authorization

package
v0.10.0 (this package is not in the latest version of its module)
Published: Dec 13, 2022 License: Apache-2.0 Imports: 30 Imported by: 1

Documentation

Constants

const (
	DecisionNoOpinion = "NoOpinion"
	DecisionAllowed   = "Allowed"
	DecisionDenied    = "Denied"
)
const (
	WorkspaceAccessNotPermittedReason = "workspace access not permitted"
)

Variables

This section is empty.

Functions

func DelegateAuthorization added in v0.10.0

func DelegateAuthorization(delegationReason string, delegate authorizer.Authorizer) authorizer.Authorizer

DelegateAuthorization delegates authorization to the given delegate authorizer and prefixes the given reason with the reason after the given delegate authorizer executed.

func IsDeepSubjectAccessReviewFrom added in v0.8.0

func IsDeepSubjectAccessReviewFrom(ctx context.Context, attr authorizer.Attributes) bool

IsDeepSubjectAccessReviewFrom returns whether this is a deep SAR request. If true, top-level workspace and workspace content authorization checks have to be skipped.

func NewMaximalPermissionPolicyAuthorizer added in v0.10.0

func NewMaximalPermissionPolicyAuthorizer(kubeInformers kcpkubernetesinformers.SharedInformerFactory, kcpInformers kcpinformers.SharedInformerFactory, delegate authorizer.Authorizer) authorizer.Authorizer

NewMaximalPermissionPolicyAuthorizer returns an authorizer that first checks if the request is for a bound resource or not. If the resource is bound it checks the maximal permission policy of the underlying API export.

func NewSystemCRDAuthorizer added in v0.6.0

func NewSystemCRDAuthorizer(delegate authorizer.Authorizer) authorizer.Authorizer

func NewTopLevelOrganizationAccessAuthorizer added in v0.6.0

func NewTopLevelOrganizationAccessAuthorizer(versionedInformers kcpkubernetesinformers.SharedInformerFactory, clusterWorkspaceLister tenancyv1alpha1listers.ClusterWorkspaceClusterLister, delegate authorizer.Authorizer) authorizer.Authorizer

NewTopLevelOrganizationAccessAuthorizer returns an authorizer that checks for the access or member verb on clusterworkspaces/content of the top-level workspace the request's workspace is nested in. If one of these verbs is admitted, the delegate authorizer is called. Otherwise, NoOpinion is returned if the top-level workspace exists, and Deny if it does not.

func WithDeepSARConfig added in v0.8.0

func WithDeepSARConfig(config *rest.Config) *rest.Config

WithDeepSARConfig modifies and returns the input rest.Config, adding the header that makes SARs deep.

func WithDeepSubjectAccessReview added in v0.8.0

func WithDeepSubjectAccessReview(handler http.Handler) http.Handler

WithDeepSubjectAccessReview attaches to the context that this request carries the DeepSubjectAccessReview header. The header is ignored for users outside the system:masters group and for non-SAR requests.

A deep SAR request skips top-level workspace and workspace content authorization checks.
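The gating rule above (header honoured only for system:masters callers, and only on a SubjectAccessReview request) is the part worth getting right, since a client that can smuggle the header past it skips the workspace checks. The following is an added, stand-alone re-implementation of that filter for illustration; it is not kcp's code. The header name, the SAR path, and the UserInfo type are assumptions standing in for kcp's internal header and for the k8s user.Info that an upstream authentication filter would attach to the request context.

```go
package main

import (
	"context"
	"net/http"
	"net/http/httptest"
)

// DeepSARHeader is a placeholder name; kcp's real header name is not shown on this page.
const DeepSARHeader = "X-Example-Deep-Subject-Access-Review"

// SARPath is the endpoint the filter treats as a SubjectAccessReview request.
const SARPath = "/apis/authorization.k8s.io/v1/subjectaccessreviews"

// UserInfo stands in for the user.Info that the authentication filter of a
// real apiserver attaches to the request context before authorization runs.
type UserInfo struct {
	Name   string
	Groups []string
}

type ctxKey int

const (
	userKey ctxKey = iota
	deepSARKey
)

// WithUser plays the role of the authentication filter for this example.
func WithUser(ctx context.Context, u UserInfo) context.Context {
	return context.WithValue(ctx, userKey, u)
}

func userFrom(ctx context.Context) (UserInfo, bool) {
	u, ok := ctx.Value(userKey).(UserInfo)
	return u, ok
}

func inGroup(u UserInfo, group string) bool {
	for _, g := range u.Groups {
		if g == group {
			return true
		}
	}
	return false
}

func isSAR(r *http.Request) bool {
	return r.Method == http.MethodPost && r.URL.Path == SARPath
}

// WithDeepSubjectAccessReview (re-implemented here) marks the context as deep
// only when the header is present AND the caller is in system:masters AND the
// request is a SAR. Any other combination silently ignores the header, so an
// unprivileged client cannot use it to skip the workspace checks.
func WithDeepSubjectAccessReview(handler http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(DeepSARHeader) == "true" {
			if u, ok := userFrom(r.Context()); ok && inGroup(u, "system:masters") && isSAR(r) {
				r = r.WithContext(context.WithValue(r.Context(), deepSARKey, true))
			}
		}
		handler.ServeHTTP(w, r)
	})
}

// IsDeepSubjectAccessReviewFrom is what authorizers further down the chain
// consult; anything not explicitly marked is a normal, non-deep request.
func IsDeepSubjectAccessReviewFrom(ctx context.Context) bool {
	deep, _ := ctx.Value(deepSARKey).(bool)
	return deep
}

// Probe sends one constructed request through the filter and reports whether
// the handler behind it observed a deep SAR.
func Probe(u UserInfo, method, path string, setHeader bool) bool {
	var deep bool
	h := WithDeepSubjectAccessReview(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		deep = IsDeepSubjectAccessReviewFrom(r.Context())
	}))
	req := httptest.NewRequest(method, path, nil)
	req = req.WithContext(WithUser(req.Context(), u))
	if setHeader {
		req.Header.Set(DeepSARHeader, "true")
	}
	h.ServeHTTP(httptest.NewRecorder(), req)
	return deep
}
```

Probe with a system:masters user on a POST to the SAR path and the header set is the only combination that reports true; the same header from an ordinary authenticated user, or from an admin on a non-SAR request, is dropped on the floor rather than rejected, matching the "ignored" behaviour described above.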

Types

type BootstrapPolicyAuthorizer added in v0.8.0

type BootstrapPolicyAuthorizer struct {
	// contains filtered or unexported fields
}

func (*BootstrapPolicyAuthorizer) Authorize added in v0.8.0

func (a *BootstrapPolicyAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)

func (*BootstrapPolicyAuthorizer) RulesFor added in v0.8.0

type Decorator added in v0.10.0

type Decorator struct {
	// contains filtered or unexported fields
}

func NewDecorator added in v0.10.0

func NewDecorator(key string, target authorizer.Authorizer) *Decorator

NewDecorator returns a new authorizer which is associated with the given key. The prefix key must not contain a trailing slash `/`. Decorating functions are applied in the order they have been invoked.

func (*Decorator) AddAnonymization added in v0.10.0

func (d *Decorator) AddAnonymization() *Decorator

AddAnonymization anonymizes authorization decisions: the reason passed to the next decoration becomes "access granted" for an allow decision and "access denied" otherwise. Previous decorations are not anonymized.

func (*Decorator) AddAuditLogging added in v0.10.0

func (d *Decorator) AddAuditLogging() *Decorator

AddAuditLogging logs every decision of the target authorizer under the given audit prefix key when the decision is not Allowed; all authorizer decisions, allowed or not, are recorded in the audit log.

func (*Decorator) AddReasonAnnotation added in v0.10.0

func (d *Decorator) AddReasonAnnotation() *Decorator

AddReasonAnnotation adds the authorizer key as a prefix to the authorizer reason and passes that to the next decoration. This is useful where AddAnonymization was used as a decoration, but we still want to identify the authorizer in audit logs when this decorator is passed as a delegate in an authorizer chain.
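The ordering rule matters: decorations wrap the target in the order they are invoked, so AddAuditLogging added first sees the raw policy reason, AddAnonymization added next hides it from everything further out, and AddReasonAnnotation added last keeps the authorizer identifiable in the reason the caller sees. The block below is an added, stand-alone re-implementation of DelegateAuthorization (documented earlier on this page) and of the Decorator chain, written for illustration and not taken from kcp. Decision, Attributes and Authorizer are local types that mirror the k8s.io/apiserver authorizer types in shape only, the AuditLog sink and the extra NewDecorator parameter are this example's additions, and workspaceContentPolicy is a constructed toy policy.

```go
package main

import (
	"context"
	"fmt"
)

// Decision, Attributes and Authorizer mirror the k8s.io/apiserver authorizer
// types in shape only (an assumption) so this compiles without kcp or k8s.
type Decision int

const (
	DecisionDeny Decision = iota
	DecisionAllow
	DecisionNoOpinion
)

func (d Decision) String() string { return [...]string{"Denied", "Allowed", "NoOpinion"}[d] }

type Attributes struct{ User, Verb string }

type Authorizer interface {
	Authorize(ctx context.Context, attr Attributes) (Decision, string, error)
}

type AuthorizerFunc func(ctx context.Context, attr Attributes) (Decision, string, error)

func (f AuthorizerFunc) Authorize(ctx context.Context, attr Attributes) (Decision, string, error) {
	return f(ctx, attr)
}

// DelegateAuthorization (re-implemented here) runs the delegate and prefixes
// the reason it returns with delegationReason.
func DelegateAuthorization(delegationReason string, delegate Authorizer) Authorizer {
	return AuthorizerFunc(func(ctx context.Context, attr Attributes) (Decision, string, error) {
		dec, reason, err := delegate.Authorize(ctx, attr)
		return dec, delegationReason + ": " + reason, err
	})
}

// AuditLog is a stand-in sink; kcp records audit annotations instead.
type AuditLog struct{ Entries []string }

// Decorator (re-implemented here) wraps its target once per Add* call, in call
// order, so the first decoration added runs closest to the target. The audit
// sink parameter of NewDecorator is this example's addition.
type Decorator struct {
	key    string
	target Authorizer
	audit  *AuditLog
}

func NewDecorator(key string, target Authorizer, audit *AuditLog) *Decorator {
	return &Decorator{key: key, target: target, audit: audit}
}

// AddAuditLogging records decision and raw reason; added first, it sees the
// reason before any anonymization layered on top of it.
func (d *Decorator) AddAuditLogging() *Decorator {
	inner, key, sink := d.target, d.key, d.audit
	d.target = AuthorizerFunc(func(ctx context.Context, attr Attributes) (Decision, string, error) {
		dec, reason, err := inner.Authorize(ctx, attr)
		sink.Entries = append(sink.Entries, fmt.Sprintf("%s: %s (%s)", key, dec, reason))
		return dec, reason, err
	})
	return d
}

// AddAnonymization replaces the reason so policy detail cannot leak outward.
func (d *Decorator) AddAnonymization() *Decorator {
	inner := d.target
	d.target = AuthorizerFunc(func(ctx context.Context, attr Attributes) (Decision, string, error) {
		dec, _, err := inner.Authorize(ctx, attr)
		if dec == DecisionAllow {
			return dec, "access granted", err
		}
		return dec, "access denied", err
	})
	return d
}

// AddReasonAnnotation prefixes the (already anonymized) reason with the key.
func (d *Decorator) AddReasonAnnotation() *Decorator {
	inner, key := d.target, d.key
	d.target = AuthorizerFunc(func(ctx context.Context, attr Attributes) (Decision, string, error) {
		dec, reason, err := inner.Authorize(ctx, attr)
		return dec, key + ": " + reason, err
	})
	return d
}

func (d *Decorator) Authorize(ctx context.Context, attr Attributes) (Decision, string, error) {
	return d.target.Authorize(ctx, attr)
}

// workspaceContentPolicy is a constructed toy policy whose reasons name
// bindings: exactly the detail that should reach the audit log only.
func workspaceContentPolicy(_ context.Context, attr Attributes) (Decision, string, error) {
	if attr.User == "alice" && attr.Verb == "access" {
		return DecisionAllow, "bound via ClusterRoleBinding alice-content-access", nil
	}
	return DecisionNoOpinion, "no binding grants verb " + attr.Verb + " to " + attr.User, nil
}

// BuildChain puts a delegating wrapper in front of the decorated content policy.
func BuildChain(audit *AuditLog) Authorizer {
	content := NewDecorator("workspace.content.authorization", AuthorizerFunc(workspaceContentPolicy), audit).
		AddAuditLogging().AddAnonymization().AddReasonAnnotation()
	return DelegateAuthorization("top-level workspace access granted", content)
}
```

Calling BuildChain(audit).Authorize for mallory/delete yields NoOpinion with the reason "top-level workspace access granted: workspace.content.authorization: access denied", while audit.Entries holds "workspace.content.authorization: NoOpinion (no binding grants verb delete to mallory)". Swapping AddAuditLogging after AddAnonymization would instead record only "access denied" in the audit trail, which is why the order of the three calls is part of the design, not a cosmetic choice.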

func (*Decorator) Authorize added in v0.10.0

type LocalAuthorizer

type LocalAuthorizer struct {
	// contains filtered or unexported fields
}

func (*LocalAuthorizer) Authorize

func (a *LocalAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)

func (*LocalAuthorizer) RulesFor

type MaximalPermissionPolicyAuthorizer added in v0.10.0

type MaximalPermissionPolicyAuthorizer struct {
	// contains filtered or unexported fields
}

func (*MaximalPermissionPolicyAuthorizer) Authorize added in v0.10.0

type SystemCRDAuthorizer added in v0.6.0

type SystemCRDAuthorizer struct {
	// contains filtered or unexported fields
}

SystemCRDAuthorizer protects the system CRDs from users who are admins in their workspaces.

func (*SystemCRDAuthorizer) Authorize added in v0.6.0

func (a *SystemCRDAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)
