Documentation
Index ¶
- func ForbidSystemUsernames(delegate authenticator.Request) authenticator.Request
- func NewIndex(lifecycleCtx context.Context, baseAudiences authenticator.Audiences) *state
- func NewShardWatcher(ctx context.Context, shardName string, ...) (*shardWatcher, error)
- func NewStandaloneWorkspaceAuthenticator(clusterIndex *index.State, authIndex AuthenticatorIndex) authenticator.Request
- func NewWorkspaceAuthenticator() authenticator.Request
- func WithWorkspaceAuthResolver(handler http.Handler, authIndex AuthenticatorIndex) http.Handler
- func WithWorkspaceAuthenticator(parent context.Context, authenticator authenticator.Request) context.Context
- func WorkspaceAuthenticatorFrom(ctx context.Context) (authenticator.Request, bool)
- type AuthenticatorIndex
- type ClusterClientGetter
- type Controller
- type ExtraFilter
- type GroupFilter
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ForbidSystemUsernames ¶
func ForbidSystemUsernames(delegate authenticator.Request) authenticator.Request
ForbidSystemUsernames wraps an authenticator and prevents it from returning an internal system username (anything beginning with "system:"). This ensures that per-workspace authenticators cannot impersonate low-level system accounts or service accounts. This filter should be used together with GroupFilter to also strip system groups.
func NewIndex ¶
func NewIndex(lifecycleCtx context.Context, baseAudiences authenticator.Audiences) *state
func NewShardWatcher ¶
func NewShardWatcher(
	ctx context.Context,
	shardName string,
	shardClient kcpclientset.ClusterInterface,
	state *state,
) (*shardWatcher, error)
func NewStandaloneWorkspaceAuthenticator ¶
func NewStandaloneWorkspaceAuthenticator(clusterIndex *index.State, authIndex AuthenticatorIndex) authenticator.Request
func NewWorkspaceAuthenticator ¶
func NewWorkspaceAuthenticator() authenticator.Request
func WithWorkspaceAuthResolver ¶
func WithWorkspaceAuthResolver(handler http.Handler, authIndex AuthenticatorIndex) http.Handler
WithWorkspaceAuthResolver looks up the target cluster in the given auth index and, if a workspace authenticator exists for it, stores that authenticator in the request's context. This lets other middlewares know that additional auth options exist for the request.
func WorkspaceAuthenticatorFrom ¶
func WorkspaceAuthenticatorFrom(ctx context.Context) (authenticator.Request, bool)
Types ¶
type AuthenticatorIndex ¶
// AuthenticatorIndex maps a workspace type to the authenticator.Request
// that should handle requests for workspaces of that type.
type AuthenticatorIndex interface {
	// Lookup returns the authenticator registered for the given workspace
	// type path. The boolean reports whether an entry was found; a false
	// result presumably means "no additional authenticator" and the caller
	// falls back to the default chain — confirm against WithWorkspaceAuthResolver.
	Lookup(wsType logicalcluster.Path) (authenticator.Request, bool)
}
AuthenticatorIndex describes a mapping from workspace type to authenticator.Request.
type ClusterClientGetter ¶
type ClusterClientGetter func(shard *corev1alpha1.Shard) (kcpclientset.ClusterInterface, error)
type Controller ¶
// Controller watches Shards on the root shard and, for every Shard, starts
// informers for its Workspaces, their types and their authentication
// configurations, keeping the workspace index (logical cluster ->
// authenticator) up to date. Its Lookup method has the same signature as
// AuthenticatorIndex.Lookup, so a *Controller can serve as an
// AuthenticatorIndex. Construct it with NewController; the zero value is
// presumably not usable since all fields are unexported.
type Controller struct {
	// contains filtered or unexported fields
}
Controller watches Shards on the root shard and then, for every Shard, starts informers that watch its Workspaces, their types, and their authentication configurations. It then updates the workspace index, which maps logical clusters to their authenticators.
This controller is very much inspired by the workspace index controller, but is its own thing because of the additional complexity of recursively resolving workspace types.
func NewController ¶
func NewController(
	ctx context.Context,
	shardInformer corev1alpha1informers.ShardInformer,
	clientGetter ClusterClientGetter,
	baseAudiences authenticator.Audiences,
) (*Controller, error)
func (*Controller) Lookup ¶
func (c *Controller) Lookup(wsType logicalcluster.Path) (authenticator.Request, bool)
type ExtraFilter ¶
// ExtraFilter wraps an authenticator and removes extra key/value pairs from
// the returned user info that are not allowed. A key is first checked
// against AllowExtraKeys (exact match, always kept); otherwise it is dropped
// when it contains any of the substrings in DropExtraKeyContains.
type ExtraFilter struct {
	// Authenticator is the delegate whose response is filtered.
	Authenticator authenticator.Request
	// AllowExtraKeys is a list of exact keys to allow through.
	// It takes precedence over DropExtraKeyContains.
	AllowExtraKeys []string
	// DropExtraKeyContains is a list of strings that will cause an extra
	// key/value pair to be dropped if the key contains any of them.
	// NOTE(review): this is a substring match, so a short entry matches
	// broadly; keys matched by neither list appear to pass through unchanged —
	// confirm against AuthenticateRequest.
	DropExtraKeyContains []string
}
ExtraFilter is a filter that removes extra key/value pairs that are not allowed.
func (*ExtraFilter) AuthenticateRequest ¶
func (a *ExtraFilter) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error)
type GroupFilter ¶
// GroupFilter wraps an authenticator and filters the groups it returns:
// groups outside the allowed set or prefixes are dropped, and groups in the
// disallowed set or prefixes are dropped. The ForbidSystemUsernames
// documentation recommends pairing that filter with this one so that system
// groups are stripped along with system usernames.
type GroupFilter struct {
	// Authenticator is the delegate whose response is filtered.
	Authenticator authenticator.Request
	// PassOnGroups is the set of exact group names allowed through
	// (the "allowed groups").
	PassOnGroups sets.Set[string]
	// DropGroups is the set of exact group names that are removed
	// (the "disallowed groups").
	DropGroups sets.Set[string]
	// PassOnGroupPrefixes presumably allows any group whose name starts with
	// one of these prefixes — confirm in AuthenticateRequest.
	PassOnGroupPrefixes []string
	// DropGroupPrefixes presumably removes any group whose name starts with
	// one of these prefixes. NOTE(review): the precedence between the
	// pass-on and drop rules is not visible here — confirm in AuthenticateRequest.
	DropGroupPrefixes []string
}
GroupFilter is a filter that removes groups that are not in the allowed groups, as well as groups that are in the disallowed groups.
func (*GroupFilter) AuthenticateRequest ¶
func (a *GroupFilter) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error)