groupauth

package v0.2.2-beta

Warning: this package is not in the latest version of its module.
Published: Apr 8, 2026 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Overview

Package groupauth provides group-based authorization and permission management for cluster access control. It supports label-based group membership and permission aggregation across multiple user groups.

Constants

const GroupLabelPrefix = "group.krkn.krkn-chaos.dev/"

GroupLabelPrefix is the label prefix for group membership on KrknUser CRs. Format: group.krkn.krkn-chaos.dev/<group-name>=true

Variables

This section is empty.

Functions

func AggregateClusterPermissions

func AggregateClusterPermissions(userGroups []krknv1alpha1.KrknUserGroup) map[string][]Action

AggregateClusterPermissions aggregates permissions from all user groups. Permissions are combined using union logic: if any group grants an action, it is allowed.

Parameters:

  • userGroups: List of groups the user belongs to

Returns a map of clusterAPIURL -> list of allowed actions.

func CanPerformAction

func CanPerformAction(userGroups []krknv1alpha1.KrknUserGroup, clusterAPIURL string, action Action) bool

CanPerformAction checks if the user can perform the given action on the cluster.

Parameters:

  • userGroups: List of groups the user belongs to
  • clusterAPIURL: The cluster API URL to check
  • action: The action to validate (view, run, cancel)

Returns true if the user has permission, false otherwise.

func CountGroupMembers

func CountGroupMembers(ctx context.Context, k8sClient client.Client, groupName, namespace string) (int, error)

CountGroupMembers counts the number of KrknUsers that belong to a group. Used for populating group metadata/stats.

Parameters:

  • ctx: Context for the request
  • k8sClient: Kubernetes client
  • groupName: Name of the group
  • namespace: Namespace where users are located

Returns the count of members, or an error.

func ExtractGroupNamesFromLabels

func ExtractGroupNamesFromLabels(labels map[string]string) []string

ExtractGroupNamesFromLabels extracts group names from KrknUser labels. Returns a list of group names the user belongs to.

func FilterClustersByPermission

func FilterClustersByPermission(
	ctx context.Context,
	k8sClient client.Client,
	userID string,
	namespace string,
	targetData map[string][]krknv1alpha1.ClusterTarget,
	requiredAction Action,
) (map[string][]krknv1alpha1.ClusterTarget, error)

FilterClustersByPermission filters clusters based on user permissions. Only returns clusters the user has the specified action permission for.

Parameters:

  • ctx: Context for the request
  • k8sClient: Kubernetes client
  • userID: Email address of the user
  • namespace: Namespace where CRs are located
  • targetData: Map of provider -> cluster targets from KrknTargetRequest
  • requiredAction: The action required (typically ActionView for GET /clusters)

Returns filtered targetData containing only permitted clusters.

func GetUserGroups

func GetUserGroups(ctx context.Context, k8sClient client.Client, userID, namespace string) ([]krknv1alpha1.KrknUserGroup, error)

GetUserGroups fetches all KrknUserGroup CRs that the user belongs to. Membership is determined by labels on the KrknUser CR.

Parameters:

  • ctx: Context for the request
  • k8sClient: Kubernetes client for API calls
  • userID: Email address of the user
  • namespace: Namespace where CRs are located

Returns the list of groups the user belongs to, or an error.

func GroupLabelKey

func GroupLabelKey(groupName string) string

GroupLabelKey returns the label key for a group name. Example: "dev-team" -> "group.krkn.krkn-chaos.dev/dev-team"

func HasClusterPermission

func HasClusterPermission(
	ctx context.Context,
	k8sClient client.Client,
	userID string,
	namespace string,
	clusterAPIURL string,
	action Action,
) (bool, error)

HasClusterPermission checks if a user has a specific permission on a cluster. This is a convenience wrapper that combines GetUserGroups and CanPerformAction.

Parameters:

  • ctx: Context for the request
  • k8sClient: Kubernetes client
  • userID: Email address of the user
  • namespace: Namespace where user and group CRs are located
  • clusterAPIURL: The cluster API URL to check permission for
  • action: The action to check (e.g., ActionView, ActionRun, ActionCancel)

Returns true if the user has the permission, false otherwise.

func IsValidAction

func IsValidAction(action string) bool

IsValidAction checks if the given action is valid.

func SanitizeGroupName

func SanitizeGroupName(groupName string) string

SanitizeGroupName sanitizes a group name to be valid as a Kubernetes label name:

  • Replaces invalid characters with hyphens
  • Converts to lowercase
  • Ensures it starts/ends with alphanumeric

Note: Does NOT truncate. Caller must validate length (63 char limit for K8s labels).
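The label scheme behind GroupLabelKey, ExtractGroupNamesFromLabels and SanitizeGroupName, modelled as an added stand-alone example (not the package's code): it applies the documented sanitizing rules and adds the length check that the note above leaves to the caller. The lower-case function names, applying the 63-character limit to the name part of the key, and requiring the label value to be exactly "true" are assumptions of this model.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// GroupLabelPrefix is the documented label prefix for group membership;
// invalidLabelChar matches what may not appear in a lowercased Kubernetes label name.
const GroupLabelPrefix = "group.krkn.krkn-chaos.dev/"
var invalidLabelChar = regexp.MustCompile(`[^a-z0-9._-]`)

// sanitizeGroupName follows the documented rules (lowercase, invalid characters
// to hyphens, alphanumeric start/end) and, like the package's, does NOT truncate.
func sanitizeGroupName(name string) string {
	s := invalidLabelChar.ReplaceAllString(strings.ToLower(name), "-")
	return strings.Trim(s, "._-") // only . _ - can remain as non-alphanumerics
}

// groupLabelKey adds the caller-side check the docs require: reject names that
// sanitize to nothing or exceed the 63-char label-name limit rather than
// truncating, since a truncated name could collide with another group's label.
func groupLabelKey(name string) (string, error) {
	s := sanitizeGroupName(name)
	if s == "" {
		return "", fmt.Errorf("group name %q has no valid label characters", name)
	}
	if len(s) > 63 {
		return "", fmt.Errorf("group name %q is %d chars; label names are limited to 63", s, len(s))
	}
	return GroupLabelPrefix + s, nil
}

// extractGroupNames reads memberships from a KrknUser's labels. Only the exact
// documented form <prefix><group>=true counts (an assumption of this model).
func extractGroupNames(labels map[string]string) []string {
	var groups []string
	for k, v := range labels {
		if strings.HasPrefix(k, GroupLabelPrefix) && v == "true" {
			groups = append(groups, strings.TrimPrefix(k, GroupLabelPrefix))
		}
	}
	return groups
}

func main() {
	fmt.Println(groupLabelKey("Dev Team!"))              // group.krkn.krkn-chaos.dev/dev-team <nil>
	fmt.Println(groupLabelKey(strings.Repeat("x", 64))) // error: over the 63-char limit
}
```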

func ValidateScenarioRunAccess

func ValidateScenarioRunAccess(
	ctx context.Context,
	k8sClient client.Client,
	userID string,
	namespace string,
	targetClusters map[string][]string,
	targetRequest *krknv1alpha1.KrknTargetRequest,
) error

ValidateScenarioRunAccess validates that a user has permission to run scenarios on all specified target clusters.

This function:

  1. Fetches the user's groups
  2. Aggregates permissions from all groups
  3. Validates the user has 'run' permission on each target cluster

Parameters:

  • ctx: Context for the request
  • k8sClient: Kubernetes client for API calls
  • userID: Email address of the user
  • namespace: Namespace where CRs are located
  • targetClusters: Map of provider -> cluster names to validate
  • targetRequest: The KrknTargetRequest containing cluster API URLs

Returns nil if validation passes, or an error describing the permission violation.
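An added example (not the package's code) modelling the union semantics of AggregateClusterPermissions together with the three-step ValidateScenarioRunAccess flow above, so that the effect of adding a user to one more group is visible. The UserGroup type, the set-valued aggregate result, the lower-case function names and the sample cluster URLs are assumptions of this model.

```go
package main

import "fmt"

type Action string

const ActionView, ActionRun, ActionCancel Action = "view", "run", "cancel"

// UserGroup is an assumed stand-in for the KrknUserGroup CRD (schema not on
// this page): cluster API URL -> actions the group grants on that cluster.
type UserGroup map[string][]Action

// aggregate models the documented union semantics: an action is allowed if any
// group grants it. With no way to deny, extra memberships only ever widen access.
func aggregate(groups []UserGroup) map[string]map[Action]bool {
	allowed := map[string]map[Action]bool{}
	for _, g := range groups {
		for url, actions := range g {
			if allowed[url] == nil {
				allowed[url] = map[Action]bool{}
			}
			for _, a := range actions {
				allowed[url][a] = true
			}
		}
	}
	return allowed
}

// validateRunAccess mirrors the documented ValidateScenarioRunAccess flow: every
// target must carry ActionRun (the CanPerformAction test); the first miss fails all.
func validateRunAccess(groups []UserGroup, targetURLs []string) error {
	perms := aggregate(groups)
	for _, url := range targetURLs {
		if !perms[url][ActionRun] {
			return fmt.Errorf("no group grants %q on cluster %s", ActionRun, url)
		}
	}
	return nil
}

// Constructed sample (made-up URLs): viewers only view; sre also runs and cancels on prod.
const prod, stage = "https://api.prod.example:6443", "https://api.stage.example:6443"

var sampleGroups = []UserGroup{{prod: {ActionView}, stage: {ActionView}}, {prod: {ActionRun, ActionCancel}}}

func main() {
	fmt.Println(validateRunAccess(sampleGroups, []string{prod}))        // <nil>
	fmt.Println(validateRunAccess(sampleGroups, []string{prod, stage})) // error: stage lacks run
}
```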

Types

type Action

type Action string

Action represents a permission action that can be performed on a cluster.

const (
	// ActionView allows viewing cluster details and scenario runs
	ActionView Action = "view"

	// ActionRun allows launching chaos scenarios on the cluster
	ActionRun Action = "run"

	// ActionCancel allows canceling running chaos scenarios
	ActionCancel Action = "cancel"
)
