access

Constants

// Permission support scopes. These form a small bit set describing where a
// permission may be granted: CONST_PERM_SUPPORT_GLOBAL is the cluster-wide
// (global domain) level, CONST_PERM_SUPPORT_DOMAIN the per-namespace level,
// and an option tagged CONST_PERM_SUPPORT_BOTH can be granted at either level.
// They are left untyped so they fit the uint8 supportScope parameter of
// GetTopLevelPermitsList and the SupportScope field of PermissionOptions.
const (
	CONST_PERM_SUPPORT_GLOBAL = 1 << 0
	CONST_PERM_SUPPORT_DOMAIN = 1 << 1
	CONST_PERM_SUPPORT_BOTH   = CONST_PERM_SUPPORT_GLOBAL | CONST_PERM_SUPPORT_DOMAIN
)
// Role-list selectors. These are the values passed as the usage argument of
// GetValidRoles and IsValidRole (presumably; the int parameter is named usage)
// to choose which set of role names is meant. Values are iota-ordered, so new
// selectors must be appended, not inserted.
const (
	CONST_VISIBLE_USER_ROLE            = iota // roles that can be associated with the global domain
	CONST_VISIBLE_DOMAIN_ROLE                 // domain roles; mappable group domain roles are the same set
	CONST_MAPPABLE_SERVER_DEFAULT_ROLE        // roles usable as an auth server's default role — inferred from the name, confirm in source
)
// API categories. Every REST URI is mapped to one of these (apparently by
// CompileUriPermitsMapping, which records it as UriApiNode.apiCategoryID), and
// the category decides which permission bits a caller needs for that URI.
// NOTE(review): the values are iota-ordered, so append new categories at the
// end to keep logged/persisted numeric ids stable. Any URI that resolves to
// CONST_API_NO_AUTH or CONST_API_SKIP presumably bypasses the permission
// check, so additions to those categories deserve an explicit review.
const (
	CONST_API_UNKNOWN     = iota // zero value: a URI with no mapping
	CONST_API_UNSUPPORTED        // URI is known but not served
	CONST_API_SKIP               // no permission mapping applied — audit new uses
	CONST_API_NO_AUTH            // reachable without authentication — audit new uses
	CONST_API_DEBUG              // i.e. for admin only
	CONST_API_RT_SCAN
	CONST_API_REG_SCAN
	CONST_API_CICD_SCAN
	CONST_API_CLOUD
	CONST_API_INFRA
	CONST_API_NV_RESOURCE
	CONST_API_WORKLOAD
	CONST_API_GROUP
	CONST_API_RT_POLICIES
	CONST_API_ADM_CONTROL
	CONST_API_COMPLIANCE
	CONST_API_AUDIT_EVENTS
	CONST_API_SECURITY_EVENTS
	CONST_API_EVENTS
	CONST_API_AUTHENTICATION
	CONST_API_AUTHORIZATION
	CONST_API_SYSTEM_CONFIG
	CONST_API_IBMSA
	CONST_API_FED
	CONST_API_PWD_PROFILE   // i.e. for password profile
	CONST_API_VULNERABILITY // i.e. for vulnerability profile
)

The constants above are the apiCategoryID values: the API category recorded for each URI node of the compiled URI tree (see UriApiNode and dumpApiUriParts), which determines the permission check applied to that URI.

// AccessDomainGlobal is the domain name that stands for the global
// (cluster-wide) scope, presumably used as the key for the global entry in
// DomainRole and DomainPermissions maps — confirm against callers.
// NOTE(review): because it is the empty string, any code that derives a domain
// name from caller-supplied input must not let a missing or blank value fall
// through to the global scope; treat "" from outside as invalid, not global.
const AccessDomainGlobal = ""

// PermissionOptions is the catalogue of permissions that can be granted to a
// custom role. Each entry's ID is the externally visible permission id and
// Value the internal permission bits; SupportScope says whether the option can
// be granted cluster-wide (CONST_PERM_SUPPORT_GLOBAL), per namespace
// (CONST_PERM_SUPPORT_DOMAIN) or both; ReadSupported/WriteSupported say which
// operations the option can be granted for (an absent flag means that
// operation cannot be granted through this option). Entries that carry
// ComplexPermits are umbrella options: the effective internal permissions are
// those of the nested entries, not the parent's Value.
// NOTE(review): several nested entries are deliberately narrower than their
// parent (PERM_INFRA_BASIC is global-only under both-scope parents), and some
// options are read-only or, for CI/CD scan, write-only. Widening a scope or
// adding a flag here widens what any custom role can be granted, so such
// edits should be reviewed as an authorization change.
var PermissionOptions = []*api.RESTRolePermitOptionInternal{
	{
		ID:             share.PERM_SYSTEM_CONFIG_ID,
		Value:          share.PERM_SYSTEM_CONFIG,
		SupportScope:   CONST_PERM_SUPPORT_BOTH,
		ReadSupported:  true,
		WriteSupported: true,
	},
	{
		ID:             share.PERM_IBMSA_ID,
		Value:          share.PERM_IBMSA,
		SupportScope:   CONST_PERM_SUPPORT_GLOBAL,
		ReadSupported:  true,
		WriteSupported: true,
	},
	{
		ID:             share.PERM_FED_ID,
		Value:          share.PERM_FED,
		SupportScope:   CONST_PERM_SUPPORT_GLOBAL,
		ReadSupported:  true,
		WriteSupported: true,
	},
	{
		ID:             share.PERM_NV_RESOURCE_ID,
		Value:          share.PERM_NV_RESOURCE,
		SupportScope:   CONST_PERM_SUPPORT_BOTH,
		ReadSupported:  true,
		WriteSupported: true,
	},
	{
		ID:             share.PERMS_RUNTIME_SCAN_ID,
		Value:          share.PERMS_RUNTIME_SCAN,
		SupportScope:   CONST_PERM_SUPPORT_BOTH,
		ReadSupported:  true,
		WriteSupported: true,
		ComplexPermits: []*api.RESTRolePermitOptionInternal{
			{
				ID:             share.PERM_RUNTIME_SCAN_BASIC_ID,
				Value:          share.PERM_RUNTIME_SCAN_BASIC,
				SupportScope:   CONST_PERM_SUPPORT_BOTH,
				ReadSupported:  true,
				WriteSupported: true,
			},
			{
				ID:             share.PERM_WORKLOAD_BASIC_ID,
				Value:          share.PERM_WORKLOAD_BASIC,
				SupportScope:   CONST_PERM_SUPPORT_BOTH,
				ReadSupported:  true,
				WriteSupported: true,
			},
			{
				ID:             share.PERM_INFRA_BASIC_ID,
				Value:          share.PERM_INFRA_BASIC,
				SupportScope:   CONST_PERM_SUPPORT_GLOBAL, // narrower than the parent: infra is global-only
				ReadSupported:  true,
				WriteSupported: true,
			},
		},
	},
	{
		ID:             share.PERM_REG_SCAN_ID,
		Value:          share.PERM_REG_SCAN,
		SupportScope:   CONST_PERM_SUPPORT_BOTH,
		ReadSupported:  true,
		WriteSupported: true,
	},
	{
		ID:             share.PERM_CICD_SCAN_ID,
		Value:          share.PERM_CICD_SCAN,
		SupportScope:   CONST_PERM_SUPPORT_GLOBAL,
		WriteSupported: true, // write-only option: no ReadSupported
	},

	{
		ID:             share.PERMS_RUNTIME_POLICIES_ID,
		Value:          share.PERMS_RUNTIME_POLICIES,
		SupportScope:   CONST_PERM_SUPPORT_BOTH,
		ReadSupported:  true,
		WriteSupported: true,
		ComplexPermits: []*api.RESTRolePermitOptionInternal{
			{
				ID:             share.PERM_GROUP_BASIC_ID,
				Value:          share.PERM_GROUP_BASIC,
				SupportScope:   CONST_PERM_SUPPORT_BOTH,
				ReadSupported:  true,
				WriteSupported: true,
			},
			{
				ID:             share.PERM_NETWORK_POLICY_BASIC_ID,
				Value:          share.PERM_NETWORK_POLICY_BASIC,
				SupportScope:   CONST_PERM_SUPPORT_BOTH,
				ReadSupported:  true,
				WriteSupported: true,
			},
			{
				ID:             share.PERM_SYSTEM_POLICY_BASIC_ID,
				Value:          share.PERM_SYSTEM_POLICY_BASIC,
				SupportScope:   CONST_PERM_SUPPORT_BOTH,
				ReadSupported:  true,
				WriteSupported: true,
			},
			{
				ID:             share.PERM_WORKLOAD_BASIC_ID,
				Value:          share.PERM_WORKLOAD_BASIC,
				SupportScope:   CONST_PERM_SUPPORT_BOTH,
				ReadSupported:  true,
				WriteSupported: true,
			},
		},
	},
	{
		ID:             share.PERM_ADM_CONTROL_ID,
		Value:          share.PERM_ADM_CONTROL,
		SupportScope:   CONST_PERM_SUPPORT_GLOBAL,
		ReadSupported:  true,
		WriteSupported: true,
	},
	{
		ID:             share.PERMS_COMPLIANCE_ID,
		Value:          share.PERMS_COMPLIANCE,
		SupportScope:   CONST_PERM_SUPPORT_BOTH,
		ReadSupported:  true,
		WriteSupported: true,
		ComplexPermits: []*api.RESTRolePermitOptionInternal{
			{
				ID:             share.PERM_COMPLIANCE_BASIC_ID,
				Value:          share.PERM_COMPLIANCE_BASIC,
				SupportScope:   CONST_PERM_SUPPORT_BOTH,
				ReadSupported:  true,
				WriteSupported: true,
			},
			{
				ID:             share.PERM_WORKLOAD_BASIC_ID,
				Value:          share.PERM_WORKLOAD_BASIC,
				SupportScope:   CONST_PERM_SUPPORT_BOTH,
				ReadSupported:  true,
				WriteSupported: true,
			},
			{
				ID:             share.PERM_INFRA_BASIC_ID,
				Value:          share.PERM_INFRA_BASIC,
				SupportScope:   CONST_PERM_SUPPORT_GLOBAL, // narrower than the parent: infra is global-only
				ReadSupported:  true,
				WriteSupported: true,
			},
		},
	},
	{
		ID:            share.PERM_AUDIT_EVENTS_ID,
		Value:         share.PERM_AUDIT_EVENTS,
		SupportScope:  CONST_PERM_SUPPORT_BOTH,
		ReadSupported: true, // read-only option: no WriteSupported
	},
	{
		ID:            share.PERMS_SECURITY_EVENTS_ID,
		Value:         share.PERMS_SECURITY_EVENTS,
		SupportScope:  CONST_PERM_SUPPORT_BOTH,
		ReadSupported: true, // read-only option: no WriteSupported on it or its nested entries
		ComplexPermits: []*api.RESTRolePermitOptionInternal{
			{
				ID:            share.PERM_SECURITY_EVENTS_BASIC_ID,
				Value:         share.PERM_SECURITY_EVENTS_BASIC,
				SupportScope:  CONST_PERM_SUPPORT_BOTH,
				ReadSupported: true,
			},
			{
				ID:            share.PERM_WORKLOAD_BASIC_ID,
				Value:         share.PERM_WORKLOAD_BASIC,
				SupportScope:  CONST_PERM_SUPPORT_BOTH,
				ReadSupported: true,
			},
		},
	},
	{
		ID:            share.PERM_EVENTS_ID,
		Value:         share.PERM_EVENTS,
		SupportScope:  CONST_PERM_SUPPORT_BOTH,
		ReadSupported: true, // read-only option: no WriteSupported
	},
	{
		ID:             share.PERM_AUTHENTICATION_ID,
		Value:          share.PERM_AUTHENTICATION,
		SupportScope:   CONST_PERM_SUPPORT_GLOBAL,
		ReadSupported:  true,
		WriteSupported: true,
	},
	{
		ID:             share.PERM_AUTHORIZATION_ID,
		Value:          share.PERM_AUTHORIZATION,
		SupportScope:   CONST_PERM_SUPPORT_BOTH,
		ReadSupported:  true,
		WriteSupported: true,
	},
	{
		ID:             share.PERM_VULNERABILITY_ID,
		Value:          share.PERM_VULNERABILITY,
		SupportScope:   CONST_PERM_SUPPORT_GLOBAL,
		ReadSupported:  true,
		WriteSupported: true,
	},
}

Each entry's ID is the permission id that is visible to the world. Regarding the Value: (1) if len(entry.ComplexPermits) == 0, Value is the effective internal permission used by the controller; (2) if len(entry.ComplexPermits) > 0, the entries of ComplexPermits carry the effective internal permissions used by the controller and the parent's Value is not the effective permission by itself.

Functions

func AddRole

func AddRole(name string, role *share.CLUSUserRoleInternal)

func CompileUriPermitsMapping

func CompileUriPermitsMapping()

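// dumpApiUriParts prints every node of a compiled URI tree to stdout, one line
// per node, for debugging the URI -> API-category mapping. verb is the HTTP
// verb the tree belongs to and parentURI is the path prefix accumulated so
// far, so a tree built from GET("/v1/log/event") prints nodeURI=/v1/log/event
// with the node's apiCategoryID. Children are printed before their parent
// (post-order) and sibling order follows map iteration, so it is not stable
// between runs. The function has no result; the earlier header comment that
// described a bool "leaf node" return was stale.
func dumpApiUriParts(verb, parentURI string, nodes map[string]*UriApiNode) {
	for part, node := range nodes {
		if node == nil {
			continue // tolerate nil entries instead of dereferencing them
		}
		nodeURI := fmt.Sprintf("%s/%s", parentURI, part)
		dumpApiUriParts(verb, nodeURI, node.childNodes)
		fmt.Printf("[dump] --------------> verb=%s, nodeURI=%s, apiID=%d\n", verb, nodeURI, node.apiCategoryID)
	}
}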

func ContainsNonSupportRole

func ContainsNonSupportRole(role string) bool

func DeleteRole

func DeleteRole(name string)

func GetReservedRoleNames

func GetReservedRoleNames() utils.Set

func GetRoleDetails

func GetRoleDetails(name string) *api.RESTUserRole

func GetRoleList

func GetRoleList() []*api.RESTUserRole

func GetTopLevelPermitsList

func GetTopLevelPermitsList(supportScope uint8, value share.NvPermissions) []*api.RESTRolePermission

It returns the list of top-level permissions computed from the given permission value; supportScope selects the scope (global, domain or both) whose permission options are considered — presumably, confirm in the implementation.

func GetUserPermissions

func GetUserPermissions(role string, roleDomains map[string][]string, extraPermits share.NvPermissions, extraPermitsDomains []share.CLUSPermitsAssigned) (
	[]*api.RESTRolePermission, map[string][]*api.RESTRolePermission, error)

Parameters: role — the user's role on the global domain; roleDomains — map from a role name to the namespaces in which the user holds that role; extraPermits — the user's extra permissions on the global domain; extraPermitsDomains — the list of the user's extra permissions on namespaces.

Returns: gPermitsList — the top-level permissions list on the global domain; dPermitsList — map from a domain (namespace) to its top-level permissions list; and an error.

func GetValidRoles

func GetValidRoles(usage int) []string

func IsValidRole

func IsValidRole(role string, usage int) bool

func UpdateUserRoleForFedRoleChange

func UpdateUserRoleForFedRoleChange(fedRole string)

Types

type AccessControl

// AccessControl is the per-request authorization context. It is built from
// the request, the requested operation (AccessOPRead or AccessOPWrite), the
// caller's domain -> role map and any extra per-domain permissions (see
// NewAccessControl), and answers the Authorize/AuthorizeOwn/Has*/Is* queries
// against them. The fields are unexported, so instances are obtained only via
// the New* constructors or ImportAccessControl.
// NOTE(review): NewAdminAccessControl and NewFedAdminAccessControl presumably
// return unrestricted objects; they must only be used for internal/system
// work and never on a code path that authorizes an external caller's request.
type AccessControl struct {
	// contains filtered or unexported fields
}

func ImportAccessControl

func ImportAccessControl(uac *api.UserAccessControl) *AccessControl

func NewAccessControl

func NewAccessControl(r *http.Request, op AccessOP, roles DomainRole, extraPermits DomainPermissions) *AccessControl

func NewAdminAccessControl

func NewAdminAccessControl() *AccessControl

func NewFedAdminAccessControl

func NewFedAdminAccessControl() *AccessControl

Be careful when using this function: it returns a very powerful access control object (federation-admin level). Use it only for internal/system operations, never to authorize an action on behalf of an external caller — build those from the request with NewAccessControl.

func NewReaderAccessControl

func NewReaderAccessControl() *AccessControl

func (*AccessControl) Authorize

Authorize returns true if the access has rights on at least one of the domains that the object is a member of.

func (*AccessControl) AuthorizeOwn

func (acc *AccessControl) AuthorizeOwn(obj share.AccessObject, f share.GetAccessObjectFunc) bool

AuthorizeOwn returns true only if the access has rights on every domain that the object is a member of.

func (*AccessControl) BoostPermissions

func (acc *AccessControl) BoostPermissions(toBoost uint32) *AccessControl

Permission checks are now done per API (see CompileUriPermitsMapping), so it is rare that an API needs to boost permissions for the caller. Any call to BoostPermissions widens what the caller is allowed to do for the rest of that request, so each use should be reviewed as an explicit privilege grant.

func (*AccessControl) CanWriteCluster

func (acc *AccessControl) CanWriteCluster() bool

Returns true if the write permissions of the user's global role include PERMS_CLUSTER_WRITE.

func (*AccessControl) ExportAccessControl

func (acc *AccessControl) ExportAccessControl() *api.UserAccessControl

func (*AccessControl) GetAdminDomains

func (acc *AccessControl) GetAdminDomains(writePermitsRequired uint32) []string

Returns all domains over which this access control holds the required write permissions.

func (*AccessControl) GetRoleDomains

func (acc *AccessControl) GetRoleDomains() map[string][]string

func (*AccessControl) HasGlobalPermissions

func (acc *AccessControl) HasGlobalPermissions(readPermitsRequired, writePermsRequired uint32) bool

Returns true only when the access control object was created for a user whose global role carries the specified read and write permission bits.

func (*AccessControl) HasPermFed

func (acc *AccessControl) HasPermFed() bool

Returns true only when the access control object was created for a user whose global permissions include PERM_FED. Custom federation roles are not supported yet.

func (*AccessControl) HasPermFedForReadOnly

func (acc *AccessControl) HasPermFedForReadOnly() bool

Returns true only when the access control object was created for a user whose global permissions include PERM_FED for read but not PERM_FED for write.

func (*AccessControl) HasRequiredPermissions

func (acc *AccessControl) HasRequiredPermissions() bool

Returns true when the access control object was created for a user whose role on any domain, or on the global domain, has the required read/write permissions. The method takes no arguments, so the required permissions are presumably those recorded in the object when it was created — confirm in source.

func (*AccessControl) IsFedAdmin

func (acc *AccessControl) IsFedAdmin() bool

Returns true only when the access control object was created for a user whose global role has the same read and write permissions as the fedAdmin role.

func (*AccessControl) IsFedReader

func (acc *AccessControl) IsFedReader() bool

Returns true only when the access control object was created for a user whose global role has the same read permissions as the fedReader role.

func (*AccessControl) NewWithOp

func (acc *AccessControl) NewWithOp(op AccessOP) *AccessControl

Returns a new access control object identical to the receiver except that its op is replaced by the given one.

type AccessOP

// AccessOP names the kind of access being authorized (see AccessOPRead and
// AccessOPWrite). NewAccessControl takes one and NewWithOp derives a copy of
// an AccessControl with a different one.
type AccessOP string


// The two operations an AccessControl can be created for. The op presumably
// selects whether the read or the write permission bits are consulted when
// the object authorizes an access — confirm in source.
const (
	AccessOPRead  AccessOP = "read"
	AccessOPWrite AccessOP = "write"
)

type DomainPermissions

// DomainPermissions maps a domain (namespace) name to the extra permissions
// the caller holds there on top of what its role grants; it carries the
// permissions derived from Rancher SSO. The global domain is presumably keyed
// by AccessDomainGlobal ("") — confirm against callers.
type DomainPermissions map[string]share.NvPermissions // domain -> permissions (for Rancher SSO)

type DomainRole

// DomainRole maps a domain (namespace) name to the role the caller holds in
// it. The global role is presumably keyed by AccessDomainGlobal ("") —
// confirm against callers.
type DomainRole map[string]string // domain -> role

type UriApiNode

// UriApiNode is one node of the per-verb URI tree, keyed by path segment,
// presumably built by CompileUriPermitsMapping. Each node holds its child
// segments (childNodes) and the API category (apiCategoryID, one of the
// CONST_API_* values) that decides the permission check for the URI; see
// dumpApiUriParts for how the tree is walked.
type UriApiNode struct {
	// contains filtered or unexported fields
}
