagerServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to AccessManagerServer will result in compilation errors.

type ValidateCredentialRequest

type ValidateCredentialRequest struct {
	Credential string `protobuf:"bytes,1,opt,name=credential,proto3" json:"credential,omitempty"`             // the credential to validate
	CallerId   string `protobuf:"bytes,2,opt,name=caller_id,json=callerId,proto3" json:"caller_id,omitempty"` // who is asking?
	// contains filtered or unexported fields
}

func (*ValidateCredentialRequest) Descriptor deprecated

func (*ValidateCredentialRequest) Descriptor() ([]byte, []int)

Deprecated: Use ValidateCredentialRequest.ProtoReflect.Descriptor instead.

func (*ValidateCredentialRequest) GetCallerId

func (x *ValidateCredentialRequest) GetCallerId() string

func (*ValidateCredentialRequest) GetCredential

func (x *ValidateCredentialRequest) GetCredential() string

func (*ValidateCredentialRequest) ProtoMessage

func (*ValidateCredentialRequest) ProtoMessage()

func (*ValidateCredentialRequest) ProtoReflect

func (x *ValidateCredentialRequest) ProtoReflect() protoreflect.Message

func (*ValidateCredentialRequest) Reset

func (x *ValidateCredentialRequest) Reset()

func (*ValidateCredentialRequest) String

func (x *ValidateCredentialRequest) String() string

type ValidateCredentialResponse

type ValidateCredentialResponse struct {
	Valid bool    `protobuf:"varint,1,opt,name=valid,proto3" json:"valid,omitempty"` // true if the credential is valid
	Info  string  `protobuf:"bytes,2,opt,name=info,proto3" json:"info,omitempty"`    // human readable description of the credential
	Error *Status `protobuf:"bytes,3,opt,name=error,proto3" json:"error,omitempty"`  // error status
	// contains filtered or unexported fields
}

func (*ValidateCredentialResponse) Descriptor deprecated

func (*ValidateCredentialResponse) Descriptor() ([]byte, []int)

Deprecated: Use ValidateCredentialResponse.ProtoReflect.Descriptor instead.

func (*ValidateCredentialResponse) GetError

func (x *ValidateCredentialResponse) GetError() *Status

func (*ValidateCredentialResponse) GetInfo

func (x *ValidateCredentialResponse) GetInfo() string

func (*ValidateCredentialResponse) GetValid

func (x *ValidateCredentialResponse) GetValid() bool

func (*ValidateCredentialResponse) ProtoMessage

func (*ValidateCredentialResponse) ProtoMessage()

func (*ValidateCredentialResponse) ProtoReflect

func (x *ValidateCredentialResponse) ProtoReflect() protoreflect.Message

func (*ValidateCredentialResponse) Reset

func (x *ValidateCredentialResponse) Reset()

func (*ValidateCredentialResponse) String

func (x *ValidateCredentialResponse) String() string
