Documentation ¶
Index ¶
- Constants
- Variables
- func ClusterRoleEvaluatorHandles(scope string) bool
- func ClusterRoleEvaluatorParseScope(scope string) (string, string, bool, error)
- func UserEvaluatorHandles(scope string) bool
- func ValidateScopeRestrictions(client *oauthv1.OAuthClient, scopes ...string) error
- func ValidateScopes(scopes []string, fldPath *field.Path) field.ErrorList
- type ClusterRoleEvaluator
- type ScopeDescriber
- type UserEvaluator
Constants ¶
const (
	UserInfo        = userIndicator + "info"
	UserAccessCheck = userIndicator + "check-access"
	// UserListScopedProjects gives explicit permission to see the projects that this token can see.
	UserListScopedProjects = userIndicator + "list-scoped-projects"
	// UserListAllProjects gives explicit permission to see the projects a user can see. This is often used to prime secondary ACL systems
	// unrelated to openshift and to display projects for selection in a secondary UI.
	UserListAllProjects = userIndicator + "list-projects"
)
These must agree with the scope authorizer, but it's an API we cannot realistically change.
Variables ¶
var ScopeDescribers = []ScopeDescriber{
	UserEvaluator{},
	ClusterRoleEvaluator{},
}
ScopeDescribers maps prefixes to the evaluator that handles that prefix.
Functions ¶
func ClusterRoleEvaluatorParseScope ¶
ClusterRoleEvaluatorParseScope parses the requested scope, determining the requested role name, the namespace, and whether access to escalating objects is required. It returns an error if the scope does not parse cleanly.
func UserEvaluatorHandles ¶
func ValidateScopeRestrictions ¶
func ValidateScopeRestrictions(client *oauthv1.OAuthClient, scopes ...string) error
Types ¶
type ClusterRoleEvaluator ¶
type ClusterRoleEvaluator struct{}
role:<clusterrole name>:<namespace to allow the cluster role, * means all>
func (ClusterRoleEvaluator) Describe ¶
func (e ClusterRoleEvaluator) Describe(scope string) (string, string, error)
func (ClusterRoleEvaluator) Handles ¶
func (ClusterRoleEvaluator) Handles(scope string) bool
func (ClusterRoleEvaluator) Validate ¶
func (e ClusterRoleEvaluator) Validate(scope string) error
type ScopeDescriber ¶
type ScopeDescriber interface {
	// Handles returns true if this evaluator can evaluate this scope
	Handles(scope string) bool
	// Validate returns an error if the scope is malformed
	Validate(scope string) error
	// Describe returns a description, warning (typically used to warn about escalation dangers), or an error if the scope is malformed
	Describe(scope string) (description string, warning string, err error)
}
ScopeDescriber takes a scope and returns metadata about it.
type UserEvaluator ¶
type UserEvaluator struct{}
user:<scope name>
func (UserEvaluator) Handles ¶
func (UserEvaluator) Handles(scope string) bool
func (UserEvaluator) Validate ¶
func (e UserEvaluator) Validate(scope string) error
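As an added example (not this package's own code), a standalone Go implementation of the ScopeDescriber contract above for the role:<clusterrole name>:<namespace> format, plus a dispatcher that consults a list of describers the way ScopeDescribers is consulted. RoleDescriber, DescribeScope and the wildcard-namespace warning are this example's own assumptions; the page does not show how the real evaluator detects escalating access, so the example warns on a "*" namespace instead.

```go
package main

import (
	"fmt"
	"strings"
)

// ScopeDescriber is the interface documented above.
type ScopeDescriber interface {
	Handles(scope string) bool
	Validate(scope string) error
	Describe(scope string) (description string, warning string, err error)
}

// RoleDescriber is this example's own handler for role:<clusterrole name>:<namespace>.
type RoleDescriber struct{}

func (RoleDescriber) Handles(scope string) bool { return strings.HasPrefix(scope, "role:") }
func (d RoleDescriber) Validate(scope string) error { _, _, err := d.Describe(scope); return err }

// Describe rejects empty, missing or extra segments, and warns when the namespace is "*".
func (RoleDescriber) Describe(scope string) (string, string, error) {
	parts := strings.Split(scope, ":")
	if len(parts) != 3 || parts[0] != "role" || parts[1] == "" || parts[2] == "" {
		return "", "", fmt.Errorf("scope %q must be role:<clusterrole name>:<namespace>", scope)
	}
	role, ns := parts[1], parts[2]
	if ns == "*" { // assumption of this example: a wildcard namespace deserves a warning
		return "use the " + role + " role in every namespace", "scope is not confined to one namespace", nil
	}
	return "use the " + role + " role in namespace " + ns, "", nil
}

// DescribeScope hands a scope to the first describer that handles it, validating before describing;
// a prefix no describer handles is an error rather than a silently accepted scope.
func DescribeScope(describers []ScopeDescriber, scope string) (string, string, error) {
	for _, d := range describers {
		if d.Handles(scope) {
			if err := d.Validate(scope); err != nil {
				return "", "", err
			}
			return d.Describe(scope)
		}
	}
	return "", "", fmt.Errorf("no describer handles scope %q", scope)
}

func main() {
	desc, warn, err := DescribeScope([]ScopeDescriber{RoleDescriber{}}, "role:view:*")
	fmt.Println(desc, "|", warn, "|", err)
}
```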