Affected by GO-2024-3325 and 2 other vulnerabilities

GO-2024-3325: kcp's impersonation allows access to global administrative groups in github.com/kcp-dev/kcp

GO-2025-3538: kcp allows unauthorized creation and deletion of objects in arbitrary workspaces through APIExport Virtual Workspace in github.com/kcp-dev/kcp

GO-2025-3985: kcp is missing update validation allows arbitrary LogicalCluster status patches through initializingworkspaces Virtual Workspace in github.com/kcp-dev/kcp

authorization

package

v0.4.0-alpha.0 Latest Latest Go to latest Published: May 3, 2022 License: Apache-2.0 Imports: 20 Imported by: 1

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/kcp-dev/kcp

Links

Open Source Insights

Documentation ¶

Index ¶

func NewBootstrapPolicyAuthorizer(informers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
func NewLocalAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)
func NewTopLevelOrganizationAccessAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory, ...) authorizer.Authorizer
func NewWorkspaceContentAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory, ...) authorizer.Authorizer
type LocalAuthorizer
- func (a *LocalAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)
- func (a *LocalAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func NewBootstrapPolicyAuthorizer ¶

func NewBootstrapPolicyAuthorizer(informers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)

func NewLocalAuthorizer ¶

func NewLocalAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver)

func NewTopLevelOrganizationAccessAuthorizer ¶ added in v0.6.0

func NewTopLevelOrganizationAccessAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory, clusterWorkspaceLister tenancyv1.ClusterWorkspaceLister, delegate authorizer.Authorizer) authorizer.Authorizer

NewTopLevelOrganizationAccessAuthorizer returns an authorizer that checks for access+member verb in clusterworkspaces/content of the top-level workspace the request workspace is nested in. If one of these verbs are admitted, the delegate authorizer is called. Otherwise, NoOpionion is returned if the top-level workspace exists, and Deny otherwise.

func NewWorkspaceContentAuthorizer ¶

func NewWorkspaceContentAuthorizer(versionedInformers clientgoinformers.SharedInformerFactory, clusterWorkspaceLister tenancyv1.ClusterWorkspaceLister, delegate authorizer.Authorizer) authorizer.Authorizer

Types ¶

type LocalAuthorizer ¶

type LocalAuthorizer struct {
	// contains filtered or unexported fields
}

func (*LocalAuthorizer) Authorize ¶

func (a *LocalAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)

func (*LocalAuthorizer) RulesFor ¶

func (a *LocalAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
bootstrap
delegated

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL