Documentation
Overview
Package persona provides persona-based access control and customization.
Index
- type Authorizer
- type ChainedRoleMapper
- type Config
- type ConnectionRules
- type ConnectionRulesConfig
- type ContextOverrides
- type ContextOverridesYAML
- type OIDCRoleMapper
- type Persona
- type Registry
- func (r *Registry) All() []*Persona
- func (r *Registry) DefaultName() string
- func (r *Registry) Get(name string) (*Persona, bool)
- func (r *Registry) GetDefault() (*Persona, bool)
- func (r *Registry) GetForRoles(roles []string) (*Persona, bool)
- func (r *Registry) LoadFromConfig(config map[string]*Config) error
- func (r *Registry) Register(p *Persona) error
- func (r *Registry) SetDefault(name string)
- func (r *Registry) Unregister(name string) error
- type RoleMapper
- type StaticRoleMapper
- type ToolFilter
- type ToolRules
- type ToolRulesConfig
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Authorizer (added in v0.14.0)
type Authorizer struct {
    // contains filtered or unexported fields
}
Authorizer implements middleware.Authorizer using personas.
func NewAuthorizer (added in v0.14.0)
func NewAuthorizer(registry *Registry, mapper RoleMapper) *Authorizer
NewAuthorizer creates a new persona-based authorizer.
func (*Authorizer) IsAuthorized (added in v0.14.0)
func (a *Authorizer) IsAuthorized(ctx context.Context, _ string, roles []string, toolName, connectionName string) (allowed bool, personaName, reason string)
IsAuthorized checks if the user is authorized for the tool on the given connection. Both the tool and the connection must be allowed by the persona's rules. Returns the resolved persona name for audit logging.
type ChainedRoleMapper
type ChainedRoleMapper struct {
    Mappers []RoleMapper
}
ChainedRoleMapper tries multiple mappers in order.
func (*ChainedRoleMapper) MapToPersona
MapToPersona uses the first mapper that returns a persona.
func (*ChainedRoleMapper) MapToRoles
func (c *ChainedRoleMapper) MapToRoles(claims map[string]any) ([]string, error)
MapToRoles aggregates roles from all mappers.
type Config (added in v0.14.0)
type Config struct {
    DisplayName string                `yaml:"display_name"`
    Description string                `yaml:"description,omitempty"`
    Roles       []string              `yaml:"roles"`
    Tools       ToolRulesConfig       `yaml:"tools"`
    Connections ConnectionRulesConfig `yaml:"connections"`
    Context     ContextOverridesYAML  `yaml:"context"`
    Priority    int                   `yaml:"priority,omitempty"`
}
Config is the configuration format for personas.
type ConnectionRules (added in v1.48.0)
type ConnectionRules struct {
    // Allow patterns for allowed connections (supports wildcards like "prod-*").
    Allow []string `json:"allow,omitempty" yaml:"allow,omitempty"`
    // Deny patterns for denied connections (takes precedence over Allow).
    Deny []string `json:"deny,omitempty" yaml:"deny,omitempty"`
}
ConnectionRules defines connection-level access rules for a persona. These work alongside ToolRules — a tool call must pass both the tool check AND the connection check. If the Allow list is empty, all connections are permitted (backward-compatible default).
type ConnectionRulesConfig (added in v1.48.0)
type ConnectionRulesConfig struct {
    Allow []string `yaml:"allow,omitempty"`
    Deny  []string `yaml:"deny,omitempty"`
}
ConnectionRulesConfig is the YAML configuration for connection rules.
type ContextOverrides (added in v1.48.0)
type ContextOverrides struct {
    // DescriptionPrefix is prepended to the server description (separated by
    // a blank line). Use this to add persona-specific context before the
    // base platform description. Ignored if DescriptionOverride is set.
    DescriptionPrefix string `json:"description_prefix,omitempty" yaml:"description_prefix,omitempty"`
    // DescriptionOverride replaces the server description entirely.
    // Use this when a persona needs a completely different description.
    DescriptionOverride string `json:"description_override,omitempty" yaml:"description_override,omitempty"`
    // AgentInstructionsSuffix is appended to the server agent instructions
    // (separated by a blank line). Use this to add persona-specific guidance
    // after the base instructions. Ignored if AgentInstructionsOverride is set.
    AgentInstructionsSuffix string `json:"agent_instructions_suffix,omitempty" yaml:"agent_instructions_suffix,omitempty"`
    // AgentInstructionsOverride replaces the server agent instructions entirely.
    // Use this when a persona needs completely different instructions.
    AgentInstructionsOverride string `json:"agent_instructions_override,omitempty" yaml:"agent_instructions_override,omitempty"`
}
ContextOverrides defines per-persona overrides for the description and agent instructions that the platform_info tool returns. These let you tailor what an AI agent sees based on who is using the platform.
For each field pair (prefix/override), the override takes precedence. If an override is set, the prefix/suffix is ignored.
type ContextOverridesYAML (added in v1.48.0)
type ContextOverridesYAML struct {
    DescriptionPrefix         string `yaml:"description_prefix,omitempty"`
    DescriptionOverride       string `yaml:"description_override,omitempty"`
    AgentInstructionsSuffix   string `yaml:"agent_instructions_suffix,omitempty"`
    AgentInstructionsOverride string `yaml:"agent_instructions_override,omitempty"`
}
ContextOverridesYAML is the YAML configuration for context overrides.
type OIDCRoleMapper
type OIDCRoleMapper struct {
    // ClaimPath is the dot-separated path to roles in claims.
    ClaimPath string
    // RolePrefix filters roles to those starting with this prefix.
    RolePrefix string
    // PersonaMapping maps roles to persona names.
    PersonaMapping map[string]string
    // Registry is the persona registry.
    Registry *Registry
}
OIDCRoleMapper extracts roles from OIDC token claims.
func (*OIDCRoleMapper) MapToPersona
MapToPersona maps roles to a persona.
func (*OIDCRoleMapper) MapToRoles
func (m *OIDCRoleMapper) MapToRoles(claims map[string]any) ([]string, error)
MapToRoles extracts roles from OIDC claims.
type Persona
type Persona struct {
    // Name is the unique identifier for this persona.
    Name string `json:"name" yaml:"name"`
    // DisplayName is the human-readable name.
    DisplayName string `json:"display_name" yaml:"display_name"`
    // Description describes this persona.
    Description string `json:"description,omitempty" yaml:"description,omitempty"`
    // Roles are the roles that map to this persona. When a user authenticates
    // via OIDC, their token claims are mapped to roles. When using API keys,
    // roles are assigned directly. A user gets this persona when any of their
    // roles match.
    Roles []string `json:"roles" yaml:"roles"`
    // Tools defines tool access rules (allow/deny glob patterns).
    Tools ToolRules `json:"tools" yaml:"tools"`
    // Connections defines connection-level access rules. A tool call must pass
    // both the tool check and the connection check. If Connections.Allow is
    // empty, all connections are permitted (backward-compatible default).
    Connections ConnectionRules `json:"connections" yaml:"connections"`
    // Context defines per-persona overrides for the platform description and
    // agent instructions returned by the platform_info tool.
    Context ContextOverrides `json:"context" yaml:"context"`
    // Priority determines which persona takes precedence when a user's roles
    // match multiple personas. Higher values win. Default is 0; the built-in
    // admin persona uses 100.
    Priority int `json:"priority,omitempty" yaml:"priority,omitempty"`
    // Source indicates where this persona was loaded from at runtime.
    // Values: "file" (YAML config), "database" (DB-managed), "both" (file
    // with DB override). This is runtime metadata — not persisted.
    Source string `json:"source,omitempty" yaml:"-"`
}
Persona defines a user persona with associated permissions and customizations.
func AdminPersona
func AdminPersona() *Persona
AdminPersona creates an admin persona with full access.
func DefaultPersona
func DefaultPersona() *Persona
DefaultPersona creates a default persona that denies all access. This ensures fail-closed behavior: users must be explicitly granted access.
func (*Persona) ApplyAgentInstructions (added in v1.48.0)
ApplyAgentInstructions returns the effective agent instructions for this persona. If AgentInstructionsOverride is set, it replaces the base entirely. If AgentInstructionsSuffix is set, it is appended to the base. Otherwise the base is returned unchanged.
func (*Persona) ApplyDescription (added in v1.48.0)
ApplyDescription returns the effective description for this persona. If DescriptionOverride is set, it replaces the base entirely. If DescriptionPrefix is set, it is prepended to the base. Otherwise the base is returned unchanged.
type Registry
type Registry struct {
    // contains filtered or unexported fields
}
Registry manages persona definitions.
func (*Registry) DefaultName (added in v0.17.0)
DefaultName returns the default persona name.
func (*Registry) GetDefault
GetDefault returns the default persona.
func (*Registry) GetForRoles
GetForRoles returns the best matching persona for the given roles.
func (*Registry) LoadFromConfig
LoadFromConfig loads personas from a configuration map.
func (*Registry) SetDefault
SetDefault sets the default persona name.
func (*Registry) Unregister (added in v0.17.0)
Unregister removes a persona by name. Returns an error if the persona is not found.
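The precedence rules above (Persona.Priority in GetForRoles, and override-beats-prefix in ApplyDescription, which ApplyAgentInstructions mirrors with a suffix) worked through in an added example; this is illustrative code, not the package's own implementation, and the tie-breaking on equal Priority is an assumption:

```go
package main

// Added example of the precedence rules this page describes (not the
// package's own code): GetForRoles picks the highest-priority persona whose
// Roles intersect the user's, and an Override always beats a Prefix/Suffix.
type ContextOverrides struct {
	DescriptionPrefix, DescriptionOverride             string
	AgentInstructionsSuffix, AgentInstructionsOverride string
}

type Persona struct {
	Name     string
	Roles    []string
	Priority int
	Context  ContextOverrides
}

// GetForRoles returns the best match; on equal Priority the first registered
// persona wins (an assumption, since the page only says higher values win).
func GetForRoles(registry []*Persona, roles []string) (*Persona, bool) {
	have := map[string]bool{}
	for _, r := range roles {
		have[r] = true
	}
	var best *Persona
	for _, p := range registry {
		for _, r := range p.Roles {
			if have[r] && (best == nil || p.Priority > best.Priority) {
				best = p
				break
			}
		}
	}
	return best, best != nil
}

// ApplyDescription: an override replaces the base; otherwise a prefix is
// prepended, separated by a blank line; otherwise the base is unchanged.
func (p *Persona) ApplyDescription(base string) string {
	switch c := p.Context; {
	case c.DescriptionOverride != "":
		return c.DescriptionOverride
	case c.DescriptionPrefix != "":
		return c.DescriptionPrefix + "\n\n" + base
	}
	return base
}
```

A persona whose Roles never intersect the user's roles is simply skipped, so a user with no matching persona gets `ok == false` and should fall back to the fail-closed default persona.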
type RoleMapper
type RoleMapper interface {
    // MapToRoles extracts roles from claims.
    MapToRoles(claims map[string]any) ([]string, error)
    // MapToPersona maps roles to a persona.
    MapToPersona(ctx context.Context, roles []string) (*Persona, error)
}
RoleMapper maps identity claims to platform roles and personas.
type StaticRoleMapper
type StaticRoleMapper struct {
    // GroupPersonas maps groups to persona names.
    GroupPersonas map[string]string
    // DefaultPersonaName is the fallback persona.
    DefaultPersonaName string
    // Registry is the persona registry.
    Registry *Registry
}
StaticRoleMapper uses static configuration for mapping.
func (*StaticRoleMapper) MapToPersona
MapToPersona maps based on static configuration.
func (*StaticRoleMapper) MapToRoles
func (*StaticRoleMapper) MapToRoles(_ map[string]any) ([]string, error)
MapToRoles returns static roles (not used for static mapping).
type ToolFilter
type ToolFilter struct {
    // contains filtered or unexported fields
}
ToolFilter filters tools based on persona rules.
func NewToolFilter
func NewToolFilter(registry *Registry) *ToolFilter
NewToolFilter creates a new tool filter.
func (*ToolFilter) FilterTools
func (f *ToolFilter) FilterTools(persona *Persona, tools []string) []string
FilterTools filters a list of tools based on persona rules.
func (*ToolFilter) IsAllowed
func (*ToolFilter) IsAllowed(persona *Persona, toolName string) bool
IsAllowed checks if a tool is allowed for a persona.
func (*ToolFilter) IsConnectionAllowed (added in v1.48.0)
func (*ToolFilter) IsConnectionAllowed(persona *Persona, connectionName string) bool
IsConnectionAllowed checks if a connection is allowed for a persona. If the persona has no connection allow rules, all connections are permitted (backward-compatible default). Empty connection names are always allowed.
type ToolRules
type ToolRules struct {
    // Allow patterns for allowed tools (supports wildcards like "trino_*").
    Allow []string `json:"allow" yaml:"allow"`
    // Deny patterns for denied tools (takes precedence over Allow).
    Deny []string `json:"deny" yaml:"deny"`
}
ToolRules defines tool access rules for a persona.
type ToolRulesConfig
ToolRulesConfig is the YAML configuration for tool rules.
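The combined semantics of ToolRules, ConnectionRules, IsConnectionAllowed and Authorizer.IsAuthorized (deny beats allow; an empty tool allow list fails closed as DefaultPersona requires, while an empty connection allow list permits everything; an empty connection name is always allowed) as an added example. This is illustrative code, not the package's implementation, and using path.Match for the "trino_*" / "prod-*" wildcards is an assumption about how the package matches patterns:

```go
package main

import "path"

// Model of this page's tool and connection rules (added example, not the
// package's code). Wildcard matching via path.Match is an assumption.
type Rules struct{ Allow, Deny []string }

type Persona struct {
	Name        string
	Tools       Rules
	Connections Rules
}

func matchAny(patterns []string, name string) bool {
	for _, pat := range patterns {
		if ok, _ := path.Match(pat, name); ok {
			return true
		}
	}
	return false
}

// Tools: deny wins over allow; an empty allow list grants nothing (fail-closed).
func IsToolAllowed(p *Persona, tool string) bool {
	return !matchAny(p.Tools.Deny, tool) && matchAny(p.Tools.Allow, tool)
}

// Connections: deny wins; an empty allow list permits every connection
// (backward-compatible default); an empty connection name is always allowed.
func IsConnectionAllowed(p *Persona, conn string) bool {
	if conn == "" {
		return true
	}
	if matchAny(p.Connections.Deny, conn) {
		return false
	}
	return len(p.Connections.Allow) == 0 || matchAny(p.Connections.Allow, conn)
}

// IsAuthorized requires both checks; the reason is what an audit log records.
func IsAuthorized(p *Persona, tool, conn string) (bool, string) {
	if !IsToolAllowed(p, tool) {
		return false, "tool " + tool + " denied by persona " + p.Name
	}
	if !IsConnectionAllowed(p, conn) {
		return false, "connection " + conn + " denied by persona " + p.Name
	}
	return true, "allowed by persona " + p.Name
}
```

Note the asymmetry a reviewer should keep in mind: adding a first Connections.Allow entry to a persona that previously had none turns "everything permitted" into "only what is listed", so connection allow lists should be introduced deliberately and together with the audit reason strings.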