Package assignment defines the Assignment entity (role→subject binding).
// Assignment binds a role to a subject within a tenant. Optionally scoped to
// a specific resource (resource-level RBAC).
//
// NamespacePath locates the assignment within the tenant's namespace tree. An
// assignment at namespace N grants the subject the role for checks in N and
// all descendants.
//
// Security notes for maintainers: TenantID is the isolation boundary for this
// entity, but several Store operations are keyed by ID or RoleID alone, so a
// caller acting on behalf of a tenant must compare the returned TenantID with
// the caller's tenant before trusting or deleting the record. ExpiresAt is
// not enforced by this type itself; see the Store notes on expiry.
type Assignment struct {
	// ID uniquely identifies the assignment.
	ID id.AssignmentID `json:"id" db:"id"`
	// TenantID is the tenant that owns this assignment. Every authorization
	// decision built on an Assignment should be scoped by this field.
	TenantID string `json:"tenant_id" db:"tenant_id"`
	// NamespacePath is the position in the tenant's namespace tree at which
	// the grant applies (the grant also covers all descendants). Omitted from
	// JSON when empty; NOTE(review): how an empty path is matched against
	// namespace-scoped lookups is not visible here — confirm in the Store impl.
	NamespacePath string `json:"namespace_path,omitempty" db:"namespace_path"`
	// AppID is the application the assignment belongs to. NOTE(review): no
	// Store method or ListFilter field keys on AppID — confirm whether it is
	// informational only or should take part in scoping.
	AppID string `json:"app_id" db:"app_id"`
	// RoleID is the role being granted.
	RoleID id.RoleID `json:"role_id" db:"role_id"`
	// SubjectKind discriminates SubjectID (what kind of principal it names).
	// It is a free-form string at this layer; this package defines no
	// constants for it, so validation must happen elsewhere.
	SubjectKind string `json:"subject_kind" db:"subject_kind"`
	// SubjectID identifies the grantee within SubjectKind.
	SubjectID string `json:"subject_id" db:"subject_id"`
	// ResourceType and ResourceID, when set, narrow the grant to one resource
	// (answered by Store.ListRolesForSubjectOnResource). When empty the grant
	// is global for the tenant/namespace (answered by Store.ListRolesForSubject).
	ResourceType string `json:"resource_type,omitempty" db:"resource_type"`
	ResourceID string `json:"resource_id,omitempty" db:"resource_id"`
	// ExpiresAt is the instant after which the grant should no longer apply;
	// nil presumably means no expiry. Nothing in this type enforces it —
	// lookups must filter on it rather than rely solely on the periodic sweep.
	ExpiresAt *time.Time `json:"expires_at,omitempty" db:"expires_at"`
	// GrantedBy records who created the grant (audit trail). Not used by any
	// Store lookup visible here.
	GrantedBy string `json:"granted_by,omitempty" db:"granted_by"`
	// Metadata is free-form, caller-supplied data. Treat it as untrusted when
	// rendering or interpreting it. NOTE(review): persisted via db:"metadata";
	// confirm the driver serializes map[string]any (e.g. as JSON) rather than
	// failing on it.
	Metadata map[string]any `json:"metadata,omitempty" db:"metadata"`
	// CreatedAt is when the assignment was persisted.
	CreatedAt time.Time `json:"created_at" db:"created_at"`
}
Assignment binds a role to a subject within a tenant. When ResourceType and ResourceID are set the grant is scoped to that single resource (resource-level RBAC); otherwise it is a global grant for the tenant (within its namespace scope).
NamespacePath locates the assignment within the tenant's namespace tree. An assignment at namespace N grants the subject the role for checks in N and all descendants.
// ListFilter contains filters for listing assignments.
//
// Fields left at their zero value are presumably not applied; the pointer
// fields (NamespacePath, RoleID) distinguish "no filter" (nil) from a filter
// on an empty/zero value. Because TenantID is optional here, a caller serving
// a tenant-scoped request must always set it — an empty TenantID would
// otherwise list assignments across all tenants (confirm against the Store
// implementation).
type ListFilter struct {
	// TenantID restricts results to one tenant. Leave empty only for
	// deliberately cross-tenant (administrative) listings.
	TenantID string `json:"tenant_id,omitempty"`
	// NamespacePath matches assignments at exactly this path when non-nil.
	NamespacePath *string `json:"namespace_path,omitempty"`
	// NamespacePrefix matches assignments whose path starts with this prefix.
	// NOTE(review): confirm the implementation matches on path-segment
	// boundaries so that a prefix of "/a" does not also match "/ab".
	NamespacePrefix string `json:"namespace_prefix,omitempty"`
	// RoleID restricts results to one role when non-nil.
	RoleID *id.RoleID `json:"role_id,omitempty"`
	// SubjectKind and SubjectID restrict results to one grantee.
	SubjectKind string `json:"subject_kind,omitempty"`
	SubjectID string `json:"subject_id,omitempty"`
	// ResourceType and ResourceID restrict results to grants on one resource.
	ResourceType string `json:"resource_type,omitempty"`
	ResourceID string `json:"resource_id,omitempty"`
	// Limit and Offset page the result set. NOTE(review): no upper bound on
	// Limit is enforced by this type; whether Limit == 0 means "no limit" is
	// decided by the Store implementation — confirm before exposing to clients.
	Limit int `json:"limit,omitempty"`
	Offset int `json:"offset,omitempty"`
}
ListFilter contains filters for listing assignments.
// Store defines persistence operations for role assignments.
//
// Tenant isolation: several methods below are keyed by AssignmentID or RoleID
// alone and take no tenantID. Unless those IDs are guaranteed unique across
// tenants and unguessable, callers must verify the TenantID of whatever they
// read (or resolve the role's tenant) before acting on behalf of a tenant.
//
// Expiry: whether the List*/ListRoles* methods exclude assignments whose
// ExpiresAt has passed is not specified by this interface. Authorization
// callers should not assume DeleteExpiredAssignments has run; filter on
// ExpiresAt at lookup time or confirm the implementation does so.
type Store interface {
	// CreateAssignment persists a new assignment.
	CreateAssignment(ctx context.Context, a *Assignment) error
	// GetAssignment retrieves an assignment by ID.
	// No tenant check is applied here; the caller must compare the returned
	// TenantID with its own before using the record.
	GetAssignment(ctx context.Context, assID id.AssignmentID) (*Assignment, error)
	// DeleteAssignment removes an assignment by ID.
	// Keyed by ID only — a caller must establish tenant ownership (e.g. via
	// GetAssignment) before deleting on behalf of a tenant.
	DeleteAssignment(ctx context.Context, assID id.AssignmentID) error
	// ListAssignments returns assignments matching the filter.
	// An empty filter.TenantID presumably lists across tenants; set it for
	// tenant-scoped callers.
	ListAssignments(ctx context.Context, filter *ListFilter) ([]*Assignment, error)
	// CountAssignments returns the number of assignments matching the filter.
	CountAssignments(ctx context.Context, filter *ListFilter) (int64, error)
	// ListRolesForSubject returns role IDs assigned to a subject (global)
	// across the given namespace paths. Pass nil or an empty slice to match
	// any namespace (legacy/unscoped behavior).
	// Security: nil/empty namespacePaths widens the answer to every namespace
	// in the tenant. Authorization checks should pass the explicit chain
	// (the target namespace and its ancestors) rather than nil.
	ListRolesForSubject(ctx context.Context, tenantID string, namespacePaths []string, subjectKind, subjectID string) ([]id.RoleID, error)
	// ListRolesForSubjectOnResource returns role IDs assigned to a subject
	// scoped to a specific resource, across the given namespace paths.
	// Presumably returns only resource-scoped grants; combine with
	// ListRolesForSubject to also honor global grants — confirm in the impl.
	ListRolesForSubjectOnResource(ctx context.Context, tenantID string, namespacePaths []string, subjectKind, subjectID, resourceType, resourceID string) ([]id.RoleID, error)
	// ListSubjectsForRole returns all assignments for a given role.
	// Takes no tenantID; relies on RoleID identifying a single tenant's role.
	ListSubjectsForRole(ctx context.Context, roleID id.RoleID) ([]*Assignment, error)
	// DeleteExpiredAssignments removes assignments that have expired before the given time.
	// This is a housekeeping sweep and returns the number removed; it is not a
	// substitute for checking ExpiresAt at lookup time.
	DeleteExpiredAssignments(ctx context.Context, now time.Time) (int64, error)
	// DeleteAssignmentsBySubject removes all assignments for a subject.
	// Scoped by tenantID; intended for subject offboarding.
	DeleteAssignmentsBySubject(ctx context.Context, tenantID, subjectKind, subjectID string) error
	// DeleteAssignmentsByRole removes all assignments for a role.
	// Takes no tenantID; as with ListSubjectsForRole, resolve the role's
	// tenant before calling on behalf of a tenant.
	DeleteAssignmentsByRole(ctx context.Context, roleID id.RoleID) error
	// DeleteAssignmentsByTenant removes all assignments for a tenant.
	// Destructive across the whole tenant; intended for tenant teardown.
	DeleteAssignmentsByTenant(ctx context.Context, tenantID string) error
}
Store defines persistence operations for role assignments.