Documentation
Overview
Package tok provides the AuthN token (structure and methods) that AIS gateways validate.
- Copyright (c) 2018-2022, NVIDIA CORPORATION. All rights reserved.
Constants
This section is empty.
Variables
var (
	ErrNoPermissions = errors.New("insufficient permissions")
	ErrInvalidToken  = errors.New("invalid token")
	ErrNoToken       = errors.New("token required")
	ErrNoBearerToken = errors.New("invalid token: no bearer")
	ErrTokenExpired  = errors.New("token expired")
	ErrTokenRevoked  = errors.New("token revoked")
)
Functions
func ExtractToken
Header format: 'Authorization: Bearer <token>'
Types
type Token
type Token struct {
	UserID      string          `json:"username"`
	Expires     time.Time       `json:"expires"`
	Token       string          `json:"token"`
	ClusterACLs []*authn.CluACL `json:"clusters"`
	BucketACLs  []*authn.BckACL `json:"buckets,omitempty"`
	IsAdmin     bool            `json:"admin"`
}
func DecryptToken
func (*Token) CheckPermissions
A user has two levels of permissions: cluster-wide and per-bucket. To access data, a user needs only one of the two. This allows creating users with, e.g., read-only access to the entire cluster and read-write access to a single bucket. A per-bucket ACL overrides the cluster-wide one. Permissions for a cluster with an empty ID serve as the defaults when a user does not have permissions for the given `clusterID`.
ACL rules are checked in the following order (from highest to lowest priority):
- The user's role is admin.
- The user's permissions for the given bucket.
- The user's permissions for the given cluster.
- The user's default cluster permissions (the ACL for a cluster with an empty `clusterID`).
If no ACL is found at any step, access is denied.
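The following is an added, self-contained Go example (not the tok package's own code) that implements both the `Authorization: Bearer <token>` header parsing described under ExtractToken and the four-step ACL resolution order described above. The `ExtractToken` signature, the `AccessAttrs` bit set and the simplified `CluACL`/`BckACL` structs are assumptions standing in for types the page does not show; the `Token` struct and error values follow the page.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Error values as declared on the page.
var (
	ErrNoPermissions = errors.New("insufficient permissions")
	ErrNoToken       = errors.New("token required")
	ErrNoBearerToken = errors.New("invalid token: no bearer")
)

// AccessAttrs is a permission bit set (constructed stand-in; the page does
// not show the real access-attribute type).
type AccessAttrs uint64

const (
	AccessGET AccessAttrs = 1 << iota
	AccessPUT
)

// CluACL and BckACL are simplified stand-ins for authn.CluACL / authn.BckACL.
type (
	CluACL struct {
		ID     string // empty ID marks the default (fallback) cluster ACL
		Access AccessAttrs
	}
	BckACL struct {
		ClusterID, Bucket string
		Access            AccessAttrs
	}
)

// Token mirrors the page's struct, using the stand-in ACL types above.
type Token struct {
	UserID      string    `json:"username"`
	Expires     time.Time `json:"expires"`
	Token       string    `json:"token"`
	ClusterACLs []*CluACL `json:"clusters"`
	BucketACLs  []*BckACL `json:"buckets,omitempty"`
	IsAdmin     bool      `json:"admin"`
}

// ExtractToken parses 'Authorization: Bearer <token>'. The signature is an
// assumption; the page lists only the function name.
func ExtractToken(hdr http.Header) (string, error) {
	v := hdr.Get("Authorization")
	if v == "" {
		return "", ErrNoToken
	}
	f := strings.Fields(v)
	if len(f) != 2 || !strings.EqualFold(f[0], "Bearer") {
		return "", ErrNoBearerToken
	}
	return f[1], nil
}

// CheckPermissions applies the page's priority order: admin, bucket ACL,
// cluster ACL, default cluster ACL (empty ID), otherwise deny. A matching
// bucket ACL is final even when it grants less than the cluster ACL.
func (tk *Token) CheckPermissions(clusterID, bucket string, want AccessAttrs) error {
	if tk.IsAdmin {
		return nil
	}
	for _, b := range tk.BucketACLs {
		if bucket != "" && b.ClusterID == clusterID && b.Bucket == bucket {
			return grants(b.Access, want)
		}
	}
	var dflt *CluACL
	for _, c := range tk.ClusterACLs {
		if c.ID == clusterID {
			return grants(c.Access, want)
		}
		if c.ID == "" {
			dflt = c
		}
	}
	if dflt != nil {
		return grants(dflt.Access, want)
	}
	return ErrNoPermissions
}

// grants succeeds only when every requested bit is present in the ACL.
func grants(have, want AccessAttrs) error {
	if have&want == want {
		return nil
	}
	return ErrNoPermissions
}

func main() {
	// Constructed token: read-only default, read-write on clu-A, but the
	// bucket ACL for clu-A/logs is read-only and overrides the cluster ACL.
	tk := &Token{
		ClusterACLs: []*CluACL{{ID: "", Access: AccessGET}, {ID: "clu-A", Access: AccessGET | AccessPUT}},
		BucketACLs:  []*BckACL{{ClusterID: "clu-A", Bucket: "logs", Access: AccessGET}},
	}
	fmt.Println(tk.CheckPermissions("clu-A", "logs", AccessPUT)) // insufficient permissions
}
```

The bucket loop returns as soon as a matching bucket ACL is found, whether or not it grants the requested bits; that is what "per-bucket ACL overrides the cluster-wide one" means in practice, and it is the case most worth a unit test when modifying the resolution order.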