rbac

package
v1.10.0 Latest
Warning

This package is not in the latest version of its module.

Published: Nov 28, 2025 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Overview

Package rbac provides RBAC middleware utilities for the Everest API server.

Constants

const (
	ResourceBackupStorages             = "backup-storages"
	ResourceDatabaseClusters           = "database-clusters"
	ResourceDatabaseClusterBackups     = "database-cluster-backups"
	ResourceDatabaseClusterCredentials = "database-cluster-credentials"
	ResourceDatabaseClusterRestores    = "database-cluster-restores"
	ResourceDatabaseEngines            = "database-engines"
	ResourceLoadBalancerConfigs        = "load-balancer-configs"
	ResourceMonitoringInstances        = "monitoring-instances"
	ResourceNamespaces                 = "namespaces"
	ResourcePodSchedulingPolicies      = "pod-scheduling-policies"
	ResourceDataImporters              = "data-importers"
	ResourceDataImportJobs             = "data-import-jobs"

	ResourceEngineFeatures_SplitHorizonDNSConfigs = "enginefeatures/split-horizon-dns-configs"
)

Everest API resource names.

const (
	ActionCreate = "create"
	ActionRead   = "read"
	ActionUpdate = "update"
	ActionDelete = "delete"
	ActionAll    = "*"
)

RBAC actions.

Variables

GlobalResources is a list of all Everest API resources that are considered global.

Functions

func Can

func Can(ctx context.Context, filePath string, k kubernetes.KubernetesConnector, req ...string) (bool, error)

Can checks if a user is allowed to perform an action on a resource. Input request should be of the form [user action resource object].

func IsEnabled added in v1.2.0

func IsEnabled(cm *corev1.ConfigMap) bool

IsEnabled returns true if enabled == 'true' in the given ConfigMap.

func IsGlobalResource added in v1.8.0

func IsGlobalResource(resource string) bool

func NewEnforcer

func NewEnforcer(ctx context.Context, kubeConnector kubernetes.KubernetesConnector, l *zap.SugaredLogger) (*casbin.Enforcer, error)

NewEnforcer creates a new Casbin enforcer with the RBAC model and ConfigMap adapter.

func NewEnforcerFromFilePath

func NewEnforcerFromFilePath(filePath string) (*casbin.Enforcer, error)

NewEnforcerFromFilePath creates a new Casbin enforcer with the policy stored at the given filePath.

func NewEnforcerWithRefresh added in v1.5.0

func NewEnforcerWithRefresh(ctx context.Context, kubeConnector kubernetes.KubernetesConnector, l *zap.SugaredLogger) (*casbin.Enforcer, error)

NewEnforcerWithRefresh creates a new enforcer that refreshes the policy whenever the ConfigMap is updated.

func NewIOReaderEnforcer added in v1.5.0

func NewIOReaderEnforcer(r io.Reader) (*casbin.Enforcer, error)

NewIOReaderEnforcer creates a new Casbin enforcer with the policy stored in the given io.Reader.

func NewSkipper

func NewSkipper(basePath string) (func(echo.Context) bool, error)

NewSkipper returns a new function that checks if a given request should be skipped from RBAC checks.

func ObjectName added in v1.2.0

func ObjectName(args ...string) string

ObjectName returns a string that represents the name of an object in RBAC format.

func ValidateAction added in v1.5.0

func ValidateAction(action string) bool

ValidateAction validates that the action is supported.

func ValidatePolicy

func ValidatePolicy(
	ctx context.Context,
	k kubernetes.KubernetesConnector,
	filepath string,
) error

ValidatePolicy validates a policy from either Kubernetes or local file.

Types

type User added in v1.5.0

type User struct {
	Subject string
	Groups  []string
}

func GetUser

func GetUser(ctx context.Context) (User, error)

GetUser extracts the user from the JWT token in the context.

Directories

Package configmapadapter provides a Casbin adapter that uses a Kubernetes ConfigMap as the storage.
Package readeradapter provides a Casbin adapter for reading policy from an io.Reader source.
Package utils contains utility functions for RBAC.
